Show HN: Pixelator.io – Secure data in pictures (opens in new tab)

(pixelator.io)

29 pointstimetoogo10y ago11 comments

11 comments

'We currently use the AES encryption algorithm combined with strong password hashing to ensure your data is secure as possible.'

They don't mention cipher mode, hash algorithm, hash tuning parameters, or if they are even using authentication of some form alongside the encryption.

Complete transparency in terms of crypto ensures you aren't holding a steaming pile of shit if the service becomes popular and it is found that you were using ECB and SHA1.

tagawa10y ago

Seems to work but I was surprised to see the "Uploading" message. For me to trust it with secret files I'd at least want it to work locally with nothing being sent to the server.

deathanatos10y ago

Even if it did it in-browser and didn't show you an upload message, you still need to trust the JavaScript that gets downloaded when you load the page. It could upload behind your back. Or, it could embed your password in the image, encrypted with a known key.

You MUST trust the software you feed your unencrypted data to. And if that softare is downloaded each time from the web, it's rather hard to do.

tagawa10y ago

Right, but at least it would be locally-run code that you can (potentially) verify and run offline, similar to existing Bitcoin/Dogecoin paper wallet generators. I agree most people wouldn't or couldn't though.

flashman10y ago

Just so I'm not misunderstanding: we just have to take it on trust that the developer isn't holding onto the data we upload, right?

jones161810y ago

It's a terrific project, well executed.

To all the naysayers: You're right that you have no reason to trust ANY online tool or channel with your secret documents. Open source is best, etc. But, this crypto tool is more about hiding data than securing it. So, for instance, maybe you don't care if this site "steals" your resume as long as your boss doesn't see it. So, relying on their encryption works for that. Still, if you want to keep secrets from everybody, just encrypt your files before hiding them with this. Either way, pixelator is still a viable (and kind of fun) tool to use.

empressplay10y ago

Some of the "common passwords" listed in the javascript are a hoot!

That said it looks like it does it all client-side (but I'm not 100% sure -- could we get a confirmation on that?)

recoleta10y ago

I won't trust such an online service.

A search for steganography on github lead to projects like darkjpeg that are open-source.

https://github.com/yndi/darkjpeg

oxplot10y ago

steghide [1] has been around for more than a decade and can hide data in WAV files as well.

[1]: http://steghide.sourceforge.net/

grumblestumble10y ago

This would help me tremendously if it was an open source lib.

alanmorph10y ago

So there are two way I can see how they did this encoding, either way they still store some data on their side. It would be useful as an offline app for sure.

j / k navigate · click thread line to collapse

11 comments

Everlag10y ago

'We currently use the AES encryption algorithm combined with strong password hashing to ensure your data is secure as possible.'

They don't mention cipher mode, hash algorithm, hash tuning parameters, or if they are even using authentication of some form alongside the encryption.

Complete transparency in terms of crypto ensures you aren't holding a steaming pile of shit if the service becomes popular and it is found that you were using ECB and SHA1.

tagawa10y ago

Seems to work but I was surprised to see the "Uploading" message. For me to trust it with secret files I'd at least want it to work locally with nothing being sent to the server.

deathanatos10y ago

You MUST trust the software you feed your unencrypted data to. And if that softare is downloaded each time from the web, it's rather hard to do.

tagawa10y ago

flashman10y ago

Just so I'm not misunderstanding: we just have to take it on trust that the developer isn't holding onto the data we upload, right?

jones161810y ago

It's a terrific project, well executed.

empressplay10y ago

Some of the "common passwords" listed in the javascript are a hoot!

That said it looks like it does it all client-side (but I'm not 100% sure -- could we get a confirmation on that?)

recoleta10y ago

I won't trust such an online service.

A search for steganography on github lead to projects like darkjpeg that are open-source.

https://github.com/yndi/darkjpeg

oxplot10y ago

steghide [1] has been around for more than a decade and can hide data in WAV files as well.

[1]: http://steghide.sourceforge.net/

grumblestumble10y ago

This would help me tremendously if it was an open source lib.

alanmorph10y ago

So there are two way I can see how they did this encoding, either way they still store some data on their side. It would be useful as an offline app for sure.

j / k navigate · click thread line to collapse