{"id":18090830,"url":"https://github.com/klml/msgsplit","last_synced_at":"2025-09-04T00:14:15.434Z","repository":{"id":139145662,"uuid":"210668843","full_name":"klml/msgsplit","owner":"klml","description":"message split allowes you to send messages (passwords etc.) to another person without having the message decrypted on the server or in the email.","archived":false,"fork":false,"pushed_at":"2025-06-20T08:21:24.000Z","size":91,"stargazers_count":3,"open_issues_count":5,"forks_count":1,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-06-20T09:28:53.198Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/klml.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2019-09-24T18:14:20.000Z","updated_at":"2025-06-20T08:21:27.000Z","dependencies_parsed_at":null,"dependency_job_id":"2086a999-d160-4cc8-a2d3-5c6d1576c89a","html_url":"https://github.com/klml/msgsplit","commit_stats":null,"previous_names":[],"tags_count":3,"template":false,"template_full_name":null,"purl":"pkg:github/klml/msgsplit","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/klml%2Fmsgsplit","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/klml%2Fmsgsplit/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/klml%2Fmsgsplit/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/klml%2Fmsgsplit/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/klml","download_url":"https://codeload.github.com/klml/msgsplit/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/klml%2Fmsgsplit/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":273530418,"owners_count":25121993,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-09-03T02:00:09.631Z","response_time":76,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-10-31T18:08:06.009Z","updated_at":"2025-09-04T00:14:15.409Z","avatar_url":"https://github.com/klml.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# message split\n\nThis is _experimental_.\n\nmessage split allows you to send messages (passwords etc.) to another person without having the message decrypted on the server or in the email.\n\n## Workflow\n\n* msgsplit encrypts the message with a [one-time-pad](https://en.wikipedia.org/wiki/One-time_pad) in Alices browser into a _ciphertext_ and _cryptographic-key_\n* sends the _ciphertext_ to the server\n  * the server stores the _ciphertext_ in a prefixed environment variable.\n  * returns the _storage-key_ to Alice\n* Alices browser creates a hyperlink with the _storage-key_ as URL-query (''?'') and the _cryptographic-key_ as URL-Fragment (''#'')\n* Alices sends this link via email or messenger to Bob\n* Bob opens the Link \n* Bobs browser requests the _ciphertext_ with the _storage-key_ from server\n  * the server reads the _ciphertext_\n  * the server deletes the _ciphertext_\n  * now the server returns the _ciphertext_ to Bobs Browser\n* Bob decrypts the the message with _ciphertext_ from the server and the _cryptographic-key_ from the URL-Fragment.\n\n\n## security\n\nThere are several __security concerns__: \n\n* The link get caught on his way, the offender could steal your message. \n* If the server is compromised: \n  * the stored cipher is useless, but you could manipulate the javascript.\n  * if ciphers don't get deleted and the offender gets your mail, your message is disclosed   \n* The browser [generates](https://github.com/klml/msgsplit/blob/master/static/msgsplit.js#L6) the key for the message, if your browsers [Crypto.getRandomValues()](https://developer.mozilla.org/en-US/docs/Web/API/Crypto/getRandomValues) is compromised, everything is worthless.\n* Only the transmitted message is encrypted. The receiver is not authenticated. The first one who receives the link, has the message.\n* brutforce all ciphertexts (`for i in {1..99999999999} ; do curl -s -X POST http://msg.exmple.net:8080/writeread --form \"key=$1\" ; done ;`): a ciphertext is still useless without the cryptographic-key.\n\n## persistent storage\n\nToo be sure all ciphertexts stay out of every backup, log or any other datatrace, msgsplit needs the weakest persistent storage.\nThere should be no external dependency filesystemmounts, database or object store.\n\nSo msgsplit uses environment variables to \"store\" ciphertexts.\nThis is at the expense of usability: msgsplits data does __not__ survive a reboot.\n\n\n## disclaimer\n\nOnly transmit messages that can get disclosed (inital passwords, etc).\nDo not use msgsplit for current used passwords.\nIf the hyperlink gets stolen, this message is disclosed.\n\n\n## Build\n\ngolang\u003e1.20 is required\n\n```\nCGO_ENABLED=0 go build ./msgsplit.go\n```\n\n## Run\n\n```\n./msgsplit.go\n```\n\nAlternative:\nUse plain image `ghcr.io/klml/msgsplit:main` or with [msgsplit-kubernetes](https://github.com/klml/msgsplit-kubernetes).\n\n\n## demo\n\nWorking demo, you can use it, but there is no safety guarantee!\n\n[msgsplit.klml.de](https://msgsplit.klml.de)\n\nHostet on [uberspace.de](https://uberspace.de) with [supervisord](https://manual.uberspace.de/daemons-supervisord.html) as [web backend](https://manual.uberspace.de/web-backends.html), static files (index.html, css, js) as default apache and [access log is disabled](https://manual.uberspace.de/web-logs).\n\n```\n\n[msgsplit@erinome ~]$ cat ~/etc/services.d/msgsplit.ini \n[program:msgsplit]\ncommand=/home/msgsplit/msgsplit/msgsplit\nautostart=yes\nautorestart=yes\n# `startsecs` is set by Uberspace monitoring team, to prevent a broken service from looping\nstartsecs=30\n[msgsplit@erinome ~]$ supervisorctl status\nmsgsplit                         RUNNING   pid 7138, uptime 0:09:34\n[msgsplit@erinome ~]$ uberspace web backend list\n/writeread http:8080 =\u003e OK, listening: PID 7138, /home/msgsplit/msgsplit/msgsplit\n/ apache (default)\n\n[msgsplit@erinome ~]$ uberspace web log access status\naccess log is disabled\n```\n\n## better \n\nThere are better ways:\n\n* [ots.private.coffee](https://ots.private.coffee/) uses also a hash parameter and an expiration date.\n* [yopass](https://github.com/jhaals/yopass) \n* [horuspass.com/send](https://horuspass.com/send) uses also a hash parameter, an expiration date, but depends on `workers.cloudflare.com`.\n* [pwpush.com](https://pwpush.com/) Passwords automatically expire after a certain number of views and/or time has passed. Track who, what and when. But more complex.\n* [privatebin.info](https://privatebin.info) is a minimalist, open source online pastebin where the server has zero knowledge of pasted data. But [requires](https://github.com/PrivateBin/PrivateBin/blob/master/INSTALL.md#minimal-requirements) a database.\n* and always [openpgp.org](https://www.openpgp.org)\n\n\n## Similar\n\n* windmemo.com was a service to send messages you [could read only once](https://www.sebastian-kraus.com/windmemo-nur-der-erste-kann-es-lesen/).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fklml%2Fmsgsplit","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fklml%2Fmsgsplit","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fklml%2Fmsgsplit/lists"}