Hey there,

http://lockbin.com

Whenever I have sensitive information I need to send to someone via email, I Google 'encrypt mail message' looking for solutions, but everything would be too complex for my potential recipients.

So I built something to take care of the problem.

Now, I can send people credit card numbers, or login credentials to my server, or whatever, and I don't have to worry about it being sniffed by some jerk in an Internet Cafe.

It seems to work well for me, and for other folks, but one user in particular keeps telling me that her messages come back empty. Can't reproduce. Anyhow...

Go ahead and test it.

One nice thing about it is that you can read the JavaScript in your browser and see that nothing is ever sent to the server without being encrypted by your own "Secret Word" - thus, I can't read your messages even if I wanted to. Plus, the messages get deleted as soon as they are picked up. It is also using HTTPS. Nothing is foolproof, but this seems to be a good layman's alternative to S/MIME.

-Matchoo

Link to comment
https://forums.phpfreaks.com/topic/67489-lockbin-test-away/

Cross Site Scripting:

https://lockbin.com/test.php?m=<marquee><h1>vulnerable</marquee>

Full Path Disclosure:

https://lockbin.com/test.php?m[]

Warning: urldecode() expects parameter 1 to be string, array given in /home/.labyrynthwasherkiln/lockbin/lockbin.com/test.php on line 35
Link to comment
https://forums.phpfreaks.com/topic/67489-lockbin-test-away/#findComment-339062
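
Added example, not part of the original thread and not lockbin's code (the source of test.php is not shown): a PHP handler that addresses both reports above by rejecting a non-string `m` before any string function sees it, HTML-encoding the value on output, and keeping PHP warnings out of the response. The function names, the length limit, and the assumption that the page echoes `m` back are hypothetical.

```php
<?php
declare(strict_types=1);

// Keep PHP warnings (and the file paths they contain) out of responses;
// write them to the server log instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

/** Return the parameter as a string, or null if it is missing or not a string. */
function read_string_param(array $query, string $name, int $maxLen = 2000): ?string
{
    $value = $query[$name] ?? null;
    // A request for ?m[] arrives as an array, which is what triggered the
    // urldecode() warning. Reject anything that is not a bounded string.
    if (!is_string($value) || strlen($value) > $maxLen) {
        return null;
    }
    // $_GET values are already URL-decoded by PHP, so no urldecode() here.
    return $value;
}

/** Encode for an HTML text context so markup in the value is shown, not parsed. */
function render_message(?string $m): string
{
    if ($m === null) {
        return '<p>Invalid or missing message.</p>';
    }
    return '<p>' . htmlspecialchars($m, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</p>';
}

// Constructed sample inputs mirroring the two reports in the post above.
// In a real handler the call would be render_message(read_string_param($_GET, 'm')).
$samples = [
    'markup' => ['m' => '<marquee><h1>vulnerable</marquee>'],
    'array'  => ['m' => ['']],
    'plain'  => ['m' => 'hello world'],
];

foreach ($samples as $label => $query) {
    echo $label, ': ', render_message(read_string_param($query, 'm')), PHP_EOL;
}
```

Run from the command line, the markup sample comes back with its angle brackets encoded as entities, and the array sample produces the generic error message instead of a warning that reveals the script path.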

Micah...

Well, it's a plug, but it's also sincere. I want you to break it. I'll ask her what she used as a salt. I figured it was nothing too complicated as she's not very computer savvy.

Agentsteal...

Hey, nice find! Gonna keep reporting errors, though, until I get them all. Nobody's using this stuff for now.

Soon I'll shut off error reporting, and kill that silly test page.

Do you have a program that runs through commonly used pages or somethin? Or are you clairvoyant?

Link to comment
https://forums.phpfreaks.com/topic/67489-lockbin-test-away/#findComment-339224

Matchoo, I like the design and the AJAX-type thing on sign-up. The only thing I would suggest is that you make <div class="HL"> a little bigger, something like 650px. And then I would have the margins set up to auto so the main wrapper would move to the center of my browser.

EDIT: I searched for an example for you: http://bluerobot.com/web/css/center1.html

Link to comment
https://forums.phpfreaks.com/topic/67489-lockbin-test-away/#findComment-339263

typo:

The nice thing about the Web is that you can browser code by viewing the HTML source.

Or I just don't understand it.

Also as a recommendation - allow the user to change the security code. I got one that I can't figure out what it is...

securitycode.gif

Even if other people can figure it out, the person using it could not, and finds it a burden... if that makes any sense.

Sending long messages doesn't store them in the database correctly. You might want to alert the user if the ENCRYPTED version of the message is too long or change the type of storage on the messages.

Link to comment
https://forums.phpfreaks.com/topic/67489-lockbin-test-away/#findComment-340055

Nice layout and the site worked well.

Beyond adding a refresh to the CAPTCHA, I think you should make it more legible, perhaps with a different font. I have excellent vision and even I had a hard time making them out.

I didn't really try and break the site as that's not really my specialty, but an idea occurred to me that you may want to consider. I can see this site becoming very popular as a means to transmit illegal data. I have a feeling you'll be forced by legal requirements to be able to decrypt the information on your end, which sort of defeats the purpose, but not entirely.

Link to comment
https://forums.phpfreaks.com/topic/67489-lockbin-test-away/#findComment-341415

Ok, I added the refresh captcha.

I'll change the font later tonight.

As for sending illegal info. Perhaps, but if the government wants me to decrypt, they would have to issue warrants and such, and I could likely take down the site altogether. But I am hopeful that criminals are not the ones interested in this stuff. They would be better off talking on cell phones as usual.

Link to comment
https://forums.phpfreaks.com/topic/67489-lockbin-test-away/#findComment-341688
