
One-time Secret: Share passwords etc with URIs that work only once - delano
https://onetimesecret.com/
======
Xk
Please don't use this for passwords. Security is very hard to get right.

Do they do a secure delete of the contents of the webpages? Who knows.

Do they have strong physical protection around the server? Who knows.

Do they run up to date software so the machine can't get taken over? Who
knows.

Can you even trust them not to log all your passwords? Who knows.

This is an interesting service for some things, but I would never use it for
sending passwords (or anything equally sensitive) back and forth.

Even if you let me "encrypt" the information before uploading it with a
password, if this encryption is done in javascript sent by the server then as
soon as the server is taken over you can't trust the encryption.

~~~
delano
Nothing is entirely secure. We're two guys with no ulterior motives that take
all reasonable precautions to keep the data safe. For most people that's not
only enough, it's much better than having their passwords stored in their
email archives and chat logs.

~~~
trebor
If the link is sent unencrypted a potential email relay or packet-sniffer
could scan for the links related to your website and open it before the
recipient. It would be easy to automate at any level. They wouldn't have
context, sure, but they'd have whatever it is you wanted to send and your
recipient wouldn't.

I don't think this is likely to happen.

Is your delete permanent, if not secure?

~~~
brendoncrawford
All of their http traffic redirects to https.

~~~
trebor
I didn't mean in reference to their site, but how the end-user transmits the
link to a recipient.

~~~
asdfaoeu
The idea is that would be detectable because the recipient would no longer be
able to view the actual link and the password can be changed again.

------
mapgrep
User receives password URL on an iPad, opens it, loads the destination login
page, switches back to password tab, but it's gone forever because the iPad
closed it to harvest memory.

User gets URL via webmail on Chrome, Chrome pre-fetches the URL. User closes
Chrome because Starbucks is closing. When she finally visits the URL for the
"first time" it's nuked.

Etc. etc.

Unexpected behavior is unexpected.

~~~
true_religion
Chrome prefetches DNS, not URLs.

~~~
alastairpat
Chrome beta does prefetch URLs: download the latest version, go to a Wikipedia
page, wait a few seconds then click the first link – it should appear (almost)
instantly.

I don't know if it prefetches links in webmail, however, and that would be
about the only situation I can think of where this might happen.

Edit: of course, now that I posted this, I can't seem to make it work. I
promise it does happen.

------
peterwwillis
Interesting case of abuse: Send anonymous death threats as secrets. Would be
hard to prove the message ever existed without server logs. Also, botnet c&c
messages. WikiLeaks leaks! Damn, this is a useful tool.

Also, unfortunate for anyone trying to share the secret over the internet: if
a repressive regime is sniffing traffic and looking for these URIs and grabs
the contents first they can still discover the messages of dissidents before
they get passed on.

~~~
phogster
Actually this service is perfect for finding out if someone has been snooping,
since the "secrets" disappear on viewing.

------
Periodic
A neat idea would be if you encoded the information on your server with a
secret key, then put that key in the URL in addition to the unique identifier.
This way you never store the information on your server. The secret key should
never be put in your logs until the information is accessed and destroyed. If
this policy is followed it would alleviate some fears of giving all my secrets
to a third-party site.

~~~
mbreese
In order for this to work, the key would have to be generated client-side and
the secret encrypted client side. And you're still trusting that the site
doesn't send the key when you submit the form.

While I think that this is a good idea, I hink that this would unfortunately
result in URLs that would be much too long to be user-friendly - especially if
we are talking about sending information to non-technical people.

~~~
JoachimSchipper
An AES key is 128 bits, or 22 BASE64 characters. That's reasonable, and you
can switch to BASE96 or Unicode.

This doesn't help if the server is malicious, but it does help if the server
is honest but is later hacked/subpoenad/whatever. Generating a key entirely in
RAM/encrypted swap is reasonable, and securely erasing RAM is easy (securely
erasing individual files is nontrivial to say the least.)

~~~
mbreese
I'm thinking that their unique ID (31 char) plus the key (AES 22) is a little
long for a URL:

[http://example.com/1234567890123456789012345678901/123456789...](http://example.com/1234567890123456789012345678901/1234567890123456789012)

I do like the idea though of keeping the secrets safe with a client-side (or
non-stored) key. So long as it's known that it isn't about keeping the server
honest, since you have to implicitly trust that they won't be storing the key.

~~~
JoachimSchipper
TinyURL is currently giving out 8-character identifiers; I'm confident that
those 31 characters can be trimmed a bit. ;-)

------
spydum
I really like the simplicity of this (even down to the concise html.. next to
no bloat), what is behind it?

Also, pretty cool, if you refresh the private page, it'll tell you whether or
not someone has picked up the shared secret. Nice.

~~~
delano
Thanks, glad you like it. We kept it as simple as possible to get it out the
door and start getting feedback.

It's built with Ruby and Redis behind thin and nginx.

------
mattlong
The guys behind behind Zencoder released the same thing more than a year ago:
<https://www.thismessagewillselfdestruct.com>

~~~
delano
Cool. I hadn't seen that. I like the way they handle the password.

------
Skywing
I also do something like this for <http://jsonifier.com>. I had users
requesting that JSON pastes could be deleted after they were requested once.
So, I know people find these kinds of features useful. I didn't think about
building an entire tool around that one feature. Nice thinking!

~~~
delano
Thanks. jsonifier.com looks cool btw.

------
joejohnson
They _should_ save everything that is sent with this service. They'll have a
pretty good dataset to determine common passwords, etc. Then, they could use
the data to help users pick better passwords. It's not an invasion of privacy
if it's done anonymously, in aggregate, right!?

~~~
artursapek
Agreed. Selling anonymous data (in this case to security companies, etc) is a
great way for this kind of free service to pay the bills.

~~~
mkopinsky
They could even go freemium by giving an option to be excluded from aggregate
data reporting.

~~~
delano
You guys raise an interesting case we hadn't thought about yet.

Devil's advocate: how would that be better than the algorithmic approaches
(weak, medium, strong indicators implemented in javascript etc).

~~~
mkopinsky
I can't speak for the others, but let me make clear that I am being entirely
facetious. Selling data of user-provided passwords in this kind of context (an
app ostensibly used to provide security) is among the worst kinds of evil.
Requiring, or even allowing, users to escape from this kind of evil by paying
a ransom is unconscionable.

~~~
joejohnson
Oh my god, this whole thread is ridiculous. I need to say that I intended my
original comment as a joke. I don't think it is ethical to misuse users' data,
even if it's anonymous.

~~~
delano
Let's just say we're all in agreeance.

------
dazbradbury
Love it. I came into a use case for something like this a while ago, and ended
up using a combination of goo.gl (to know when the person had clicked), and
text converted to an image (to stop simple copy and paste).

Maybe you could also incorporate the second part. It's obviously not a
guarantee the information won't be copied, but if you know you're sending it
to someone non-technical, it can be made extremely difficult.

Congrats on the product though.

~~~
delano
That's an interesting idea. We could offer that as an option: "Convert this
text to an image".

------
jazzychad
Very neat concept. I like thinking about these new classes of sites/utilities
- like one I made called <http://shoutkey.com/> \- which deal with useful
temporary data instead of storing loads of data forever and ever.

I'm interested to know what data store you are using (just curious)?

~~~
delano
We're using Redis. You?

~~~
jazzychad
Yep, Redis for me, too.

------
fduran
I built something similar a few months ago: <http://whisperpassword.com/> , it
includes client-side encryption and email notification (including IP address
and geolocation) of when the secret was disclosed.

------
cpenner461
I'm often wanting something like this, and have often thought "I should build
this" - congrats/thanks for actually building it!

------
nigma
For me sending sensitive information using a 3rd party service, no matter what
the privacy policy is, is not an option.

On the other hand the amount of positive comments simply shows how bad user
experience do the current solutions like GPG/PGP have and how easy it is for
people to choose convenience over security, even on this forum.

~~~
delano
Here's our privacy policy: we don't care to know your secrets.

That's tongue and cheek obviously b/c you do raise a good point. Do you have
any examples we could base one on?

------
Sami_Lehtinen
Well, it does look pretty much like one of my hobby projects I did about two
years ago.

<https://off-the-record.appspot.com/> or <http://otr.dy.fi/>

There is also FAQ: <https://off-the-record.appspot.com/faq> Any feedback is
welcome. There is also secure pickup option on front page. Using it server
logs won't show up even retrieved keys. Those could be potentially abused to
fetch data from Google's backups.

~~~
__float
The color scheme is a bit...extreme. To be honest the interface isn't nearly
as straightforward, and in a small utility tool like this, that's what matters
most.

------
cleverjake
I really like the idea, a privacy policy would be really nice though.

~~~
mc32
Agree. I know it says that you can't do anything with the data, since
necessary information isn't available. But... even if its random, it is known
that it is a password. So, it's feasible to build a table of known passwords,
at least.

