I just launched secure.shrib.com, a new iteration of the secure alternative to shrib.com. shrib.com is used by millions of people around the world. The following is an invitation behind the scenes.
Historic Background
I have been running the online note-taking app shrib.com for many years. At first, it was a purely personal tool. One of my day jobs at the time involved working on lots of different devices, and I wanted a bare-bones text pad that I could access without any advanced technology or login.
By now, millions of internet citizens have been using the site. We (me and my millions of users) are taking personal notes, sharing texts, collaborating to edit an article, organizing a party, keeping our to-do lists, collecting code snippets, saving links, or doing our research with shrib.com.
While not having to log in and still being able to access the notes on any connected device is a very convenient thing, it has an important drawback. Some people are not aware of the fact that all notes on the plain shrib.com are accessible for anyone.
Early Encryption Feature
Hence, the original shrib.com seamlessly integrated a highly secure, client-side encryption feature. This means that a user could encrypt her notes with the click of a button, and no one on earth could read her note without her password – not me, not the NSA, no one else.
I was pretty proud of it. I had used the robust and open-source «Javascrypt» library by John Walker. I tweaked it just a bit to fit into the context of shrib.com, and I made it blend into the overall shrib.com user interface seamlessly. For example, I thought that «encryption» was too intimidating for normal users, and used «locking» instead (with the result that people did not realize that this was rock-hard AES encryption).
In fact, so seamless that hardly anyone noticed. As shrib.com started to evolve, I always adapted the encryption feature to fit the new situation. I spent countless hours dragging that feature along. This means: if I implemented a new shrib.com feature in 2 hours, it may have taken another 4 hours just to adapt the encryption (or «locking») mechanism.
One day, I ran some statistics on my database, and realized less than 3% of my users even used encryption at all. Duh!
Fanning Out
It took me many years to draw the right conclusion: fan out to a special edition of shrib.com. Just for those who really care about privacy. First, I just separated all encryption vs. plain text features and created i.shrib.com. I could finally remove the entire encryption mechanism from the main shrib.com site.
Now, shrib.com is much leaner, new features can be implemented much more rapidly, and a lot of code could be cleaned out.
At the same time, now the privacy features can be tailored much more to the few – but still many – users who actually appreciate privacy online.
Redefining Secure Online Notes
So I started thinking hard about what I would like. Here are my requirements:
- Simple, plain text – and fast. I want no rich text formatting, no long load times for lots of Javascript and CSS.
- No login. I don’t want to have to remember yet another login pair – or save yet another one to a password safe I depend on.
- Client-side encryption. I want no plain text to get out of my browser window. No plain text in the air, on the wire, or on the server.
- A standard, open-source, peer-reviewed encryption algorithm without any customizations.
- A way to make it a lot harder for an attacker to even get to the encrypted version of my note. Think two-factor authentication (or three, or many…).
The Result
I am happy to have released a first iteration of secure.shrib.com. Here is how it meets the requirements:
- Simple, plain text – and fast. The interface is kept super simple. I have learned that people who really appreciate actual privacy also appreciate straight, simple, and no-nonsense interfaces.
- No login. Not only does secure.shrib.com not need you to log in: there is no cookie, no «local storage», and no tracking whatsoever. No jQuery, no Google Analytics, no third-party scripts or resources.
- Client-side encryption. Your notes on secure.shrib.com are only in plain text in your device’s memory as you work on them. As soon as you perform any other action, they are encrypted inside your browser. In order to make it harder for an attacker to tamper with the encryption code on its way to your browser, everything is served over SSL («https»).
- A standard, open-source, peer-reviewed encryption algorithm without any customizations. As opposed to the «customized» version of Javascrypt that I used before, I have now switched to the well-known, trusted, and tested Stanford Library. And no customization. If you look at secure.shrib.com’s source, you will see the original sjcl.js is included without changes. The industry-standard AES algorithm at 256 bits is used.
- A way to make it a lot harder for an attacker to even get to the encrypted version of my note. If you are willing to sacrifice convenience for added layers of protection, you can require email or phone verification for your note. This means that every time you want to access your note, you will have to receive and confirm a token sent to either your email address or your phone – or both.
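The client-side encryption described in the list above, as an added sketch that is not secure.shrib.com's code: it uses Node's built-in crypto module in place of SJCL so it runs offline, and the function names, envelope fields, AES-256-GCM mode and PBKDF2 settings are all assumptions. Only the envelope string would ever leave the client, and a wrong password or a modified envelope yields nothing.

```javascript
// Added example, not secure.shrib.com's code. Node's built-in crypto module
// stands in for SJCL; names, envelope layout and parameters are assumptions.
const { randomBytes, pbkdf2Sync, createCipheriv, createDecipheriv } = require('node:crypto');

const KDF_ITERATIONS = 600000; // assumed PBKDF2-HMAC-SHA256 work factor

// Stretch the password into a 32-byte (256-bit) AES key.
function deriveKey(password, salt) {
  return pbkdf2Sync(password, salt, KDF_ITERATIONS, 32, 'sha256');
}

// Runs on the client. The returned envelope is the only thing uploaded;
// the password and the plaintext never leave this function.
function lockNote(password, plaintext) {
  const salt = randomBytes(16); // fresh per save, so equal notes differ
  const iv = randomBytes(12);   // 96-bit GCM nonce, never reused with a key
  const cipher = createCipheriv('aes-256-gcm', deriveKey(password, salt), iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return JSON.stringify({
    v: 1,
    salt: salt.toString('base64'),
    iv: iv.toString('base64'),
    ct: ct.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
  });
}

// Runs on the client after download. Returns the note, or null when the
// password is wrong or the stored envelope was modified.
function unlockNote(password, envelope) {
  const e = JSON.parse(envelope);
  const b = (s) => Buffer.from(s, 'base64');
  const decipher = createDecipheriv('aes-256-gcm', deriveKey(password, b(e.salt)), b(e.iv));
  decipher.setAuthTag(b(e.tag));
  try {
    return Buffer.concat([decipher.update(b(e.ct)), decipher.final()]).toString('utf8');
  } catch {
    return null; // GCM authentication failed: nothing is released
  }
}
```

Because the key exists only while the password is typed, the server side has nothing from which a forgotten password could be recovered.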
The tool is online, and I look forward to your response!
Doing god’s work
Been using it for a while now, really appreciate the no bs approach.
How do I change password?
Tap on the «Change Password» button, enter a new password, and tap «Set New Password».
Thank you for creating this tool. I love it.
Just felt it appropriate to stop in and say thank you for putting together and maintaining this site. I used to try and manage folder upon folder of bloated or underperforming password managing apps along with scattered .txt files that had gone rogue and hidden themselves around my devices before finding this service. I’ve since freed myself of the stress and mess of my old ways, and it only required memorizing 1 short & simple URL and 1 password. Thanks a bunch!
Thanks a lot for your feedback! I will improve the presentation on the home page so more people grasp the power of the extended locking mechanisms through email («two factor authentication») and even mobile phone («three factor authentication»).
«Your session has expired. The note below was saved one last time.»
What does this mean?
Thanks for reaching out!
This is part of an advanced security measure that obviously cannot be detailed here.
From the user perspective, it simply means you will have to log back in to continue updating your secure note.
If you encounter problems, please use the support page.
Hi Luzi,
I have come across your site today and I have spent a few hours navigating it. I truly loved it. I love the security side with the AES encryption.
One drawback in my view is that the pad is not long enough and there is no option to expand it for the benefit of users who may need it for a large document, that being my case. Otherwise you have done a tremendous job and I personally thank you for that.
Regards,
Michael
Thanks Michael for your feedback!
Actually, there’s a special treat for you: the text area can be resized horizontally with an optional «w» parameter – for «width».
Add «&w=[number of pixels]» to your note’s web address (URL) and watch what happens! If you bookmark your note, just bookmark it with the w-parameter. Remember secure.shrib.com doesn’t use cookies…
Example: if your note were MichaelSecret, then the wide variant (1000 pixels) of your note would be https://secure.shrib.com/MichaelSecret?w=1000
Vertically, you can use the handle in the lower right corner in most browsers.
Let me know what you think!
Thanks for asking, and cheers,
Luzi.
A very amazing and well-thought-out service. I hope this stays around forever because it’s so useful. I love everything you described in this blog post.
I agree with Michael that the width is way too narrow for today’s screen resolutions. It was the first thing that I noticed how the textbox was too narrow and it was almost unusable that way. So it’s good that there is the ?w= url option to set a custom width. But I think it should be by default at least 800-1000. I think the small size you have now will be hard for a lot of people. I can speak for myself that I had the same problem as Michael. So I’m glad someone else noticed that because now I’m not the only one. So other than the default width, everything is really amazing. Thanks for creating this.
Thanks Goody
Actually, I added yet another «height» parameter to make it even more customizable: you can go to secure.shrib.com/GoodySecret?w=1000&h=700 to get a text area 1000 pixels wide and 700 pixels tall.
Cool. That height option could be useful. Thanks for adding it. Although for me the height is a non-issue. The width is the most important one so I’m glad the option for that is available. Many thanks.
Hi Luzi,
I seem to forget the email and phone number used for my secure shrib note. Is there a way to recover them?
Thanks Charles
I am afraid this is the exact point of secure.shrib.com – none of the credentials (or «locks») on your note can ever be «recovered». Otherwise, anyone else could find ways to get around your locks way more easily.
If you do want a secure note, make sure you know what you lock it with. Otherwise, I recommend you use shrib.com or shrib.co instead.
If you were a security expert, I may assume you are testing me — test completed successfully, I guess… 😉
Best regards,
Luzi.
Thank you Luzi. It is not a test. I actually forgot my credentials. Since I moved from i.shrib.com to secure.shrib.com, I’m still having some of the notes but it is not up-to-date. This kind of thing happens when I use different email accounts and phone numbers for my online activities. I will try some combination and see if I’m going to get lucky.
Good luck!
Very good tool. Easy and no-nonsense interface.
Thank you very much Luzi.
Thanks, I was so sick of random people somehow finding my notes and locking me out of them! I like the shrib.com design better, but it looks like I have no choice.
Thank you for your feedback!
As for the design: the offer is on: bring on your suggestion! I’ll be glad to improve the design!