Seeing as how the key is only being protected by TLS in the GET requests. You may want to tighten up your configuration. Also, patch the padding oracle vuln.

You scored an F on SSL Labs.

https://www.ssllabs.com/ssltest/analyze.html?d=beta.cryptpad...

I like the idea though! :)