Why I created scrt.link
blog.stophe.comI just created and consumed a secret message. It seemed to work. Plus, I didn't have to create an account. Easy to use. I also love the name.
I noticed in the FAQ you refer to your three secret types as text, redirect, and neogram. In other places you seem to call redirect "link". Could be a naming consistency fix.
Features like delete after N visits or by X date might be useful too.
I'm a little confused about the use case. Maybe I'm boring, but who would I need to send a scrt.link to? I can think of bad use cases, for example maybe a botnet could propagate messages through this, or share credentials that would change after using or something. I can't really think of other use cases though without going a bit unrealistic.
I read the FAQ about why I should use it. I'm not sure it's great for credentials because if they aren't continually going to be available through the link, the other party will need to copy them.
If I'm doing something with minor security concerns, e.g. sharing the Netflix password, I'm just going to send it over text or whatever. If it gets compromised I'll just reset and change it. If I'm doing something with significant security concerns, e.g. sharing credential to access a production database at work, then I'm obviously not going to use this due to trustworthiness concerns.
I use a similar service for when I need to share passwords in between the importance of a Netflix account and a production database.
For example, if I need to give access to an assistant to access my ShutterStock account to avoid paying ShutterStock an additional $350/month. I don't want that password sitting in email because that just isn't good practice. But I also don't need a full blown team password management system right now.
If the link is sitting in their email then surely that's just as unsafe as having the password there?
Not exactly. Sure, if your email is compromised someone could access the secret link, and ultimately your password. But now, you will know that someone else had access to your password, since the link won't work for you anymore. This is crucial information.
Btw. You can encrypt your secret with an optional password (which may be shared via a different channel).
No, it expires after they view it.
Yes, this is a nice solution, but email security services do click on links before delivering to the client's email inbox. As such, you may need to set the link expiry click number to greater than 1. And then you lose the security due to being ephemeral. Of course, you can log the IP addresses of the clickers, but still you have the leak.
> email security services do click on links before delivering to the client's email inbox
True. This may be a problem. Like mentioned, common bots are being blocked currently, plus, I will be testing POST instead of GET requests (Since bots apparently don't do POST). An another obvious solution is to include some kind of user interaction before the secret is fetched. Although I don't like that solution so much. C.
In practice this has not been a problem. It's like saying you can't put unsubscribe links in emails because a bot will click on it... You just simply design the software so that doesn't happen.
Like I said, I've used a similar service that only allows you to view the secret once and I've used it dozens of times with no problems.
> you just simply design the software so that doesn't happen.
How do you go about doing that? disregard security service clicks based on IP address blacklists, user agent sniffing, etc?
Nope you just use a POST request...
How does a legitimate user clicking on a link inside an email generate a POST request?
It loads a page which then makes a POST request to an API via JS.
Thanks again for all the feedback. Short update: I'm using DELETE now, since it feels a bit more accurate. As a side effect, the page is way more responsive. :)
Have fun sharing secrets. C.
Thanks for the feedback. Much appreciated - I'll look into the consistence naming issue.
> Features like delete after N visits or by X date might be useful too.
Indeed this is an often seen feature. I'll consider it.
About the use cases. Not sure I agree - I believe sharing credentials is one of the main purposes of the service. But like you said, it's limited to "transmitting" the secret in a secure way and not meant to act as a "storage". In other words, yes, a recipient should copy the password and store it in a password manager.
About the trustworthiness. Yes, trust has to be earned. Without affiliation to Mozilla, Google or other trusted brands it's not an easy task. That said, I think what makes the service trustworthy is the fact that:
- It's open source, which means full disclosure - all code and all dependencies can be accessed and reviewed.
- The encryption is happening on the client (browser). All code that is executed within the browser can be viewed. You'll notice in devtools that your secret never leaves the browser unencrypted (and the key doesn't get stored). Which means, even if the server infrastructure got compromised, or seized by the government, there is no way of decrypting the messages. tl;dr: It's safe to share "credential to access a production database" :)
someone in an abusive relationship?
whistleblower?
plenty of scenarios
I don't understand. If I'm in an abusive relationship or am a whistleblower why would I want to send a read-once message? Why is this better than pastebin? (Which, incidentally has this as an optional feature)
If you trust the recipient, but there's a chance that they will be threatened and asked/forced to reveal the message that you sent them, they may appreciate a mechanism that gives them plausible deniability.
