by ajvpot 1288 days ago
Have you considered adding some kind of encryption of the secrets with a preshared key generated inside the action to make the SaaS zero-knowledge? Currently it appears the service can read all the secrets in plaintext.
2 comments

This is tangential to your comment and not a complaint: that isn't zero-knowledge, that is end-to-end encryption.

I've been noticing a lot of marketing materials describe themselves as "zero-knowledge" when it's just E2EE.

I definitely agree it would be nice to have.

Added an issue to track this: https://github.com/step-security/wait-for-secrets/issues/56

The backend API is open-source, and the secrets are cleared immediately after use from the data store, but I agree this is a good idea.
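
The end-to-end encryption suggested at the top of the thread, sketched as an added example that is not part of the thread or of the wait-for-secrets code: a key generated inside the job encrypts each secret before it reaches the service, so the data store only ever holds ciphertext. The function names, the `Map` standing in for the service's data store, and the sample secret are hypothetical; how the key reaches the person entering the secret is not described on the page and is assumed to be a channel the service cannot read.

```javascript
// Added illustration; all names here are hypothetical, not the project's API.
const crypto = require('node:crypto');

// Runs inside the CI job: a fresh 256-bit key per wait, never sent to the service.
function generateSessionKey() {
  return crypto.randomBytes(32);
}

// Runs on the side of the person entering the secret, before upload.
function sealSecret(key, name, value) {
  const iv = crypto.randomBytes(12); // unique nonce per message
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(name, 'utf8')); // bind ciphertext to the secret's name
  const ct = Buffer.concat([cipher.update(value, 'utf8'), cipher.final()]);
  return {
    name,
    iv: iv.toString('base64'),
    ct: ct.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
  };
}

// Runs inside the CI job after fetching the envelope from the service.
function openSecret(key, env) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, Buffer.from(env.iv, 'base64'));
  d.setAAD(Buffer.from(env.name, 'utf8'));
  d.setAuthTag(Buffer.from(env.tag, 'base64'));
  // final() throws if the key, name, ciphertext or tag does not match.
  return Buffer.concat([d.update(Buffer.from(env.ct, 'base64')), d.final()]).toString('utf8');
}

function demo() {
  const key = generateSessionKey();
  const relayStore = new Map(); // stands in for the service's data store
  const env = sealSecret(key, 'NPM_OTP', '123456'); // constructed sample secret
  relayStore.set(env.name, JSON.stringify(env));

  const stored = relayStore.get('NPM_OTP');
  const recovered = openSecret(key, JSON.parse(stored));

  // A service that relabels the stored envelope is detected by the AAD check.
  let tamperRejected = false;
  try { openSecret(key, { ...JSON.parse(stored), name: 'AWS_KEY' }); }
  catch { tamperRejected = true; }

  return { recovered, relaySawPlaintext: stored.includes('123456'), tamperRejected };
}
```
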