Author

Topic: Crosspass - a simple way to share passwords, encryption keys, banking info (Read 451 times)

sr. member
Activity: 980
Merit: 282
Catalog Websites
Quote
I can add to Crosspass an ability to save text into a file, or read from file, instead of relying on the clipboard.  Does that help you? You can work with files and your phone without Internet or LAN, by USB cable or NFC.

Frankly this is a welcome development in the tech space, particularly the Bitcoin space as it has tremendous impart in the way it is niched. I have heard of a network that is used to transact or transfer Bitcoin without the need for internet and this technology was used a few years back when there was a long protest somewhere in Asia, I can't remember the exaact country though. BUt I have not seen it mainstream yet but if it can be a regular tech, available to everyone, that will be great.
sr. member
Activity: 312
Merit: 265
I don't have g00gle play store installed, so I am getting this error when I try to create password and note:

Yes, I have added alerts to handle the case when Google Play services are either not installed, or Play Integrity returns an error.  Even if you install Play Services in the emulator, it won't pass the further checks, since Play Services verifies whether you have a real device (this is called Play Integrity API).


However, I still think you need to have usable option for desktop users...

I found a Python package that works on the Desktop which is similar to Crosspass in concept.  It is called Magic Wormhole and it was created in 2016.

https://github.com/magic-wormhole/magic-wormhole

The fact that it is not widely used is saying something, namely that it is too technical and too real-time.

I also began planning to add a feature to send images, not just text. This is useful if you need to send someone your driving license or a passport photo.
What's the difference from sending image with encrypted email or other encrypted chatting app?

This is a summary of advantages of Crosspass stated earlier, and they apply to images as much as text. The difference is that Crosspass enforces key verification as part of the natural flow, via the PIN which looks just like an OTP familiar to users. All other services rely on public keys being managed by an untrusted party (a server).  This allows the third party to MITM you at will.   The other issue is JavaScript backdoors which become a problem with webmail (ProtonMail), or anything inside a web browser.

Furthermore, if you are sending a driving licence or a passport, most likely the recipient is some clerk in some company. He will not jump through hoops to receive your encrypted image. He will not signup with ProtonMail. And he will not give you his private phone number for Signal or WhatsApp.






legendary
Activity: 2212
Merit: 7064
Update: I have released a new version of Crosspass for Android that fixes many stability issues it had.
I can no longer install and/or update Crosspass on android emulator so you probably fixed that as well.
However, I still think you need to have usable option for desktop users...

EDIT: wait a minute, I just installed Crosspass on emulator again.

I don't have g00gle play store installed, so I am getting this error when I try to create password and note:



I also began planning to add a feature to send images, not just text. This is useful if you need to send someone your driving license or a passport photo.
What's the difference from sending image with encrypted email or other encrypted chatting app?

sr. member
Activity: 312
Merit: 265
One thing I know that Crosspass has bugs currently:
...

Update: I have released a new version of Crosspass for Android that fixes many stability issues it had.

# Oct 9, 2023
- Auto-correction of text when composing notes
- Improved handling of Play Integrity verification
- Fix right-to-left language locale
- Improved handling of no Internet connection
- Bug fixes related to navigation within the app

I have also released an updated version for iOS, which primarily improved the Paste functionality.

I am now handling the case when the sending side has a bad cellular data connection or the sender is offline (e.g. on an airplane flight).

I also began planning to add a feature to send images, not just text. This is useful if you need to send someone your driving license or a passport photo.

If you want to see this take off, you can help by following me on social media:

https://twitter.com/entelecheia_inc
https://www.linkedin.com/company/entelecheia-inc
https://www.facebook.com/crosspassapp
https://www.instagram.com/crosspass.app

The problem is that people do not want to use the encryption. And they also do not need to share passwords, encryption keys and banking info. In the market you can sale only if you have customers.

A sender does not want to use encryption if it puts an out-of-proportion burden on the recipient to learn how to decrypt.  I tried to make Crosspass easy on the recipient. It's on the App Store and Play Store, it's free, and as soon as the app opens the user is asked to type the access code to receive a shared note.

