Hacker News new | past | comments | ask | show | jobs | submit login

> 2) They add their secret and share the URL Retriever generates.

How do you prevent the URL from becoming something which needs to be kept secret?




The private keys are in the requester's browser. So if anyone gets a hold of the URL, they'll see nothing.

For example, here's a secret I just put into Retriever. Are you able to see it? https://retriever.corgea.io/#eyJhbGciOiJSU0EtT0FFUC0yNTYiLCJ...


This is essentially client side TLS, which browsers cut because the ux was bad? Only now you can backdoor/mitm/typosquat a website, rather than attack the major browsers or the os?

And as I understand it, there's no way to verify you're talking to the right person, so sharing a secret via signal is strictly better?


Share the URLs via Signal, then you have a validated identity, and the secret won't pop up in your notifications or be retained in your chat history.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: