According to the API docs, I should be able to get the list of metadata keys for recent created secrets when I provide my authentication creds. As in:

curl -u 'USERNAME:APITOKEN' -d '' https://onetimesecret.com/api/v1/private/recent

but when I try this on the live site (https://onetimesecret.com/) it only returns:

{ "secret_key": "recent", "message": "Unknown secret" }

A brief stroll through the code seems to indicate that it should work. I know this is potentially an issue with the live server, but if it's supposed to work, there might be a code issue.

I can't find a mailing list or a forum so I'll just post this here.

Is it possible to install onetimesecret on a shared webhost where you do not have access to /etc and cannot create a user? For example, installing it with only an FTP account?

$ sudo apt-get install ntp libyaml-dev libevent-dev zlib1g zlib1g-dev openssl libssl-dev libxml2 libreadline5-dev
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Package libreadline5-dev is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source
However the following packages replace it:
  libreadline-gplv2-dev

E: Package 'libreadline5-dev' has no installation candidate

So I think the instructions in the Readme should be updated...

One-Time Secret cannot be used on Android devices because the generated link of a secret cannot be copied to be shared.

Any interaction with the field containing the generated link is disabled. The link gets selected when it's tapped on it, but nothing more can be performed, nor copy it or anything else.

What do you think of HPKP or even DANE? (Although latter one is not (natively) supported by many clients currently.)

Also see: https://community.qualys.com/blogs/securitylabs/2015/06/08/introducing-tls-maturity-model

Hi!

I've used yall for a while now, and noticed you didn't have a cookbook on the supermarket, so i created a cookbook1 for yall. It's just an MVP release, but i wanted to know if you wanted to put it in yalls namespace or i can run it too. I havent published it to the supermarket till yall have made this decision.

Thanks again for creating this, I hope this deployment mechanism helps someone out in the long run!

PS: i'll change the repo name to onetimesecret-cookbook if yall do want it in your namespace.

As a privacy/security-focused service you should certainly not use Google Analytics. For obvious reasons…

It is used on all sites as far as I see.

If you really need these stats you might consider running something privacy-friendly alternative such as piwik.

In any case make these statistics configurable, so that self-hosted installations can disable (or adjust) the GA or Piwik integration.

Messages are truncated when the secret is created but it's not clear that a) the message will be truncated and b) where it will be truncated while typing the it.

Hello!
How can I change the default secret creation rate limit? I haven't been able to find the parameter in the config file.

Edit: I've only been able to change that limit by modifying the hardcoded value on line 4 of onetimesecret/lib/onetime/models.rb:

DEFAULT_LIMIT = 25 unless defined?(OT::RateLimit::DEFAULT_LIMIT)

Thanks!
David

Hello,

Running the line:

bundle exec thin -e dev -R config.ru -p 7143 start

Results in the following error:

bundler: failed to load command: thin (/etc/onetime/vendor/bundle/ruby/bin/thin)
RuntimeError: ERR invalid password
/etc/onetime/vendor/bundle/ruby/gems/redis-2.2.2/lib/redis/client.rb:47:in call' /etc/onetime/vendor/bundle/ruby/gems/redis-2.2.2/lib/redis/client.rb:24:in connect'
/etc/onetime/vendor/bundle/ruby/gems/redis-2.2.2/lib/redis/client.rb:247:in ensure_connected' /etc/onetime/vendor/bundle/ruby/gems/redis-2.2.2/lib/redis/client.rb:137:in block in process'
/etc/onetime/vendor/bundle/ruby/gems/redis-2.2.2/lib/redis/client.rb:206:in logging' /etc/onetime/vendor/bundle/ruby/gems/redis-2.2.2/lib/redis/client.rb:136:in process'
/etc/onetime/vendor/bundle/ruby/gems/redis-2.2.2/lib/redis/client.rb:46:in call' /etc/onetime/vendor/bundle/ruby/gems/redis-2.2.2/lib/redis.rb:273:in block in ping'
/etc/onetime/vendor/bundle/ruby/gems/redis-2.2.2/lib/redis.rb:18:in synchronize' /etc/onetime/vendor/bundle/ruby/gems/redis-2.2.2/lib/redis.rb:272:in ping'
/etc/onetime/lib/onetime.rb:73:in block in load!' /etc/onetime/lib/onetime.rb:73:in times'
/etc/onetime/lib/onetime.rb:73:in load!' config.ru:28:in block in

I have verified that the password is set up in redis: (I'm using a very simple password for testing)

redis-cli -a 12345
127.0.0.1:6379> ping
PONG
127.0.0.1:6379>

My configured environment:

CentOS Linux release 7.3.1611 (Core)

ruby 2.0.0p648 (2015-12-16) [x86_64-linux]

Redis server v=3.2.3 sha=00000000:0 malloc=jemalloc-3.6.0 bits=64 build=672aed6eb816ad6c

I've reached the point of stumped with my installation.

