This project is intended to provide a simple mechanism for privately sharing small blobs of text (e.g. links). All encryption, decryption, key generation, and key sharing happen entirely on the client, ensuring the service is unable to decrypt any of the shared content. A two-factor scheme is employed to separate the capability of retrieving the encrypted message and the capability of decrypting the message.
- Sender: One who wants to send a secret
- Receiver: One who wants to receive a secret
- Service: The HTTP service/website
- Client: The software running (presumably in a web browser) local to the Sender or Receiver
- Payload: The content shared by Sender with Receiver
- Message: An encrypted Payload, Sender name, Receiver email or SMS, etc. stored by Service
- Id: An identifier used by Sender, Receiver, and Service to refer to a Message
- Nonce: A secret shared by Service with Receiver
- Message Link: A URL containing Id and Nonce that is a capability for retrieving a Message
- Passphrase: A shared secret between Sender and Receiver, unknown to Service, that allows decrypting the Message Payload
- Passphrase Link: A URL containing Id and Passphrase (as a fragment) to be used for decrypting a Message
- Sender specifies their name in Client
- Sender specifies intended Receiver in Client
- Sender specifies Payload to share in Client
- Sender Client generates Passphrase and encrypts Payload
- Sender submits create Message request to Service
- Service returns Message Id to Sender
- Service sends Message Link (Id + Nonce) to Receiver via email or SMS
- Sender shares Passphrase Link (Id + Passphrase) from Client with Receiver via different channel (e.g. email, SMS, chat)
- Receiver receives email or SMS from Service with Message Link, clicks Message Link
- Receiver Client sends request to Service to retrieve Message by Id and Nonce
- Receiver receives chat message directly from Sender with Passphrase Link, clicks Passphrase Link
- Receiver Client decrypts encrypted Payload and displays to Receiver
- AWS DynamoDB for all persistence
- AWS Lambda is used for execution of the service code
- AWS API Gateway is used for routing HTTP requests to Lambda
- AWS CloudWatch Logs is used for logging from Lambda
- AWS Route53 is used for registering the basicshare.io domain
- AWS Certificate Manager is used for issuing SSL certificates
- AWS SES for sending emails
  - Used "Rule Sets" for Incoming Email along with email verification and "Domains" to allow sending from notify@basicshare.io
- reCAPTCHA to protect send API from abuse
- Client-side encryption/decryption via sjcl
- URL Fragments to share passwords as links without being sent to the server
- React via Create React App for front end
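
The flow above (client-side encryption, then a Passphrase Link whose fragment carries the Passphrase) can be sketched as follows. This is an added example, not BasicShare's own code: Node's built-in `crypto` (scrypt + AES-256-GCM) stands in for sjcl, and `WEB_BASE`, the `/m/<Id>` link shape, and the blob layout are assumptions.

```javascript
// Added example, not BasicShare's code. Node's crypto (scrypt + AES-256-GCM)
// stands in for sjcl; WEB_BASE and the /m/<Id> link shape are assumptions.
const nodeCrypto = require('node:crypto');
const WEB_BASE = 'https://web.example'; // placeholder origin

// Sender Client: generate the Passphrase and encrypt the Payload locally.
function senderEncrypt(payload) {
  const passphrase = nodeCrypto.randomBytes(16).toString('base64url');
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12);
  const key = nodeCrypto.scryptSync(passphrase, salt, 32);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(payload, 'utf8'), cipher.final()]);
  // Only this blob is submitted to the Service; the Passphrase never is.
  const blob = [salt, iv, cipher.getAuthTag(), ct]
    .map((b) => b.toString('base64url')).join('.');
  return { passphrase, blob };
}

// Passphrase Link: Id in the path, Passphrase in the fragment.
function passphraseLink(id, passphrase) {
  return `${WEB_BASE}/m/${id}#${passphrase}`;
}

// The part of a link a browser sends in the HTTP request: no fragment.
function requestTarget(link) {
  const u = new URL(link);
  return u.origin + u.pathname + u.search;
}

// Receiver Client: read the Passphrase from the fragment and decrypt the
// blob retrieved via the Message Link. A wrong Passphrase fails the GCM tag.
function receiverDecrypt(link, blob) {
  const passphrase = new URL(link).hash.slice(1);
  const [salt, iv, tag, ct] = blob.split('.')
    .map((s) => Buffer.from(s, 'base64url'));
  const key = nodeCrypto.scryptSync(passphrase, salt, 32);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, iv);
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}
```
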

```sh
# Run the request tests against a local server (MODE=moto)
cd service
source env/bin/activate
env FLASK_DEBUG=true API_KEY=dummy RECAPTCHA_SECRET_KEY=dummy RECAPTCHA_OVERRIDE=dummy python server.py &
env RECAPTCHA_OVERRIDE=dummy API_KEY=dummy EMAIL=dummy@dummy SMS=+10000000000 URL_BASE=http://localhost:5000 MODE=moto pytest test/test_requests.py
```

```sh
# Run the request tests against the deployed API (MODE=lambda)
cd service
env RECAPTCHA_OVERRIDE=<override key> API_KEY=<api key> EMAIL=<email> SMS=<sms> URL_BASE=https://api.basicshare.io MODE=lambda pytest test/test_requests.py
```

```sh
# Run the service locally
cd service
source env/bin/activate
env FLASK_DEBUG=true API_KEY=dummy RECAPTCHA_SECRET_KEY=dummy RECAPTCHA_OVERRIDE=dummy python server.py
```

```sh
# Run the web front end locally against the local service
cd web
env REACT_APP_DEBUG=true REACT_APP_API_URL=http://localhost:5000 REACT_APP_API_KEY=dummy yarn start
```

```sh
# Build the service package
cd service
make
# Upload lambda.zip to Lambda
```

```sh
# Build the web front end
cd web
env REACT_APP_DEBUG=false REACT_APP_API_URL=https://api.basicshare.io REACT_APP_API_KEY=<api key> yarn build
cd build
# Upload contents of build/ directory to S3 bucket
# (variables are quoted so the aws and realpath arguments are not word-split)
for f in $(find . -type f | tac); do aws --profile basicshare_web_s3 s3 cp "$f" "s3://basicshare-web/$(realpath --relative-to=. "$f")"; done
```