Hacker News new | past | comments | ask | show | jobs | submit login
One-time Secret: Share passwords etc with URIs that work only once (onetimesecret.com)
219 points by delano on Nov 7, 2011 | hide | past | favorite | 104 comments

Please don't use this for passwords. Security is very hard to get right.

Do they do a secure delete of the contents of the webpages? Who knows.

Do they have strong physical protection around the server? Who knows.

Do they run up to date software so the machine can't get taken over? Who knows.

Can you even trust them not to log all your passwords? Who knows.

This is an interesting service for some things, but I would never use it for sending passwords (or anything equally sensitive) back and forth.

Even if you let me "encrypt" the information before uploading it with a password, if this encryption is done in javascript sent by the server then as soon as the server is taken over you can't trust the encryption.

All of those objections boil down to not trusting a 3rd party service.

I wonder objections there are to running your own service of this type? This way you could guarantee the physical security, keep up with regular patches, manage your own logging, and securely delete the secrets to your satisfaction.

The only real objection I can think of is that writing software without security holes is hard. This applies to any security related software however, and the solution is to use 'proven' apps that have survived scrutiny. This type of app is pretty simple, which would ideally be relatively easy to audit.

In principle, a read-once URL that you can safely send via email seems to be a pretty efficient way of dealing with sending passwords or other keys without having to deal with GPG or similar. Just tell the client 'Click on this link, that's your password. This message will self destruct'. If it's intercepted, you can detect this, and change the password/revoke the key. I'm sure I'm missing something, but if not, it would be nice to have this become the standard way of distributing new passwords or keys for services rather than sending by email (for those services where you have an initial password generated for you).

Nothing is entirely secure. We're two guys with no ulterior motives that take all reasonable precautions to keep the data safe. For most people that's not only enough, it's much better than having their passwords stored in their email archives and chat logs.

Perhaps you could go into detail about some of the security precautions which have been taken?

If the link is sent unencrypted a potential email relay or packet-sniffer could scan for the links related to your website and open it before the recipient. It would be easy to automate at any level. They wouldn't have context, sure, but they'd have whatever it is you wanted to send and your recipient wouldn't.

I don't think this is likely to happen.

Is your delete permanent, if not secure?

All of their http traffic redirects to https.

I didn't mean in reference to their site, but how the end-user transmits the link to a recipient.

The idea is that would be detectable because the recipient would no longer be able to view the actual link and the password can be changed again.

You're basically saying "don't use the internet". People who are gonna use it know what they re getting into. Plus the use case (a password to an unknown username of an unknown service) doesn't sound that dangerous to me

Well, maybe this isn't for you. Given the number of people who use "password" or "1234" to protect their accounts, your very valid concerns don't necessarily seem like show-stoppers. I don't expect any of the things you list above to be true for most other web services, either.

I highly doubt the typical user with password "1234" is going to go through the trouble of using this service. They would most likely email the password directly ("that's secure right?")

You know what's funny? The company that I work for wrote a web app for a large company and we also host it for them. At one point in time, they requested a way for users to reset their passwords. We implemented it, but they never use it. They prefer to email me their passwords in plain-text. I think I've handled two of these types of emails today, alone!

So what are you doing obliging them?

"I'm sorry, but we recently reviewed our security practices, and we've found this method of communicating passwords to be incompatible with our dedication to protecting the confidentiality and integrity of your business data. Please use the the password reset form at .. "

Just reply them with "oh, we now have an automated service for that" and a link to password reset form. They'll learn, eventually.

User receives password URL on an iPad, opens it, loads the destination login page, switches back to password tab, but it's gone forever because the iPad closed it to harvest memory.

User gets URL via webmail on Chrome, Chrome pre-fetches the URL. User closes Chrome because Starbucks is closing. When she finally visits the URL for the "first time" it's nuked.

Etc. etc.

Unexpected behavior is unexpected.

Data shouldn't change on a GET for these very reasons.

Therefore, the secret shouldn't be obtained from a GET, but rather a POST. A button or jQuery.post on the 'shared' page, for example, that fetches and causes the deletion.

I like this idea though.

An interesting approach would be to delete the original data, but issue an ETag to leverage browser caching. If the original user rerequests the page while it's still in the browser's persistent cache, the server can simply return a 304 Not Modified, and the user still sees their data. Anyone else, though, is SOL.

