Open MysteriousOrb2000 opened 8 months ago
Hi!
Files on pixeldrain are not encrypted. End-to-end encryption requires client-side software to manage the keys and to encrypt/decrypt the data. It is very hard to get that software running in the browser (as far as I know only Mega managed to get it working, but it's not perfect). Managing such a system would be too much work for one person. Server-side encryption would be more manageable, but then the server would also need to have the keys, which negates all benefits that encryption provides. Encryption at rest is something I would like to look into.
Have you looked into how CryptPad does their encryption on the browser? Their code could be a decent reference to at least take a look. Of course, if you get Sia working, this probably wouldn't matter.
There is an option to remove the download button on the download page here: https://pixeldrain.com/user/sharing/branding. But this does not actually prevent people from downloading the files. It only hides the button. If the user knows how to access the API it's still trivially easy to download the files.
Oh, so I would need to create an account, which explains why I didn't see it. For the API, maybe there could be a parameter or option to only allow access via the official pixeldrain frontend (or user-approved third parties with the upload's access token/password)? The download button hiding is definitely helpful though.
Have you looked into how CryptPad does their encryption on the browser? Their code could be a decent reference to at least take a look. Of course, if you get Sia working, this probably wouldn't matter.
CryptPad looks interesting. Maybe pixeldrain could be used for a storage backend for CryptPad. Another app like this that I have looked at is Vup. Vup already supports storing encrypted files on pixeldrain actually. You could also use rclone with an encryption backend.
While Sia itself is end-to-end, my servers would be the endpoint there. So I would still have unrestricted access to the data.
As long as pixeldrain is purely for sharing files end-to-end encryption does not add much value though. To share the files you to have to share the keys too. And the only convenient way to share the keys is in the URL (which is what Mega does too). But then the server will still have access to the keys. End-to-end encryption does not add anything to file sharing because the content will be public anyway.
Oh, so I would need to create an account, which explains why I didn't see it. For the API, maybe there could be a parameter or option to only allow access via the official pixeldrain frontend (or user-approved third parties with the upload's access token/password)? The download button hiding is definitely helpful though.
Yes, and this particular feature also requires a €8/m Patreon subscription or the prepaid plan. I do not plan to restrict the API any more than it already is. Things like this add extra complexity to the backend which increases both server load and maintenance burden. Since I am the only one maintaining the site I prefer to keep things as simple as possible.
Pixeldrain is a platform for sharing content. Restricting that functionality would also change the platform's purpose.
Hi, I have been watching and trying out PixelDrain for awhile now and do like it better than the other file sharing/media hosting sites I have tried out so far.
Is this project still connected with the Sia blockchain? I saw this article, but I noticed there's no mention of it on the website. I assume, based on the pricing section, you removed the blockchain storage aspect of it, but just wanted to confirm it with you.
Are the files stored End to End Encrypted? I see that this project is catering towards the privacy-oriented customers, but I don't see any mention of encryption on files on the back-end, so are you able to see whatever is uploaded to PixelDrain?
This is a feature request: I was wondering if you could make an option of only allowing the viewers to view the image/media within PixelDrain and not have the ability to download the file. For example, a teacher showing images of a test but not wanting students to download them or artists showing off they're work but not wanting people to download them for whatever reason.