Our birthday week was the perfect time for a hackathon with Whitesmith's family. Four teams had 24h to launch something new!
Gonçalo had the idea, and Beatriz, Ricardo and I joined him to develop Hawkpost, a simple and secure way to share secrets.
How many times did you send or receive a password through email? Or through social media? Chat maybe? Probably more times than you wanted, right?
Sending passwords through these types of channels is not safe: if a password falls into the wrong hands, it can be used to access your personal info, photos or anything else you use that password for.
The right way to do this is to encrypt the password before sharing so that only the intended recipient can see it. However, encrypting text is not trivial for non-technical people.
At Whitesmith, some of our clients, and even some of our team members, struggle to share confidential information in a safe way. Some of us know how to encrypt information or use programs to share passwords safely. However, that's not as easy as it looks, and it adds lots of friction to everyone's work. This was the motivation for developing Hawkpost!
Hawkpost is the place where anyone can easily and securely submit sensitive information to you. How? Easy:
- Register your PGP key;
- Generate a unique link to receive the confidential information;
- Share the link with the person who wants to send you that information, who just has to enter it in a web form;
- Receive the information in an encrypted and safe way in your e-mail.
This is one of the easiest ways to securely receive sensitive information from people who don't know how to use encryption tools. They don't even need to install anything!
You share the link you created, and the person who receives it just needs to submit the information. Then, with your PGP key, you will be able to read the submitted information.
How we do it
To achieve our purpose, we knew we had to remove the major pain points non-tech-savvy users face when they try to secure their content: dealing with unfriendly encryption tools and mastering the concepts of public key cryptography.
With Hawkpost, you no longer have to teach the sender how to do it. When someone visits the unique link you created and shared, Hawkpost uses a cool library called OpenPGP.js. In the background, before any information leaves the user's computer, the content goes through the standard PGP encryption protocol and is sealed in the user's browser. All this without requiring the installation of any software.
After this step, the user is free to go. The hawk packages everything up and forwards it to your email, never knowing or storing anywhere the data that the user just submitted.
To avoid confusing the user with technicalities such as checking for expired and revoked keys, Hawkpost handles that as well: when a given key is invalid, it disables all boxes so that compromised keys are not used, and alerts the owner that they need to update their public key.
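The flow described in this section, as an added example that is not Hawkpost's code: the secret is sealed against the recipient's public key before submission, and a box whose key is expired or revoked refuses input. It assumes Node's built-in crypto (RSA-OAEP wrapping an AES-256-GCM session key) as a stand-in for OpenPGP.js, with expiry and revocation kept as plain fields instead of being read from a PGP key; all function names are hypothetical.

```javascript
// Added example, not Hawkpost's code. Node's crypto (RSA-OAEP + AES-256-GCM)
// stands in for OpenPGP.js; every function name here is hypothetical.
const nodeCrypto = require('crypto');
const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// A box ties the recipient's public key to its expiry and revocation state (assumed fields).
function makeBox(publicKeyPem, expiresAt, revoked = false) {
  return { publicKeyPem, expiresAt, revoked };
}

// An expired or revoked key disables the box.
function boxIsUsable(box, now = new Date()) {
  return !box.revoked && now < box.expiresAt;
}

// Sender side: seal the secret before anything is submitted.
function seal(box, plaintext, now = new Date()) {
  if (!boxIsUsable(box, now)) throw new Error('box disabled: key expired or revoked');
  const sessionKey = nodeCrypto.randomBytes(32);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', sessionKey, iv);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const wrappedKey = nodeCrypto.publicEncrypt({ key: box.publicKeyPem, ...OAEP }, sessionKey);
  // Only these fields are submitted; the relaying server cannot read them.
  return { wrappedKey, iv, tag: cipher.getAuthTag(), body };
}

// Recipient side: unwrap the session key, then decrypt and authenticate the body.
function unseal(privateKeyPem, msg) {
  const sessionKey = nodeCrypto.privateDecrypt({ key: privateKeyPem, ...OAEP }, msg.wrappedKey);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', sessionKey, msg.iv);
  decipher.setAuthTag(msg.tag);
  return Buffer.concat([decipher.update(msg.body), decipher.final()]).toString('utf8');
}

// Constructed sample data: a throwaway key pair and a made-up secret.
function demo() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
  });
  const box = makeBox(publicKey, new Date(Date.now() + 24 * 3600 * 1000));
  const sealed = seal(box, 'db-password: example-only');
  return { box, privateKey, sealed, opened: unseal(privateKey, sealed) };
}
```

Because the body is authenticated with GCM, a relay that alters the ciphertext causes `unseal` to throw instead of returning modified text.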
Where it falls short
Of course, this doesn't solve every problem, nor does it work for every situation. One of the drawbacks is that the receiving end must already know how to use PGP. Even though Thunderbird (Enigmail), Evolution and Mailvelope automatically decrypt the content sent through Hawkpost, there must be an initial setup. The tool was created with one use case in mind: "How can I get those keys securely if the other end doesn't know how to encrypt them?".
We know the other way is also important, but we are tackling this problem first.
In the hackathon, we developed a really simple version (with no design) just to test the service. We shared it in different communities to understand the strengths and the weaknesses of our idea. The feedback we received allowed us to improve some features and create new ones.
So, what are we preparing for the next weeks?
Over the next week we are preparing some changes to the UX/UI, since you deserve a more attractive page, right? We will improve the copy and the content, adding some information about PGP and why this is a safer way of sharing information.
Regarding features, here is what will be new:
- You can choose if the box will accept just one submission or an arbitrary number of them;
- The expiration date will also be according to your timezone;
- Users will receive email and announcements.
We also have other ideas planned, like multiple recipients and the ability to submit files (we will give more news about these features later).
If you have other ideas, join us and help us improve Hawkpost. The project is open-source, meaning you are free to fork it and deploy it on your own server. We would also appreciate having your feedback, so don't be shy and tweet @whitesmithco!
UPDATE 19th October:
We are no longer a hackathon project: we have a new design and have implemented the features that we mentioned above. Check it out!
Please share your feedback with us through GitHub and Twitter @whitesmithco.