I noticed in the FAQ you refer to your three secret types as text, redirect, and neogram. In other places you seem to call redirect "link". Could be a naming consistency fix.
Features like delete after N visits or by X date might be useful too.
I'm a little confused about the use case. Maybe I'm boring, but who would I need to send a scrt.link to? I can think of bad use cases, for example maybe a botnet could propagate messages through this, or share credentials that would change after using or something. I can't really think of other use cases though without going a bit unrealistic.
I read the FAQ about why I should use it. I'm not sure it's great for credentials because if they aren't continually going to be available through the link, the other party will need to copy them.
If I'm doing something with minor security concerns, e.g. sharing the Netflix password, I'm just going to send it over text or whatever. If it gets compromised I'll just reset and change it. If I'm doing something with significant security concerns, e.g. sharing credential to access a production database at work, then I'm obviously not going to use this due to trustworthiness concerns.
For example, if I need to give access to an assistant to access my ShutterStock account to avoid paying ShutterStock an additional $350/month. I don't want that password sitting in email because that just isn't good practice. But I also don't need a full blown team password management system right now.
> Features like delete after N visits or by X date might be useful too.
Indeed this is an often seen feature. I'll consider it.
About the use cases. Not sure I agree - I believe sharing credentials is one of the main purposes of the service. But like you said, it's limited to "transmitting" the secret in a secure way and not meant to act as a "storage". In other words, yes, a recipient should copy the password and store it in a password manager.
About the trustworthiness. Yes, trust has to be earned. Without affiliation to Mozilla, Google or other trusted brands it's not an easy task. That said, I think what makes the service trustworthy is the fact that:
- It's open source, which means full disclosure - all code and all dependencies can be accessed and reviewed.
- The encryption is happening on the client (browser). All code that is executed within the browser can be viewed. You'll notice in devtools that your secret never leaves the browser unencrypted (and the key doesn't get stored). Which means, even if the server infrastructure got compromised, or seized by the government, there is no way of decrypting the messages. tl;dr: It's safe to share "credential to access a production database" :)
whistleblower?
plenty of scenarios
“We’ll encrypt the file, trust us.”
This message can only come from an already-trusted party. Mozilla had an identical service to this except it was for files (Firefox Send) and that one I could trust.
I believe you can earn the necessary trust by being transparent. For this kind of service two things are essential:
- Open source software: Let everyone review your code
- Encryption in the browser. Sensitive information should never leave the browser in plaintext.
I'm considering file transfer - but there are some challenges to meet :)
C.
Front end JavaScript generates a symmetric encryption key that is never shared to the server. User enters message. Message is encrypted with the generated key. You create the scrt sending only the ciphertext to the server which doesn't have the key and so couldn't read the message. You click a button to copy both the link to the scrt and the encryption key. You then share both to your recipient. The recipient visits the link and gets the ciphertext and then copies and pastes in the key to see the message.
If it's all done frontend like this then it should be demonstrably secure and only slightly more complicated for the users.
--
As an aside, I know you are trying to be funny, but your username is tad offensive.
*Secrets*
created: 1,179 | viewed: 960 | compromised: 0