Product & Engineering Blog

At Onetime Secret, we believe privacy and simplicity go hand in hand. While many services collect extensive user data, we've chosen a different path focused on what matters most: secure, reliable secret sharing. You can learn more about our guiding principles in our documentation.

We're jazzed to introduce our new US locality, enhancing our data privacy options and expanding user choice. The US instance is now available at us.onetimesecret.com, complementing our existing EU site at eu.onetimesecret.com.

Discover why Onetime Secret uses imperfect AI-generated images in our blog posts and how it aligns with our values of transparency and security.

Welcome to our comprehensive series on setting up and installing Onetime Secret. In this first installment, we'll walk you through the process of installing Onetime Secret as a standalone web application using the latest methods and best practices. Whether you're a seasoned sysadmin or just getting started with self-hosting, this guide will help you get Onetime Secret up and running smoothly.

Onetime Secret v0.18.0 brings significant improvements to our secure, one-time sharing platform. This release focuses on enhancing performance, security, and user experience.

Continued from the previous post (Sept 12th, 2024): Denial of Service (DoS) Attack: Continued Adventure.

Continued from the previous post (Sept 9th, 2024): Denial of Service (DoS) Attack: A brief summary.

See the follow-up posts:

With a few improvements to our UI particularly in regards to font rendering, we now support ASCII QR codes. Actually UTF-8, but no one says "UTF-8 Art". Or maybe the do now and I'm just way behind. In any case, we now support ASCII and UTF-8 QR codes.

I introduced a bug that prevented new users from verifying their accounts. Verification emails went out fine but the link wasn't setting the `verified` flag on the account record.

The current landscape of user interface design faces challenges similar to those of the late 1990s. Dial-up speeds, small screens (desktop included), and limited browser capabilities were the constraints of that era. Today's constraints, however, are not technical limitations but data privacy regulations like GDPR and CCPA. These regulations provide an opportunity to improve UI design.

Some recent updates. I'm still working on the new design, moving the UI from purely old-school, server-rendered mustache templates to Vue 3 components. I've been making some incremental improvements here and there.

So the new design has been up for about a month now. In my rush to get it out, I forgot to check the custom font in Safari. It's not loading. It's a bit of a whoopsies. I'm not sure what's going on. I'll have to look into it.

This release focuses on foundational improvements and technical debt reduction. While maintaining the core functionality and user experience, v0.17.0 introduces substantial backend enhancements that set the stage for future innovations.

At Onetime Secret, we believe in transparency and community-driven development. Our open-source first approach ensures that all new features and improvements benefit our entire user base, from individual developers to enterprise customers. This post outlines our development model, its benefits, and how it shapes our business strategy.

This major update brings significant modernization to Onetime Secret's technology stack and user interface, while maintaining its core functionality as a secure, one-time sharing platform for sensitive information.

When we first launched in 2012, we never anticipated the widespread use and trust that our platform has gained over the years. To put it simply, we've been really fortunate to have a product that people have stuck with for more than a decade.

All of times I've found myself in a situation where I need to get a little bit of data on to or off of a server somewhere. Copy & paste works in some cases but not always. Another option is a service like Pastebin but it's not cool for sensitive info like config files because even though you can easily forget to delete them when you're done.

Keep sensitive info out of your email & chat logs.

I worked on a new UI over the weekend and pushed it live today. Thanks to Twitter's Bootstrap v2 framework it's cleaner, easier to use, and works great on small (mobile) screens too. Here are a couple comparisons (old vs new):

One of my pet peeves about security is people who advocate for 'strong' passwords. Everyone knows these people; they're the tech support person who tells you your password must have a minimum number of characters that you only use when censoring expletives. Even worse, some of them use a random password generator to assign a password to you that you're unable to change. The argument for this is that if you have a wider range of characters in your password, you have greater entropy and therefore it is harder for your password to be hacked. While there is some truth to that, there are numerous flaws in the logic when using it to determine a good security policy:

We now have a perl client library for our API thanks to Kyle Dawkins. The code is available on Github and CPAN. Here's an example: