garritfra / sendpasswords.net

https://sendpasswords-net.vercel.app
MIT License
15 stars 0 forks

Tell the users to only use authenticated channels #289

Open realpixelcode opened 1 month ago

realpixelcode commented 1 month ago

Alice wants to send a password to Bob, so Bob creates a PGP keypair and sends his public key to Alice, meaning the channel they use doesn't need to be secret.

However, if the channel is not authenticated, Mallory could swap Bob's public key with her own during transmission, acting as a MITM. That's a small but important detail that should IMO be mentioned.

garritfra commented 1 month ago

That's a great point. Essentially "only share your key information over a channel you fully trust".

Although it's hard to convince non-techy users why they should use this tool if they share the keys over a trusted channel anyway.

Do you have time to formulate this out into a PR?

realpixelcode commented 1 month ago

Maybe something like this?

How should I share my key information?

Using something like an encrypted messenger is always a good idea, but it's not absolutely necessary for sendpasswords.net because your key information is not confidential. However, always make sure you're texting the right person. Depending on how you're communicating with your friend, double-check their user name, e-mail address, phone number etc. Only share your key information over a channel that you trust not to be tampered with.

> Do you have time to formulate this out into a PR?

I'm not that familiar with React tbh 😅