Cryptpad: a free/open, end-to-end encrypted, zero-knowledge shared text editor


Originally published at:


What a strange world where security by obscurity is a known fail but security by url obscurity makes some sense.


The secret encryption key is stored in the URL fragment identifier which is never sent to the server but is available to javascript so by sharing the URL, you give authorization to others who want to participate.

As long as the communication channel used to share the URL is safe and the browser is well behaving, the document is safe. No obscurity here.


But it makes man in the middle attacks trivial. And it is normal to proxy http.


Just like anything HTTP-based, no less, no more. In order to capture to fragment identifier, the attacker must serve a page with a script that will retrieve it and sent it somewhere.


Presumably, you’d set this up over HTTPS, which would protect the URL itself, and use an encrypted channel to communicate the URL (and fragment identifier). I think my preferred way would be gpg-encrypted email (or even just a gpg encrypted attachment) to collaborators containing the URL to use, and go from there.


I’d use OTR XMPP to share the URL. Or Signal with an encrypted tunnel. is there any review or trusted source saying this is what it says it is?



This topic was automatically closed after 5 days. New replies are no longer allowed.