Show HN: We open sourced One-Time Secret today (opens in new tab)

(blog.onetimesecret.com)

62 pointsdelano13y ago29 comments

29 comments

26 comments · 12 top-level

jtwaleson13y ago· 4 in thread

Also see this Python variant you can easily host yourself.

https://github.com/Achiel/SecretSexChange

I do not like storing my passwords etc with a third party.

codegeek13y ago

For a second, I thought you app is named "Secret Sex Change". Honest mistake until I went to the website which then made it clear as "Secrets exchange"

delanoOP13y ago

The old experts-exchange.com conundrum. They went so far as to not even have a redirect for expertsexchange.com

xanados13y ago

Given the capitalization on the Github repository, it looks like that is intentional.

jtwaleson13y ago

It's not my app, but I do know the creator. The capitalization is a joke ;)

hellonoam13y ago· 2 in thread

I made a very similar website. Also offers uploading files and encrypting the data you share. It offers a little more flexibility on how you want to secure the content you're sharing.

https://www.alicetobob.com

You can check out the source code https://github.com/hellonoam/cryptopad though I should probably update the readme with more info.

delanoOP13y ago

Nice, I hadn't seen that one yet either. I love the testimonial, "Finally I can share what really happened".

By the way, I'm getting a warning about your SSL cert in Chrome. Firefox was fine though but it could be b/c of an inconsistent server configuration:

https://www.ssllabs.com/ssltest/analyze.html?d=https%3A%2F%2...

hellonoam13y ago

hmm that's a little strange. Haven't had this problem before. I'll look into it - Thanks.

jstalin13y ago· 2 in thread

I also like Zerobin, which encrypts in the browser so no cleartext is saved on the server:

http://sebsauvage.net/paste/

Of course, it's not SSL, but the source is available online and you could create your own implementation using SSL (as I have).

delanoOP13y ago

Thanks, I hadn't seen that one yet. There are issues with javascript crypto[1] which is why we didn't go in that direction.

[1] http://matasano.com/articles/javascript-cryptography/

chacham1513y ago

The problem with that article is that the author assumes that the only purpose for javascript cryptography is so that no middle man can understand the content, not the server itself. Javascript cryptography in this context is a more difficult problem only because you must trust that the code that the authentic source delivers does itself not contain a backdoor to the information.

2 more replies

jdludlow13y ago· 1 in thread

I use a similar system, but only because I know the people who wrote that one. It's nice to see the code, but there's still no guarantee that this is the code that is running on the real site. Now, having the code available makes it possible to run it myself if I'm super-paranoid, which is cool.

So, thanks.

delanoOP13y ago

Yeah, that's the idea. There are cases where it's preferable to use a third-party service but it's also good to be paranoid. Now we can serve both sides.

dalore13y ago· 1 in thread

What if a spammer used this? You send out spam emails with a one time link in it (per recipent). The recipient views the spam link sees the spam content and either (a) purchases or (b) spam reports

If they spam report the report tries to view the link but sees it is no longer there.

Not saying specifically with your service, but a spammer could setup something of his own like this and when a link is viewed a second time they could put up a fake this page has been reported for spamming etc.

delanoOP13y ago

It's certainly possible but there are solutions to mitigate that style usage. Spam is only profitable in bulk so they'd constantly be hitting our limiters which won't really make it worthwhile.

Also the content in the secrets in served as plain text so that diminishes the quality of the payload too (the recipient would have to copy & paste the URI).

Edit: by the way, Mandatum, not sure why from your few comments but you're hellbanned so they come up dead.

cllns13y ago· 1 in thread

You might want to put the description at the top of that post, and in the README on github.

delanoOP13y ago

Thanks for pointing that out. I updated the blog post with a brief description and added the what and why to the readme.

zefhous13y ago· 1 in thread

I like https://www.thismessagewillselfdestruct.com

Also available at https://tmwsd.ws

delanoOP13y ago

Yeah, that one is great. If I hadn't built https://onetimesecret.com/ that's the one I'd use.

Ixiaus13y ago· 1 in thread

Why is it so hard for people to set up GPG?! Installs even have contextual menus to encrypt text for a given person!!

I use contextual GPG for pastebin all the time.

delanoOP13y ago

Setting up GPG isn't hard but it's also not always the right tool for the job.

It's a lot to ask for someone to copy and paste a GPG encrypted message when you just want to send a private link to a (non-technical) client or when you just don't want something in my facebook message history.

tonetheman13y ago· 1 in thread

heh I too did one of these. http://encrypticate.com

Yours looks really nice.

delanoOP13y ago

Thanks, hadn't seen that one yet. Looks good. You just need an SSL cert.

If you google "SSL cert" and click Godaddy's ad, you can get one for $13/year (instead of $50+). Namecheap has good deals too.

delanoOP13y ago

We launched just over a year ago (http://news.ycombinator.com/item?id=3207489) and we finally made good on our intension to release it as open source.

Thanks for all the feedback so far; it's made a big a difference for us. Not just with features and bugs but with motivation too.

