Please don't use this for passwords. Security is very hard to get right.
Do they do a secure delete of the contents of the webpages? Who knows.
Do they have strong physical protection around the server? Who knows.
Do they run up to date software so the machine can't get taken over? Who knows.
Can you even trust them not to log all your passwords? Who knows.
This is an interesting service for some things, but I would never use it for sending passwords (or anything equally sensitive) back and forth.
Even if you let me "encrypt" the information before uploading it with a password, if this encryption is done in javascript sent by the server then as soon as the server is taken over you can't trust the encryption.
All of those objections boil down to not trusting a 3rd party service.
I wonder objections there are to running your own service of this type? This way you could guarantee the physical security, keep up with regular patches, manage your own logging, and securely delete the secrets to your satisfaction.
The only real objection I can think of is that writing software without security holes is hard. This applies to any security related software however, and the solution is to use 'proven' apps that have survived scrutiny. This type of app is pretty simple, which would ideally be relatively easy to audit.
In principle, a read-once URL that you can safely send via email seems to be a pretty efficient way of dealing with sending passwords or other keys without having to deal with GPG or similar. Just tell the client 'Click on this link, that's your password. This message will self destruct'. If it's intercepted, you can detect this, and change the password/revoke the key. I'm sure I'm missing something, but if not, it would be nice to have this become the standard way of distributing new passwords or keys for services rather than sending by email (for those services where you have an initial password generated for you).
Nothing is entirely secure. We're two guys with no ulterior motives that take all reasonable precautions to keep the data safe. For most people that's not only enough, it's much better than having their passwords stored in their email archives and chat logs.
If the link is sent unencrypted a potential email relay or packet-sniffer could scan for the links related to your website and open it before the recipient. It would be easy to automate at any level. They wouldn't have context, sure, but they'd have whatever it is you wanted to send and your recipient wouldn't.
You're basically saying "don't use the internet". People who are gonna use it know what they re getting into. Plus the use case (a password to an unknown username of an unknown service) doesn't sound that dangerous to me
Well, maybe this isn't for you. Given the number of people who use "password" or "1234" to protect their accounts, your very valid concerns don't necessarily seem like show-stoppers. I don't expect any of the things you list above to be true for most other web services, either.
I highly doubt the typical user with password "1234" is going to go through the trouble of using this service. They would most likely email the password directly ("that's secure right?")
You know what's funny? The company that I work for wrote a web app for a large company and we also host it for them. At one point in time, they requested a way for users to reset their passwords. We implemented it, but they never use it. They prefer to email me their passwords in plain-text. I think I've handled two of these types of emails today, alone!
"I'm sorry, but we recently reviewed our security practices, and we've found this method of communicating passwords to be incompatible with our dedication to protecting the confidentiality and integrity of your business data. Please use the the password reset form at .. "
User receives password URL on an iPad, opens it, loads the destination login page, switches back to password tab, but it's gone forever because the iPad closed it to harvest memory.
User gets URL via webmail on Chrome, Chrome pre-fetches the URL. User closes Chrome because Starbucks is closing. When she finally visits the URL for the "first time" it's nuked.
Data shouldn't change on a GET for these very reasons.
Therefore, the secret shouldn't be obtained from a GET, but rather a POST. A button or jQuery.post on the 'shared' page, for example, that fetches and causes the deletion.
An interesting approach would be to delete the original data, but issue an ETag to leverage browser caching. If the original user rerequests the page while it's still in the browser's persistent cache, the server can simply return a 304 Not Modified, and the user still sees their data. Anyone else, though, is SOL.
You raise some great usecases. We have an option to require a password to view the secret but that doesn't directly solve the cases you bring up.
We're considering changing the basic UX to require a click to display the secret (the click will send a POST to retreive the contents). That will include a much more visible disclaimer that it's only available one time.
• loading starts a countdown timer, visible on screen: after that long, the message is destroyed. (In the meantime, an iPad re-download succeeds.)
• the reader sees a big button on the page which must be pressed to complete deletion (or to speed deletion, if the above timer is counting down).
