from Hacker News

Show HN: CryptSend.io – Share encrypted files with randomly generated links

by whitef0x on 10/3/18, 9:54 AM with 44 comments

  • by gprasanth on 10/4/18, 2:56 PM

    I've recently analysed pricing of various storage providers when thinking of building a side project, and I was surprised at how costly the services were.

    S3, Drive, Dropbox, Spaces, B2, Box, several Object Storage solutions. In some cases storage was cheap, but the transfer was costly. Everything seemed costly for the simple use case of providing an end user 10GB monthly upload + ~50GB bandwidth at low cost.

    A VPS with additional storage seemed to be the ~better~ most feasible solution to me.

    This sounds like a terrific thing to host on a VPS.

  • by trothamel on 10/4/18, 2:19 PM

    Is there any advantage to this over https://send.firefox.com/ ?

  • by kodablah on 10/4/18, 2:48 PM

    Tempted to make a version of this myself because it's simple. Single file executable, with statically linked Tor, that starts a v3 onion service (with or without client auth), hosts web server with file at URL, gives onion address URL (and client auth if any, could include it as part of URL or URL fragment or whatever depending upon approach desired). Client can use exe or Tor Browser to download it. Could add any features you want such as killing the server after first download, deadlines, etc.

    Pro: doesn't upload to server and preserves anonymity. Con: slower than non-anonymous.

    Here's a simple code example of a v2 onion file server using external Tor process w/ no auth: https://github.com/cretz/bine#example. This is essentially what onionshare does: https://github.com/micahflee/onionshare.

  • by devinl on 10/4/18, 9:14 PM

    Seems like a bit of an oversight that they are including third party tracking scripts like googletagmanager.com in the same context as the JavaScript doing encryption. If you need user tracking, at least put the tracking scripts in an iframe sandbox or something that can't accidentally grab the keys from the URL fragment and send them off to Google.

    Also they do call out that URL fragments get stored in browser history which is a big risk, but they should also mention that many browsers automatically "sync" history across devices (so keys will get sent to a cloud if you aren't using incognito/private browsing).
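
Added example, not part of the thread and not CryptSend's code: one way to act on the concern in the comment above, by reading the key out of the URL fragment and removing it from the address bar before any third-party script is loaded. The `#k=<base64url>` link layout, the 32-byte key length and the analytics URL are assumptions; a script in the same context can still reach page state, which is why the comment suggests a sandboxed iframe.

```javascript
// Added example. Assumption: links look like https://host/f/<id>#k=<base64url key>;
// the "k" parameter name and the 32-byte key length are hypothetical.
const KEY_BYTES = 32;

function b64urlToBytes(text) {
  if (!/^[A-Za-z0-9_-]+$/.test(text)) throw new Error("fragment key is not base64url");
  const b64 = text.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return Uint8Array.from(atob(padded), (ch) => ch.charCodeAt(0));
}

// Reads the key from the fragment, then rewrites the current entry's URL without
// the fragment, so code that runs later and reads location.href/hash gets no key.
// `loc` and `hist` are window.location and window.history in a browser.
function takeKeyFromFragment(loc, hist) {
  const params = new URLSearchParams(loc.hash.replace(/^#/, ""));
  const encoded = params.get("k");
  if (encoded === null) return null; // no key in this URL, nothing to scrub
  // Scrub first: even a malformed key should not stay in the address bar.
  hist.replaceState(null, "", loc.pathname + loc.search);
  const key = b64urlToBytes(encoded);
  if (key.length !== KEY_BYTES) throw new Error("unexpected key length");
  return key;
}

// Third-party scripts are added only after the scrub, never before it.
function loadAnalytics(doc, src) {
  const s = doc.createElement("script");
  s.src = src;
  s.async = true;
  doc.head.appendChild(s);
}

// Browser wiring (skipped when run outside a browser).
if (typeof window !== "undefined") {
  const key = takeKeyFromFragment(window.location, window.history);
  // ... hand `key` to the page's decryption code here ...
  loadAnalytics(document, "https://analytics.example/tag.js"); // placeholder URL
}
```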

  • by ohashi on 10/4/18, 5:16 PM

    Amusing to see something that looks almost the same as a project I worked on with a couple friends 5 years ago. https://securesha.re/

    It's open source too.

  • by whitef0x on 10/4/18, 6:55 PM

    Hello HN!

    Cryptsend was created as a result of my company having to share large amounts of medical data with our clients. We couldn't find an easy and secure solution, so we sat down and created cryptsend. Our codebase is currently in alpha stages so any audits/improvements/security vulns you find would be really appreciated!

  • by madmaniak on 10/4/18, 2:41 PM

    If the key is attached in the link, it should also be passed in a secure way, which it usually is not.

  • by lifeformed on 10/4/18, 5:07 PM

    The first thing I thought of when I saw the url is that it's some kind of cryptocurrency transfer service. It's pretty crazy how much cryptocurrency has hijacked the word "crypto".

  • by uncled1023 on 10/4/18, 4:59 PM

    So one thing, it mentions that it is JS dependency free. How are you encrypting the files client side then?

    If you are encrypting the files server side, then that is NOT E2E encryption.

  • by CiTyBear on 10/4/18, 2:19 PM

    Hi. Thank you for your work, this will be useful.

    However, the `Get folder link` does not work. Is it deactivated for now?

  • by sbarker on 10/4/18, 6:05 PM

    Why are all the "m" gray?

  • by threesquared on 10/4/18, 3:22 PM

    I made something like this a while ago. I think the name has a better ring to it though..

    https://sendsh.it/