Show HN: Online journal that encrypts entries with a cipher

45 points by dylanbfox about 10 years ago

10 comments

dylanbfox about 10 years ago
Author here. This was a weekend project I've been working on. It's very much in beta.

I'm using SJCL (https://crypto.stanford.edu/sjcl/) and CryptoJS (https://code.google.com/p/crypto-js/) for client-side encryption, and Python's Cryptography library (https://cryptography.io/en/latest/) for back-end encryption.

Would love some feedback. Since it's in beta, signups are limited but you can use "hackernews500" as an early access code to sign up now if you want to check it out.

Thanks!

EDIT (PS - It's not mobile friendly yet, so you'll probably run into some UI issues on mobile devices)
bcg1 about 10 years ago
I'm not being negative or sarcastic, but what is the purpose of this?

If I was concerned about secrecy or privacy, why is this better than just using some regular encryption tools and some "cloud drive" or whateveryoumightcallit?

I appreciate that this is a weekend project (and by the way it looks nice) so I'm not trying to beat it up, but it's a big leap from a project for scratching your own itch to inviting others to give you their sensitive data (encrypted or not) with a promise of security.

At the very least you might want to publish a terms of service and privacy policy. A warrant canary might be nice as well.

PS - I have a spectacular ability to make an ass of myself, so if my criticisms come off as rude or are unwarranted, I truly apologize.
tptacek about 10 years ago
I'll let someone else rant about browser Javascript encryption (it serves essentially no security purpose), but instead just comment to say that "AES-256 in CBC mode" is not a confidence-inspiring description of a cryptosystem.

Have you published the Javascript code you used for this anywhere? Can we see it? I was going to peek at it, but would apparently need to register for the site to do that.

You might consider hoisting your SJCL crypto code out of the DOM and sticking it in a Chrome extension.
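Added example, not part of the thread and not the project's code (the site's actual construction is not shown on this page): the label "AES-256 in CBC mode" says nothing about whether stored ciphertext is authenticated, and this sketch shows what that omission means for a journal record. It uses Node's built-in crypto module rather than SJCL or CryptoJS; the key, the entry text and all function names are constructed for illustration.

```javascript
const crypto = require('crypto');

// Constructed sample data: a random AES-256 key and a made-up journal entry.
const key = crypto.randomBytes(32);
const ENTRY = 'owe Bob $100 for rent';

// AES-256-CBC with no MAC: the stored record is only IV + ciphertext.
function cbcEncrypt(plaintext) {
  const iv = crypto.randomBytes(16);
  const c = crypto.createCipheriv('aes-256-cbc', key, iv);
  return { iv, ct: Buffer.concat([c.update(plaintext, 'utf8'), c.final()]) };
}
function cbcDecrypt({ iv, ct }) {
  const d = crypto.createDecipheriv('aes-256-cbc', key, iv);
  return Buffer.concat([d.update(ct), d.final()]).toString('utf8');
}

// AES-256-GCM: the record also carries an authentication tag over the ciphertext.
function gcmEncrypt(plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}
function gcmDecrypt({ iv, ct, tag }) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, iv);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]).toString('utf8'); // throws on tag mismatch
}

// Model a stored record that was changed by someone who does not hold the key.
function alterStoredIv(record, index, mask) {
  const iv = Buffer.from(record.iv); // copy, leave the original untouched
  iv[index] ^= mask;
  return { ...record, iv };
}

function compareModes() {
  const mask = 0x31 ^ 0x39; // '1' XOR '9', applied at offset 9 of the first block
  const cbcResult = cbcDecrypt(alterStoredIv(cbcEncrypt(ENTRY), 9, mask));
  let gcmResult;
  try {
    gcmResult = gcmDecrypt(alterStoredIv(gcmEncrypt(ENTRY), 9, mask));
  } catch (err) {
    gcmResult = 'rejected';
  }
  return { cbcResult, gcmResult };
}

console.log(compareModes());
```

The CBC record decrypts cleanly to a different entry, while the GCM record fails its tag check; a CBC design needs a separate MAC over IV and ciphertext to get the same rejection.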
franciscop about 10 years ago
Hello, I created some time ago http://secretdiary.org/ [now deleted]. It was basically the same idea but implemented server-side since that was what I wanted to learn at the moment, using the encryption MCRYPT_RIJNDAEL_256 from PHP [1].

I think that the double encryption is not needed, but since I am not an expert (just an enthusiast) I dug into it in the past and the experts and enthusiasts say the same [2][3].

I just re-bought the name so that no one could buy it when I made it public. If you want it, I have no problem in giving it for free since it reminds me a lot of my project and I think the name could be more suitable and you are indeed much more advanced than my project ever was and actively developing it (:

[1] https://github.com/FranciscoP/secretdiary

[2] http://security.stackexchange.com/a/32260/9161

[3] http://www.reddit.com/r/crypto/comments/1nhi4m/why_encrypting_twice_is_not_much_better/
sasas about 10 years ago
Obligatory disclaimer: "Javascript Cryptography Considered Harmful"

http://matasano.com/articles/javascript-cryptography/
iamleppert about 10 years ago
This is cool, but all that it takes to break down the fancy encryption is for the government/law enforcement to take it over and add some tiny js in the page.

If you really need to be secure, never trust a third party.
desireco42 about 10 years ago
I can't see myself using this for a journal, simply having a USB or some other way is preferable if I need privacy. However, this has potential as a very nice solution for encrypting entries of any kind. Some kind of secure Evernote. Anyhow, if you decide to further develop, I think this can grow into a very interesting solution.
wepple about 10 years ago
Just curious, why the double encryption? If I trust the client-side encryption (that's a whole other discussion) then the server-side is redundant. If I don't trust the client-side encryption, I'm entrusting all my security to your second round of encryption (and, you).
sbriggman about 10 years ago
Very cool project! Would be interesting if you did something along the lines of Facebook - asking a user to recognize a photo of friends after they connect their Facebook account as an alternate encryption method. My bank also allows the upload of an image, which you need to choose and it's paired with the password.
Dewie about 10 years ago
I'd rather keep any personal journal/diary offline.

Even if Web technology was trustworthy in itself, I'd have to learn about exactly what is safe to do in a browser, if I trust the website itself and if I trust the person/entity/company behind the website. That is a lot of things to learn and be wary of for just being able to write a diary online.

A personal diary is the most private and uncensored thing that I could write. I would never consider adding any more complexity to the question of "is this really for my eyes only?".

It might be fine for something like a technical journal though.