There are already services for sharing passwords and text notes. Most of them are web-based and therefore insecure. But the fact that they exist, shows that there is demand.

privnote.com
onetimesecret.com

Found these guys recently: sharepass.com

If you can send a password, you can send anything, because you can Zip files with AES encryption using 7-zip. No special software is needed on the receiving end to unzip.
It might be nice if you can create a Offline App that can be used to import private keys for paper wallets. Imagine if you can encrypt the private key offline, before you use it and when you go online to import it.. then it quickly decrypt it before you import it. (It does not give the hacker the time to capture and use it, before you use it)  Wink

Many people have malware / Clipboard hacks etc... that collect private keys, when you paste it in text ... and if the hacker is fast enough, he or she can exploit that.... but if the private key are encrypted "offline" and then decrypted just before you use it online to import, it will help you to prevent that exploit.

Do I understand correctly that you want to send your paper wallet key to someone else? Further, is it the case that you don't want you or him to use the clipboard?
Does his wallet software have an ability to import a key from a text file?

I can add to Crosspass an ability to save text into a file, or read from file, instead of relying on the clipboard.  Does that help you? You can work with files and your phone without Internet or LAN, by USB cable or NFC.


legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
It might be nice if you can create a Offline App that can be used to import private keys for paper wallets. Imagine if you can encrypt the private key offline, before you use it and when you go online to import it.. then it quickly decrypt it before you import it.
That's called BIP38 encryption.

Quote
(It does not give the hacker the time to capture and use it, before you use it)  Wink
That's a huge gamble! Chances are "the hacker" is just a piece of automated malware, and chances are it's a lot faster than you are. That is of course what you should assume, and take measures to prevent it. So instead of risking everything by decrypting your private key on an online computer, it's much better to sign the transaction offline and never expose your private key to an online machine.

Quote
Many people have malware / Clipboard hacks etc... that collect private keys, when you paste it in text ... and if the hacker is fast enough, he or she can exploit that.... but if the private key are encrypted "offline" and then decrypted just before you use it online to import, it will help you to prevent that exploit.
You seem to think hacks happen when someone is manually monitoring your computer.
legendary
Activity: 3542
Merit: 1965
Leading Crypto Sports Betting & Casino Platform
It might be nice if you can create a Offline App that can be used to import private keys for paper wallets. Imagine if you can encrypt the private key offline, before you use it and when you go online to import it.. then it quickly decrypt it before you import it. (It does not give the hacker the time to capture and use it, before you use it)  Wink

Many people have malware / Clipboard hacks etc... that collect private keys, when you paste it in text ... and if the hacker is fast enough, he or she can exploit that.... but if the private key are encrypted "offline" and then decrypted just before you use it online to import, it will help you to prevent that exploit.

Good luck with "Crosspass"... once you can get the source code independently verified and you received a "green" light for the trust aspect, then things will change for you.  Wink
member
Activity: 112
Merit: 37
The problem is that people do not want to use the encryption. And they also do not need to share passwords, encryption keys and banking info. In the market you can sale only if you have customers.
sr. member
Activity: 312
Merit: 265
The Crosspass app requires a real device, not a simulator. Here is an excerpt from the white paper that explains the reason,

--snip--

Although the number is very small, people who use custom Android ROM is likely unable to pass such check.

I can make it that if the device does not pass the Play Integrity check, the server will request a CAPTCHA. However, the sender's device still needs to receive Push Notifications and to be online. For an emulator on a desktop this will not be reliable since people shut off their laptops, or laptops go to sleep.

My idea for desktop use of Crosspass is to make a Blitz mode. The whole exchange must take within a few minutes and both the sender and recipient need to be online at the same time.  This will remove the need for Push Notifications and allow to anonymize both sides via VPN.  The same kind of Blitz mode can be made on the phone too. (It is possible to hold an open socket for a brief time, without relying on Push notifications.)
sr. member
Activity: 312
Merit: 265
The Crosspass app requires a real device, not an emulator. Here is an excerpt from the white paper that explains the reason,

Quote
Crosspass verifies device authenticity and throttles accesses by IP address.

The Crosspass API checks Alice’s device authenticity when her device wants to share a new item. For iOS, it relies on the Device Check and App Attest APIs. For Android, it relies on the Play Integrity API.

Verifications are necessary to prevent a sender’s Denial of Service attack on the availability of lookup IDs. (The lookup ID consists of four case-insensitive letters, therefore the maximum number of reserved lookup IDs are less than half a million.) Verifications are also necessary to avoid a recipient’s attack causing too many Push Notifications to senders’ devices.

