jhaals / yopass

Secure sharing of secrets, passwords and files
https://yopass.se
Apache License 2.0
1.87k stars 291 forks

Show a confirmation dialog before revealing the secret message in a one-click link #2154

Open smokris opened 9 months ago

smokris commented 9 months ago

When we enable "One-time download" and send a Yopass "One-click link" by email, sometimes the recipient sees "Secret does not exist" instead of the actual secret message.

I believe this is because the recipient is using an email service that automatically visits all links in the email to scan them for malware — when the email service automatically visits the Yopass one-click link, it causes the secret to self-destruct before the recipient can actually see it.

To work around this, when viewing a one-click link, Yopass could show an in-page confirmation dialog before revealing (and self-destructing) the secret message:

one-click-confirmation

Details

> **Show the secret message now?**
>
> The secret message will be automatically deleted after you view it, so make sure you're ready to use its content.
>
> **[Show the message]** [Not yet]

ethrgeist commented 4 months ago

I second this, GET should not be destructive, so there should be a kind of confirmation to prevent issues with preview fetchers, link checkers in mails and such.

Snappass does it similarly: https://github.com/pinterest/snappass

I like the file upload and separated decryption key features, but I'll stick with snappass for now, because I can see issues for users that have their shared content randomly deleted.
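The behaviour requested in the comments above, as an added example that is not part of the thread and is not Yopass or Snappass code: GET and HEAD return only the confirmation form, and the secret is revealed and deleted only on POST. The `Store` type, the `/secret/{id}` route, the `do` helper and the sample secret are assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
)

// Store is a hypothetical one-time secret store (an assumption, not Yopass code).
type Store struct{ secrets sync.Map }

// Handler serves the assumed route /secret/{id}. Only POST reveals and destroys.
func (s *Store) Handler() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch r.Method {
		case http.MethodGet, http.MethodHead: // scanners and preview fetchers land here
			fmt.Fprint(w, `<form method="post"><p>Show the secret message now?</p><button>Show the message</button></form>`)
		case http.MethodPost: // LoadAndDelete is atomic, so two POSTs cannot both get the secret
			v, ok := s.secrets.LoadAndDelete(strings.TrimPrefix(r.URL.Path, "/secret/"))
			if !ok {
				http.Error(w, "Secret does not exist", http.StatusNotFound)
				return
			}
			w.Header().Set("Content-Type", "text/plain; charset=utf-8")
			fmt.Fprint(w, v)
		default:
			w.Header().Set("Allow", "GET, HEAD, POST")
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		}
	})
}

// do sends one in-process request and returns the status code and body.
func do(h http.Handler, method, path string) (int, string) {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(method, path, nil))
	return rec.Code, rec.Body.String()
}

func main() {
	s := &Store{}
	s.secrets.Store("abc", "constructed sample secret")
	for _, m := range []string{"GET", "POST", "POST"} { // scanner prefetch, recipient, replay
		code, body := do(s.Handler(), m, "/secret/abc")
		fmt.Println(m, code, body)
	}
}
```
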

vbakke commented 3 weeks ago

Yes, this is important. A lot of email antivirus will visit links in emails, and destroy the one-time secret.

I think all other similar services do this: privnote, snappass, cryptogen, etc, etc.

I recommend increasing the priority on this.

There is one workaround, in the meantime. It is to send the short link, with the decryption key on the next line in the email. Not ideal, but antivirus might not yet be clever enough to paste in the key.