Self Destructing Notes

About secrets.mikej.tech

This is an open source self-destructing notes website. Each note is destroyed after it is read for the first time, all information is hidden from the server, and every note automatically expires 21 days after being created.

Security

All notes are encrypted in the browser using AES in CBC mode with a 256 bit SHA HMAC key. A SHA-256 fingerprint is then created from the id and passphrase combination, and the encrypted message and fingerprint are sent to the server. When a note is requested, the server will only return the encrypted note if both the id and fingerprint match. Before the note is sent to the browser, the encrypted message is overwritten with random information and then deleted. After the deletion, the note is sent, decrypted in the browser, and displayed.

One time view

Every note is destroyed from the filesystem before it is sent to the browser. If the note is ever requested again, this site will return a 404 Not Found error.

Expiration

To ensure safety, each note is tagged with an expiration date when the server saves it. After the expiration, the note is destroyed and is no longer available to view.

The expiration is currently set to 21 days.
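The flow described in the Security, One time view and Expiration sections above, as an added Node.js sketch that is not this site's own code (the site runs CryptoJS in the browser). The `id:passphrase` concatenation, the scrypt key derivation, the blob layout and returning 404 on a fingerprint mismatch are assumptions; the on-disk overwrite step is not modelled.

```javascript
const crypto = require('crypto');
const TTL_MS = 21 * 24 * 60 * 60 * 1000; // 21-day expiration stated on the page

// Client: SHA-256 fingerprint over id and passphrase (concatenation format is assumed).
function fingerprint(id, passphrase) {
  return crypto.createHash('sha256').update(id + ':' + passphrase).digest('hex');
}
// Client: separate AES and HMAC keys from the passphrase (scrypt is an assumption).
function deriveKeys(passphrase, id) {
  const okm = crypto.scryptSync(passphrase, id, 64);
  return { encKey: okm.subarray(0, 32), macKey: okm.subarray(32) };
}
function encryptNote(id, passphrase, plaintext) {
  const { encKey, macKey } = deriveKeys(passphrase, id);
  const iv = crypto.randomBytes(16);
  const c = crypto.createCipheriv('aes-256-cbc', encKey, iv);
  const ct = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  const tag = crypto.createHmac('sha256', macKey).update(iv).update(ct).digest();
  return Buffer.concat([iv, tag, ct]).toString('base64'); // iv | tag | ciphertext
}
function decryptNote(id, passphrase, blob) {
  const raw = Buffer.from(blob, 'base64');
  const iv = raw.subarray(0, 16), tag = raw.subarray(16, 48), ct = raw.subarray(48);
  const { encKey, macKey } = deriveKeys(passphrase, id);
  const expected = crypto.createHmac('sha256', macKey).update(iv).update(ct).digest();
  if (!crypto.timingSafeEqual(tag, expected)) throw new Error('bad MAC'); // verify before decrypting
  const d = crypto.createDecipheriv('aes-256-cbc', encKey, iv);
  return Buffer.concat([d.update(ct), d.final()]).toString('utf8');
}

// Server: holds only id, fingerprint, ciphertext and expiry, never the passphrase.
const store = new Map();
function saveNote(id, fp, blob, now = Date.now()) {
  store.set(id, { fp, blob, expires: now + TTL_MS });
}
function fetchNote(id, fp, now = Date.now()) {
  const rec = store.get(id);
  if (!rec) return { status: 404 };
  if (now > rec.expires) { store.delete(id); return { status: 404 }; }
  const a = Buffer.from(rec.fp, 'hex'), b = Buffer.from(String(fp), 'hex');
  if (a.length !== b.length || !crypto.timingSafeEqual(a, b)) return { status: 404 };
  store.delete(id); // destroy before the note leaves the server
  return { status: 200, blob: rec.blob };
}
```

The fingerprint comparison is constant-time, and the note is removed from the store before the response is built, so a second request for the same id finds nothing.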

URL

Since each note needs a key to decrypt it, when a note uses a generated key, that key is provided as a hash value (the part after the #) in the URL. A hash value is never sent to the server and remains only in the browser, so the server never has enough information to decrypt the note.

Why a fingerprint?

A SHA256 fingerprint is used because, as of right now, the only way to get the values out of a SHA256 hash is to already know them or to brute force every combination until you find one that works. The server uses the fingerprint to ensure that you have all the correct information before it sends the encrypted message, which slows down an attacker and protects the message.

This site sends a cookie

To keep the plug and play functionality of the framework that manages the database for this service, the site sets a PHPSESSID cookie. To ensure privacy, the cookie is also set to expire immediately so it is never sent back to the server in following requests.

Are there backdoors?

Not in the default source code. Make sure you trust the server, or check the checksum values in the HTML head against the ones in the source code to make sure none of the external resources have been modified.


Additionally, you should check the HTML code to make sure there are no <script> tags with any JavaScript written inside them. There should only be 4: CryptoJS, lz-string, qrcode, and the main script.