Encrypted One Time Secret Sharing App – A Tozny Labs Project

Introducing the Tozny Encrypted One Time Secret Sharing App. It encrypts a secret in your browser, gives you a link to share it (with an optional password), and decrypts it in the browser of whoever you send it to. It also deletes the secret after a set number of reads.

The Options

At some point you will want to share private information with someone which you would prefer that no one else could see. That information could be social security numbers, secret family recipes, passwords to production databases, or shared company twitter passwords. The choices on how to send this data falls into one of three categories, two you are probably familiar with and a third that you might not know exists.

  • Option 1: An insecure service that “everyone” has, such as email, Slack, or text message.
  • Option 2: A more secure service that requires signup and coordination
  • Option 3: A simple web service that securely encrypts your one time secret, requires no signup, and can never decrypt your data server-side.

The second option is really great if you regularly share secrets with the same person and you both already use the service. But when you just need your grandmother to send that super secret brisket recipe – you know, the one you love, the one she stores in the saltine tin behind the bag of flour. Getting her to set up Keybase, or Signal is a real lift for a one-off transaction. Especially for less-technically inclined people, it is unreasonable to expect everyone to be a security expert. 

On the other hand, Option 1 is the normal pattern of communication that make sense to pretty much everyone but doesn’t offer security guarantees. Unfortunately, on corporate accounts all your emails can be read, deleting emails doesn’t always mean truly deleting, and email service providers don’t make any promises about employees having access to your emails. Additionally, sending email from an https connection doesn’t mean that the plain text isn’t making unencrypted hops across untrusted servers. With email, you can go through the process to setup s/MIME encryption to give some peace of mind, but then you are moving to Option 2 with more configuration and overhead.

secret sharing

I eventually did go with Option 1 and convinced my grandmother to email me her brisket recipe, but that was definitely a risk. In case any email snooper was able to compromise this exchange, I really hope their brisket came out tough and dry! However, I really just wanted a simple, secure solution that even my grandmother could easily use and trust.

The best solution would be something that has high security, is easy to use, and requires no setup. Tozny’s development documentation and SDKs make it easy for developers to create secure applications, but this isn’t currently an out of the box solution for the one-off use case.

That is why we are introducing an Option 3, the Tozny end-to-end encrypted one time secret sharing webapp, a free service for easily sharing messages you don’t want prying eyes to see.

The Encrypted One Time Secret App

The simple service interface allows users to create and securely share messages with just a few steps.

  1. Enter the message to share and set the maximum number of times it can be read.
  2. Press ENCRYPT to encrypt the message in your browser and get a sharing link for the recipient to use.
  3. The recipient follows the link, which decrypts the message in their browser, and sees the message displayed.

That’s it! Try it here.

After it’s viewed the maximum number of times, the encrypted message gets deleted from our servers and can’t be retrieved anymore. It really is that simple! 

For folks who are inherently trustful, go ahead and use it, and don’t worry too much about how it works. (#trustus) For everyone else, you might have some questions.

  • Why is sending my message to your service any better, can’t Tozny staff be the nosy ones and just snoop on it? 
  • When I click ENCRYPT, the link it returns has the password in it, isn’t that a bad idea?
    • The password never leaves the browser. In order to make your life easier, we take advantage of a browser/URL feature called fragment identifiers to embed the password. Everything after the # symbol is reserved for local processing only and is not sent to the server. But we also make it easy to get the password separately if you don’t trust browsers or want to send the password out of band for extra security. Just click the “Show Separate Link and Password” button and enter it when prompted before loading the message.
  • Is encryption in the browser secure?
    • Yes. Some security professionals worry that the nature of dynamic code on the web reduces the security. However, browser crypto has come a long way and the libSodium crypto library is supported in all the major browsers. End-to-end encryption makes your data drastically more secure and supporting that in the browser means more people can rely on strong encryption for privacy.

Simple and Secure Sharing

Since we launched the end-to-end encrypted web app our office has enthusiastically switched to using one time messages for sharing our secrets, and we think that you will really like it for your use cases as well. Try it out and let us know what you think!

And if you’re interested in learning more about Tozny’s platform and capabilities, check out the developers docs mentioned above, or sign-up for a free account and try it out for yourself.

P.S. If you are interested in the brisket recipe, the first 10 opens can find it here. https://share.labs.tozny.com/view/df59776b-a921-4e1e-beff-8f0c52f5a3be#sigSalt=G7kfWHiqd3a-ekBKaBAdFL0s-MV2SucH&encSalt=oHH9jylMl_fr8Z5cjGhB-IC7KOSrRmek&password=ffHsvsyzxuLb4SYEC3pnVfRVfnPslOJ745RbKFxxpPU