🆕 Software Suggestion | Hat.sh #1056
Reference: privacyguides/privacytools.io#1056
Basic Information
Name: Hat.sh
Category: File Encryption - (AES-256)
URL: https://github.com/sh-dv/hat.sh or https://hat.sh
Description
hat.sh is a JavaScript app that provides secure file encryption using the AES-256-GCM algorithm in your browser.
It's fast, secure and serverless; the app never uploads the files to the server.
In a small amount of code the app can encrypt any type of file of any size within seconds.
Free and available in browser + Windows/Mac/Linux.
Hey @sh-dv, just wondering why you closed the previous issue?
@nitrohorse yes, sure, it's my first time opening an issue on GitHub and apparently I didn't know what I was doing. Sorry.
Question, is there anything preventing the admins of Hat.sh from inserting backdoored JavaScript when loading the webpage?
1. The app site is served statically directly from the GitHub repository (sync).
2. The app is not linked to any 3rd-party sites or scripts; it runs only on the bundled JS file (source and requirements are seen in the repo).
3. There is no connection to any network or server by any means; nothing is logged, nothing is saved, even in localStorage or cookies; we don't even run an analytics script.
4. There is no server-side language in the app; everything runs locally.
5. Everything can be checked from the developer tools.
6. My love and respect for privacy and crypto prevents me from doing such things.
Thank you for your question.
My point is, if you were to turn bad and tried to backdoor it, could you give specific users bad versions when they visit your website?
No.
I've tested it out and it works pretty smoothly; also, using Wireshark, it seems like no communication is made with their web server once the webpage is loaded, which indicates everything does really stay inside the browser. I propose adding it as worth mentioning under the file encryption section.
It doesn't work with Tor Browser with safest security (meaning no JS); JS is needed to make this operation work. Well, JS services are the worst for security.
Suggestion: (if there is no way to get rid of JS)
Libre your JS on the website by using these instructions:
https://www.fsf.org/campaigns/freejs
Otherwise, sorry, but your service doesn't add anything new to security.
Tntbombom, while I appreciate that you think of the Tor Browser users among us, you should note that there are people with much lower threat models, and easy-to-use web-based tools like these could really help them out.
It's not about me, it's about JS. Allowing JS services into userspace is not real ideal security.
Like I said, if there is no way but to use JS, OK, fine, but use open source libraries (same as what invidio.us has done).
Every line of JS code in the app is open source.
The app itself: https://github.com/sh-dv/hat.sh
Password strength estimation: https://github.com/dropbox/zxcvbn
Layout and design UI: Bootstrap and Font Awesome (icons)
In this page:
https://hat.sh/bundle.js
is it either proprietary or unlicensed? Can you check?
BTW, you can check your website's JS easily using the LibreJS extension.
After completing the process (whether removing, replacing or checking the license of the used JS), list all JS used on the website with their licenses, e.g. the same as Invidious has done:
https://invidio.us/licenses
By finishing this your website respects users' privacy :). Thx!
Thank you.
The bundle.js file is the file that contains all the JavaScript code put in one file, which is required in the app.js file in the top lines:
All these 5 are bundled in one JS file called "bundle.js",
and I did as you said and listed them here: https://hat.sh/licenses.html
Thanks.
I agree; I think this would be good to include. It works well, has good documentation, and can be used offline which is really helpful.
Thank you! Although you have done all the needed processes, one thing remains, which is that AES-GCM is not ultimately secure if someone just blindly uses it; it has flaws like the use of weak keys (GMAC) and needs uniqueness of the IV.... Thus it needs to be operated correctly.
Ref:
Note: This is just a side note, not sure if there are any improvements to be added.