科技回声
A tech news platform built on Next.js, providing global tech news and discussion content.

© 2025 科技回声. All rights reserved.

Show HN: I made a free, ad-free and open source tool for sharing private notes

124 points, by gigamick, over 3 years ago

21 comments

rakoo, over 3 years ago

From the about page:

> However [alternatives'] pages are laden with ads, have a poor UI, and you can't know for sure if they really are actually encrypting / deleting anything.

There has been a private zero-knowledge pastebin for years: zerobin, forked into privatebin now (https://zerobin.net/). In fact the original is almost 10 years old but hasn't displayed a single ad, has been open source the whole time, has had time to iron out a lot of bugs and has a better UX than this: it doesn't need cookies to work.

In terms of security, zerobin encrypts/decrypts everything in the browser. The server has no knowledge of the content. In contrast, burnernote receives the content _and_ the password in cleartext and encrypts/hashes them.

Unfortunately, as long as there's a server you will have to trust it. In both cases you have to rely on something other than code and HTTPS to know if your content actually remains private or not.

jinseokim, over 3 years ago

First of all, this is a cool idea. I always love to see something private and encrypted. But I found some concerns and ideas about your project (and I think you may be able to fix these):

0. This has an XSS vulnerability. If an attacker writes down this memo: <script>do_the_evil_things()</script> and passes it to people, they might be unknowingly attacked (get tracked by the attacker via their IP/browser fingerprint, mine cryptocurrencies for the attacker, etc...).

1. This basically works under server-side encryption. When a user types their text in the website, it is encrypted with the secret key in your config file and saved in the database. This is only effective when the attacker only succeeds in cracking the database. Also, you can read the text. I know you won't, but you know, cryptographers don't trust anyone. If you want to mitigate this, you might want to learn about end-to-end encryption. In short: the hash of the private link is the secret key. The browser randomly generates the key and encrypts/decrypts the text. The server only receives/saves the ciphertext.

2. AES-256-CBC is unsafe because it provides confidentiality and not authenticity.[1] This means an attacker who can only crack the database can edit the ciphertext to pseudo-arbitrary plaintext under certain circumstances without knowledge of the key. Also, under other circumstances, an attacker can use a 'padding oracle attack' to recover the ciphertext. It seems your service is not in this case: Laravel's encryption is AES-256-CBC + MAC, which mitigates this problem. So this is safe, but next time, if you write some crypto-related things without Laravel, you'd better use a high-level library such as libsodium or sjcl.

3. This service uses CloudFlare. Using CloudFlare might be safe on a small project because they have a rock-solid WAF to prevent general attacks. But it may be unsafe for a whistleblower from the NSA: when it matters with state-sponsored attackers or law enforcement, CloudFlare can be attacked/warranted. Then it becomes another attack vector.

Again, your service and idea are cool. But you should remember that this area is full of land mines, dragons, and dinosaurs with laser guns.

Welcome to the privacy/crypto world!

[1]: https://arxumpathsecurity.com/blog/2019/10/16/cbc-mode-is-malleable-dont-trust-it-for-authentication

mmh0000, over 3 years ago

FYI if I post 1MB of data it explodes and dumps a full stack trace. May not be something you want exposed.

    SQLSTATE[22001]: String data, right truncated: 1406 Data too long for column 'note' at row 1 (SQL: insert into `notes` (`note`, `password`, `user_id`, `token`, `updated_at`, `created_at`) values ...SNIP...

AnonC, over 3 years ago

> On clicking the link and opening your note, it is deleted instantly and completely from our database. Gone forever.

I worry about using such services when it comes to sending the note links over email or chat platforms, where the messaging platform may crawl the link and have the content destroyed before the human user has had a chance to see it. Has anyone encountered this on other secret sharing platforms? Using a password that's not part of the link would prevent that from happening, but I see that it's optional in this solution.

28uwedj, over 3 years ago

DO NOT USE THIS SITE:

1. Create a note with the contents <script>alert(1);</script>

2. Go to the link

3. This site is a massive security flaw.

rntksi, over 3 years ago

Nice gigamick.

This has a problem though: when you paste that link in a chat window (e.g. WhatsApp, Telegram, Discord, ...), the app tries to get a link preview.

This has the side effect of also expiring the note.

I think it's best to implement a feature to detect whether it's a human opening the link or a bot.

macintux, over 3 years ago

Very cool, but the FAQ doesn't address the questions people will ask: open source is fine, but what guarantee do we have that the source code matches the deployed code? Or that the deployment is done in a secure environment?

woodruffw, over 3 years ago

AES-CBC for quick and dirty encryption can be a red flag: the scheme needs to include an encrypt-then-MAC phase or it'll be vulnerable to padding oracle attacks. I tried to do a quick scan of the code[1] to determine whether it does that, but I couldn't locate it, possibly because my PHP comprehension is terrible.

[1]: https://github.com/GigaMick/burnernote

geocrasher, over 3 years ago

https://onetimesecret.com

ckpcw, over 3 years ago

Nice project, but I prefer the approach of https://privnote.com

Notes are encrypted client-side before sending, click-to-read prevents scraper burn, auto-delete after 30 days.

jmkd, over 3 years ago

Issue: Forward and back buttons allow the note to persist (at least visually).

Impact: Someone reads a private note on a shared computer; how long will it remain visible in history?

Browser: Chrome 95

charles_f, over 3 years ago

Fun, I made something very similar, but that encrypts E2E using ECDH (demo: https://drop.fev.al/ and GitHub: https://github.com/cfe84/drop)

ransom1538, over 3 years ago

I just want to say @gigamick these burn systems are powerful.

You might get divorced some day. You might have a business partner subpoena your old gmail account. ALL those emails/texts will be turned over, ALL those emails/texts will get leaked. Use something like this! Make the message burn after reading.

durch, over 3 years ago

Very zeitgeisty :), I created something similar a while ago (https://tmp.page); the idea was to have expiring web pages, with a nice API. Our FEs are quite similar, yours is nicer though :).

28uwedj, over 3 years ago

Yo, this is in "DEV" or "STAGING" mode, and made with Laravel: https://burnernote.com/create-note

28uwedj, over 3 years ago

https://burnernote.com/n/c39401e3-9e82-4c54-b65c-791820831354

I dare you.

ycuser2, over 3 years ago

Related: https://temp.pm/

derekzhouzhen, over 3 years ago

Database will have backups. For smallish text data I'd just use memory only.

amiamigo, over 3 years ago

Pretty cool. What's the tech stack for this?

privacyonsec, over 3 years ago

How do I burn the note?

adolph, over 3 years ago

Incoming CSAM.b64 in 3, 2, 1 . . .