
Show HN: CryptSend.io – Share encrypted files with randomly generated links - whitef0x
http://cryptsend.io
======
gprasanth
I've recently analysed pricing of various storage providers when thinking of
building a side project, and I was surprised at how costly the services were.

S3, Drive, Dropbox, Spaces, B2, Box, several Object Storage solutions. In some
cases storage was cheap, but the transfer was costly. Everything seemed costly
for the simple use case of providing an end user 10GB monthly upload + ~50GB
bandwidth at low cost.

A vps with additional storage seemed to be the ~better~ most feasible solution
to me.

This sounds like a terrific thing to host on a vps.

~~~
tyingq
wasabi.com might be worth looking into. $.0049 per GB/month, no egress
charges.

That's roughly $5/month for 1TB, which probably beats doing this on a VPS.

~~~
mafuyu
Thanks, hadn't heard of Wasabi before. The storage pricing is comparable with
B2, but no egress charges is nice. Anyone have experience with this provider?

~~~
jermaustin1
So after reading their pricing FAQ, it looks like you are billed for a minimum
of 1TB, and every file is billed for 90 days minimum.

Based on their calculations, if you plan on storing files for more than 16 days, it
will be marginally cheaper than S3, but if you plan on keeping files around
longer than 90 days, it is ~5x cheaper than S3.

~~~
ayushgta
Interesting, in that case, it likely makes Wasabi a good choice for Arq
(https://wasabi-support.zendesk.com/hc/en-us/articles/115001594211-How-do-I-use-Arq-with-Wasabi-)

------
trothamel
Is there any advantage to this over
[https://send.firefox.com/](https://send.firefox.com/) ?

~~~
cmurf
It says "Big Files" but I don't see an explicit size. Whereas send.firefox.com
is 1GiB. Self hosted I imagine you're only limited by filesystem max file
size.

One thing I like about send.firefox.com is it's a one time download, and then
the URL is denied to have ever existed. CryptSend sounds like you could share
the URL with multiple destinations; multiple downloads.

~~~
justusthane
Firefox Send doesn't have an explicit limit either:

> For the most reliable operation, it’s best to keep your file under 1GB

------
kodablah
Tempted to make a version of this myself because it's simple. Single file
executable, with statically linked Tor, that starts a v3 onion service (with
or without client auth), hosts web server with file at URL, gives onion
address URL (and client auth if any, could include that as part of URL or URL
fragment or whatever depending upon approach desired). Client can use exe or
Tor Browser to download it. Could add any features you want such as killing
the server after first download, deadlines, etc.

Pro: doesn't upload to server and preserves anonymity. Con: slower than non-
anonymous.

Here's a simple code example of a v2 onion file server using external Tor
process w/ no auth:
[https://github.com/cretz/bine#example](https://github.com/cretz/bine#example).
This is essentially what onionshare does:
[https://github.com/micahflee/onionshare](https://github.com/micahflee/onionshare).

------
devinl
Seems like a bit of an oversight that they are including third party tracking
scripts like googletagmanager.com in the same context as the javascript doing
encryption. If you need user tracking, at least put the tracking scripts in an
iframe sandbox or something that can't accidentally grab the keys from the URL
fragment and send them off to google.

Also they do call out that URL fragments get stored in browser history which
is a big risk, but they should also mention that many browsers automatically
"sync" history across devices (so keys will get sent to a cloud if you aren't
using incognito/private browsing).
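
The exposure described in the comment above, as an added example that is not part of the thread or of CryptSend's code: an audit that lists what can read the top-level URL fragment on a key-handling page. The markup, the `example.net` host, the `/stats.html` path and the function names are constructed for illustration, and the regex scan stands in for a real HTML parser.

```javascript
// Constructed sample markup for a page that reads a key from location.hash.
// It is not CryptSend's real HTML; the example.net host is a placeholder.
const SAMPLE_HTML = `
<script src="/js/cipher.js"></script>
<script async src="https://www.googletagmanager.com/gtm.js?id=PLACEHOLDER"></script>
<iframe src="/stats.html"></iframe>
<iframe sandbox="allow-scripts" src="https://analytics.example.net/t.html"></iframe>
`;

// Value of an attribute inside one tag: string, "" if bare, null if absent.
function attr(tag, name) {
  const re = new RegExp(`\\s${name}(?:\\s*=\\s*["']([^"']*)["'])?(?=[\\s>])`, "i");
  const m = tag.match(re);
  return m ? (m[1] || "") : null;
}

// List code that can read the top-level URL fragment on a key-handling page:
//  - scripts loaded from another origin (they run inside the page itself)
//  - same-origin frames that are unsandboxed or keep allow-same-origin,
//    because those can reach parent.location.hash
function fragmentExposure(html, pageUrl) {
  const page = new URL(pageUrl);
  const scripts = [];
  const frames = [];
  for (const [tag] of html.matchAll(/<(?:script|iframe)\b[^>]*>/gi)) {
    const src = attr(tag, "src");
    if (!src) continue; // inline script or empty frame: shipped with the page
    const url = new URL(src, page); // resolves relative and // URLs
    if (/^<script/i.test(tag)) {
      if (url.origin !== page.origin) scripts.push(url.origin);
    } else {
      const sandbox = attr(tag, "sandbox");
      const isolated = sandbox !== null && !/\ballow-same-origin\b/i.test(sandbox);
      if (url.origin === page.origin && !isolated) frames.push(url.pathname);
    }
  }
  return { scripts, frames };
}
```

On the sample, the tag-manager script and the unsandboxed same-origin frame are reported; the sandboxed cross-origin frame is not, since it runs in a separate origin and cannot read the parent's `location.hash`.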

------
ohashi
Amusing to see something that looks almost the same as a project I worked on
with a couple friends 5 years ago.
[https://securesha.re/](https://securesha.re/)

It's open source too.

------
whitef0x
Hello HN!

Cryptsend was created as a result of my company having to share large amounts
of medical data with our clients. We couldn't find an easy and secure
solution, so we sat down and created cryptsend. Our codebase is currently in
alpha stages so any audits/improvements/security vulns you find would be
really appreciated!

------
madmaniak
If the key is attached in the link, it also should be passed in a secure way, which
it usually is not.

~~~
prophesi
Yeah, the best solution I've found was Sharelock[0], but I couldn't for the
life of me self-host the app without weird errors cropping up. It's also not
free if you want more than one social sign-in via Auth0.

[0]: [https://sharelock.io/about](https://sharelock.io/about)

~~~
grezql
It requires login with FB, Google, Twitter or MS. This does not solve the
problem with secure key exchange.

~~~
prophesi
Do you not trust the OAuth protocol?

------
lifeformed
The first thing I thought of when I saw the url is that it's some kind of
cryptocurrency transfer service. It's pretty crazy how much cryptocurrency has
hijacked the word "crypto".

------
uncled1023
So one thing, it mentions that it is JS dependence free. How are you
encrypting the files client side then?

If you are encrypting the files server side, then that is NOT E2E encryption.

~~~
jesseb
There are JavaScript files in the GitHub repository, so I'm going to assume
they mean third-party dependencies, but some more clarification would be nice.

There is a file called cipher.js with encrypt and decrypt functions:
https://github.com/countable-web/cryptsend/blob/develop/public/js/cipher.js

~~~
uncled1023
Yea, and I just noticed it downloading a bunch when visiting the page. So it's
probably safe to assume they mean 3rd Party.

~~~
ech085
Confirmed. The intent is anyone can audit our whole codebase in one GitHub
repo for vulnerabilities and not scripts spread across many CDNs and projects
which may change over time.

------
CiTyBear
Hi. Thank you for your work, this will be useful.

However, the `Get folder link` does not work. Is it deactivated for now?

~~~
ech085
Hmm, it's working for me on Chrome. What browser are you using? Do you see any
javascript errors in your dev tools console (provided you know what that is)?

------
sbarker
Why are all the "m" gray?

~~~
lioeters
Looks to be caused by the font they're using, "Comfortaa". With font weight
600, the "m" is lighter than other letters.

------
threesquared
I made something like this a while ago. I think the name has a better ring to
it though..

[https://sendsh.it/](https://sendsh.it/)

