One Time Dead Drop

Need to send some data securely? Password? Love Note? Haiku? This is the place.

This is available over TOR



Ok, drop made- you need to send the message below to the person you want to pick up this drop

Hi,
I'm sending you some secure information.
Copy this url, and paste it into your web browsers location bar:
The Drop is also available over the clear Internet here:
and use the password I sent you in the other email
This will ONLY work once, so be careful with the password, and make sure to copy the data immediately.
After you pick it up, the data will self destruct and this link won't work anymore.
This link will only work for 24 hours, so please check shortly.
Thanks!

THIS IS THE PASSWORD! YOU NEED TO COPY THIS AND SEND IT TO THE PERSON AS WELL->

Retrieve a the Drop

Entering the password and clicking 'Get The Drop' WILL delete the information on the server. Ensure you have correctly copied the password.


Success

Your Dead Drop

The Problem

Sending someone secure data is a real hassle. If they don't have GPG, or some such tool, then what do you do? Send a user name in one email. password in another most likely.
This isn't great.
That email sits on a server forever! If their email is EVER compromised, then so is your data.

Here we follow a couple basic steps.
  • Dead Drops are only stored for 24 hours, then they are deleted
  • We never send your data over the wire unencrypted–we do it all via javascript in YOUR browser
  • We can not decrypt your data, we simply don't have the password
  • We do not use cookies. THE END.
  • We do not log your I.P.–we log the visit for load calculations, but nothing ABOUT you
  • We don't do encryption–we leave that to the clever people at Stanford
  • We Err on the side of safety–if an incorrect password is entered, or if anything else goes wrong we delete the data. This is not a locker service

So, is this safe?

The possible security issues depend on what form of communication you're using, ie: text message, email, carrier pigeon, etc.
The issues are
  • someone gets the url/password before the intended recipient.
  • If their email is compromised, and someone is monitoring it, well your out of luck
  • you text the info, and someone else has the recipients phone
If these are deal breakers, you're probably a spy of some sort, and thus shouldn't be using anonymous services on the internet.
The security of the encryption used is handled by the Symmetric Encryption engine developed at Stanford
"SJCL is secure. It uses the industry-standard AES algorithm at 128, 192 or 256 bits; the SHA256 hash
function; the HMAC authentication code; the PBKDF2 password strengthener;
and the CCM and OCB authenticated-encryption modes."

What if you're lying?

Well, you're a clever person, have a look at the code.

Technologies in Use

MersenneTwister implementation in javacsript
Symmetric Encryption in javascript
Jquery 1.10.2
bootstrap 3.0.0.0
A local version of the merseen script referenced above

Suggestions? Ideas?


GPG Public key for bill@bigmojo.net