My anniversary project - a privacy friendly popl clone

Project Crypto Popel

(Not many will get the joke, but whatever.)

I often say things like this, but usually the idea doesn’t stick with me.
This time was different… I actually did something :slight_smile:
I’m not even remotely “done” yet, but I already missed my 1 year anniversary if we include the lurking and I wanted to share something today.

There are tons of contact sharing sites, what’s special about this?

TL;DR I can not read your data. It’s the most private way to share my contact via a url.

The goal of my project was that really only people who scanned your NFC chip can read the data, not me, not the NSA.
Other services like popl try the same, but as people here noticed, if you put a /r at the end of a poplme link, it will show the private data.
That’s their whole privacy mechanism…
Add a /r to Test to see what I mean.

My service only stores AES encrypted data, and the password never reach our servers, all cryptography is done in the browser: I literally CAN NOT read your data.
Only you and people you let scan your chip can read your business card.
The only thing I would be able to log is which static files you downloaded.

How does it work?

The hash part of a url is special, it will never be sent to the server.
If you go to example.org/foo#bar the server will only see example.com/foo.
That’s perfect for security, as we can store a password there!

The data is encrypted in your browser before uploading, and it is decrypted on the phones of people who scan your chip.

More details

Another cool thing about this is the “edit” functionality.
There is no normal password check, instead the secret is the filename where the encrypted data is stored.
That’s placed in the edit link that should be saved when creating the business card.
I like this idea, I should probably encrypt those parts of the link tho.

The server is written pure golang, the frontend in js, no frameworks.
The frontend will be heavily changed tho’, so who knows.

Status

This is work in progress, a proof of concept, as I’m writing this I have a prototype frontent that decrypts the data and builds a ugly business card. I’m currently implementing the backend.
That being said, all the thinking is done, it’s just a lot of coding left to do.
There’s even more work to do in the frontend, as it does basically everything.
Btw, anyone interested in helping? Mainly CSS help needed.

I’d like to show some screenshots, but it’s extremely ugly right now… can’t do that.
I’ll probably host it somewhere SOON™

Naming

And lastly, do you have ideas for names?

7 Likes

So I was bored and remembered this exists.
But the frontend sucks ass, don’t tell me I didn’t warn you.
This is not even an alpha, but you can take a peek here.

And here’s an example link: http://disbe.me:8080/YeKa#betFyZ0OGKBsLOPOgQfOz4

Ofc I need to add lots of “entries” like other social media, and the vCARD download.
But idk, I suck at frontends, I need a proper editor and some CSS before this gets usable.

1 Like

Very cool concept

Dangerous Info
or
Dangerous Information

:man_shrugging:

3 Likes

Dangerous Information - I really like this name!
I’d just need to convince amal to let me use this logo and maybe give me a redirect from dngr.us/info/

:speaking_head: :loudspeaker: Amal

Ah dont wanna bother him with this. I’d consider asking once it looks like a website and not like the few lines of pure html that it is and has some more features than image, twitter and email.

1 Like

I don’t actually @ Amal unless I really need to get his attention, I know he will see it, but I imagine his notifications and inbox get flooded

I’m sure he can use his imagination

spongebob-squarepants-spongebob

Will you look at having editable fields, and/or only show selected info

For those of who don’t do Social Media etc.

I noticed that later haha.

What exactly do you mean?
You can put a custom link in there , I just don’t have it in the editor yet.
You also have freely editable text already.

If you mean custom icons next to custom urls, yesh that’d be possible.

I wanna add a image editor anyways, so they automatically use data: urls and thus end up encrypted in card.

Yeah, as you answered, plus

If you don’t fill in :bird: Tweeter, it doesn’t display an empty Tweeter Field

Ah yeah god no, there are more entry types than I have in the example, and they aren’t empty there.
Technically the frontend supports multiple entries of the same type and in different order, the “editor” is just some inputs though :confused:

1 Like

I pretty much knew you wouldn’t do that. You’re far better than that

So I have a TLS cert now. https://disbe.me

So technically it’s actually safely useable now.
View this as public beta. As long as my server is safe, no one can get your data.

There’s a preview of the card now and I’ve also added a vcard download.

Selecting contacts is not possible in all browsers and you can’t easily export as vcard… this sucks.
Even generating a vcard won’t work cuz I do not have the details in my model e.g. no name and last name, I just have 1 string called title.

This project gets worse the more I do :wink:

4 Likes

I’m really liking this.

1 Like

have you got a github for this? can I contribute?

2 Likes

Yes dm me your username and I’ll invite you.
It’s under my real name so it’s not public yet.

Wow already got the first bugfix merged!
Anyone else interested in joining just dm me.

3 Likes

Looks great.
Tried this and it is scannable by iphone but when i click on popup safari says it is not safe.
Site has no certificate.
cannot go further.

1 Like

Can you not just acknowledge and accept the risk and proceed? I mean it is your phone!
Who is the boss? You or your phone?

I can on my phone

Oh yeah, you have an iPhone, never mind, that answers my question…

Tumblr_mdrg02Z9ju1qz9y4ko1_500

when i go further it says: No password found, scan the nfc again to see this buisiness card.
I get same screen as you do.

@yeka will be the guy to help you out, This is his brilliant solution, he will have the answers for you

What?! But it does have one…It can not even serve content unencrypted. I have this certbot thingy actively renewing the cert, so this shouldn’t happen.

Weird…

This should only happen once you’ve reloaded the page. It’s so that people you give your link can’t easily safe it forever. There’s a hidden checkbox to disable that.

I’ll check this when I wake up, I probably ducked something with the certificate.