

Crypt: Free, Anonymous AES256 file encryption - liamnewman
http://wesh.gift/crypt/

======
tptacek
Virtually everyone on the Internet is using an OS that has the built-in
capability to encrypt files with AES. Why would anyone delegate that to a
server?

~~~
freefouran
Only thing I could think of is that you can transfer it from one computer to
another quickly. And you don't need to create an account (like say if I
transferred it through DropBox), just type in a password.

~~~
tptacek
Right, so you encrypt locally, upload to Dropbox, pass the link to your
friend, and they decrypt locally. Still not seeing why you'd opt to trust this
doohickey.

~~~
freefouran
I always found DropBox a pain, you have to email them the link, which is a bit
more effort than saying going to a short URL and typing in a password. So I
could see this being somewhat useful :)

~~~
tptacek
If you've invented the most convenient file transfer tool on the whole
Internet, you've buried the lede here; forget about the encryption, and get
your Dropbox-competitor funded.

If you haven't, well, people should use that other service instead of this
one.

Either way: I'm still totally unclear on why anyone would allow a server to
encrypt files for them. I don't even reach the question of whether it's
possible to do it securely, because it seems like such a weird thing to want.

------
liamnewman
Well, there goes the server. If you're having issues, wait. I'm about to
switch servers.

------
juddus
The actual encryption of the file is secure, but everything else about the
site is insecure. Plus using a free web host to encrypt files with 256 aes is
kinda silly. The fact you use md5 for password hashing isn't very secure
either.

Edit: The idea of this is nice though. Maybe instead of focusing on encrypting
the files, focus on providing a very secure environment to store the files in.
Plus sort out the ssl and remove plain text transmission. This could turn into
a good site

------
junto
I assume that you're doing client side encryption here right?

To try and guarantee that the Javascript you are delivering is from your
server and not MITMed 'by the man', doesn't everything need to be over TLS/SSL
and certificate pinning needs to be in place?

I'm no security expert, but there are plenty around who can confirm or deny
that.

Edit: The password is being sent in a POST without any encryption to protect
that request, or am I missing something?

~~~
liamnewman
Encryption is server side. Your file is uploaded, encrypted, then deleted.

~~~
junto
But the password and file are sent over the wire without any protection?

------
wglb
How is it that the site does not have the password do the encryption server
side?

Unclear that claims match the reality.

