'We currently use the AES encryption algorithm combined with strong password hashing to ensure your data is secure as possible.'
They don't mention cipher mode, hash algorithm, hash tuning parameters, or if they are even using authentication of some form alongside the encryption.
Complete transparency in terms of crypto ensures you aren't holding a steaming pile of shit if the service becomes popular and it is found that you were using ECB and SHA1.
Seems to work but I was surprised to see the "Uploading" message. For me to trust it with secret files I'd at least want it to work locally with nothing being sent to the server.
Even if it did it in-browser and didn't show you an upload message, you still need to trust the JavaScript that gets downloaded when you load the page. It could upload behind your back. Or, it could embed your password in the image, encrypted with a known key.
You MUST trust the software you feed your unencrypted data to. And if that software is downloaded each time from the web, it's rather hard to do.
To all the naysayers: You're right that you have no reason to trust ANY online tool or channel with your secret documents. Open source is best, etc. But, this crypto tool is more about hiding data than securing it. So, for instance, maybe you don't care if this site "steals" your resume as long as your boss doesn't see it. So, relying on their encryption works for that. Still, if you want to keep secrets from everybody, just encrypt your files before hiding them with this. Either way, pixelator is still a viable (and kind of fun) tool to use.
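An added example, not part of the thread and not pixelator's code: encrypting a file locally before handing it to any hosted tool, with the details asked about above (cipher mode, KDF, tuning parameters, authentication) written into the output. It runs under Node.js; the names `seal`/`unseal`, the envelope layout and the parameter values are this example's own assumptions.

```javascript
const nodeCrypto = require('node:crypto');

// Every choice a reviewer would ask about is explicit and travels with the ciphertext.
// These values are this example's assumptions, not those of any service.
const PARAMS = { cipher: 'aes-256-gcm', kdf: 'scrypt', N: 2 ** 15, r: 8, p: 1, saltLen: 16, ivLen: 12 };

function deriveKey(password, salt, { N, r, p }) {
  // scrypt needs about 128*N*r bytes (32 MiB here), so raise Node's default memory cap.
  return nodeCrypto.scryptSync(password, salt, 32, { N, r, p, maxmem: 64 * 1024 * 1024 });
}

// Layout: len(2) | JSON header | salt | iv | tag(16) | ciphertext
function seal(password, plaintext) {
  const salt = nodeCrypto.randomBytes(PARAMS.saltLen);
  const iv = nodeCrypto.randomBytes(PARAMS.ivLen); // fresh per message; never reuse with a key
  const header = Buffer.from(JSON.stringify(PARAMS));
  const cipher = nodeCrypto.createCipheriv(PARAMS.cipher, deriveKey(password, salt, PARAMS), iv);
  cipher.setAAD(header); // the header is authenticated, so parameters cannot be swapped silently
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  const len = Buffer.alloc(2);
  len.writeUInt16BE(header.length);
  return Buffer.concat([len, header, salt, iv, cipher.getAuthTag(), ct]);
}

function unseal(password, blob) {
  const hLen = blob.readUInt16BE(0);
  const header = blob.subarray(2, 2 + hLen);
  const h = JSON.parse(header.toString());
  // Refuse anything other than the documented scheme, and cap the work factor,
  // because the header is only authenticated after the key has been derived.
  if (h.cipher !== PARAMS.cipher || h.kdf !== PARAMS.kdf || h.N > 2 ** 17) {
    throw new Error('unsupported parameters');
  }
  let off = 2 + hLen;
  const salt = blob.subarray(off, (off += h.saltLen));
  const iv = blob.subarray(off, (off += h.ivLen));
  const tag = blob.subarray(off, (off += 16));
  const d = nodeCrypto.createDecipheriv(h.cipher, deriveKey(password, salt, h), iv);
  d.setAAD(header);
  d.setAuthTag(tag);
  // final() throws if the header, tag or ciphertext was altered or the password is wrong.
  return Buffer.concat([d.update(blob.subarray(off)), d.final()]);
}
```

Only the sealed buffer would be given to the hosted tool; the password and plaintext stay on the local machine.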
So there are two ways I can see how they did this encoding, either way they still store some data on their side. It would be useful as an offline app for sure.
Everlag|10 years ago
tagawa|10 years ago
deathanatos|10 years ago
flashman|10 years ago
jones1618|10 years ago
empressplay|10 years ago
That said, it looks like it does it all client-side (but I'm not 100% sure -- could we get a confirmation on that?)
recoleta|10 years ago
A search for steganography on GitHub led to projects like darkjpeg that are open-source.
https://github.com/yndi/darkjpeg
oxplot|10 years ago
[1]: http://steghide.sourceforge.net/
grumblestumble|10 years ago
alanmorph|10 years ago