Thank you

Hi
my question is really if there is anything planned to support also attached files ...
Thanks !

First of al great tool you created! I downloaded this Github repository to test it on our local server.
I have only one question about changing the texts. I did the following steps:

1. First edited the translations files in etc/local, but when i visit the local client with my browser nothing changed.
2. Second I edited the text directly in the .mustache files, by replacing the i18n translation tags with plain text.
   Both steps do not result in any changes because the browser keeps showing the old text.
   Even after I flushed the Redis Cache, restarted the Thin Client and the server.

I seems that the .mustache files are being build by another process, can someone shed some light how i can make my changes visible in the browser?

Can you make one available please?

I've just found this file: https://github.com/onetimesecret/onetimesecret/blob/master/public/web/googlebda449ae89dbf2e6.html

Seems to be your personal auth-code from Google which should not be included in a public installable version..

It would be nice if you could set link headers for pushing assets to the user. Especially the HTTP/2 server push is an efficient way of doing that and it really speeds up website loadings.

And you have a lot of assets, which are loaded always when accessing a pad, so this is a very good scenario for HTTP/2 server push.

Hi

I have the following server configuration:

$ lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description: Debian GNU/Linux 8.5 (jessie)
Release: 8.5
Codename: jessie

I use RVM
$ ruby -v
ruby 2.2.4p230 (2015-12-16 revision 53155) [x86_64-linux]

$ bundle install
Using addressable 2.2.6
Using highline 1.6.19
Using attic 0.5.3
Using bcrypt-ruby 3.0.0
Using crack 0.1.8
Using daemons 1.1.9
Using drydock 0.6.9
Using encryptor 1.1.3
Using eventmachine 1.0.4
Using multi_json 1.8.0
Using redis 2.2.2
Using storable 0.8.9
Using uri-redis 0.4.2
Using mime-types 1.25
Using polyglot 0.3.3
Using mustache 0.99.3
Using rack 1.4.5
Using yajl-ruby 1.1.0
Using bundler 1.12.5
Using annoy 0.5.6
Using gibbler 0.8.9
Using httparty 0.7.7
Using sysinfo 0.7.3
Using treetop 1.4.15
Using otto 0.4.1
Using thin 1.5.0
Using redis-dump 0.3.2
Using familia 0.7.1
Using mail 2.5.4
Bundle complete! 18 Gemfile dependencies, 29 gems now installed.
Gems in the group dev were not installed.
Bundled gems are installed into ./vendor/bundle.

$ whoami
web101

$ ls -l /etc/onetime/config
-rw-r--r-- 1 web101 client2 1886 Sep 9 15:47 /etc/onetime/config

$ bundle exec thin -e dev -R config.ru -p 7143 -D start
Error loading config: /etc/onetime/config

how to correct it?

I cloned the repository today and set up a machine running OTS. Everything is starting up smoothly but as soon as I access the application I get a 500 error back.

Did a wget to debug:
$ wget http://localhost:7143

All I get is the following error from OTS: https://gist.github.com/jethr0/c03d4b02a844e6d878b8

Not sure if this is really an issue on your side or if my setup is just broken, but since the error is basically "NameError: `@ipaddress=' is not allowed as an instance variable name" it looks kind of a code issue to me.

When I try to login, I get redirected to the homepage and it looks like I'm still logged out.

It would be great if we can be notified by email when a secret is revealed. Optionally the recipient could give its consent whether or not to send extra security information (basically its IP address).

Is the page down or a broken link?

Special characters such as German umlauts (ä, ö, ü) in the secret lead to this error message:

As a test content you can e.g. use däöüre

Error
Ups! An error occurred :[

Additionally I wonder whether the encryption is correctly done when such characters already lead to failures. Am I right that the secrets are de- & encrypted on the server?

Often I send various people passwords via onetimesecret, and I want those links to expire out when not opened for a while (say, 3 days). Of course I may visit my secrets page, monitor ages and crack open what I consider outdated, but it is definitely a feature that is not visible right now (I've not digged deep enogh into the code perhaps).

