Show HN: DropLock – E2EE secret sharing web app with no backend
5 hours ago
- #Secret Sharing
- #Key Management
- #Browser Security
- Creates a public/private key pair in the browser: the public key goes into the lock box link, while the private key is stored as a non-extractable key in the same browser profile, so it cannot be exported and the secret can only be opened in that profile.
- Derives an AES-GCM key via HKDF-SHA-256 from the receiver's public key and a one-time key, encrypts ("locks") the secret locally, and places the result in the link's URL fragment, which the browser does not send to the web server.
- Has no key-fingerprint check, so a lock box link replaced in transit would go unnoticed; the author recommends verifying lock box links over a second channel, or exchanging them over a trusted channel.
- Has not yet been reviewed by a security expert; the author flags this as a potential risk and advises caution in use.