In future versions of Crosspass, whenever device verification is insufficient to prevent DoS attacks on lookup ID reservation, a CAPTCHA would be shown. This would be limited only to users who have a public IP from which unusually many requests originate.

legendary
Activity: 2212
Merit: 7064
Re bugs, I have now hired a QA. Hopefully we will reproduce this bug and will catch new bugs before users do.  I plan to release an update by Oct 15.
Am I getting any special reward for catching the first bug? Wink
I already replied to message you sent me, so you know situation about no-code review, but I will try to test Crosspass app again on different device when I have more free time.
Cheers.
sr. member
Activity: 312
Merit: 265
Crosspass discussed on Reddit:

https://www.reddit.com/r/crypto/comments/16fntuc/crosspass_a_mobile_app_to_exchange_passwords_and/

Re bugs, I have now hired a QA. Hopefully we will reproduce this bug and will catch new bugs before users do.  I plan to release an update by Oct 15.
legendary
Activity: 2212
Merit: 7064
We are working on the bug found by @dkbit98 to improve error message, so that we can see what actually happened (I suspect it was related to app permissions).
I am glad I was the first one to publicly find a bug without actually doing a code review  Cheesy

Known bugs are likely UI only and have no security implications.
Maybe, but result is that app is currently not usable for me.
Security implications is secondary if you don't have any usability.
sr. member
Activity: 312
Merit: 265
Moreover, the id system that you use is actually not very convincing for people because someone could guess a random id and log into someone's account (even if the attempt fails up to 3 times, this is still vulnerable) and this application is paid which for some people is quite annoying .

Please note that Apple is using the same 4 digit code system to end-to-end encrypt your iCloud data, when it is synched with your phone. It is not using OPAQUE, it is using Secure Remote Password (SRP) protocol which is conceptually just like OPAQUE but has an extra leg of communication and does not have a security proof. I could have used SRP too, but I chose to use the newer OPAQUE which is still in an RFC draft, now in 11th iteration.

See page 35,36 of this document, which describes Apple security in 2014:
https://www.apple.com/mx/privacy/docs/iOS_Security_Guide_Oct_2014.pdf

One thing I know that Crosspass has bugs currently:

- Crosspass is still Beta.
- The iOS version is more stable than the Android version.  
- We are working on the bug found by @dkbit98 to improve error message, so that we can see what actually happened (I suspect it was related to app permissions).
- Known bugs are likely UI only and have no security implications. The protocol encryption itself is implemented in Go and is plugged into both iOS and Android apps as a library.  Doing it this way allows to test the encryption by unit tests, offline and outside the app.

Here's a list of public dependencies from go.mod:

Quote
       filippo.io/edwards25519 v1.0.0 // indirect
        github.com/borisreitman/crypto v1.0.1 // indirect
        github.com/cronokirby/saferith v0.33.0 // indirect
        github.com/mtraver/base91 v1.0.0 // indirect
        github.com/pylls/basket2 v0.0.0-20161221160633-eafbfb819e44 // indirect
        github.com/twystd/tweetnacl-go v0.0.0-20210413205227-681aa97ec383 // indirect
        gitlab.com/yawning/edwards25519-extra.git v0.0.0-20220726154925-def713fd18e4 // indirect
        golang.org/x/crypto v0.0.0-20221012134737-56aed061732a // indirect
        golang.org/x/mobile v0.0.0-20220928052126-fa6bcb076835 // indirect
        golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e // indirect

legendary
Activity: 2212
Merit: 7064
For testing purposes I installed Crosspass app and I was contacted by frisco2 for testing.
He sent me codes but I could not receive anything and all I got was some error message, that was later confirmed by developer.
I wanted to hire my developer friend for doing a review of Crosspass, but he is not so good with Swift and Kotlin.

One thing I know that Crosspass has bugs currently:

full member
Activity: 868
Merit: 202
what your application offers is actually simple, namely offering an easy and secure way to share passwords, but in line with what other users have said, most people are more interested in using popular applications such as protonmail or whatsapp which use an encryption system and have trusted for a long time to send their sensitive texts.

moreover, the id system that you use is actually not very convincing for people because someone could guess a random id and log into someone's account (even if the attempt fails up to 3 times, this is still vulnerable) and this application is paid which for some people is quite annoying .

but even so, what you build needs to be appreciated. starting from the design, whitepaper, and faq, you explained it well. maybe if you improve the quality of the system there will be more people who trust to use your application.
sr. member
Activity: 312
Merit: 265
Most notably the fact that it is a black box for the user what happens under the hood. Too much trust required. For me to ever consider something like this, it would have to be open source.

