Show HN: Online journal that encrypts entries with a cipher

45 points by dylanbfox about 10 years ago

10 comments

dylanbfox about 10 years ago
Author here. This was a weekend project I've been working on. It's very much in beta.

I'm using SJCL (https://crypto.stanford.edu/sjcl/) and CryptoJS (https://code.google.com/p/crypto-js/) for client-side encryption, and Python's Cryptography library (https://cryptography.io/en/latest/) for back-end encryption.

Would love some feedback. Since it's in beta, signups are limited but you can use "hackernews500" as an early access code to sign up now if you want to check it out.

Thanks!

EDIT (PS - It's not mobile friendly yet, so you'll probably run into some UI issues on mobile devices)
bcg1 about 10 years ago
I'm not being negative or sarcastic, but what is the purpose of this?

If I was concerned about secrecy or privacy, why is this better than just using some regular encryption tools and some "cloud drive" or whateveryoumightcallit?

I appreciate that this is a weekend project (and by the way it looks nice) so I'm not trying to beat it up, but it's a big leap from a project for scratching your own itch to inviting others to give you their sensitive data (encrypted or not) with a promise of security.

At the very least you might want to publish a terms of service and privacy policy. A warrant canary might be nice as well.

PS - I have a spectacular ability to make an ass of myself, so if my criticisms come off as rude or are unwarranted, I truly apologize.
tptacek about 10 years ago
I'll let someone else rant about browser Javascript encryption (it serves essentially no security purpose), but instead just comment to say that "AES-256 in CBC mode" is not a confidence-inspiring description of a cryptosystem.

Have you published the Javascript code you used for this anywhere? Can we see it? I was going to peek at it, but would apparently need to register for the site to do that.

You might consider hoisting your SJCL crypto code out of the DOM and sticking it in a Chrome extension.
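A bare "AES-256 in CBC mode" description says nothing about how the ciphertext is authenticated. The following is an added example, not part of the thread or the project's code, and reading the comment this way is an assumption; it uses Node's built-in `crypto` module with a constructed key and entry text to compare unauthenticated CBC with an authenticated mode (GCM) when a stored record is altered.

```javascript
// Added example: CBC without a MAC accepts an altered record; GCM rejects it.
// The key, IVs and journal text are constructed sample data.
const crypto = require("node:crypto");

const key = crypto.randomBytes(32);

// CBC with no MAC: nothing authenticates the IV or the ciphertext.
function cbcEncrypt(plaintext) {
  const iv = crypto.randomBytes(16);
  const c = crypto.createCipheriv("aes-256-cbc", key, iv);
  return { iv, ct: Buffer.concat([c.update(plaintext, "utf8"), c.final()]) };
}
function cbcDecrypt({ iv, ct }) {
  const d = crypto.createDecipheriv("aes-256-cbc", key, iv);
  return Buffer.concat([d.update(ct), d.final()]).toString("utf8");
}

// GCM: the tag covers the ciphertext, so any change makes final() throw.
function gcmEncrypt(plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv("aes-256-gcm", key, iv);
  const ct = Buffer.concat([c.update(plaintext, "utf8"), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}
function gcmDecrypt({ iv, ct, tag }) {
  const d = crypto.createDecipheriv("aes-256-gcm", key, iv);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]).toString("utf8");
}

// Models a record changed in storage or in transit: one flipped bit.
function flipBit(buf, index) {
  const out = Buffer.from(buf);
  out[index] ^= 0x01;
  return out;
}

function demo() {
  const entry = "Dear diary, today was fine.";
  const cbc = cbcEncrypt(entry);
  // CBC decrypts the altered record without any error.
  const cbcResult = cbcDecrypt({ iv: flipBit(cbc.iv, 5), ct: cbc.ct });
  const gcm = gcmEncrypt(entry);
  let gcmRejected = false;
  try { gcmDecrypt({ ...gcm, ct: flipBit(gcm.ct, 5) }); } catch { gcmRejected = true; }
  return { entry, cbcResult, gcmRejected };
}
console.log(demo());
```

The CBC path returns a silently changed entry, while the GCM path fails closed, which is the property a reader of the stored journal needs.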
franciscop about 10 years ago
Hello, I created some time ago http://secretdiary.org/ [now deleted]. It was basically the same idea but implemented server-side since that was what I wanted to learn at the moment, using the encryption MCRYPT_RIJNDAEL_256 from PHP [1]

I think that the double encryption is not needed, but since I am not an expert (just an enthusiast) I dug into it in the past and the experts and enthusiasts say the same [2][3]

I just re-bought the name so that no one could buy it when I made it public. If you want it, I have no problem in giving it for free since it reminds me a lot of my project and I think the name could be more suitable and you *are* indeed much more advanced than my project ever was and actively developing it (:

[1] https://github.com/FranciscoP/secretdiary

[2] http://security.stackexchange.com/a/32260/9161

[3] http://www.reddit.com/r/crypto/comments/1nhi4m/why_encrypting_twice_is_not_much_better/
sasas about 10 years ago
Obligatory disclaimer: "Javascript Cryptography Considered Harmful"

http://matasano.com/articles/javascript-cryptography/
iamleppert about 10 years ago
This is cool, but all that it takes to break down the fancy encryption is for the government/law enforcement to take it over and add some tiny js in the page.

If you really need to be secure, never trust a third party.
desireco42 about 10 years ago
I can't see myself using this for a journal, simply having a USB or some other way is preferable if I need privacy. However, this has potential as a very nice solution for encrypting entries of any kind. Some kind of secure evernote. Anyhow, if you decide to further develop, I think this can grow into a very interesting solution.
wepple about 10 years ago
Just curious, why the double encryption? If I trust the client-side encryption (that's a whole other discussion) then the server-side is redundant. If I don't trust the client-side encryption, I'm entrusting all my security to your second round of encryption (and, you).
sbriggman about 10 years ago
Very cool project! Would be interesting if you did something along the lines of Facebook - asking a user to recognize a photo of friends after they connect their Facebook account as an alternate encryption method. My bank also allows the upload of an image, which you need to choose and it's paired with the password.
Dewie about 10 years ago
I'd rather keep any personal journal/diary offline.

Even if Web technology was trustworthy in itself, I'd have to learn about exactly what is safe to do in a browser, if I trust the website itself and if I trust the person/entity/company behind the website. That is a *lot* of things to learn and be wary of for just being able to write a diary online.

A personal diary is the most private and uncensored thing that I could write. I would never consider adding any more complexity to the question of "is this really for my eyes only?".

It might be fine for something like a technical journal though.