* on initial load, the browser is given a unique cookie (or even decryption key); from then on, even if the message has an additional countdown 'grace period' (of seconds, days, or longer), only that one browser can reload (or decrypt) it.
Then the receiver reports to the sender that the link didn't work. The sender, not knowing if the password was compromised or if it was a situation you mentioned above, changes the password/revokes the key and generates a new one. This time, the receiver doesn't access it at closing time in Starbucks/doesn't switch tabs, and gets the new password correctly.
Unexpected behavior doesn't happen every time.
As an optimization, if you have a self hosted service of this sort that gives proper logs, you can probably verify that the link wasn't intercepted by looking at the source IP and comparing to what the user reports (if they're able to do that, if not, you fall back to assuming it was compromised), and if so, skip the revocation/regeneration procedure.
Chrome beta does prefetch URLs: download the latest version, go to a Wikipedia page, wait a few seconds then click the first link – it should appear (almost) instantly.
I don't know if it prefetches links in webmail, however, and that would be about the only situation I can think of where this might happen.
Edit: of course, now that I posted this, I can't seem to make it work. I promise it does happen.
GDH: your reply to this comment is not visible: you've been hellbanned. It appears to have been for a comment you made 312 days ago.
Your demo link seems broken, it prefetches a new page every time you mouseover, not just once. Also, there's autoplaying audio ads, something that I can only regard as a bug.
Interesting case of abuse: Send anonymous death threats as secrets. Would be hard to prove the message ever existed without server logs. Also, botnet c&c messages. WikiLeaks leaks! Damn, this is a useful tool.
Also, unfortunate for anyone trying to share the secret over the internet: if a repressive regime is sniffing traffic and looking for these URIs and grabs the contents first they can still discover the messages of dissidents before they get passed on.
A neat idea would be if you encoded the information on your server with a secret key, then put that key in the URL in addition to the unique identifier. This way you never store the information on your server. The secret key should never be put in your logs until the information is accessed and destroyed. If this policy is followed it would alleviate some fears of giving all my secrets to a third-party site.
In order for this to work, the key would have to be generated client-side and the secret encrypted client side. And you're still trusting that the site doesn't send the key when you submit the form.
While I think that this is a good idea, I hink that this would unfortunately result in URLs that would be much too long to be user-friendly - especially if we are talking about sending information to non-technical people.
An AES key is 128 bits, or 22 BASE64 characters. That's reasonable, and you can switch to BASE96 or Unicode.
This doesn't help if the server is malicious, but it does help if the server is honest but is later hacked/subpoenad/whatever. Generating a key entirely in RAM/encrypted swap is reasonable, and securely erasing RAM is easy (securely erasing individual files is nontrivial to say the least.)
I do like the idea though of keeping the secrets safe with a client-side (or non-stored) key. So long as it's known that it isn't about keeping the server honest, since you have to implicitly trust that they won't be storing the key.
This is what I'm thinking. They could reasonably be unable to divulge your secret to a fourth party. The decryption could even be done client-side. They just generate a pair of (encrypted-secret, key). They store encrypted-secret and send you a pointer to it and the key, then destroy the key on their side.
There is no difference between storing plaintext on the server and storing encrypted text on the server if encryption key is (was) known to the server.
I also do something like this for http://jsonifier.com. I had users requesting that JSON pastes could be deleted after they were requested once. So, I know people find these kinds of features useful. I didn't think about building an entire tool around that one feature. Nice thinking!
They _should_ save everything that is sent with this service. They'll have a pretty good dataset to determine common passwords, etc. Then, they could use the data to help users pick better passwords. It's not an invasion of privacy if it's done anonymously, in aggregate, right!?
I can't speak for the others, but let me make clear that I am being entirely facetious. Selling data of user-provided passwords in this kind of context (an app ostensibly used to provide security) is among the worst kinds of evil. Requiring, or even allowing, users to escape from this kind of evil by paying a ransom is unconscionable.
Oh my god, this whole thread is ridiculous. I need to say that I intended my original comment as a joke. I don't think it is ethical to misuse users' data, even if it's anonymous.
