Show HN: Kevlar.io – Secrets that when accessed are deleted permanently - adambutler
http://kevlar.io/

======
mbenjaminsmith
I think this is neat. I can't imagine a use for it but I like the UI.

The fundamental problem with this:

There's no way to prove that the secret has been deleted and / or not copied.
You have access to the plaintext and the password / url (presumably an
encryption key). You (the malicious server operator or the compromised server)
can do anything you want with the information.

This would be interesting if you could:

1) Offer end-to-end encryption. This would require encryption in the client
which has its own issues.

2) Be able to provide proof that the information has been made inaccessible.
This is not the same thing as having the link return a 404 the second time.

~~~
adambutler
I will be open sourcing the code once I've cleaned it up a little.

~~~
mkohlmyr
Doesn't solve the problem he's describing since it won't prove that the
published code is what's running.

~~~
tuananh
you can host it yourself?

~~~
mkohlmyr
It was my understanding it is supposed to be used to pass secrets between
people. If I host my own I may trust it but you may not.

~~~
tuananh
then i guess there's no service for both of you

------
empressplay
Er, how "secret" are secrets submitted without encryption? Could use an "s" on
the end of that http for starters...

~~~
AlyssaRowan
Yeah, that's a showstopper.

You shouldn't be launching a site in 2014 without https: that could handle
'secrets', or even any personal information, or really at all!

Also, as said above, you can't actually prove destruction (as far as I know,
without a Trent i.e. trusted party to do it), which is a big theoretical flaw
in the whole idea.

------
fishnchips
There's always a possibility of someone just taking a screenshot.

~~~
borplk
Every time some service like this is submitted there's someone complaining
about screenshots.

Of course they can take screenshots, that's not the use case.

People can also memorize things, or create fake pages and screenshots. Or film
the screen of their phones, or take photos of their TV.

You can't just send beams magically to their head and then make all evidence
and memory of it magically disappear.

The use case is for when you want to send someone a password or a small
message, instead of sending it to live in their IM history or email inbox, you
send it with something like this, so if they can successfully read it, you
know they were the only ones to ever read it, otherwise they would not be able
to read it.

Is it for super secret stuff? No.

Is it good enough for many use cases? Yes.

In case of password, you'd communicate URL, username etc regularly and just
use something like this for password, so even if this thing itself is not
terribly secure, it's missing context so it's still fine.

Example:

Hey John, here's the login details for the grocery manager: username: blahblah
login url: [http://example.com/login](http://example.com/login) password: get
it from
[http://kevlar.io/QlIk6NKFfX78dRq3ZES5yw](http://kevlar.io/QlIk6NKFfX78dRq3ZES5yw)

~~~
viraptor
> when you want to send someone a password or a small message

No, this is a terrible service for it for a few reasons:

- it doesn't force https, so you should never send any password through it

- you have no control over it, so for all we know all secrets will be saved
forever on an insecure server

- you have no idea who runs the service, so for all we know all secrets will
be published in a year, available for everyone to download

Best way to collect lots of logins, passwords, cc details? Start your own
"secure" storage service.

~~~
borplk
Without the other context the random password itself is not useful to the
service.

People exchange full login details in email and IM all the time, this simply
helps with the problem of having them sit in the history and archives
indefinitely.

Security is a spectrum not an absolute measure.

------
drKarl
Nice... but I would prefer some self hosting alternatives, like Zerobin
[http://sebsauvage.net/paste/](http://sebsauvage.net/paste/)
([https://github.com/sebsauvage/ZeroBin](https://github.com/sebsauvage/ZeroBin))

or [http://yaap.it/](http://yaap.it/)
([https://github.com/SeyZ/yaapit](https://github.com/SeyZ/yaapit))

or even [http://g0bin-demo.appspot.com/new/](http://g0bin-demo.appspot.com/new/)
([https://github.com/jyap808/g0bin](https://github.com/jyap808/g0bin))

------
radiospiel
While I like the UI and such, the principle is basically flawed, as users have
to implicitly trust the server administrators, their hosting providers and
their CA (assuming https). Even iMessage offers a better trust model - you
only need to trust Apple, and, if what Apple says is true, messages cannot be
read by Apple nor anyone else.

It could be a different thing if the service was installed locally, i.e. under
the control of one of the participants in the information exchange (and then
the "burn after reading" feature is pointless).

If a user would really want to pass along secrets without those things she
should use XMPP/OTR instead (i.e. pidgin/adium). Which is really not that hard
to use.

------
andridk
Seems like someone accessed the site, causing it to be deleted. Now shows a
Gandi.net landing page.

~~~
krallin
Apparently the URL isn't correct. Try:
[http://www.kevlar.io/](http://www.kevlar.io/)

------
arb99
Good luck using that name.
[http://dictionary.reference.com/browse/kevlar](http://dictionary.reference.com/browse/kevlar)

"Trademark. 1. a brand of aramid fiber."

That is like calling it Nike or Adidas.

~~~
DanBC
Do the people who own the Kevlar trademark also create software?

I agree that it's probably foolhardy to use something that is an existing
trademark, but I can't see the Kevlar-the-fibre people winning any lawsuit.
Although just the process is probably harmful to the Kevlar-the-software
people.

~~~
brass9
There used to be an FTP client for Linux called kevlarftp (it was an OSS clone
of the BulletProof FTP client). DuPont lawyers raised copyright issues against
the product name. The author promptly gave up and the software was renamed to
"kftp".

------
brass9
Kevlar.io? Start counting the days till a Dupont lawyer knocks on your door...
Anybody remember the FTP client formerly known as kevlarftp?

------
GregP91
Similar to what my friend did recently
([http://ididntsay.com/](http://ididntsay.com/)) :)

~~~
stck
Tell your friend to store only an encrypted version of the message on their
server and add the encryption key to the message url as a hash. Decrypt it in
the browser for the reader.

Sending unencrypted text over http isn't what I'd choose for my top secret
messages.

------
tux3
Sure, and how exactly am I supposed to trust them ?

There are tons of services doing exactly the same thing, some even on Tor.

~~~
phoet
this one is going to be a similar service [https://www.burn-notice.me/](https://www.burn-notice.me/)

which other alternatives are there you are talking about? i would like to have
a look at them.

in terms of trust, lots of people put their data on facebook, so there is
that... specifically for you, would it help if you can audit such an
application?

------
joekinley
Seems kinda similar to justleak.it. But I would have to give the link to the
person manually.

See, the thing is, having seen Leak I immediately wanted to use it, and
actually did use it. Seeing your thing, I just tried it for myself and don't
really see a use in my life for it.

So what's your plan on the service?

~~~
abluecloud
On a side note, why doesn't justleak.it use AWS SES?

------
manish_gill
Heh. I created pretty much this exact same thing for my minor project in
college. Might still be up and running on Heroku somewhere. :)

Edit: Also see: [https://oneshar.es/](https://oneshar.es/)

------
callum85
What are the use cases for this?

~~~
adrow
You could use it for sending things like passwords. You may want to give
someone access to something but not have it stored in chat or email records.
If anyone else were to look up the link later, presumably it's no longer there
as the recipient already clicked the link.

I think that's actually something worth clarifying about this service.
Assuming that a link is created with a secret, but not accessed, how long is
it stored for? Is it ever deleted otherwise?

------
Artemis2
Kevlar is a registered trademark. You might run into some problems with that.

[https://en.wikipedia.org/wiki/Kevlar](https://en.wikipedia.org/wiki/Kevlar)

~~~
radiospiel
Depending on the class the existing Kevlar mark is registered in.

------
prof_hobart
Hmmm.

Don't know if it's down, but every attempt I try gets "404 - It's most likely
your seeing this page because a message has already been accessed and
deleted".

~~~
Soyuz
So do I

------
gprasanth
There was another idea on HN sometime back:

A link unclicked for an amount of time after it has been made live will expire.
Opening it before the counter expires resets the counter.
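The expiry rule gprasanth describes (and the "how long is an unread link kept?" question adrow asks above), as an added example that belongs to no project in this thread: every link gets a time-to-live that starts when it goes live, opening it before the deadline resets the countdown, and a sweep removes whatever nobody opened. The clock is injectable so the behaviour can be checked without waiting; the Map-backed store and the function names are assumptions.

```javascript
// Added example (not from any project in the thread): a link store with a
// sliding expiry. A link dies only after a full ttlMs of nobody opening it.
// `now` is injectable (defaults to the wall clock) so tests can move time.
function createLinkStore(ttlMs, now = () => Date.now()) {
  const entries = new Map();   // id -> { secret, expiresAt }

  function isExpired(entry) { return now() >= entry.expiresAt; }

  return {
    // Register a new link; the countdown starts at creation ("made live").
    create(id, secret) {
      entries.set(id, { secret, expiresAt: now() + ttlMs });
    },
    // Open a link: null if unknown or expired (an expired entry is removed
    // on the spot); otherwise the countdown restarts and the secret returns.
    open(id) {
      const entry = entries.get(id);
      if (entry === undefined) return null;
      if (isExpired(entry)) { entries.delete(id); return null; }
      entry.expiresAt = now() + ttlMs;
      return entry.secret;
    },
    // Milliseconds left before a link expires, or null if it is gone.
    remaining(id) {
      const entry = entries.get(id);
      if (entry === undefined || isExpired(entry)) return null;
      return entry.expiresAt - now();
    },
    // Periodic cleanup so links nobody opened do not sit in storage forever;
    // returns how many were purged.
    sweep() {
      let purged = 0;
      for (const [id, entry] of entries) {
        if (isExpired(entry)) { entries.delete(id); purged++; }
      }
      return purged;
    },
    size() { return entries.size; },
  };
}
```

Note that this is the opposite trade-off from burn-after-reading: a link that is opened keeps living, so the store needs the sweep (or a backing store with native TTLs) to guarantee that anything unread is eventually gone, and the answer to adrow's question becomes simply "ttlMs after the last access".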

------
rafaqueque
Did the same to try Node.js.

[https://github.com/rafaqueque/weezper](https://github.com/rafaqueque/weezper)

------
zuccs
So, same as the [https://encry.pt](https://encry.pt) which has been around for
3+ years?

------
ganessh
Just wondering, why should the secret be accessed over HTTP instead of HTTPS?

------
bru
>Share this secret by sending this URL with a freind.

*friend

~~~
Void_
That's what bothers you in that sentence? :-)