Thanks!

Obscuring the passphrase field when viewing a secret really has no point as it cannot be reused, and complicates manually entering long or complex passphrases.

Hi
what hashing is used and where do i configure/change the defaults ?
Thanks

One of my secrets on onetimesecret.com now says:

Expires in 7 days. (2017-12-06@08:15:57 UTC)

But it's 2017-12-14 01:22 UTC and it should be already expired, IMHO, but it's still there.
Is it a bug? Or am I wrong? Thanks.

Maybe I am not the target audience but I was wondering if the config file could be commented a bit more? IE the user/pass for the redis section or the incoming/emailer section. I have set up a test instance but I can't seem to control users/"customers" and I can't seem to log in or register an account.

Quoting from http://redis.io/commands/save:

You almost never want to call SAVE in production environments where it will block all the other clients. Instead usually BGSAVE is used.

So why do you recommend "save" for "light traffic"?

In your license file it still states this work is from 2011. So I think this is a bit outdated. 😄

I haven't seen any upper and lower bounds for ttl for secrets. The thing is, while there's no upper bound as tests showed, there's an implicit lower bound which is 7/14 days for anon/auth accounts.

The question is, is this a bug? If not, what's the reason to forbid having secrets with smaller TTL? i'd say it's pretty convinient to be able to have, let's say, an 1-hour secret.

Also, what's the purpose of secret_ttl and metadata_ttl fields in "generate" api call?

Context:

Need to submit a batch of one-time secrets to a colleague.

Current workflow:

Create secret, receive link... Click bookmark to return to front page of https://onetimesecret.com .

Suggested workflow:

Create a secret, receive link, receive a button that references 'Create Another Secret'.

This way, I can secret chain my way to the cryptobank... without leaving the "cycle" of OTS.

I created some systemd unit files for my redis and OTS instances (using thin server in daemon mode + logging). Feel free to include them as sample unit files.

$ cat /etc/systemd/system/redis-onetime.service

[Unit]
Description=Advanced key-value store for one time secret
After=network.target

[Service]
Type=forking
ExecStart=/usr/bin/redis-server /etc/onetime/redis.conf
ExecStop=/usr/bin/redis-cli shutdown
Restart=always
User=ots
Group=ots

[Install]
WantedBy=multi-user.target

$ cat /etc/systemd/system/onetime.service

[Unit]
Description=Onetime secret backend service
After=network.target apache2.service

[Service]
Type=forking
RemainAfterExit=no
WorkingDirectory=/var/www/ots
ExecStart=/usr/bin/bundle exec thin -e dev -R config.ru -p 7143 -P /var/run/onetime/onetime.pid -l /var/log/onetime/onetime.log -d start
TimeoutStopSec=10
PIDFile=/var/run/onetime/onetime.pid
Restart=on-failure
User=ots
Group=ots

[Install]
WantedBy=multi-user.target

The README suggests that a global secret should be created by executing

history | openssl sha1

I don't know what this secret is used for, but the description makes it sound like it's used as part of encryption. Given that, this suggested generation method is terrible. Keys used for encryption should never base based on anything even remotely guessable. Even worse, not everybody keeps their history between shells. So your suggestion could result in someone generating a hash that's literally just the commands used for installing onetimesecret.

A key like this should be generated from random data. Just read 20 bytes from /dev/urandom.

hi
a suggestion
if we would have the ability to enter a destination mail and send the generated link to that address, and perhaps the password to slack or other, that would be greeeeeaaaaattttt

in great i mean it will take ots a step forward and much more easy to use,

thanks for the awesome job

Hi
i try to run bundle exec thin -e dev -R config.ru -p 7143 start
but it fails to load ...
i got:
bundler: failed to load command: thin (/home/ots/onetimesecret/vendor/bundle/ruby/1.9.1/bin/thin)*
*RuntimeError: ERR Client sent AUTH, but no password is set

on /etc/onetime/config ive changed the passwords but still not working.
would appreciate any assistance

ots@ip-10-210-9-109:~/onetimesecret$ cat /etc/onetime/config | egrep -i "key|change|pass"
NOTE Once the secret is set, do not change it (keep a backup offsite)