Love it. I came into a use case for something like this a while ago, and ended up using a combination of goo.gl (to know when the person had clicked), and text converted to an image (to stop simple copy and paste).
Maybe you could also incorporate the second part. It's obviously not a guarantee the information won't be copied, but if you know you're sending it to someone non-technical, it can be made extremely difficult.
Very neat concept. I like thinking about these new classes of sites/utilities - like one I made called http://shoutkey.com/ - which deal with useful temporary data instead of storing loads of data forever and ever.
I'm interested to know what data store you are using (just curious)?
I built something similar a few months ago: http://whisperpassword.com/ , it includes client-side encryption and email notification (including IP address and geolocation) of when the secret was disclosed.
For me sending sensitive information using a 3rd party service, no matter what the privacy policy is, is not an option.
On the other hand the amount of positive comments simply shows how bad user experience do the current solutions like GPG/PGP have and how easy it is for people to choose convenience over security, even on this forum.
Maybe it could work if you split the password up. Email someone the first half of the password, then tell them to append the second half from the link.
There is also FAQ: https://off-the-record.appspot.com/faq Any feedback is welcome. There is also secure pickup option on front page. Using it server logs won't show up even retrieved keys. Those could be potentially abused to fetch data from Google's backups.
The color scheme is a bit...extreme. To be honest the interface isn't nearly as straightforward, and in a small utility tool like this, that's what matters most.
A privacy policy is a must! If the whole point of the site is to share secrets, with a second party, we need to know just what the third-party is planning to do with them.
Agree. I know it says that you can't do anything with the data, since necessary information isn't available. But... even if its random, it is known that it is a password. So, it's feasible to build a table of known passwords, at least.
How would that work? The URL only works once, so even if they crawled every possibility, the intended recipient would never get it, and would alert the sender.
I found strange that no one mentioned Privnote (https://privnote.com), a much older/popular service that does this but more securely since it generates URLs with keys in the fragment to encrypt the messages on client side (so that the plain message never hits the server).
fantastic. any application that has a password should also provide a method to generate a few one-time log-in urls that one could use from untrusted computers/environments. These uris could be issued with different privileges: e.g. for email, providing just access to the data younger than maybe two weeks.
No we don't keep any identifying information so we have no way to contact people. We only display a message on the private URI page to the effect of, "Message was received 30 minutes ago".
No, I'm saying that you could use the site as it is in an automated form. You just need to POST the data to a certain URL and then parse the page to extract the contents.
Nice app, I would like to suggest adding a copy to clipboard feature for the created link, sometimes you can miss a letter or something and the message will get lost....
would love one additional field that enables a user to specify the number of minutes, hours, or days until the url auto-expires (perhaps that's two fields).
Instead of sending a pass-phrase encrypted ZIP file via email or IM beyond auto-delete feature, you go to this website, input the information and share the URL with the person of choice.
Yes, difference in ease of use is certainly there and not ignorable. But wouldn't the need to send URL and pass-phrase via two different channels would be rather difficult to communicate to 'grandfathers'? Not an impossible task but, as someone who built consumer security products in the past, it's not ignorable either.
Really? You don't understand that the disclaimer "monitored by $human_name" on a page that contains a secret is off-putting on first reading?
Of course I know what Stella is...now. I clicked on it pretty damn fast as soon as I saw it, because I wanted to know who Stella was and why she was privy to my secret. Do you really not understand why causing the users that moment of doubt is non-optimal?
Ah, you raise a good point. We monitor and track only the homepage. We don't mention this explicitly and it would be a good idea to remove from other pages to avoid confusion.
Do they do a secure delete of the contents of the webpages? Who knows.
Do they have strong physical protection around the server? Who knows.
Do they run up to date software so the machine can't get taken over? Who knows.
Can you even trust them not to log all your passwords? Who knows.
This is an interesting service for some things, but I would never use it for sending passwords (or anything equally sensitive) back and forth.
Even if you let me "encrypt" the information before uploading it with a password, if this encryption is done in javascript sent by the server then as soon as the server is taken over you can't trust the encryption.