from Hacker News

Show HN: Ots – share a secret via one-time URL

by slavomirvojacek on 8/9/21, 1:38 PM with 44 comments

  • by contravariant on 8/9/21, 2:05 PM

    Edit: This information is apparently outdated, see discussion below.

    > # Why should I trust you with my secrets?

    > All secrets are encrypted end-to-end, which means the plaintext values never leave your device. We do not log, track, share, or store the encryption key that protects your secret. You can check the client code to learn more about how we create the encryption key as well as what data is being sent to our servers.

    Those are all good, but ultimately don't really answer the question when the decryption key is part of the URL. If you wanted to avoid the necessity to trust secure.sniptt.com the decryption key should at least have been placed inside the fragment. Then you could at least verify if it's being sent to the server or not. As it is it's definitely sent to the server, you'll just have to trust them that they wont use it for anything nefarious

  • by fishtoaster on 8/9/21, 4:34 PM

    Man, I would love a self-hosted version of this. I've worked at a lot of tiny startups and it often goes like this:

    1. Sam needs to send some sensitive credentials to Alex

    2. Well, we know we shouldn't use slack or email

    3. We should probably use a shared password manager, but that'd be a much larger conversation with the whole dev team

    4. There are a ton of options if I search "share secrets securely," but I'd have to dig into a few to figure out if I trust A. that company and B. their security model

    5. Fuck it, just share it on slack, delete the message later, and hope for the best. We'll figure out a better solution "next time."

    I'd love something simple and self-hosted that I could throw onto heroku, or deploy as a ready-made container, that'd provide one-time-use urls like this. It'd be a great way to have slightly better secret delivery over insecure channels (like slack) in the early days of an eng team before we get around to setting up a unified system for secret sharing. And easy self-hosting means we don't have to solve the trust problem every time.

  • by bndw on 8/9/21, 5:06 PM

    If anyone is curious like I was, here's a quick review of what the linked code does:

    - Reads plaintext input from stdin

    - Symmetrically encrypts the plaintext using a 32-byte [cryptographically] random generated key (AES-256 GCM)

    - POSTs the ciphertext and expiry (default 24h) to https://api.ots.sniptt.com/secrets

    - The server responds with a URL to view the secret via a response header

    - Query string "?ref=cli&v=<version>" are appended to the secret URL

    - The decryption key is base64 encoded and appended to the secret URL as a Fragment, "#<key>"

    - The secret URL is printed to stdout

  • by redm on 8/9/21, 4:23 PM

    The problem with these one-time URL's is that most people share them in places where the "one-time" is usually a cloud provider. If you share over IM, the IM service will check the URL to provide preview, or virus scan it. Same for many email providers. By the time you try to open it, it's already been burned.

    You can whitelist those parties, but it somewhat defeats the purpose of a secure one-time link.

  • by slavomirvojacek on 8/9/21, 3:05 PM

    Hi all, since we've had a bit of traction today I thought I'd ask whether there are any additional features you'd like to see added?

    For example, some sort of "self-serve" UI where you could get an API key which would allow users/teams have dedicated rate-limits and not use the default/public limits? Or a self-hosted option where the API could be deployed to the company's cloud of choice?

    Or.. leave as is?

    Please let us know! :)

  • by postalrat on 8/10/21, 3:49 AM

    I'm surprised nobody has created a sort of s3 service that only serves files once. It would be useful to enable services like this or other things like leaving a trail of files that reference future urls.

  • by yewenjie on 8/9/21, 2:23 PM

    I have been wondering recently - how secure are URLs? For example Telegram's bot API is authenticated with a token which has to be included in the URL for any request.

    What kind of failure modes are there regarding this?