

Show HN: Password-Protect My File - sobel
https://www.passwordprotectmyfile.com/

======
michaelt
If a user doesn't trust Dropbox, why would they trust
passwordprotectmyfile.com?

I know it claims the file doesn't leave your computer, and that might be true
right now, but in five minutes if I visit the page the code could have
changed. And it would hardly be user-friendly to ask users to check the
minified javascript before using it.

~~~
sobel
It's a little clunky, but I do have a process in place for checking that the
website matches the code:
https://github.com/louissobel/ppmf/blob/master/bin/check_production_sha

~~~
hamburglar
If you have to run a local program to verify the code on your web page, why
don't you just put the code you are verifying in the local program?

------
rayshan
Should really highlight the fact that it could be self-hosted [0]. Typing a
password and uploading a sensitive file is never a good idea.

[0] https://github.com/louissobel/ppmf

~~~
untitaker_
At first sight it seems the encryption is done by client-side javascript, so
you don't gain much by hosting it yourself.

~~~
herge
If the javascript comes from your computer (because it's embedded in the page
you self-host), how could it get compromised?

------
chrisfarms
As soon as my file is readable by javascript it _could_ be sent anywhere by
your code. I'm not saying you _do_, but it _could_. Therefore this adds an
unnecessary risk. I would have to disconnect my machine from the network and
clear all the browser storage before reconnecting to even begin to think this
was safe.

Just to be clear: I'm not saying it's useless, just that if the file I was
encrypting was so important that I needed to encrypt it, doing it in a sandbox
that is directly connected to an untrusted third-party wouldn't be a very
bright move.

~~~
sobel
It's all in one html file, so it will work disconnected from the internet.
Download or save the page, turn off your internet, open it in a browser, and
encrypt with peace of mind (although the javascript could still use off-line
storage and then next time you're online on the page access it, I guess).

------
herge
I really like this. Especially the self-contained html file you send around
afterwards.

You should recommend that people download the html and then save it instead of
using the page itself. Maybe make a big download button. Also, remove google
analytics from the self-contained version, that way the page should never
download/upload anything from the network.
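
Added example, not part of the thread or of the ppmf project: a static check of a saved copy of the page that lists references which would make the browser contact the network, and returns a SHA-256 digest to pin the copy that was reviewed. The sample HTML and every name in the code are constructed for illustration.

```python
import hashlib
import re
from html.parser import HTMLParser

# Attributes that make a browser load or submit something.
URL_ATTRS = {"src", "href", "action", "data", "poster"}
# Absolute or protocol-relative URL; data: URIs and relative paths do not match.
REMOTE = re.compile(r"""(?:https?:)?//[A-Za-z0-9.-]+\.[A-Za-z]{2,}[^\s'"<>)]*""")

class RemoteRefFinder(HTMLParser):
    """Collects (where, url) pairs for references that leave the local file."""
    def __init__(self):
        super().__init__()
        self.refs = []
        self._in_code = None  # "script" or "style" while inside that element

    def handle_starttag(self, tag, attrs):
        if tag != "a":  # plain hyperlinks only load when the user clicks them
            for name, value in attrs:
                if name in URL_ATTRS and value and REMOTE.match(value.strip()):
                    self.refs.append((f"<{tag} {name}>", value.strip()))
        if tag in ("script", "style"):
            self._in_code = tag

    def handle_endtag(self, tag):
        if tag == self._in_code:
            self._in_code = None

    def handle_data(self, data):
        if self._in_code:  # URL literals inside inline script or CSS
            for url in REMOTE.findall(data):
                self.refs.append((f"inline {self._in_code}", url))

def audit(html_bytes):
    """Return (sha256 hex digest of the saved file, list of remote references)."""
    finder = RemoteRefFinder()
    finder.feed(html_bytes.decode("utf-8", errors="replace"))
    finder.close()
    return hashlib.sha256(html_bytes).hexdigest(), finder.refs

# Constructed sample: one analytics loader, one remote image, one embedded image.
SAMPLE = b"""<!doctype html><html><head>
<script>var s=document.createElement('script');
s.src='//www.google-analytics.com/analytics.js';document.head.appendChild(s);</script>
</head><body><img src="https://tracker.example/pixel.gif">
<img src="data:image/png;base64,AAAA">
<a href="https://www.passwordprotectmyfile.com/faq">FAQ</a></body></html>"""

if __name__ == "__main__":
    digest, refs = audit(SAMPLE)
    print(digest, *refs, sep="\n")
```

This only sees URLs written out in the file; a script that assembles an address at run time is not flagged, so opening the saved copy with the network disconnected remains the stronger check.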

------
chrisxcross
It's the same as using openssl aes-256-cbc -in plaintext -out ciphertext.
That's as easy and convenient as it can get for me. But it might be helpful if
I have to send an encrypted file to someone not able to use openssl or gpg.
It's pretty cool to combine an encrypted file with the tools needed to decrypt
it :)

------
55873445216111
How is this better than symmetric encryption with GnuPG?

~~~
sobel
The encrypted result of this tool contains all the code necessary to decrypt
itself (in a web browser).

I'm not too familiar with GnuPG, so I don't know if that's different.

~~~
selter01
Any browser?

~~~
sobel
Tested and working with recent Chrome, Firefox, Opera, Safari 6.1+, IE 10+.
https://www.passwordprotectmyfile.com/faq

It uses, among others, the Blob API so will not work on older browsers.

