Hacker News
by BiteCode_dev 1772 days ago
Yep, that's what we do with https://0bin.net.

Also you must avoid client-side 3rd-party scripts, so no analytics. Also no CDN. I hope OTS will self-host their Google Fonts at some point, since you basically link all secret URLs to your Google account (albeit without pwd) if you are logged in.

We also had several demands for a URL shortener but couldn't find a sustainable way to do it. 3rd parties have rate limits, and hosting our own would get us back to step one.

DMCA also gets really interesting when you get a request but they don't include the hash because some of their tooling strips it along the way.

Anyway, even with all that, you still trust us since we could inject a rogue script at any time in the page.

So the process really protects only us as host (see our FAQ), but if you want real security, use PGP or Signal. Or if you like the cmd thingy, Magic Wormhole is kinda awesome.

Still better than sending a password using plain text of course :)

2 comments

Yeah, guess you'd have to write your own client if you really wanted to be sure nobody could read the message in transit. But not sending the password to the server should at least remove the obvious

And credit to the Sniptt team, apparently they do actually put the password in the fragment in newer versions (and presumably you could build your own client for it using this repository if you're extra paranoid).

Yes, I think if they remove the CDN call it will start to be quite nice.

The alternative is to do file transfers through WebRTC, which is supposed to be end-to-end from my understanding.

If you use a web client, it doesn't matter, you trust the server no matter what you use. The OTS CLI has the advantage of being auditable once, and it remains on your computer.

True, I was thinking about the problem from a web-only perspective, since WebRTC tries to do a direct connection between peers and only uses a third-party server when one or both connections are behind a NAT.

If you initiate the session from your browser it doesn't matter. At best you get better crypto since it's native, but nothing more, and you can't store the result, so the receiver has to be connected.

If you don't, then the point is moot, and the problem has been solved with the excellent Magic Wormhole CLI.