A service to share secrets securely
I built a simple program to share sensitive data securely
In the last few months I've been working on a service, which helps to share data securely. The service called sekret.link.
I wanted to practice Golang and Angular and it was a good candidate for that.
Imagine that a new colleague joined to the company, there are bunch of things she will need to have access, like WiFi, database, internal site or whatever. You know the password or you generate the password and you will need to send it to her on Slack or e-mail. You can send it as a simple message, but that will mean that Slack or her e-mail provider can read the information. What is worse that then this information won't be deleted automatically. If someone breaks into her account now can discover these secret informations and the company will be in a pretty bad situation.
The service what I created tries to help on these issues. You send the sensitive information to the service and it will store it encrypted. It returns an URL which can be used to decrypt the information. After the secret has been read it also destroyed and there is no way to restore it.
No one else will have access to the decryption key. It isn't saved, it isn't logged can not be guessed. The web client (which is visible at https://sekret.link) is even encrypting the data before sending it, so the unencrypted data never left your browser.
As the main purpose of the application is to protect privacy and keep secret hidden from unauthorized third parties I made it as secure as possible:
- The decryption key is random and long enough to be secure
- The decryption key is only known by the user who created the secret
- No external scripts included to the site
- No tracking scripts included to the site, it's not tracking even internally
- It doesn't use any cookies
- Both the frontend application and the server code are Open Source
- It has an API, so if you don't trust in the frontend application you can create your own
There were (are) several challenges I needed to solve. I wanted to make it secure as possible, as usable as possible and as developer friendly as possible.
The very first version had no UI, and I only wanted to be able to use it with
curl. For example
curl -d 'secret message' https://sekret.link/api/ will
return the link what you can send to your friend right away. However, it's
simple and good, already has one issue: many applications, like Slack and other
services fetches the pasted URLs to create some kind of preview. It means two
very bad things: this application will read the secret will also be destroyed,
so the real recipient will not be able to read it. That's why I needed to
create the frontend application.
Footnote: the idea is not new, there are several other services like that, for example Privnote, what I used before I created this service.