If I wanted to share private information, I would likely use OnionShare which is open source and rather easy to use.

If you want an open source tool, then you can use this free Diffie-Hellman exchange tool I made three years ago. It is a webpage that can be run locally as `file://`,  thereby protecting from Javascript backdoors. Simply use "Save As (Webpage, Complete)" in the browser and save it. It's designed to be run locally.  The code is simple to review fully, since it merely wraps browser's native libraries.

https://borisreitman.com/privacy.html

I have made Crosspass because as simple as that tool is, it is still too difficult for non-techies.
legendary
Activity: 2018
Merit: 1108
I am going to agree with LoyceV that there are too many potential issues to consider using it.

Most notably the fact that it is a black box for the user what happens under the hood. Too much trust required. For me to ever consider something like this, it would have to be open source.

If I wanted to share private information, I would likely use OnionShare which is open source and rather easy to use.

Your service does seem simple to use. The requirement to download an app is slightly annoying. Having the secret expire after 3 incorrect attempts seems like enough for sharing secrets that are not super sensitive. Expiring the secret after it has been viewed is another good thing. Setting asides problems that I have with it personally, someone might find it useful although I would still warn anyone to trust their secrets with a third-party.
sr. member
Activity: 312
Merit: 265
That's different than what you said on your website:
Quote
note that the Lookup ID is not secret, so you can make it public without any loss of privacy.
This makes it look like you can post the Lookup ID on social media, while it's something to be kept a secret.


By "public" I meant an insecure channel, i.e. a private exchange which someone determined enough could eavesdrop on. However, I am not suggesting tweeting the lookup ID on Twitter. If it were tweeted, then some jerk could try to access it with 3 invalid PINs and lock the note.

The Crosspass server knows the lookup ID, since it issued it. From the cryptographic theoretical perspective it is not private because there is at least one third party which knows it.

LoyceV, thank you for raising this. I now have updated the website with a clearer explanation to the question "Do I need to send the PIN by another channel?"  This is the new copy,

Quote

You can send both the Lookup ID and PIN together. However, if you are communicating over an insecure channel and you need to refer to the share, you can refer to it by the Lookup ID.

For example, Alice writes in an email to her cat sitter Bob:

Quote
Hey Bob,

Thanks again for agreeing to feed my cat Luna. You are a lifesaver!

I am sending you the WiFi password in note XYZC, and the gate code in note QCTY.
You will need to use the Crosspass app to get them. Text me when you are at the gate.

Feel free to hang out at my place, Luna could use the company.

Hugs,
Alice

Then, once he arrives at the gate and texts her,

Quote
I am at the gate and I have Crosspass. What’s the PIN?

She texts him,

Quote
XYZC 1935
QCTY 0382
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
The problem is still the same: there will be a 3 in a million chance for someone to find the private key I sent. That's an unacceptable risk.
Not just any someone, it would have to be someone who is a MITM. Otherwise, you will know the key was stolen if your friend has not received it. Crosspass will release the shared secret only once, and expire the PIN.
That's different than what you said on your website:
Quote
note that the Lookup ID is not secret, so you can make it public without any loss of privacy.
This makes it look like you can post the Lookup ID on social media, while it's something to be kept a secret.
sr. member
Activity: 312
Merit: 265
Again: I'd much rather trust Protonmail than installing unknown software. If Protonmail ever compromises their core principles, they won't survive.

Lavamail chose to shutdown instead of fooling its users and being silent under a gag order. It was a USA corporation. Can't this happen in Switzerland? I think it can, because USA forced Swiss banks to close American accounts and to reveal all account activity to American authorities.

Also, as much as I value privacy, I value and respect the judicial system. The reason? Civilized society is setup to protect private property and privacy, at least in principle. So if police wants data on someone and they come to me with a court order, it is my principle to respect the law and to comply with the request.  However, if I simply can't help because of the way the protocol is implemented, I do well by both the law and by privacy of clients.  In contrast, Protonmail, Signal, WhatsApp, et. al. could MITM any user by issuing rogue public keys. Crosspass is safer because in order for the Crosspass server operator to MITM a client, he would have to guess the PIN, which is as hard as guessing 11 coin flips.

