Sending someone secure data is a real hassle. If they don't have GPG, or some such tool, then what do you do? Send a user name in one email. password in another most likely.
This isn't great.
That email sits on a server forever! If their email is EVER compromised, then so is your data.
Here we follow a couple basic steps:
- Dead Drops are only stored for 24 hours, then they are deleted.
- We can not decrypt your data, we simply don't have the password.
- We do not log your I.P.–we log the visit for load calculations, but nothing ABOUT you.
- We don't do encryption–we leave that to the clever people at Cripto-JS.
- We Err on the side of safety–if an incorrect password is entered, or if anything else goes wrong we delete the data. This is not a locker service.
So, is this safe?
The possible security issues depend on what form of communication you're using, ie: text message, email, carrier pigeon, etc.
The issues are:
- someone gets the url/password before the intended recipient.
- If their email is compromised, and someone is monitoring it, well your out of luck.
- you text the info, and someone else has the recipients phone.
If these are deal breakers, you're probably a spy
of some sort, and thus shouldn't be using anonymous services on the internet.
The security of the encryption used is handled by the Symmetric Encryption engine developed at Stanford.
"Crypto-JS is secure. It uses the industry-standard AES algorithm at 128, 192 or 256 bits; the SHA256 hash
function; the HMAC authentication code; the PBKDF2 password strengthener;
and the CCM and OCB authenticated-encryption modes."
Technologies in Use
CodeIgniter Framework 3.1.5