[asadeddin]

The private keys are in the requester's browser. So if anyone gets a hold of the URL, they'll see nothing.

For example, here's a secret I just put into Retriever. Are you able to see it? https://retriever.corgea.io/#eyJhbGciOiJSU0EtT0FFUC0yNTYiLCJ...

[e12e]

This is essentially client side TLS, which browsers cut because the ux was bad? Only now you can backdoor/mitm/typosquat a website, rather than attack the major browsers or the os?

And as I understand it, there's no way to verify you're talking to the right person, so sharing a secret via signal is strictly better?

[andrewaylett]

Share the URLs via Signal, then you have a validated identity, and the secret won't pop up in your notifications or be retained in your chat history.