/pomf/

Rate my new completely encrypted and HMAC secured Pomf Service, anons c:
pomf.download

Other urls found in this thread:

pomf.download/api/get/DlldG2FA/4ffBIlUyhP106j3t
pomf.download/a/AllgWeMU
pomf.download/a/4Fscr1ot
owasp.org/index.php/Cross-site_Scripting_(XSS)
bibinator.club/null/pomfcrypt/src/master/pomfcrypt.go#L97
bitbucket.org/alex108/erio-cabinet
github.com/mozilla/send
waifu.trade
pomf.download.
godoc.org/golang.org/x/crypto,
observatory.mozilla.org/
github.com/golang/crypto

2/10, doesn't work on mobile

stupid phoneposter

dumb phoneposter

whats the point of this

Domain name is too long. Goes in the trash.

It's 2017 where's the mobile support, lazy fuck

Stupid phone poster here, it works on Android.

pomf.download/api/get/DlldG2FA/4ffBIlUyhP106j3t

pomf.download/a/AllgWeMU

Please study basic web security if you're serious about doing something like that.

what's wrong, user?

There is nothing wrong with that.

Coming soon at the next release near you!
Encrypted file storage. Can't file abuse that quickly, because the hoster does not know anything about passwords n' stuff.

>there is nothing wrong with making a website which is vulnerable to a XSS
Are you retarded?

pomf.download/a/4Fscr1ot

dumb anime poster

a-user, i'm a bit slow. mind pointing out what exactly is happening?

Reload the page and check your console/network log.

my console is empty. what is the meaning of this?

there's a word to describe people like you that want to show off their latest meme project without getting any feedback first. It starts with an 'R' and ends with 'D'.

You might know it.

i'm not op, dumbass.

this.
I also wanna know !

owasp.org/index.php/Cross-site_Scripting_(XSS)

this isn't appearing to me. is the entire network log.

What about the link in ?

you probably want to share your cookies though? seeing as your xhr is working, it seems this needs the password to be set in the cookies, so that the filename xhr works.
post your "document.cookie" in the js console.

no, neither that link.

I see. So it's only a self-XSS then.
OP should still be sanitizing the image filenames he's using though.
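Added example, not code from the thread or from the pomfcrypt project: the usual Go fix for an unsanitized filename in the file view is to render it through html/template, which escapes by context, instead of text/template or string concatenation. The template, the ID and the filename below are constructed; the route `/api/get/` is the thread's, the struct fields are assumed.

```go
package main

import (
	"bytes"
	"html/template"
	text "text/template"
)

// Constructed file-view page; the filename is interpolated into HTML text
// and the ID into a URL path, two different escaping contexts.
const viewTmpl = `<h1>{{.Name}}</h1><a href="/api/get/{{.ID}}">download</a>`

type fileInfo struct {
	ID   string // upload identifier
	Name string // user-supplied filename, attacker-controlled
}

var (
	safeView   = template.Must(template.New("view").Parse(viewTmpl))
	unsafeView = text.Must(text.New("view").Parse(viewTmpl))
)

// RenderFileView renders the page with contextual HTML escaping: '<', '>',
// '&' and quotes in the filename come out as entities, so markup in a
// filename is shown literally instead of being interpreted by the browser.
func RenderFileView(id, name string) (string, error) {
	var buf bytes.Buffer
	err := safeView.Execute(&buf, fileInfo{ID: id, Name: name})
	return buf.String(), err
}

// RenderFileViewUnsafe shows the defect: text/template copies the filename
// verbatim, so any tag in it lands in the page unescaped.
func RenderFileViewUnsafe(id, name string) (string, error) {
	var buf bytes.Buffer
	err := unsafeView.Execute(&buf, fileInfo{ID: id, Name: name})
	return buf.String(), err
}
```

Escaping at output time is the part that matters; stripping characters at upload time is fragile because the same filename may later be emitted into a different context (a JSON API response, a Content-Disposition header) where HTML entities are the wrong encoding.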

Fixed it in the current build. Not on the public git, but in the binary. Try it out :')

sent you a pr :^)

Try again.

Fixed it now. It's fixed now. I will clear all previous uploads rn.

What did you fix exactly?

the check that you made for an existing uuid on upload was wrong. i think the pr is broken because you are force-pushing shit to master. pls stop that.

Sorry. This whole thing is a bit weird because the original repo is in a private github repo.

Please make something like Pomf with an account so you can delete uploaded shit any time of the day.

You can do that. Didn't you see the gigantic "delete" button in the file view?

It's not with an account, and you can't do this shit on Sharex.

rebased the pr, i think it's working now. or not, i hate git anyway.

It is supposed to work without any account. The server just holds the encrypted data. No other data is supposed to stay on the server.

Implemented it in the latest push. Gonna build and push again

I mean an account so you can use it on Sharex and when you want to delete something, you login on your website and delete it. Simple, efficient and elegant. Like Puush.

Then continue to use puu.sh. This service is not meant for general files. You don't need AES encrypted files without ip logging on fucking screenshots. Use puu.sh for that.

So, what the fuck is the point with the site you're trying to shill so badly on Sup Forums lately? To upload pedophile shit? Enjoy the van you fucking retard.

No, I don't want you to upload illegal shit on that site. The point is I don't have the resources puu.sh has.

>login
>Like Puush.
[pic related]

Also,
>Simple, efficient and elegant.
it's not.

Add a fallback to upload files without Javascript.

I think I will do that.

>encryption on server side
>does not work without js
>HMAC instead of a proper hash function
???

What encryption algo do you use? What KDF?

Cancer, just keep a list of the files and their passwords locally.

You can use CURL to upload files and get files. Retard. HMAC is better than MD5 because it includes the crypto key. The algorithm is AES with SHA256.

That's what the JS is all about. I'm also working on a CLI so that you don't need any browser.

>HMAC is better than MD5
HMAC is not a hash algorithm, MD5 is.
HMAC is a construction that is built on top of a hash function, it can use MD5 if you want.
How do you use HMAC even? For what reason?

>The algorithm is AES
How big is the key? 256 bits?
Why not use an actually good cipher instead of this bullshit?
Also, what mode of operation do you use?

>with SHA256
For KDF? Is this a joke?

>You can use CURL to upload files and get files
I don't have curl installed nor am I willing to install it just for a single shitty site.
Moreover it does not mention it anywhere on the site so how am I supposed to know it?

Can one have a different key for deletion (or disable it entirely)?

>You can use CURL to upload files and get files. Retard.
Which means the server logs are enough to decrypt the file again. Great.
>HMAC is better than MD5 because it includes the crypto key. The algorithm is AES with SHA256
What the fuck?
AES alone means weak guarantees unless you also use a reasonable mode of operation. ECB would be terrible news.
I have no idea where HMAC or SHA-256 even become relevant in this context unless you're doing authenticated encryption, in which case you really should be using a library doing authenticated encryption for you rather than shoehorning your own encrypt-then-MAC (or worse, MAC-then-encrypt).

MD5, hash, encryption...one better than the other.

Both of you are off. A HMAC is a hash message that's signed/encrypted with the sender's private key, for integrity and non-repudiation. HMACs make use of hash functions from MD5 to SHA512.

He's not using any KDF.
bibinator.club/null/pomfcrypt/src/master/pomfcrypt.go#L97

Why are you using CFB mode?

>Both of you are off
Wut? You are replying to one person.

>HMAC is a hash message that's signed encrypted with the sender's private key
What the fuck? Don't talk about shit you have no idea about please.
HMAC is a specific algorithm that uses symmetric keys.

>CFB
>the key is the zero-padded password
Read Schneier's Cryptography Engineering and don't come the fuck back until you're done reading it.

>bibinator.club/null/pomfcrypt/src/master/pomfcrypt.go#L97
What the fuck, he is not even hashing the message.
Just, what?

Why are you spending your precious NEETbux on providing a host service for autistic manchildren?

>hashing the message
*hashing the key.

>hashing the key
For what purpose? The whole point of HMAC would be integrity in this context. If the HMAC mismatches, you already know you've got the wrong key.

Are you retarded?

Key gets put with the filename into the crypto payload. In front of the payload is the signed HMAC. When getting the file AES gets decrypted and then verified using the HMAC. If it is correct, the file gets delivered. There is no need of hashing the fucking key.

Exactly.

You would not hash the key for integrity, you would hash a password of any size in order to get a uniform pseudo-random key of a constant size to use for the cipher.

Moreover by using a KDF you would add entropy to the key.

Just stop, please.

What is the specific problem you are seeing in this procedure?

Who are you quoting and what the fuck are you talking about you mouthbreathing little shit?

That's something else entirely, though.

key = argon2i(password, 100MB, 3 iterations)
ciphertext, tag = AES-256-GCM(key, plaintext, random counter)
Write counter || ciphertext || tag to file.
Store file identifier in URL and the key in the URL fragment (the thing that starts with #) and use client-side JavaScript crypto because otherwise you have this: the key's in the URL and the URL's in the server log, making it all pointless anyway past the first download.
This is not a difficult concept. Why are we going over this again?

I did the same thing some time ago OP, but I used the query string for the decryption key.
bitbucket.org/alex108/erio-cabinet
I host it but I'd rather not run out of HDD space posting it.

Feel free to contribute your Knowledge to this project :')

fuck off FBI

1: Passing the password directly to the cipher instead of using a password KDF
2: Using CFB
3: Using HMAC + SHA256 instead of a proper MAC algorithm
4: Using AES

How is this relevant to my post at all?

>counter
I think you mean IV

Expiry times work well enough. They're pretty rare already, though.

You are right. It is not very secure to put the key into the URL. I will try to change the implementation.

>1: Passing the password directly to the cipher instead of using a password KDF
retarded
>2: Using CFB
questionable
>3: Using HMAC + SHA256 instead of a proper MAC algorithm
HMAC is a fucking MAC algorithm. It even says so in its name.
>4: Using AES
There is literally nothing wrong with AES, which is one of the most studied algorithms there is. Take off your tinfoil hat for ten seconds.

It's not secure to do the encryption anywhere other than locally in the first place.

Why not just use github.com/mozilla/send

Nobody forcing you to use the service, shill ;)

>HMAC is a fucking MAC algorithm
Did I claim otherwise? All I said is that it is not a proper MAC algorithm. Just like DES is not a proper encryption cipher.

>There is literally nothing wrong with AES
Other than the known faster-than-bruteforce attacks?
Other than the fact that it was not designed to be secure against side channel attacks?
Other than the fact that it's complex?
Other than the fact that it has low security margins?

It's really not questionable.
OP could be using an authenticated encryption mode instead of CFB.

You can surely share the optimal way to build such a project. Tell us which method of integrity check you would use and which encryption algorithm. And then a way to implement it server-side in golang.

Post actual papers, burden of proof is on you.

>Tell us which method of integrity check
For a MAC I would use Poly1305 or SHA3/SHAKE256/KMAC. Even GCM + GMAC would be a better idea.

>which encryption algorithm
Chacha20 or any of the future winners of the Caesar competition.

>And then a way to implement it server-side in golang.
Not willing, find a way yourself.
NaCL has been ported to most languages.

>Post actual papers
On the attacks? Try "Improving the Biclique Cryptanalysis of AES" by Tao, Biaoshuai and Wu, Hongjun.

Thank you, user.
I am new to cryptography, as you can clearly see. I appreciate your criticism and I will try my best to implement these algorithms in the near future.

The other domain
waifu.trade
Sounds much better

Yeah, I still need to configure HTTPS redirect for that. It kinda seems broken.

>waifu.trade
Fixed it. It is not usable just as pomf.download.

>not
now* :D

Here you go godoc.org/golang.org/x/crypto, you probably want to use chacha20poly1305

But poly1305 is a one-time key algorithm. I want users to be able to download the file multiple times.

This just means that it will break iff you encrypt multiple times using the same nonce. Same goes for chacha20 and every stream cipher (or cipher in a stream-like mode of operation).
You can decrypt and verify the tag as many times as you want safely.

LAMOOOOOOOOOOOOOOO

Not a crypto person so I don't understand what's happening.

Because the textbox is editable, I thought I could put in anything I want in there.

Now that page loads just fine but the password that I entered when uploading that file isn't even recognized.

>ciphertext is too short

Site?

>HSTS
Bad meme

observatory.mozilla.org/

Implemented all relevant security measures. HSTS and security headers are now present on pomf.download.

This is a bad test.

Please use a fucking key derivation function as well instead of using the key directly.
PBKDF2, Bcrypt and Scrypt are available in Go's supplementary crypto repository.

github.com/golang/crypto

I am in the process of implementing that right now.

The problem with a KDF is that they are long as fuck. Which KDF is short and efficient? I mean it's included in the URL.

>calls someone a shill
>while shilling his own website

dumb weeb poster