Anyone else, except for people behind the same caching web proxy...

Presumably the entire thing is served over HTTPS, making this a non-issue.

You raise some great usecases. We have an option to require a password to view the secret but that doesn't directly solve the cases you bring up.

We're considering changing the basic UX to require a click to display the secret (the click will send a POST to retreive the contents). That will include a much more visible disclaimer that it's only available one time.

Using a POST seems like a solid workaround. It might even be possible to include a POST form from your default email notification.

Some interesting variants are thusly suggested:

• loading starts a countdown timer, visible on screen: after that long, the message is destroyed. (In the meantime, an iPad re-download succeeds.)

• the reader sees a big button on the page which must be pressed to complete deletion (or to speed deletion, if the above timer is counting down).

* on initial load, the browser is given a unique cookie (or even decryption key); from then on, even if the message has an additional countdown 'grace period' (of seconds, days, or longer), only that one browser can reload (or decrypt) it.

Your first two don't solve the problem of someone listening in on your conversation and visiting the link first (or shortly after you).


(That 'problem' wasn't even mentioned in the parent to which I was responding.)

Then the receiver reports to the sender that the link didn't work. The sender, not knowing if the password was compromised or if it was a situation you mentioned above, changes the password/revokes the key and generates a new one. This time, the receiver doesn't access it at closing time in Starbucks/doesn't switch tabs, and gets the new password correctly.

Unexpected behavior doesn't happen every time.

As an optimization, if you have a self hosted service of this sort that gives proper logs, you can probably verify that the link wasn't intercepted by looking at the source IP and comparing to what the user reports (if they're able to do that, if not, you fall back to assuming it was compromised), and if so, skip the revocation/regeneration procedure.

Chrome prefetches DNS, not URLs.

Chrome beta does prefetch URLs: download the latest version, go to a Wikipedia page, wait a few seconds then click the first link – it should appear (almost) instantly.

I don't know if it prefetches links in webmail, however, and that would be about the only situation I can think of where this might happen.

Edit: of course, now that I posted this, I can't seem to make it work. I promise it does happen.

GDH: your reply to this comment is not visible: you've been hellbanned. It appears to have been for a comment you made 312 days ago.

Your demo link seems broken, it prefetches a new page every time you mouseover, not just once. Also, there's autoplaying audio ads, something that I can only regard as a bug.

Chrome is testing pre-fetching in beta builds and its expected to become part of the mainline product soon.

I'm sure there are other issues. GETs are kind of unreliable. Better to do this stuff via POST.

Interesting case of abuse: Send anonymous death threats as secrets. Would be hard to prove the message ever existed without server logs. Also, botnet c&c messages. WikiLeaks leaks! Damn, this is a useful tool.

Also, unfortunate for anyone trying to share the secret over the internet: if a repressive regime is sniffing traffic and looking for these URIs and grabs the contents first they can still discover the messages of dissidents before they get passed on.

Actually this service is perfect for finding out if someone has been snooping, since the "secrets" disappear on viewing.

There's an option to require a password before displaying the secret.

You can also see if someone is really (not) reading your mails.

A neat idea would be if you encoded the information on your server with a secret key, then put that key in the URL in addition to the unique identifier. This way you never store the information on your server. The secret key should never be put in your logs until the information is accessed and destroyed. If this policy is followed it would alleviate some fears of giving all my secrets to a third-party site.

In order for this to work, the key would have to be generated client-side and the secret encrypted client side. And you're still trusting that the site doesn't send the key when you submit the form.

While I think that this is a good idea, I hink that this would unfortunately result in URLs that would be much too long to be user-friendly - especially if we are talking about sending information to non-technical people.

An AES key is 128 bits, or 22 BASE64 characters. That's reasonable, and you can switch to BASE96 or Unicode.

This doesn't help if the server is malicious, but it does help if the server is honest but is later hacked/subpoenad/whatever. Generating a key entirely in RAM/encrypted swap is reasonable, and securely erasing RAM is easy (securely erasing individual files is nontrivial to say the least.)

I'm thinking that their unique ID (31 char) plus the key (AES 22) is a little long for a URL:


I do like the idea though of keeping the secrets safe with a client-side (or non-stored) key. So long as it's known that it isn't about keeping the server honest, since you have to implicitly trust that they won't be storing the key.

TinyURL is currently giving out 8-character identifiers; I'm confident that those 31 characters can be trimmed a bit. ;-)

This is what I'm thinking. They could reasonably be unable to divulge your secret to a fourth party. The decryption could even be done client-side. They just generate a pair of (encrypted-secret, key). They store encrypted-secret and send you a pointer to it and the key, then destroy the key on their side.

There is no difference between storing plaintext on the server and storing encrypted text on the server if encryption key is (was) known to the server.

I really like the simplicity of this (even down to the concise html.. next to no bloat), what is behind it?

Also, pretty cool, if you refresh the private page, it'll tell you whether or not someone has picked up the shared secret. Nice.

Thanks, glad you like it. We kept it as simple as possible to get it out the door and start getting feedback.

It's built with Ruby and Redis behind thin and nginx.

The guys behind behind Zencoder released the same thing more than a year ago: https://www.thismessagewillselfdestruct.com

Cool. I hadn't seen that. I like the way they handle the password.

I also do something like this for http://jsonifier.com. I had users requesting that JSON pastes could be deleted after they were requested once. So, I know people find these kinds of features useful. I didn't think about building an entire tool around that one feature. Nice thinking!

Thanks. jsonifier.com looks cool btw.

They _should_ save everything that is sent with this service. They'll have a pretty good dataset to determine common passwords, etc. Then, they could use the data to help users pick better passwords. It's not an invasion of privacy if it's done anonymously, in aggregate, right!?

Agreed. Selling anonymous data (in this case to security companies, etc) is a great way for this kind of free service to pay the bills.

They could even go freemium by giving an option to be excluded from aggregate data reporting.

You guys raise an interesting case we hadn't thought about yet.

Devil's advocate: how would that be better than the algorithmic approaches (weak, medium, strong indicators implemented in javascript etc).

I can't speak for the others, but let me make clear that I am being entirely facetious. Selling data of user-provided passwords in this kind of context (an app ostensibly used to provide security) is among the worst kinds of evil. Requiring, or even allowing, users to escape from this kind of evil by paying a ransom is unconscionable.

Oh my god, this whole thread is ridiculous. I need to say that I intended my original comment as a joke. I don't think it is ethical to misuse users' data, even if it's anonymous.

Let's just say we're all in agreeance.

Love it. I came into a use case for something like this a while ago, and ended up using a combination of goo.gl (to know when the person had clicked), and text converted to an image (to stop simple copy and paste).

Maybe you could also incorporate the second part. It's obviously not a guarantee the information won't be copied, but if you know you're sending it to someone non-technical, it can be made extremely difficult.

Congrats on the product though.

That's an interesting idea. We could offer that as an option: "Convert this text to an image".

Very neat concept. I like thinking about these new classes of sites/utilities - like one I made called http://shoutkey.com/ - which deal with useful temporary data instead of storing loads of data forever and ever.

I'm interested to know what data store you are using (just curious)?

We're using Redis. You?

Yep, Redis for me, too.

I built something similar a few months ago: http://whisperpassword.com/ , it includes client-side encryption and email notification (including IP address and geolocation) of when the secret was disclosed.

I'm often wanting something like this, and have often thought "I should build this" - congrats/thanks for actually building it!

For me sending sensitive information using a 3rd party service, no matter what the privacy policy is, is not an option.

On the other hand the amount of positive comments simply shows how bad user experience do the current solutions like GPG/PGP have and how easy it is for people to choose convenience over security, even on this forum.

Here's our privacy policy: we don't care to know your secrets.

That's tongue and cheek obviously b/c you do raise a good point. Do you have any examples we could base one on?

Maybe it could work if you split the password up. Email someone the first half of the password, then tell them to append the second half from the link.

Well, it does look pretty much like one of my hobby projects I did about two years ago.

https://off-the-record.appspot.com/ or http://otr.dy.fi/

There is also FAQ: https://off-the-record.appspot.com/faq Any feedback is welcome. There is also secure pickup option on front page. Using it server logs won't show up even retrieved keys. Those could be potentially abused to fetch data from Google's backups.