We have a special free plan for people coming from Hacker News:

https://onetimesecret.com/

andrewcooke13y ago

i have this confused dream that somehow people will implement different cryptographic "elements" as web services and eventually someone will find a way to tie them together into something awesome. i think this could be one; my own (much more pointless) contribution is human-readable timestamps (like taking a photo of yourself and today's newspaper): http://colorlessgreen.net/ (also open-source)

toddnessa13y ago

It is amazing the ideas out there. A one time use URL... Why didn't I think of that! With the code open source, this should catch on.

j / k navigate · click thread line to collapse

29 comments

26 comments · 12 top-level

jtwaleson13y ago· 4 in thread

Also see this Python variant you can easily host yourself.

https://github.com/Achiel/SecretSexChange

I do not like storing my passwords etc with a third party.

codegeek13y ago

For a second, I thought you app is named "Secret Sex Change". Honest mistake until I went to the website which then made it clear as "Secrets exchange"

delanoOP13y ago

The old experts-exchange.com conundrum. They went so far as to not even have a redirect for expertsexchange.com

xanados13y ago

Given the capitalization on the Github repository, it looks like that is intentional.

jtwaleson13y ago

It's not my app, but I do know the creator. The capitalization is a joke ;)

hellonoam13y ago· 2 in thread

I made a very similar website. Also offers uploading files and encrypting the data you share. It offers a little more flexibility on how you want to secure the content you're sharing.

https://www.alicetobob.com

You can check out the source code https://github.com/hellonoam/cryptopad though I should probably update the readme with more info.

delanoOP13y ago

Nice, I hadn't seen that one yet either. I love the testimonial, "Finally I can share what really happened".

By the way, I'm getting a warning about your SSL cert in Chrome. Firefox was fine though but it could be b/c of an inconsistent server configuration:

https://www.ssllabs.com/ssltest/analyze.html?d=https%3A%2F%2...

hellonoam13y ago

hmm that's a little strange. Haven't had this problem before. I'll look into it - Thanks.

jstalin13y ago· 2 in thread

I also like Zerobin, which encrypts in the browser so no cleartext is saved on the server:

http://sebsauvage.net/paste/

Of course, it's not SSL, but the source is available online and you could create your own implementation using SSL (as I have).

delanoOP13y ago

Thanks, I hadn't seen that one yet. There are issues with javascript crypto[1] which is why we didn't go in that direction.

[1] http://matasano.com/articles/javascript-cryptography/

chacham1513y ago

2 more replies

jdludlow13y ago· 1 in thread

So, thanks.

delanoOP13y ago

Yeah, that's the idea. There are cases where it's preferable to use a third-party service but it's also good to be paranoid. Now we can serve both sides.

dalore13y ago· 1 in thread

What if a spammer used this? You send out spam emails with a one time link in it (per recipent). The recipient views the spam link sees the spam content and either (a) purchases or (b) spam reports

If they spam report the report tries to view the link but sees it is no longer there.

delanoOP13y ago

It's certainly possible but there are solutions to mitigate that style usage. Spam is only profitable in bulk so they'd constantly be hitting our limiters which won't really make it worthwhile.

Also the content in the secrets in served as plain text so that diminishes the quality of the payload too (the recipient would have to copy & paste the URI).

Edit: by the way, Mandatum, not sure why from your few comments but you're hellbanned so they come up dead.

cllns13y ago· 1 in thread

You might want to put the description at the top of that post, and in the README on github.

delanoOP13y ago

Thanks for pointing that out. I updated the blog post with a brief description and added the what and why to the readme.

zefhous13y ago· 1 in thread

I like https://www.thismessagewillselfdestruct.com

Also available at https://tmwsd.ws

delanoOP13y ago

Yeah, that one is great. If I hadn't built https://onetimesecret.com/ that's the one I'd use.

Ixiaus13y ago· 1 in thread

Why is it so hard for people to set up GPG?! Installs even have contextual menus to encrypt text for a given person!!

I use contextual GPG for pastebin all the time.

delanoOP13y ago

Setting up GPG isn't hard but it's also not always the right tool for the job.

tonetheman13y ago· 1 in thread

heh I too did one of these. http://encrypticate.com

Yours looks really nice.

delanoOP13y ago

Thanks, hadn't seen that one yet. Looks good. You just need an SSL cert.

If you google "SSL cert" and click Godaddy's ad, you can get one for $13/year (instead of $50+). Namecheap has good deals too.

delanoOP13y ago

We launched just over a year ago (http://news.ycombinator.com/item?id=3207489) and we finally made good on our intension to release it as open source.

Thanks for all the feedback so far; it's made a big a difference for us. Not just with features and bugs but with motivation too.

We have a special free plan for people coming from Hacker News:

https://onetimesecret.com/

andrewcooke13y ago

toddnessa13y ago

It is amazing the ideas out there. A one time use URL... Why didn't I think of that! With the code open source, this should catch on.

j / k navigate · click thread line to collapse