I’d like to build a simple privnote-type clone for fun. The idea is this:
- User A writes a note in their browser, browser encrypts it client-side
- Server saves the pre-encrypted note without knowing the decryption key
- User A then sends a link like
abc.hidden/mynoteid#mydecryptionkeyto user B
- User B decrypts the message on a local browser
The question I’m struggling with is this – should the server allow anyone to fetch
abc.hidden/mynoteid? Server being able to decrypt messages (I’d like this to be entirely immune to logging of any sort and all encryption/decryption happening clientside) defeats the entire purpose.
Because the notes are one-time-use-only, a fetching of the note must destroy it. But how can I know that a correct decryption key was supplied without decrypting the message server-side exposing it to logging?
Lastly, would a React app and a generic REST server with Redis to store messages suffice for this task? (Supposing that messages have a TTL, Redis seems an ideal choice) What happens if a malicious actor gains access somehow (without knowing the decryption keys which should be generated on the spot and only just once)
What encryption algorithm is best suited for this task? I don’t think we need 10 seconds of
I understand that sending sensitive info over the internet is yucky but it happens a lot and if it does happen in a proverbial “marketing department”, having a tool like that could ease some worries about PII.
Plus, I think it’s a fun project either way.