Do you need to trust this tool?
No. Click and read some code yourself.
We use your browser's crypto API to encrypt your secrets before we send the ciphertext to the backend. Do you trust your browser? Well… that's another question. But at least you can inspect the code before you type anything into the text area above.
Notes for nerds
- This is one single HTML page. All code is here and unminified.
- Check the browser inspector to see that only a single legit network request is made by this page.
- Be aware that the hash part of a URL is not submitted to the server by the browser when you request a web page. It contains the ID and the encryption key (like https://secrets.renuo.ch/try#<ID>:<secret>). The ID is used to query the correct record from the backend. The encryption key stays on your machine.
- Theoretically we could show the consumer of the secret a custom-tailored web page to steal the secret part of the URL. To avoid this risk, you can split the generated link at the colon. If a secret link is opened without the second part after the colon attached, we show a password input field. In that case, the receiver can inspect the page's source code before entering the secret encryption key.
- You actually have to trust us with the expiry feature. We could simply keep the ciphertext forever.
- You can run your own backend. Find the source of this page on GitHub.
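
The link handling described in the notes above, as an added example (not this tool's own code): it separates the part of a link that the browser transmits from the part that stays local, and splits a link at the colon. It assumes the first colon separates ID from key; the host, ID and key are constructed sample values.

```javascript
// Added example. Assumes the link layout described above: <page URL>#<ID>:<key>.
// The host, ID and key below are constructed sample values.

// Separate what the browser transmits from what stays on the client.
function parseSecretLink(link) {
  const url = new URL(link);
  const fragment = url.hash.replace(/^#/, "");
  // Assumption: the first colon separates ID from key.
  const colon = fragment.indexOf(":");
  const id = colon === -1 ? fragment : fragment.slice(0, colon);
  const key = colon === -1 ? "" : fragment.slice(colon + 1);
  if (id === "") throw new Error("no record ID in the URL fragment");
  url.hash = ""; // the page request never carries the fragment
  return {
    pageRequest: url.href,
    id,
    key: key === "" ? null : key,
    needsKeyPrompt: key === "", // receiver types the key into a form instead
  };
}

// Split a full link at the colon so the two halves can travel separately.
function splitLink(link) {
  const { pageRequest, id, key } = parseSecretLink(link);
  if (key === null) throw new Error("link carries no key to split off");
  return { linkWithoutKey: `${pageRequest}#${id}`, key };
}

const full = "https://secrets.example/try#sample-id-123:sample-key-abc";
const halves = splitLink(full);
console.log(parseSecretLink(full));
console.log(halves, parseSecretLink(halves.linkWithoutKey));
```

A link with the key removed, with or without a trailing colon, parses with `needsKeyPrompt` set, which corresponds to the password input field case.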