Why should I trust you with my secrets? #13
Starting this to answer some of the most commonly asked questions around how we ensure your secrets are secure with us.
Replies: 1 comment
Secrets created using the ots new command (as well as the web version at https://ots.sniptt.com) are what we refer to as "one-time secrets". Once they are retrieved by the recipient, they can no longer be viewed even if someone got hold of the URL. Furthermore, each one-time secret gets automatically deleted after a specified duration if not viewed. By default, this is 24 hours but you can change this as required, for example ots new -x 2h.
It goes without saying that URL-accessible one-time secrets should be shared with intended recipients only.
Implementation details
Client-side
All secrets are encrypted end-to-end, which means the plaintext values never leave your device. We do not log, track, share, or store the encryption key that protects your secret. You can check the client code to learn more about how we create the encryption key as well as what data is being sent to our servers. The following happens when a new secret is created:
Source: https://news.ycombinator.com/item?id=28119386
Server-side
We are considering making the server and infrastructure repos public in the foreseeable future - most likely once we've agreed on and implemented some sort of self-hosted option(s). As it stands, the API is rather simple (it creates items with TTL and upon retrieval deletes them in a single transaction), so please let us know whether there is anything specific you'd like us to cover in the comments below.
Useful reading
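The server-side behaviour described in the reply above (items created with a TTL, then read and deleted in a single transaction) can be sketched as follows. This is an added example, not the project's server code, which the reply says is not public. The names Store, Create, Retrieve and ErrGone are hypothetical, and an in-memory map guarded by a mutex stands in for the database transaction.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"time"
)

// ErrGone is returned for unknown, expired and already-viewed ids alike.
var ErrGone = errors.New("secret not found")

type item struct {
	ciphertext []byte // encrypted on the client; no key ever reaches the store
	expires    time.Time
}

// Store is a hypothetical in-memory stand-in for the server-side item table.
type Store struct {
	mu    sync.Mutex
	items map[string]item
}

func NewStore() *Store { return &Store{items: make(map[string]item)} }

// Create saves ciphertext under id with a time-to-live.
func (s *Store) Create(id string, ciphertext []byte, ttl time.Duration) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.items[id] = item{ciphertext: ciphertext, expires: time.Now().Add(ttl)}
}

// Retrieve reads and deletes under one lock (standing in for the single
// transaction), so concurrent requests cannot both get the ciphertext.
func (s *Store) Retrieve(id string) ([]byte, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	it, ok := s.items[id]
	delete(s.items, id) // no-op for unknown ids; expired items are purged too
	if !ok || !time.Now().Before(it.expires) {
		return nil, ErrGone
	}
	return it.ciphertext, nil
}

func main() {
	s := NewStore()
	s.Create("demo-id", []byte("constructed ciphertext"), 24*time.Hour)
	_, first := s.Retrieve("demo-id")
	_, second := s.Retrieve("demo-id")
	fmt.Println(first, second)
}
```

If the read and the delete were separate steps, two requests arriving together could both read the item before either deleted it, which is the case the single transaction rules out.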