Obviously a recipient could make a copy of any disappearing message that they receive if they really wanted to, so you do need to actually trust them. It's less for your security, and more for theirs.
yup, also you can trust the person but maybe not trust their long term security. the short the lifespan the small surface of attack.
Depends on "they", I guess. Plausible deniability goes south, once you are greeted with a wrench. Reminds me of https://xkcd.com/538/
I use https://www.saltify.io which also lets you add a shared passphrase.
I’m always wary of consumer services that specifically target secrecy and encryption. How many of those “lockbox” photo apps are just syphons into the developer’s server?
“We’ll encrypt the file, trust us.”
This message can only come from an already-trusted party. Mozilla had an identical service to this except it was for files (Firefox Send) and that one I could trust.
Thanks for the feedback. Appreciate it.
I believe you can earn the necessary trust by being transparent. For this kind of service two things are essential:
- Open source software: Let everyone review your code
- Encryption in the browser. Sensitive information should never leave the browser in plaintext.
I'm considering file transfer - but there are some challenges to meet :)
C.
I don’t think you can do anything to early my trust personally other than sticking some big brand name in your domain. Anything you say or put on your website still comes from some random server on the web.
I wonder if you could do the encryption entirely in the client so it was verifiably secure.
Front end JavaScript generates a symmetric encryption key that is never shared to the server. User enters message. Message is encrypted with the generated key. You create the scrt sending only the ciphertext to the server which doesn't have the key and so couldn't read the message. You click a button to copy both the link to the scrt and the encryption key. You then share both to your recipient. The recipient visits the link and gets the ciphertext and then copies and pastes in the key to see the message.
If it's all done frontend like this then it should be demonstrably secure and only slightly more complicated for the users.
It is done entirely on the client. You can check the source code. Read more on scrt.link/security.
But if the key is added to the link itself then you could be storing the encrypted string and decrypting it after getting a request for a link that contained the key.
I'm not accusing you of that - just saying there is no way to prove that's not happening.
The part of the URL holding the encryption key is not sent to the server. https://stackoverflow.com/questions/14462218/is-the-url-frag...
Don't take my word for it :) You can check all code that runs in your browser and check all requests made within the network tab.
Okay, nice! I withdraw my comments.
If I wrote something like this, I'd try to be as transparent as I could be as to who I was, and how you could contact me. Hopefully that would create some small level of trust.
--
As an aside, I know you are trying to be funny, but your username is tad offensive.
Regarding the name, search Scunthorpe on YouTube
If I pasted a scrt.link to a friend over WhatsApp or Messenger, and the little link preview pops up, does that trigger a visit count, resulting in the message already being destroyed before the friend gets to click on it?
Good question! Bot traffic from common apps/services is beeing blocked. But let me know if you run into a problem. C.
On a related note, I see that getting the secret is a GET request. However, since that request also deletes the secret I think it would be best if it was a POST request. This would probably also automatically fix any issue of a link preview triggering the secret deletion because I think they are designed to not execute POST requests generally speaking (but I could be wrong here).
Very good point! Thank you. I'll look into this.
Issue is resolved. Using DELETE request now, which feels a bit more accurate. Blocking crawlers is no longer needed, which also benefits page speed! Thanks again for the input. C.
I've used onetimesecret for a long time, so good to see alternatives and I like the sensible pricing structure here. This has me confused though:
*Secrets*
created: 1,179 | viewed: 960 | compromised: 0
Yes, this is a joke. Not sure it's a good one to earn trust ;). C.
This website is flagged as malware/inappropriate at my institution.
Oh wow :) Do you know, by any chance, what type of filter/firewall your institution is using? I'd be interested in the reasoning behind the flagging/blocking. C.