When it comes to sharing sensitive information online you will sooner or later come across onetimesecret.com. In fact, One-Time Secret ranks #1 for many Google search queries related to sharing secrets online. According to their website over 50,000 secrets a month are being shared via the platform. And just for context, as of 2021, the site has been up and running for over a decade. Sounds great, right? Yes, but there is a catch.
Screenshot from 2011 via Archive.org
Now, for many years the site has been my go-to tool whenever I had to send a password to a coworker. But then, one day, I decided to create my own version of such a tool. (For context, there is a blog post that describes in detail why I created scrt.link.)
A Great Source of Inspiration
When you visit onetimesecret.com for the first time, it becomes obvious that the creators don't intend to follow web design trends. And I mean this in a positive way: The website is, above all, practical - it offers a simple interface to help you do one specific thing: create one-time secrets. It's an unpretentious, fast and responsive website without overhead, distraction or ads. It's clearly a project run by idealists not incentivized by selling out its users. To me, it is also a reminder that the web is (still) a great place.
The One Big Caveat
Now, after digging into the topic of secure disposable messaging and analyzing the website from a security perspective, I came to notice one big flaw: Messages are not end-to-end encrypted.
As you can see in the screenshot, a secret is sent in plain text to the server. That doesn't mean everybody on the network can just eavesdrop on your message: the connection is still secured with HTTPS. But this fact opens the door for potential vulnerabilities.
What it means is that the back end (server) receives your secret in plain text - in other words, as a user you have to trust the service 100%. And even if you do, a successful attack on the server may still compromise your confidential data. (It is noteworthy that One-Time Secret doesn't hide that fact.)
Time for Change
I believe that no one, including the service provider, should be trusted when it comes to handling personal secrets. That's why we created our service not only 100% open source, but also in a way that minimizes potential risk. We use end-to-end encryption, where a secret gets encrypted and decrypted in the browser (where you have full access to the code that runs the website).
You will notice in the screenshot that the secret is already encrypted before it gets posted to the server. (You can check for yourself: just open the network tab in the DevTools and check out the POST request to the API.)
To be transparent, scrt.link is only one among many tools that can be used as alternatives to One-Time Secret. Some of them have similar security features. Try for yourself.