this post was submitted on 05 Nov 2024
129 points (98.5% liked)

Open Source

31560 readers
617 users here now

All about open source! Feel free to ask questions, and share news, and interesting stuff!

Useful Links

Rules

Related Communities

Community icon from opensource.org, but we are not affiliated with them.

founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] peregus 8 points 1 month ago (25 children)

Send lets you share files with end-to-end encryption

How is this possible if the only thing that is shared between sender and receiver is just a link (that is provided by the website)?

How can we trust https://send.vis.ee/? Who are they?

[–] [email protected] 5 points 1 month ago (15 children)

@peregus @dl007

Wiki End-to-end encryption:
> The messages are encrypted by the sender but the third party does not have a means to decrypt them, and stores them encrypted. The recipients retrieve the encrypted data and decrypt it themselves. Because no third parties can decipher the data being communicated or stored, for example, companies that provide end-to-end encryption are unable to hand over texts of their customers' messages to the authorities.

You don't have to trust the server.

[–] peregus 1 points 1 month ago* (last edited 1 month ago) (1 children)

The recipients retrieve the encrypted data and decrypt it themselves

Ok, but how can the recipient decrypt it if he doesn't have the key? The only thing that's shared is the URL and if the key is in the URL, well, I don't know what's the use for it since the server knows it.

[–] [email protected] 1 points 1 month ago (1 children)

@peregus Apparently some of your assumptions must be incorrect

[–] peregus 1 points 1 month ago (1 children)

Do you mind sharing with us what's incorrect? I'm here to learn.

[–] [email protected] 1 points 1 month ago (1 children)

@peregus It's explained in other threads here. The key is in the url but behind # and that part is invisible to the server. protocol://host:port/path?query#fragment, server will only see ..?query, so both participants can decrypt, but server can't => E2EE

[–] peregus 1 points 1 month ago (1 children)

But it's the server that creates the URL in the first place, so it must knows it, right? ...or wrong?

[–] [email protected] 2 points 1 month ago (1 children)

@peregus No that would be created by javascript in the sender's browser.

[–] peregus 1 points 1 month ago (1 children)

Oh, ok, now I get it. So it could be checked by a third party if that code is really created by the browser and if it's not sent to the server, correct?

[–] [email protected] 1 points 1 month ago (1 children)
[–] peregus 1 points 1 month ago (1 children)

@[email protected] but the owner of the server could change it, could it be checked directly on the webpage of the service? Not that I will do it (I can't, I can't read that code), I'm just curious.

[–] [email protected] 3 points 1 month ago (1 children)

@peregus yes, well the javascript on the site is minified, but I found this place even in the minified code. At this level it would be easier to take the source code and compile your own, host your own instance, then you know exactly what code is running there. And their minified code could be directly compared with your minified code... the beauty of open-source software.

[–] peregus 2 points 1 month ago (1 children)

@[email protected] Thanks a lot for your time explaining that to me!

[–] [email protected] 2 points 1 month ago

@peregus You're welcome, stay curious!

load more comments (13 replies)
load more comments (22 replies)