Quote
Quote
Guessing 3 out of 10,000 is like 1 out of 3333, and that's harder than guessing a sequence of 11 flips of a coin. It's good enough for a bank apparently.
The difference is that a bank also requires a piece of hardware to go with the PIN. If the Lookup ID is public, that's like handing out your bank card to random strangers to try their luck.

What's the difference, if in total only three attempts are permitted? Does it matter which three people use up these attempts? The bank is happy with a 4 digits PIN because it can limit the number of attempts.  Long passwords are needed only when a brute force attack cannot be prevented (when password hashes are leaked).  

Crosspass is relying on the OTP model for authentication. In common usage OTPs are short and yet they unlock a person's account. Why is this safe? The time limit on the OTPs prevents theft through shoulder surfing or internet traffic harvesting.  The limit on tries prevents brute forcing. (You can achieve the former with Crosspass by deleting a share after 5 minutes.)

Quote
If you've installed malware, it's safe to assume it's still there after you try to delete it. That's why I don't like installing unknown software outside a controlled environment (such as a VM or spare laptop). I've setup my spare laptop to wipe and reinstall it in minutes, and I use this when dealing with untrusted Forkcoin wallets. I can't do that on my phone, and even spare phones are less easy to properly wipe and use again.

I understand this, but the person to whom your are sending sensitive stuff (or receiving from) most likely will not. It takes two to tango. If the recipient is a busy accountant, realtor, or a doctor, he will not do all this work. So if we are to have any adoption of secure practices, we need to package it in a form-factor he will use without friction.

The other issue is: are you willing to keep your laptop online until you establish a shared key by Diffie-Hellman? The choice to put Crosspass on a smartphone was made because it is always online, like a personal server in a pocket. Twenty years ago people kept their desktops online, serving a website from it. With the prevalence of laptops this ended while computers which are always online had moved to the cloud.

Quote
The problem is still the same: there will be a 3 in a million chance for someone to find the private key I sent. That's an unacceptable risk.
  • Not just any someone, it would have to be someone who is a MITM. Otherwise, you will know the key was stolen if your friend has not received it. Crosspass will release the shared secret only once, and expire the PIN.
  • Then send a public key, not a private key: establish a private key by Diffie-Hellman (DH) and verify the public keys by Crosspass to ensure that there was no MITM in the Diffie-Hellman exchange. (You can do this in practice with the Signal app by sending Signal's Safety Numbers by Crosspass.)  

    In any case, if you do transfer a private key by Crosspass and it is used to initialize a Signal protocol chat, then one chat round (e.g. "Hello Alice" and "Hello Bob") are sufficient to establish a new Diffie-Hellman key, essentially using the original private key only for authentication.


Quote
I've never used Google's app payment system, and I never will. Again, I guess I'm not the average user here, but I refuse to pay for small pieces of software on a small screen when I have complete open source operating systems with loads of software at my disposal free of charge.

Crosspass one day will be a free of charge CLI which you can install with Apt or Brew, from source. That will cover the cool cats, but what about the laymen they have to deal with? As mentioned above, most other people who receive or send stuff to you will not be able to use it in this form.

End-to-end encryption was almost non-existent in adoption until WhatsApp. In order to make encryption habitual, it must be put into a form that everyone can use. This was my design goal with Crosspass.

P.S. If you want to support Crosspass, please give some love to @entelecheia_inc Twitter account which I just created.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
End-to-end encryption in web browser is not possible. Protonmail, Hushmail etc. are subject to Javascript backdoors.
Still, I trust Protonmail's reputation and transparency.

Apple and Google do not allow this for mobile apps. They also don't allow cheating (i.e. charging off the app and then using some kind of coupons).  But if they will eventually add a feature to pay for in-app purchase by crypto, then you will be able to.
I've never used Google's app payment system, and I never will. Again, I guess I'm not the average user here, but I refuse to pay for small pieces of software on a small screen when I have complete open source operating systems with loads of software at my disposal free of charge.
sr. member
Activity: 312
Merit: 265
Quote
Can we pay this $1 with Bitcoin or only with fiat currencies?

