

Show HN: Encrypt text into url using Javascript on browser - ww520
http://boxuptext.com/

======
ww520
I've just created a web app for encrypting data into url. The intent is to
encrypt data at the client side without leaking the plain data to any server.
The encrypted data are packed into a url for easy sharing. Decryption is done
on the browser with a password. SJCL is used as the workhorse for encryption.

I know there's a prevalent view against doing crypto stuff in Javascript so
extra precautions are taken to minimize the security risks.

\- All web content (html, css, js, images) come from the same server.

\- No download from any 3rd party websites or CDN.

\- Use SSL certificate for all content to prevent code injection along the
way.

\- Encryption and decryption are done on the browser.

\- Nothing is submitted to the server and no input shown to avoid XSS.

\- Url fragment is used for encrypted data which stays on browser.

\- Server doesn't do any encryption work besides serving the web content.

\- The web pages can be downloaded and run off from the local file system.

\- Have as few dependencies as possible, just: SJCL, Bootstrap (css), and
html5.js.

\- Keep things simple for verification.

Please review the app and code to see if there are any security concerns.
Thanks!

~~~
Mithrandir
As far as I can see, minus it being in JS, it's pretty secure, so good job! My
only suggestion is to put this on Github, so any changes made to it can be
publicly seen and referenced.

~~~
ww520
The use of JS is unfortunate. I view it as a tradeoff for convenience and
interop between platforms. It's easy to encrypt a tidbit as a link, send it to
others, and have them simply clicked on it to decrypt it.

Thanks for the feedback.

------
papaf
Would it be possible to get the browser to generate a random key, use the
current mechanism to encrypt that key and then upload a file, that has been
encrypted with the original key, to a third party?

The reason I ask is that something like that could be used to build a file
sharing service where the content is only known to those people with the
correct links (with the # anchor information).

This would be super useful for distributing private data.

------
roryokane
Suggestion: make the "!" under "4. Shorten the URL" heading link directly to
the FAQ entry that its tooltip mentions.

~~~
ww520
Changes made. Thanks!

~~~
roryokane
The link works great, thanks. But now the "!" is colored orange. It's hard to
identify the "!" symbol in dark orange on gray. I think it should be white
again or light gray.

Also, it would help to temporarily highlight the exact linked question on the
page when you visit the link, so we can easily spot it among the other
questions on that part of the page. I'm thinking of something like Stack
Overflow's anchor link highlighting, seen on links like
[http://stackoverflow.com/q/10720420/578288#comment13941533_1...](http://stackoverflow.com/q/10720420/578288#comment13941533_10720420).
But this is not that important, and perhaps one day browsers will do this
highlighting for us - I think Opera already does.

~~~
ww520
Ha. I never notice that's how SO does its fading. Learn something everyday.
Anyway, I put something in to do the highlight and fading on the FAQ. Also
changed the ! from dark orange to gray.