[email protected]
:account: CHANGEME
:password: mynewpassword
:from: [email protected]
:fromname: CHANGEME
:pass:
link is sent. Passphrase is used to protect the secret.
:passphrase: mynewpassword
:apikey: mynewpassword
:default_chart: CHANGEME
:failed_passphrase: 5
ots@ip-10-210-9-109:~/onetimesecret$ bundle exec thin -e dev -R config.ru -p 7143 start
bundler: failed to load command: thin (/home/ots/onetimesecret/vendor/bundle/ruby/1.9.1/bin/thin)
RuntimeError: ERR Client sent AUTH, but no password is set
/home/ots/onetimesecret/vendor/bundle/ruby/1.9.1/gems/redis-2.2.2/lib/redis/client.rb:47:in call' /home/ots/onetimesecret/vendor/bundle/ruby/1.9.1/gems/redis-2.2.2/lib/redis/client.rb:24:inconnect'
/home/ots/onetimesecret/vendor/bundle/ruby/1.9.1/gems/redis-2.2.2/lib/redis/client.rb:247:in ensure_connected' /home/ots/onetimesecret/vendor/bundle/ruby/1.9.1/gems/redis-2.2.2/lib/redis/client.rb:137:inblock in process'
/home/ots/onetimesecret/vendor/bundle/ruby/1.9.1/gems/redis-2.2.2/lib/redis/client.rb:206:in logging' /home/ots/onetimesecret/vendor/bundle/ruby/1.9.1/gems/redis-2.2.2/lib/redis/client.rb:136:inprocess'
/home/ots/onetimesecret/vendor/bundle/ruby/1.9.1/gems/redis-2.2.2/lib/redis/client.rb:46:in call' /home/ots/onetimesecret/vendor/bundle/ruby/1.9.1/gems/redis-2.2.2/lib/redis.rb:273:inblock in ping'
/home/ots/onetimesecret/vendor/bundle/ruby/1.9.1/gems/redis-2.2.2/lib/redis.rb:18:in synchronize' /home/ots/onetimesecret/vendor/bundle/ruby/1.9.1/gems/redis-2.2.2/lib/redis.rb:272:inping'
/home/ots/onetimesecret/lib/onetime.rb:73:in block in load!' /home/ots/onetimesecret/lib/onetime.rb:73:intimes'
/home/ots/onetimesecret/lib/onetime.rb:73:in load!' config.ru:28:inblock in

'
/home/ots/onetimesecret/vendor/bundle/ruby/1.9.1/gems/rack-1.4.5/lib/rack/builder.rb:51:in instance_eval' /home/ots/onetimesecret/vendor/bundle/ruby/1.9.1/gems/rack-1.4.5/lib/rack/builder.rb:51:ininitialize'
config.ru:1:in new' config.ru:1:in'
/home/ots/onetimesecret/vendor/bundle/ruby/1.9.1/gems/thin-1.5.0/lib/rack/adapter/loader.rb:33:in eval' /home/ots/onetimesecret/vendor/bundle/ruby/1.9.1/gems/thin-1.5.0/lib/rack/adapter/loader.rb:33:inload'
/home/ots/onetimesecret/vendor/bundle/ruby/1.9.1/gems/thin-1.5.0/lib/thin/controllers/controller.rb:181:in load_rackup_config' /home/ots/onetimesecret/vendor/bundle/ruby/1.9.1/gems/thin-1.5.0/lib/thin/controllers/controller.rb:71:instart'
/home/ots/onetimesecret/vendor/bundle/ruby/1.9.1/gems/thin-1.5.0/lib/thin/runner.rb:187:in run_command' /home/ots/onetimesecret/vendor/bundle/ruby/1.9.1/gems/thin-1.5.0/lib/thin/runner.rb:152:inrun!'
/home/ots/onetimesecret/vendor/bundle/ruby/1.9.1/gems/thin-1.5.0/bin/thin:6:in <top (required)>' /home/ots/onetimesecret/vendor/bundle/ruby/1.9.1/bin/thin:23:inload'
/home/ots/onetimesecret/vendor/bundle/ruby/1.9.1/bin/thin:23:in `<top (required)>'

Why don't use Javascript encryption to encrypt the text before it is sent to the sever? This way you would have real end-to-end-encryption.
An example service which does this already is img.bi (website, source).

So it is not impossible and it may improve the security of the service.