~~~
wccrawford
How would that work? The URL only works once, so even if they crawled every
possibility, the intended recipient would never get it, and would alert the
sender.

~~~
mc32
I'm just theorizing. But let's say the site gets compromised for a few
days/weeks and they don't find out.

------
devongall
When I test this, the page is getting cached - and thus my one time secret is
viewable multiple times. Interesting little quirk...

~~~
delano
Cached by the browser?

------
desireco42
I wouldn't use this for passwords, but overall I like the idea, I was thinking
along the same lines. I will use this for sure.

Thanks for making it.

~~~
delano
You're welcome.

The reason we use it for passwords is because there's no way to know the
application or the user account associated to it.

------
pablohoffman
I found strange that no one mentioned Privnote (<https://privnote.com>), a
much older/popular service that does this but more securely since it generates
URLs with keys in the fragment to encrypt the messages on client side (so that
the plain message never hits the server).

------
czam
fantastic. any application that has a password should also provide a method to
generate a few one-time log-in urls that one could use from untrusted
computers/environments. These uris could be issued with different privileges:
e.g. for email, providing just access to the data younger than maybe two
weeks.

------
harisenbon
Interesting. I had made a similar service a few years ago (sendmypassword.net)
but it never got much traction outside of my company.

Do you send confirmation mails, etc after the password is seen so that the
sender knows the password got there?

~~~
delano
No we don't keep any identifying information so we have no way to contact
people. We only display a message on the private URI page to the effect of,
"Message was received 30 minutes ago".

------
lukeholder
Is there an api? I would love to make a textexpander snippit for this.

~~~
icebraining
What language does it use? Seems pretty easy to create a library for this if
it has an HTTP API and HTML parser (or even regex).

~~~
lukeholder
yes thats what i was asking?

~~~
icebraining
No, I'm saying that you could use the site as it is in an automated form. You
just need to POST the data to a certain URL and then parse the page to extract
the contents.

No need for them to have an API.

------
patylu001
Nice app, I would like to suggest adding a copy to clipboard feature for the
created link, sometimes you can miss a letter or something and the message
will get lost....

------
smoody
would love one additional field that enables a user to specify the number of
minutes, hours, or days until the url auto-expires (perhaps that's two
fields).

~~~
delano
Nice idea. Seems like a no-brainer for one of the "More Options".

------
abava
Secure notes: one time readable text messages <http://sn.linkstore.ru>

~~~
JabavuAdams
It will be very difficult to impossible for a .ru domain to gain traction with
North American visitors for this purpose.

------
donpark
How does this differ from sending pass-phrase encrypted ZIP file via email or
IM beyond auto-delete feature?

~~~
delano
My grandfather wouldn't know what to do with an encrypted ZIP file. A lot of
my friends wouldn't either.

~~~
donpark
Yes, difference in ease of use is certainly there and not ignorable. But
wouldn't the need to send URL and pass-phrase via two _different_ channels
would be rather difficult to communicate to 'grandfathers'? Not an impossible
task but, as someone who built consumer security products in the past, it's
not ignorable either.

------
georgefox
I can't open this website at all in Internet Explorer. Not that I'd want to,
of course, but why is that?

~~~
delano
What happens?

~~~
celljak
It Breaks on my IE9 as well. Mine just sits there "loading" a white screen.
Further investigation is needed. Works great on chrome/firefox/webkit.

Can't wait to start using this sucker.

------
pdx
My secret was "monitored by Stella". Yikes! Perhaps lose the Stella promotion
for this application.

~~~
delano
Well, it is actually monitored by Stella. What is the issue?

~~~
pdx
Really? You don't understand that the disclaimer "monitored by $human_name" on
a page that contains a secret is off-putting on first reading?

Of course I know what Stella is...now. I clicked on it pretty damn fast as
soon as I saw it, because I wanted to know who Stella was and why she was
privy to my secret. Do you really not understand why causing the users that
moment of doubt is non-optimal?

~~~
delano
Ah, you raise a good point. We monitor and track only the homepage. We don't
mention this explicitly and it would be a good idea to remove from other pages
to avoid confusion.

Fixed.

------
one_time_secret
<http://onetime.2ch.to/> The idea is imitated.

------
RexRollman
Does anyone know how much data can be passed with this tool? Also, what data
is logged?

------
spun
Very cool idea!

------
shmeeps
I think is is really neat.

