corgea / retriever
Stars: 194, Watchers: 4, Forks: 18, Size: 273 KB

Secure secret sharing through the browser using web crypto. No server required!

Home Page: https://retriever.corgea.io

License: MIT License

JavaScript 24.70% HTML 73.04% CSS 2.26%
javascript secret-sharing security

retriever's People

Contributors

abronte, asadeddin, foamyguy, letsgitcracking, sherifnada, tabualhsan


retriever's Issues

TTL on private keys or secrets?

First, this is a lovely solution!

Curious if you've considered adding a lifetime to the secrets. Today it appears as if the originating browser can decode secrets for a while, even after closing/opening the browser.

It would be nice to have some options around the time a secret will be able to get decoded locally. Like 1 hour or 1 day.

Character limit for secrets

As I was trying to encrypt a long message (636 characters), I got an "Unable to encrypt" error message. So I wonder what's the character limit for the secret?

fails with private window

It seems the entire concept of this tool is based on an invasion of privacy.

  1. User A sends URL
  2. User B sends URL
  3. User A opens URL in private window

then:

Unable to load private key

Could not find the private key associated to the public key in the url in the browser. Make sure this is the correct browser and the url is correct. Only the requester can decrypt the secret.

So the intended receiver can't even open the message specifically made for them. It just seems like this whole concept is flawed.

Error pop-up on Firefox for Android with uBlock Origin

Thanks for this cool project!

Here's what I see on Firefox for Android with uBlock Origin:

[screenshot: IMG_20240124_224710.jpg]

The pop-up cannot be dismissed. Not sure why uBlock Origin is blocking some stuff here. It works fine if I disable the adblocker.

Readme feature claim is a little misleading

This is an interesting and clever idea for sharing secrets. Thank you for publishing it and setting up a demo instance for people to try.

In the list of features visible in the readme it says "No data is sent to a server".

However in the instance of this page hosted at https://retriever.corgea.io/ it is actually sending data to a server including "fingerprint" information about the browser viewing the page and a distinct device ID.

[screenshot]

The data in this POST request contains URL encoded JSON including: OS, Browser, browser versions, screen size, and distinct device ID.

In the code here it checks the host and initializes the mixpanel tracking (retriever/index.html, lines 22 to 24 in a89741b):

    if (window.location.host === 'retriever.corgea.io') {
      mixpanel.init('9f122514d00adff8f7d054318fb8bb45', { track_pageview: true, persistence: 'localStorage' });
    }

So it is clear that as written it will only activate for your demo instance of the tool.

I understand that this sort of tracking and analytics is common across the web, and I can see why you'd want that information for the instance of this tool that you're hosting as a demo inside of GitHub. I do not feel there is inherently anything bad or wrong about the inclusion of this functionality.

But honestly it's a little off-putting that this is occurring when the project readme states plainly "No data is sent to a server".

It would be more truthful to rephrase that feature to "Your secrets and the private keys that encrypt them are never sent to a server by retriever"

I believe it would also be best to state explicitly within the readme that the demo instance of the tool does include an analytics tracker that sends data to a server, and in the interest of transparency I believe it would be good to state explicitly what information it does collect, even if this information is routinely collected by similar web analytics and tracking utilities.
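The issue above found the tracker by watching network requests. A static check of the served HTML catches the same thing before deployment and also covers self-hosted copies, where the host gate skips `mixpanel.init` but any third-party `<script src>` still loads. The example below is added here and is not retriever's code; the sample page is constructed around the gated init shown in the issue, the CDN host is invented, and the tracker library's `<script src>` line is an assumption about how such a page loads it.

```javascript
// Added example, not retriever's code: a static audit of a page's HTML for
// third-party resource loads and analytics initialisation calls, the check
// that would flag a Mixpanel call behind a "No data is sent to a server" claim.
// The sample HTML below is constructed; the CDN host in it is invented.
const TRACKER_INITS = [
  { name: 'mixpanel', re: /mixpanel\.init\s*\(/i },
  { name: 'gtag', re: /gtag\s*\(\s*['"]config['"]/i },
  { name: 'analytics.js', re: /\bga\s*\(\s*['"]create['"]/i },
];

// Returns every host other than ownHost that the page loads a script, image,
// stylesheet or frame from, plus the analytics init calls found in inline code.
function auditExternalLoads(html, ownHost) {
  const hosts = new Set();
  const attrRe = /<(?:script|img|link|iframe)\b[^>]*?\b(?:src|href)\s*=\s*["']([^"']+)["']/gi;
  for (const m of html.matchAll(attrRe)) {
    let url;
    try { url = new URL(m[1], `https://${ownHost}/`); } catch { continue; }
    if (url.host !== ownHost) hosts.add(url.host);
  }
  const trackerInits = TRACKER_INITS.filter((t) => t.re.test(html)).map((t) => t.name);
  return { externalHosts: [...hosts].sort(), trackerInits };
}

// Constructed page modelled on the gated init shown in the issue; the tracker
// library's <script src> is an assumption about how such a page loads it.
const SAMPLE_HTML = `
<html><head>
<link rel="stylesheet" href="/css/app.css">
<script src="https://cdn.analytics.example/mixpanel.min.js"></script>
<script src="/js/retriever.js"></script>
<script>
if (window.location.host === 'retriever.corgea.io') {
  mixpanel.init('PROJECT_TOKEN', { track_pageview: true, persistence: 'localStorage' });
}
</script>
</head><body></body></html>`;
```

For the constructed sample, `auditExternalLoads(SAMPLE_HTML, 'retriever.corgea.io')` reports `cdn.analytics.example` as an external host and `mixpanel` as a tracker init. A self-hosted copy run through the same check would still show the external host, which is why a "no server" claim should be judged by the resource loads, not only by whether the init branch is taken.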
