Verifiably secure dead drop to share bitcoin addresses and other secrets \ stacker news ~bitcoin

pull down to refresh

Verifiably secure dead drop to share bitcoin addresses and other secrets

538 sats \ 8 comments \ @stacks 2 Mar bitcoin

Hi guys

I built a little tool over the weekend I often felt I was lacking. I am often in the situation where I need to share a bitcoin address (or some other confidential info) with someone or even between different devices of my own. Logging in on different accounts, using secure send features of password managers or memory sticks is always tedious (and sometimes also insecure) and I needed a service where I can share a simple link that I can type manually or share via the phone, etc.

There are a couple dead drop websites that kind of do that but they are all a bit sketchy, so I built something myself. The gist is, your data is encrypted directly in the browser client-side using a standard browser library that most modern browsers support out of the box (which is verifiable if you check the source code of the web page). Therefore you can be sure that the server never receives any data in clear text. Only the recipient of your dead drop can decrypt it by using the password that you can share with the receiving party off-band. But don't trust, verify. Check the source code and also let me know if you see some weakness there or what you would improve.

The service is free. I am hosting it on a free provider for now as well so long-term support is to be seen. ^^

You can find the service here: https://cypherhub.onrender.com/

If you find it useful, leave me a donation :)

view all related items

27 sats \ 3 replies \ @SwapMarket 20h

Host it on Github Pages with automated deployment with Github Actions. That way the source code can be verifyably trustworthy.

0 sats \ 2 replies \ @stacks OP 7h

Thanks for your feedback. However, Github Pages only allows static content as far as I know and I need a database in the background with some logic around it. Therefore, I don't see how this would add more security, right? As long as you can be sure that your secret has been correctly encrypted on the client side, it shouldn't matter that match if the storage server is trustworthy or not.

0 sats \ 0 replies \ @SwapMarket 5h

I think you could use AES encryption to generate base64 URLs from cleartext. They will be long and ugly, but reversible with a key and not requiring the database.

0 sats \ 0 replies \ @SwapMarket 5h

Yes, true, did not think about the database. Then no, it cannot be verifiably trustless. Whoever has access to the database can spy on and change the links.

27 sats \ 1 reply \ @nerd2ninja 21h

I recommend using cryptomator over relying on sandboxed remote code execution as a feature (javascript) to encrypt your stuff. Yes you can verify it, but you have to verify it every time you reload the browser.

The good news is, the code you've already written can still be adapted into an app. Just loaded locally rather than from a webserver every time you refresh the page.

As of right now, I would personally basically consider your site to be a honeypot that is trying to rely on time to relax a userbase before changing out the code one day. Nothing personal.

0 sats \ 0 replies \ @stacks OP 7h

Fair point and thanks for your feedback! I have added an option to download a HTML file that you can open and use locally. That way you can be sure that the code does not change and you are always using the correct encryption. ;) Let me know if it works for you.

10 sats \ 0 replies \ @lightcoin 4h

Have you looked at Winden? https://winden.app/s

It is based on the Magic Wormhole protocol:

https://magic-wormhole.readthedocs.io/en/latest/

0 sats \ 0 replies \ @OtamokanIshotas 22h outlawed

stackers have outlawed this. turn on wild west mode in your /settings to see outlawed content.