Browser-based file encryption tool using WebCrypto

(secvant.com)

9 points | by unixlor 11 hours ago

25 comments

  • Gigachad 10 hours ago

    Looks nice, but I just can’t imagine the use case where you care about security enough to encrypt a file, but not enough that you trust a random website with it.

    • radical_halogen 10 hours ago

      Here's the other one I know of that has some degree of trust (non browser based also available)

      https://pteo.paranoiaworks.mobi/en/

      It says it is client side. You could also download the page with what and open the html file for added assurance.

    • unixlor 10 hours ago

      I see the point, keep in mind encryption etc all runs client side. would obviously never recommend to encrypt anything sensitive or critical on a website :D

      • Gigachad 10 hours ago

        While that's all well and good, the problem is a website can update its code every time you load it. So while the user can audit nothing is being sent, they would have to do this every time they load it.

        While I think the UI is super nice here, I'd personally stick to a trusted tool from an org and project with a good reputation and long history.

        • pizzly 10 hours ago

          Could we automate the auditing of the website every time it runs?

        • unixlor 10 hours ago

          agreed, i'll see if there's a good way for me to prove when and what changed maybe by uploading to github and keeping it open source

    • unixlor 10 hours ago

      [flagged]

  • mprime1 8 hours ago

    Shared something very similar on HN a few years ago. The entire source code is about a hundred lines, which makes it easier for folks to review and trust: https://news.ycombinator.com/item?id=34083366

    https://mprimi.github.io/portable-secret/

  • asixicle 9 hours ago

    Cool project and https://secvant.com/changelog is interesting but no one will trust it without the source code-- my 2 cents the blue-on-blue dark theme makes readability difficult. Adding a light-mode toggle would be helpful for those not fond of dark text.

    • unixlor 8 hours ago

      Makes sense, i will have it on github once all features are done :) light-mode will be added soon.

  • tatersolid 6 hours ago

    Purple-gray text on a black background is totally unreadable. Text zoom being overridden as well. Can’t use product with middle-aged eyes.

  • rtyu1120 9 hours ago

    While I don't trust the website enough to upload my sensitive files the username/password generator looks very cool.

    • unixlor 9 hours ago

      Thanks, all feedback is appreciated, i'll figure out a way to allow audit etc very soon.

  • ElenaDaibunny 9 hours ago

    Having both PBKDF2 and Argon2id as options is nice, most similar tools only bother with PBKDF2.

  • bear330 10 hours ago

    maybe encrypt in localhost then send to another securely is another option? https://github.com/nuwainfo/ffl also decrypt using webcrypto

  • unixlor 9 hours ago

    Would you say this helps in any way with proving changes etc? https://secvant.com/changelog

  • kig 9 hours ago

    For fun, here's a copy-paste-into-devtools version: (async()=>{const r=await fetch(`data:text/plain;base64,H4sIAAAAAAAAE61UYW/TMBD9K5m1D7a4mbWwCiUKaGMFpA4xbQw+TNPkOZfGzLUj+7IQTfnvKGlXjQESSHzznd+9d753soqd00nZOE3Gu6Tm4t4iJZgXXjcrdCR1QEU4tzhEnBlXN8REhpK6GnNWGosMUHqnK+WWmKuREfPXIxHlKEmFJZIckPFy/yozJd8hEZCa4LIBpHLVKkMJSRWC6o6assTABbjcYZtcGEevDocLrgSYvA5+VRNnc0cYklrF2PpQpEyMxOYxsc5b4wrfSh26mryMzQ1ZhDDyfsbvNHfaF4OWxPHEjQC76UZLs6p9oAV2nAXVMgjATo8Wx++mDHYmcMkKDOYOF9ixKwExo9CNb/a5k9EajXwfJjMB3TaezODFVEC7TQxRvdXb8vF7p1aYbtWispR6MIRBDT7FdIIHUKlYpez8w+He9GDGerCwKTucn++9f/uRgUW3pCqdHsz6h47HSQz9Fo9kxyR/Wm3u0q6HGlqRxadOFAK0d9FblNYvOXtnLCax0RpjLBtru2TDisUOE71WpCu+Evc/FR2vIcPilcpYLGRyGrxGLIxbJq2hKkH3AJFSMjG6uptv7FwinSlX+NUXZRuM/EmPk5kQUP0LuPxLK3b/gxWblw1WLLeym+TvrKh6KMEJaJ5asRQZ/8WfF9NnjbzpCE9GXSFkROK7sC8gjsdqXM31uRm2sh9Ge51d5yQHcYmuiF8NVZwNXTHxZpN/2Oy9lyJdp56tEaM387GRI+tv+GW8gvvhk0iZqmtr9Div514T0l6kgGrFegGLP341iolsIauAZX5xdrK5/XTzDTVdnJ3wuYCFLHzrrFdFfg0Lqa3Rt1zAgA54528foddEogd8gPVZzcUPElYnqAAFAAA=`),d=r.body.pipeThrough(new DecompressionStream('gzip')),t=await new Response(d).text();eval(t);})();

    • lifthrasiir 9 hours ago

      I wouldn't recommend to paste a completely opaque script though. ;-) For the reference, the uncompressed code is not that big either:

      async function p(){let e=document.createElement("input");e.type="file",e.onchange=async e=>{let t=e.target.files[0];if(!t)return;let a=await t.arrayBuffer(),n=new Uint8Array(a),i=prompt("Enter password:");if(!i)return;let c=window.crypto.subtle,r=new TextEncoder().encode(i),l=await c.importKey("raw",r,"PBKDF2",!1,["deriveKey"]),s;try{let o=n.slice(0,16),y=n.slice(16,32),w=n.slice(32),p=await c.deriveKey({name:"PBKDF2",salt:o,iterations:1e5,hash:"SHA-256"},l,{name:"AES-GCM",length:256},!1,["decrypt"]),d=await c.decrypt({name:"AES-GCM",iv:y},p,w);s=new Uint8Array(d),console.log("File successfully decrypted!")}catch(m){console.log("Decryption failed. Proceeding with encryption...");let $=crypto.getRandomValues(new Uint8Array(16)),h=crypto.getRandomValues(new Uint8Array(16)),f=await c.deriveKey({name:"PBKDF2",salt:$,iterations:1e5,hash:"SHA-256"},l,{name:"AES-GCM",length:256},!1,["encrypt"]),g=await c.encrypt({name:"AES-GCM",iv:h},f,n),u=new Uint8Array(g);(s=new Uint8Array(32+u.byteLength)).set($,0),s.set(h,16),s.set(u,32)}let _;_=t.name.endsWith(".enc")?t.name.slice(0,-4):t.name+".enc";let E=new Blob([s],{type:"application/octet-stream"}),K=document.createElement("a");K.href=URL.createObjectURL(E),K.download=_,K.click(),URL.revokeObjectURL(K.href)},e.click()};p()

  • Retr0id 10 hours ago

    Is the source code available for review?

    • unixlor 9 hours ago

      will be very soon, just completing all the features on the site first :)

  • lifthrasiir 9 hours ago

    [dead]

  • unixlor 11 hours ago

    [flagged]