Hi,

I tried using OTS using an Apache with mod phusion passenger version 4.0.53-1 (from debian jessie), but I kept getting this error:

App 31239 stderr: [ 2017-08-28 13:50:34.2233 31282/0x00000000b865f0(Main thread) request_handler.rb:227 ]: Request handler main loop interrupted by NoMethodError exception
App 31239 stderr: [ 2017-08-28 13:50:34.2234 31282/0x00000000b865f0(Main thread) request_handler.rb:230 ]: Exiting request handler main loop
App 31239 stderr: /usr/lib/ruby/vendor_ruby/phusion_passenger/rack/thread_handler_extension.rb:107:in `block in process_request': undefined method `each' for nil:NilClass (NoMethodError)
App 31239 stderr:       from /var/www/onetimesecret-20170828/vendor/bundle/ruby/2.1.0/gems/rack-1.4.5/lib/rack/utils.rb:398:in `block in each'
App 31239 stderr:       from /var/www/onetimesecret-20170828/vendor/bundle/ruby/2.1.0/gems/rack-1.4.5/lib/rack/utils.rb:397:in `each'
App 31239 stderr:       from /var/www/onetimesecret-20170828/vendor/bundle/ruby/2.1.0/gems/rack-1.4.5/lib/rack/utils.rb:397:in `each'
App 31239 stderr:       from /usr/lib/ruby/vendor_ruby/phusion_passenger/rack/thread_handler_extension.rb:99:in `process_request'
App 31239 stderr:       from /usr/lib/ruby/vendor_ruby/phusion_passenger/request_handler/thread_handler.rb:141:in `accept_and_process_next_request'
App 31239 stderr:       from /usr/lib/ruby/vendor_ruby/phusion_passenger/request_handler/thread_handler.rb:109:in `main_loop'
App 31239 stderr:       from /usr/lib/ruby/vendor_ruby/phusion_passenger/request_handler.rb:455:in `block (3 levels) in start_threads'

Passenger on this server works properly with other apps, but not with onetimesecret, is it supposed to work ?

Cheers
Loïc

Is there a way for force SSL traffic?

With NGINX you might have something like this:

location / {
if ($http_x_forwarded_proto != 'https') {
rewrite ^ https://$host$request_uri? permanent;

At the moment I wanted to put OTS behind a load balancer (Amazon ELB), but it was not clear how to inform (thin?) to force a redirect back to https from http

https://aws.amazon.com/premiumsupport/knowledge-center/redirect-http-https-elb/

Thoughts or suggestions welcome.

Upon trying with a wrong password to see what happened, I eventually got the error:

Oops! Apologies dear citizen! You have been rate limited.

What does that exactly mean? Has the secret been burned?

Either session data isn't getting saved or POST isn't happening as all form submissions just reload the current page, including "Create Secret Link." It could be something else. I'm a PHP developer in Ruby land right now so I'm stabbing in the dark.

PM me if you'd like a link to my running installation.

Hello,

Currently, is it possible to :

• Restrict registering ?
• Restrict usage to registered users only ?
• Delete user or temp link through the admin menu ?

Thank you for this useful tool.

Anthony

I can see this being very handy for IT organizations distributing for example small updates with a video that shows the how to stuff instead of a long message etc.

And then of course there are the hundreds of perverts that would love to send stuff to their mistress etc like that ;-)

I am trying to run it behind a reverse web proxy. In my case: nginx. The special thing is that the URL is in a subdirectory.
So I adapted my config from a Etherpad, but all JS and CSS requests still go to /css or /jsinstead of /mysubdir/css or /mysubdir/js.

So how can I fix this?

Seems to be related to the cookie that remembers which value you entered. It will probably need to be reimplemented.

This kind of defeats the purpose no? Am I missing something?

I got the local installation working (http://mydomain.de:7143) but I can't use https (https://mydomain:7143).

ots@host:~/onetimesecret$ bundle exec thin -e dev -R config.ru -p 7143 start
>> Thin web server (v1.5.0 codename Knife)
>> Maximum connections set to 1024
>> Listening on 0.0.0.0:7143, CTRL+C to stop
!! Invalid request

I guess I need to include the certificate somewhere?

:site:
  :host: mydomain.de:7143
  :domain: mydomain.de
  :ssl: true

Can you please give me a hint what I am doing wrong?
Without https the application does not make any sense.

When you generate a secret and you get the page where it tells you the link you can share and your secret link, the "Share this link" box is editable and because the text is pre selected, if i tap any key the link i just made will be overwritten with my keypress. I would say that the box should not be editable so the link can't be changed or overwritten by the user.

Is there an SVG version of your logo available?

SVGs are usually just smaller than PNG images.

Not an issue, but would you be able to create a Docker version of this?

Looking to retrieve a secret from code