Hacker News new | past | comments | ask | show | jobs | submit login

Privacy and security here are being commingled under the banner of AES encryption at rest, which is apparently disabled by default.

I always wonder, if your marketing pitch involves security features, but those features are off by default, aren't you technically pitching your lack of security?




Encryption at rest is disabled by default because many users do not want to keep track of all of their encryption keys, which are not stored by Horizon when that setting is enabled.

There are also other security features, like end-to-end encryption for pastes, but like mentioned before, not everyone wants to lose the ability to preview their content in the dashboard.

By giving the user a choice, I can cater to both crowds: one that prefers convenience, vs the other which prefers the most security.

Edit: To clarify, all files are already encrypted at rest with a key I control. But with Encryption enabled (capital E to distinguish the feature name), it is encrypted again with a key Horizon won't store.


Have you done an Independent security review of these features? What's your CRS score? Do you have CVE fix SLA in place? All these features are good if this was. 2000 website but a single vulnerability in any one of the vendors of your tech stack will compromise your users


Server side encryption is handled using the Go standard library. A more detailed breakdown of the process can be found in the Help Center. TLDR: It's reputable, and best practices are followed through cryptographically secure generation, random IV, high entropy keys, memory hard hashing, etc.

Paste end to end encryption uses the native window crypto subtle API, widely used and reputable.


Coming from cyber security one thing I have learnt is no matter how many layers of security you add nothing is fool proof, I would strongly recommend doing an Independent review getting if not an international certification like ISO or GDPR then something domestic, I like what Mozilla does https://www.mozilla.org/en-US/security/advisories/, this really will enforce trust in your users as today it's really hard to trust websites


Clear and concise. Well done. Impressive for a 17 year old.


And if $company controls the keys.. what happens once funding dries up? Yeah.. nothing personal but we've seen it previously.

In the meantime, OP and Co. could create an open standard for image hosting, and have a lasting impact on the order of S3. Wouldn't that be something?

Here's to hoping.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: