Show HN: We open sourced One-Time Secret today (onetimesecret.com)
62 points by delano on Jan 30, 2013 | hide | past | web | favorite | 29 comments



We launched just over a year ago (http://news.ycombinator.com/item?id=3207489) and we finally made good on our intention to release it as open source.

Thanks for all the feedback so far; it's made a big difference for us. Not just with features and bugs but with motivation too.

We have a special free plan for people coming from Hacker News:

https://onetimesecret.com/


I use a similar system, but only because I know the people who wrote that one. It's nice to see the code, but there's still no guarantee that this is the code that is running on the real site. Now, having the code available makes it possible to run it myself if I'm super-paranoid, which is cool.

So, thanks.


Yeah, that's the idea. There are cases where it's preferable to use a third-party service but it's also good to be paranoid. Now we can serve both sides.


I made a very similar website. Also offers uploading files and encrypting the data you share. It offers a little more flexibility on how you want to secure the content you're sharing.

https://www.alicetobob.com

You can check out the source code https://github.com/hellonoam/cryptopad though I should probably update the readme with more info.


Nice, I hadn't seen that one yet either. I love the testimonial, "Finally I can share what really happened".

By the way, I'm getting a warning about your SSL cert in Chrome. Firefox was fine, though, but it could be b/c of an inconsistent server configuration:

https://www.ssllabs.com/ssltest/analyze.html?d=https%3A%2F%2...


Hmm, that's a little strange. Haven't had this problem before. I'll look into it. Thanks.


Also see this Python variant you can easily host yourself.

https://github.com/Achiel/SecretSexChange

I do not like storing my passwords etc with a third party.


For a second, I thought your app was named "Secret Sex Change". Honest mistake until I went to the website, which then made it clear as "Secrets exchange".


The old experts-exchange.com conundrum. They went so far as to not even have a redirect for expertsexchange.com


Given the capitalization on the Github repository, it looks like that is intentional.


It's not my app, but I do know the creator. The capitalization is a joke ;)


What if a spammer used this? You send out spam emails with a one-time link in it (per recipient). The recipient views the spam link, sees the spam content and either (a) purchases or (b) reports it as spam.

If they report it as spam, the reporter tries to view the link but sees it is no longer there.

Not saying specifically with your service, but a spammer could set up something of his own like this and when a link is viewed a second time they could put up a fake "this page has been reported for spamming" etc.


It's certainly possible but there are solutions to mitigate that style of usage. Spam is only profitable in bulk, so they'd constantly be hitting our limiters, which won't really make it worthwhile.

Also the content in the secrets is served as plain text, so that diminishes the quality of the payload too (the recipient would have to copy & paste the URI).

Edit: by the way, Mandatum, not sure why from your few comments but you're hellbanned so they come up dead.
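The burn-after-read behaviour and the limiters discussed in this exchange, as an added example written for this thread and not taken from One-Time Secret's own code base. It is an in-memory store in Ruby (the language One-Time Secret is written in): a secret is reachable through a random, unguessable key exactly once and is destroyed on that first view; unviewed secrets expire after a TTL; a fixed-window limiter caps how many creates or views any one client identifier can make. Class, method and parameter names, the `RateLimited` error and the `example.invalid` link host are all assumptions of this example.

```ruby
require 'securerandom'

# Constructed example (not One-Time Secret's own code): single-process,
# in-memory burn-after-read store. A real deployment would back this with a
# shared store that supports TTLs and atomic get-and-delete.
class OneTimeSecretStore
  Entry = Struct.new(:value, :expires_at)

  class RateLimited < StandardError; end

  # ttl:        seconds an unviewed secret survives
  # rate_limit: max requests (create or view) per client_id per window
  # clock:      injectable time source so expiry can be tested offline
  def initialize(ttl: 7 * 24 * 3600, rate_limit: 20, window: 3600,
                 clock: -> { Time.now.to_f })
    @entries = {}
    @hits = Hash.new { |h, k| h[k] = [] }   # client_id => request timestamps
    @ttl = ttl
    @rate_limit = rate_limit
    @window = window
    @clock = clock
    @lock = Mutex.new
  end

  # Store a secret and return the key that becomes the one-time link.
  # 24 random bytes (192 bits) from a CSPRNG, URL-safe, so links cannot be
  # enumerated or guessed.
  def create(secret, client_id)
    @lock.synchronize do
      raise RateLimited, client_id unless allow?(client_id)
      key = SecureRandom.urlsafe_base64(24)
      @entries[key] = Entry.new(secret, @clock.call + @ttl)
      key
    end
  end

  # Fetch and destroy in one step under the lock, so two concurrent viewers
  # cannot both receive the secret. Returns the secret on the first view and
  # nil afterwards, for an unknown key, or once the TTL has passed. A bad key
  # costs the caller the same rate-limit budget as a good one.
  def burn(key, client_id)
    @lock.synchronize do
      raise RateLimited, client_id unless allow?(client_id)
      entry = @entries.delete(key)
      return nil if entry.nil? || entry.expires_at <= @clock.call
      entry.value
    end
  end

  # True while the key is still unviewed and unexpired (for a status page that
  # never reveals the content itself).
  def pending?(key)
    @lock.synchronize do
      entry = @entries[key]
      !entry.nil? && entry.expires_at > @clock.call
    end
  end

  private

  # Fixed-window limiter: drop timestamps older than the window, then allow
  # the request only if the client is still under the cap.
  def allow?(client_id)
    now = @clock.call
    stamps = @hits[client_id]
    stamps.reject! { |t| t <= now - @window }
    return false if stamps.size >= @rate_limit
    stamps << now
    true
  end
end

if $PROGRAM_NAME == __FILE__
  store = OneTimeSecretStore.new
  key = store.create("constructed sample secret", "sender-client")
  puts "link: https://example.invalid/secret/#{key}"   # placeholder host
  puts "first view:  #{store.burn(key, 'recipient-client').inspect}"
  puts "second view: #{store.burn(key, 'recipient-client').inspect}"
end
```

The second `burn` call returns nil because the first one deleted the entry inside the same critical section that read it; that is what makes the "already viewed" state trustworthy for the recipient. The limiter counts failed lookups too, which is what bounds the bulk usage the comment above refers to.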


I also like Zerobin, which encrypts in the browser so no cleartext is saved on the server:

http://sebsauvage.net/paste/

Of course, it's not SSL, but the source is available online and you could create your own implementation using SSL (as I have).


Thanks, I hadn't seen that one yet. There are issues with javascript crypto[1] which is why we didn't go in that direction.

[1] http://matasano.com/articles/javascript-cryptography/


The problem with that article is that the author assumes that the only purpose for javascript cryptography is so that no middle man can understand the content, not the server itself. Javascript cryptography in this context is a more difficult problem only because you must trust that the code that the authentic source delivers does not itself contain a backdoor to the information.


You raise a good point. I'm not against encryption in the browser as a rule but it does open up a whole new can of worms. Our approach is to be just good enough for most use cases.


I'd rather trust the javascript code that I can review than believe that whatever is happening on the service side can be trusted.


Being cautious is important but keep in mind that the goal here is to be a replacement for having plaintext, sensitive info in your email history and chat logs.

We've all seen these: http://plaintextoffenders.com/


You might want to put the description at the top of that post, and in the README on github.


Thanks for pointing that out. I updated the blog post with a brief description and added the what and why to the readme.



Yeah, that one is great. If I hadn't built https://onetimesecret.com/ that's the one I'd use.


I have this confused dream that somehow people will implement different cryptographic "elements" as web services and eventually someone will find a way to tie them together into something awesome. I think this could be one; my own (much more pointless) contribution is human-readable timestamps (like taking a photo of yourself and today's newspaper): http://colorlessgreen.net/ (also open-source)


Why is it so hard for people to set up GPG?! Installs even have contextual menus to encrypt text for a given person!!

I use contextual GPG for pastebin all the time.


Setting up GPG isn't hard but it's also not always the right tool for the job.

It's a lot to ask for someone to copy and paste a GPG encrypted message when you just want to send a private link to a (non-technical) client or when you just don't want something in your Facebook message history.


It is amazing the ideas out there. A one time use URL... Why didn't I think of that! With the code open source, this should catch on.


Heh, I too did one of these. http://encrypticate.com

Yours looks really nice.


Thanks, hadn't seen that one yet. Looks good. You just need an SSL cert.

If you google "SSL cert" and click Godaddy's ad, you can get one for $13/year (instead of $50+). Namecheap has good deals too.



