

Show HN: We open sourced One-Time Secret today - delano
http://blog.onetimesecret.com/2013/01/30/onetimesecret-is-now-opensource/?via=h

======
delano
We launched just over a year ago
(<http://news.ycombinator.com/item?id=3207489>) and we finally made good on
our intention to release it as open source.

Thanks for all the feedback so far; it's made a big difference for us. Not
just with features and bugs but with motivation too.

We have a special free plan for people coming from Hacker News:

<https://onetimesecret.com/>

------
jdludlow
I use a similar system, but only because I know the people who wrote that one.
It's nice to see the code, but there's still no guarantee that this is the
code that is running on the real site. Now, having the code available makes it
possible to run it myself if I'm super-paranoid, which is cool.

So, thanks.

~~~
delano
Yeah, that's the idea. There are cases where it's preferable to use a third-
party service but it's also good to be paranoid. Now we can serve both sides.

------
hellonoam
I made a very similar website. Also offers uploading files and encrypting the
data you share. It offers a little more flexibility on how you want to secure
the content you're sharing.

<https://www.alicetobob.com>

You can check out the source code <https://github.com/hellonoam/cryptopad>
though I should probably update the readme with more info.

~~~
delano
Nice, I hadn't seen that one yet either. I love the testimonial, _"Finally I
can share what really happened"_.

By the way, I'm getting a warning about your SSL cert in Chrome. Firefox was
fine though but it could be b/c of an inconsistent server configuration:

<https://www.ssllabs.com/ssltest/analyze.html?d=https%3A%2F%2Fwww.alicetobob.com%2F>

~~~
hellonoam
hmm that's a little strange. Haven't had this problem before. I'll look into
it - Thanks.

------
jtwaleson
Also see this Python variant you can easily host yourself.

<https://github.com/Achiel/SecretSexChange>

I do not like storing my passwords etc with a third party.

~~~
codegeek
For a second, I thought your app is named "Secret Sex Change". Honest mistake
until I went to the website which then made it clear as "Secrets exchange"

~~~
delano
The old experts-exchange.com conundrum. They went so far as to not even have a
redirect for expertsexchange.com

------
dalore
What if a spammer used this? You send out spam emails with a one time link in
it (per recipient). The recipient views the spam link, sees the spam content and
either (a) purchases or (b) spam reports

If they spam report the report tries to view the link but sees it is no longer
there.

Not saying specifically with your service, but a spammer could set up something
of his own like this and when a link is viewed a second time they could put up
a fake this page has been reported for spamming etc.

~~~
delano
It's certainly possible but there are solutions to mitigate that style of usage.
Spam is only profitable in bulk so they'd constantly be hitting our limiters
which won't really make it worthwhile.

Also the content in the secrets is served as plain text so that diminishes the
quality of the payload too (the recipient would have to copy & paste the URI).

 _Edit: by the way, Mandatum, not sure why from your few comments but you're
hellbanned so they come up dead._

------
jstalin
I also like Zerobin, which encrypts in the browser so no cleartext is saved on
the server:

<http://sebsauvage.net/paste/>

Of course, it's not SSL, but the source is available online and you could
create your own implementation using SSL (as I have).

~~~
delano
Thanks, I hadn't seen that one yet. There are issues with javascript crypto[1]
which is why we didn't go in that direction.

[1] <http://matasano.com/articles/javascript-cryptography/>

~~~
chacham15
The problem with that article is that the author assumes that the only purpose
for javascript cryptography is so that no middle man can understand the
content, not the server itself. Javascript cryptography in this context is a
more difficult problem only because you must trust that the code that the
authentic source delivers does itself not contain a backdoor to the
information.

~~~
jstalin
I'd rather trust the javascript code that I can review than believe that
whatever is happening on the service side can be trusted.

~~~
delano
Being cautious is important but keep in mind that the goal here is to be a
replacement for having plaintext, sensitive info in your email history and
chat logs.

We've all seen these: <http://plaintextoffenders.com/>

------
cllns
You might want to put the description at the top of that post, and in the
README on github.

~~~
delano
Thanks for pointing that out. I updated the blog post with a brief description
and added the what and why to the readme.

------
zefhous
I like <https://www.thismessagewillselfdestruct.com>

Also available at <https://tmwsd.ws>

~~~
delano
Yeah, that one is great. If I hadn't built <https://onetimesecret.com/> that's
the one I'd use.

------
andrewcooke
i have this confused dream that somehow people will implement different
cryptographic "elements" as web services and eventually someone will find a
way to tie them together into something awesome. i think this could be one; my
own (much more pointless) contribution is human-readable timestamps (like
taking a photo of yourself and today's newspaper):
<http://colorlessgreen.net/> (also open-source)

------
Ixiaus
Why is it so hard for people to set up GPG?! Installs even have contextual
menus to encrypt text for a given person!!

I use contextual GPG for pastebin all the time.

~~~
delano
Setting up GPG isn't hard but it's also not always the right tool for the job.

It's a lot to ask for someone to copy and paste a GPG encrypted message when
you just want to send a private link to a (non-technical) client or when you
just don't want something in my facebook message history.

------
toddnessa
It is amazing the ideas out there. A one time use URL... Why didn't I think of
that! With the code open source, this should catch on.

------
tonetheman
heh I too did one of these. <http://encrypticate.com>

Yours looks really nice.

~~~
delano
Thanks, hadn't seen that one yet. Looks good. You just need an SSL cert.

If you google "SSL cert" and click Godaddy's ad, you can get one for $13/year
(instead of $50+). Namecheap has good deals too.

