Frequently Asked Questions
What is poof!?
poof! is a secure, time-constrained, one-time secret sharing service.
What does that mean?
Basically, poof! allows you to share a secret, such as a password, with someone else without it being silently intercepted.
Rather than sending credentials directly to someone, which would risk exposure in transit (or later, if someone got access to your messages), poof! allows you to send a link which will allow the receiver to uncover the secret with two restrictions:
- The message can only be viewed once
- The message can only be viewed within a time limit set by the sender
If either the time limit has passed or the message has already been viewed, the link will not work.
This means that if someone intercepted the link and stole the secret before you saw it, you would not be able to retrieve it; you would therefore know it had been intercepted and should be considered compromised.
How does it work?
The full technical detail is available on github but the main concept is as follows:
- You enter the secret in your browser.
- The browser creates a randomised encryption key and encrypts the secret.
- The browser sends the encrypted secret to the server (NB not the key, nor the unencrypted secret, so the server cannot reveal the data on its own).
- The browser creates a link with a token returned from the server and the encryption key. (NB the key is put in the "hash fragment" of the link, which is never sent to the server.)
- You pass the link to the person you wish to share it with.
- They follow the link, and click the "check and reveal" button.
- Their browser asks the server for the encrypted message using the token.
- If the token is expired, or the server has deleted the encrypted message, an error is displayed to the receiver.
- If the token is valid, the server deletes the message from its store and sends it to the browser.
- The browser decrypts the message with the key from the link.
- The browser displays the secret.
Why should I use it?
Because you care about leaking sensitive information in instant messages and want a safer way to share the information.
Why not LastPass or another password service?
Well yes, most password manager services allow sharing passwords — so that is a good use case. If you or your organisation has such a service, then do use it instead. However sometimes you might want to share with a 3rd party without access to the password manager and in such cases, poof! might be useful.
Why should I trust it?
You shouldn't!
Well, I reckon you can trust me, but don't take my word for it. If you want to be sure please check the source code or build and run your own version! I want this project to be useful to as many people as possible, so feel free to run your own version — it's the most secure way!