The color scheme is a bit...extreme. To be honest the interface isn't nearly as straightforward, and in a small utility tool like this, that's what matters most.

I really like the idea, a privacy policy would be really nice though.

A privacy policy is a must! If the whole point of the site is to share secrets, with a second party, we need to know just what the third-party is planning to do with them.

Agree. I know it says that you can't do anything with the data, since necessary information isn't available. But... even if its random, it is known that it is a password. So, it's feasible to build a table of known passwords, at least.

How would that work? The URL only works once, so even if they crawled every possibility, the intended recipient would never get it, and would alert the sender.

I'm just theorizing. But let's say the site gets compromised for a few days/weeks and they don't find out.

When I test this, the page is getting cached - and thus my one time secret is viewable multiple times. Interesting little quirk...

Cached by the browser?

I wouldn't use this for passwords, but overall I like the idea, I was thinking along the same lines. I will use this for sure.

Thanks for making it.

You're welcome.

The reason we use it for passwords is because there's no way to know the application or the user account associated to it.

I found strange that no one mentioned Privnote (https://privnote.com), a much older/popular service that does this but more securely since it generates URLs with keys in the fragment to encrypt the messages on client side (so that the plain message never hits the server).

fantastic. any application that has a password should also provide a method to generate a few one-time log-in urls that one could use from untrusted computers/environments. These uris could be issued with different privileges: e.g. for email, providing just access to the data younger than maybe two weeks.

Interesting. I had made a similar service a few years ago (sendmypassword.net) but it never got much traction outside of my company.

Do you send confirmation mails, etc after the password is seen so that the sender knows the password got there?

No we don't keep any identifying information so we have no way to contact people. We only display a message on the private URI page to the effect of, "Message was received 30 minutes ago".

Is there an api? I would love to make a textexpander snippit for this.

What language does it use? Seems pretty easy to create a library for this if it has an HTTP API and HTML parser (or even regex).

We don't have an API yet, but we will soon.

yes thats what i was asking?

No, I'm saying that you could use the site as it is in an automated form. You just need to POST the data to a certain URL and then parse the page to extract the contents.

No need for them to have an API.

Nice app, I would like to suggest adding a copy to clipboard feature for the created link, sometimes you can miss a letter or something and the message will get lost....

would love one additional field that enables a user to specify the number of minutes, hours, or days until the url auto-expires (perhaps that's two fields).

Nice idea. Seems like a no-brainer for one of the "More Options".

Secure notes: one time readable text messages http://sn.linkstore.ru

It will be very difficult to impossible for a .ru domain to gain traction with North American visitors for this purpose.

How does this differ from sending pass-phrase encrypted ZIP file via email or IM beyond auto-delete feature?

Instead of sending a pass-phrase encrypted ZIP file via email or IM beyond auto-delete feature, you go to this website, input the information and share the URL with the person of choice.

My grandfather wouldn't know what to do with an encrypted ZIP file. A lot of my friends wouldn't either.

Yes, difference in ease of use is certainly there and not ignorable. But wouldn't the need to send URL and pass-phrase via two different channels would be rather difficult to communicate to 'grandfathers'? Not an impossible task but, as someone who built consumer security products in the past, it's not ignorable either.

I can't open this website at all in Internet Explorer. Not that I'd want to, of course, but why is that?

What happens?

It Breaks on my IE9 as well. Mine just sits there "loading" a white screen. Further investigation is needed. Works great on chrome/firefox/webkit.

Can't wait to start using this sucker.

My secret was "monitored by Stella". Yikes! Perhaps lose the Stella promotion for this application.

Well, it is actually monitored by Stella. What is the issue?

Really? You don't understand that the disclaimer "monitored by $human_name" on a page that contains a secret is off-putting on first reading?

Of course I know what Stella is...now. I clicked on it pretty damn fast as soon as I saw it, because I wanted to know who Stella was and why she was privy to my secret. Do you really not understand why causing the users that moment of doubt is non-optimal?

Ah, you raise a good point. We monitor and track only the homepage. We don't mention this explicitly and it would be a good idea to remove from other pages to avoid confusion.


http://onetime.2ch.to/ The idea is imitated.

Does anyone know how much data can be passed with this tool? Also, what data is logged?

Very cool idea!

I think is is really neat.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact