1

We don't have an internal Gist for fast sharing snippets and logs extracts with co workers.

Is it safe to use this web service?

quote from GitHub site:

CryptPad is private, not anonymous. Privacy protects your data, anonymity protects you. As such, it is possible for a collaborator on the pad to include some silly/ugly/nasty things in a CryptPad such as an image which reveals your IP address when your browser automatically loads it or a script which plays Rick Astleys's greatest hits. It is possible for anyone who does not have the key to be able to change anything in the pad or add anything, even the server, however the clients will notice this because the content hashes in ChainPad will fail to validate.

The server does have a certain power, it can send you evil javascript which does the wrong thing (leaks the key or the data back to the server or to someone else). This is however an active attack which makes it detectable. The NSA really hates doing these because they might get caught and laughed at and humiliated in front of the whole world (again). If you're making the NSA mad enough for them to use an active attack against you, Great Success Highfive, now take the battery out of your computer before it spawns Agent Smith.

Still there are other low-lives in the world so using CryptPad over HTTPS is probably a good idea.

Sybil
  • 1,435
  • 2
  • 15
  • 29

2 Answers2

4

Disclosure: I'm a developer of CryptPad.

The answer to your question is based on how much assurance you need. The idea of CryptPad is to be verifiably ethical, we can prove that we are not doing mass data collection because if we were, somebody would catch us eventually. Therefore we are verifiably better than almost every other service available because with CryptPad, you are not blindly uploading your data and trusting us never to go in the database and read it.

We cannot (at this point) prove that we are not going to leak your data, if for some reason we were very interested in you, we could conceivably take the risk of being caught serving evil javascript in order to get access to your data.

tl;dr it is better than virtually any cloud server available but not better than hosting on your own infrastructure. However if you do choose to host something on your own infrastructure, you may still want to use a Zero Knowledge solution such as CryptPad unless you really trust your system administrators.

Caleb James DeLisle
  • 56
  • 2
2

If you install CryptPad for yourself it is probably safe. If you use an existing public service you have no control over the Javascript which is used to handle the unencrypted data in the local browser which means that you have to fully trust the providers of this service that they have no malicious intent and that nobody is able to hack their server and change the Javascript.

Steffen Ullrich
  • 184,332
  • 29
  • 363
  • 424