Closed adnm9 closed 3 months ago
Thanks for reporting this @adnm9. The random part of the URL after .onion is meant to stop other apps on the same device from downloading the files directly from OnionShare. I agree that it should be changed each time a new set of files is shared. I'll open a PR for this.
Appreciate it, thanks!
The app appears to use the same private key when doing a new upload (the part of the url after .onion stays the same), though it does change the tor address. There doesn't seem to be any benefit to this, and it poses a potential security risk if an old link gets leaked somewhere and has the private key in it. It seems like it would be trivial to have the app delete the private key along with the zip file when it is done sharing. A more complicated solution would be to generate multiple private keys from a master key, but this doesn't seem to provide any benefit. Thanks