Apple and Google do not allow this for mobile apps. They also don't allow cheating (i.e. charging off the app and then using some kind of coupons).  But if they will eventually add a feature to pay for in-app purchase by crypto, then you will be able to.

This won't be an issue when Crosspass is released as a desktop app, and in this case it would accept directly a crypto payment.
Quote
If I had to receive Bitcoin address from someone and this guy told me that first I have to install new app on my phone, I would immediately think that this guy is a scammer.
I have seen way to many real life cases of people getting scammed like this with fake apps, so I would probably refuse to install anything.

This happens rarely in iOS and with time Play store will up its game.

Quote
There is a chance I would use something like this if Crosspass was integrated in some messenger used for private conversation.

Yes, I am also exploring this direction. But the standalone app will continue to exist in any case.

Quote
Is Crosspass using any servers, and what would happen if app or servers are down?

Crosspass client is talking to a Crosspass server. The job of the server is:
 
- to send out Push Notifications to wake up phones so that they resume talking with the server.
- to reserve lookup IDs
- to prevent someone triggering too many Push Notification to the same phone.

If the server is down, the tunnel won't be established between the sender and recipient, so notes won't be able to be retrieved while it is down.

I am prepared to move to serverless infrastructure as soon as I observe any scalability issues.  Currently, an MQTT handler is being integrated into the mobile apps. This allows to decouple everything and go serverless without the need for users to update their apps. (Note: "serverless" still is a "server," but the server is e.g. all of AWS.)

Let's see what happens if the mobile app of the sender is down. Because the exchange is peer-to-peer (with the server acting to establish a tunnel), the protocol fails if the sender's device doesn't respond to a Push Notification or if Push Notification takes too long to arrive. Normally it arrives within 2 seconds, but I have observed a 30 minute delay on rare occasions. The currently published version of the app will just show an error to the recipient upon a timeout of 30 seconds. However, I am making a UX improvement now for this rare case. The recipient's phone will place the request on hold and resume normal operation. When the sender's phone comes back to life, the server will send Push Notification to the recipient's side to resume the protocol.
legendary
Activity: 2212
Merit: 7064
The second. You only pay once a $1 for lifetime use. This way the app is free to receive and removes a potential friction on the recipient's side.
Can we pay this $1 with Bitcoin or only with fiat currencies?

Every time you post your bitcoin address, or email it, mass surveillance associates it with you and records how much money you have received. That's why ZCash went to so much trouble to hide the identity of the sender of crypto. By sharing a Bitcoin address via Crosspass, you become essentially anonymous. Watch a 5 minute Doodly video: https://www.youtube.com/watch?v=NK-P_g6gKlI
Sorry but I don't like anything about Zcash  Tongue
If I had to receive Bitcoin address from someone and this guy told me that first I have to install new app on my phone, I would immediately think that this guy is a scammer.
I have seen way to many real life cases of people getting scammed like this with fake apps, so I would probably refuse to install anything.
There is a chance I would use something like this if Crosspass was integrated in some messenger used for private conversation.

Anyway, for testing purposes I installed Crosspass to see how everything works.
Is Crosspass using any servers, and what would happen if app or servers are down?
sr. member
Activity: 312
Merit: 265
I was hoping the site itself would be enough, but it asks me to install software on my phone.

End-to-end encryption in web browser is not possible. Protonmail, Hushmail etc. are subject to Javascript backdoors. Hushmail actually backdoored itself and documented it. https://www.wired.com/2007/11/hushmail-to-war/


This is a lot more complicated than using Protonmail to send an password to another Protonmail user. Protonmail uses end-to-end encryption by default without sending codes and passwords, and can also set an expiration time.

Besides the web issue, the same critique I have in the FAQ on WhatsApp applies to Protonmail. You have to trust the public key that Protonmail gives you for the recipient, and so it can easily position itself as a MITM.  That, unless you check key fingerprints against the recipient's. But if you have to do this, it is no longer an easy process. (How would you check them? You would need something like Crosspass for that.)

Quote
..
If I really, really have to share something encrypted online, I'd prefer Protonmail.
...
If someone tells me to install an app to receive a code, I'll tell them to use something else. I don't even install apps from my bank.

Yet, you would expect the recipient to sign up with Protonmail? I think that a recipient is more likely to install an app than create an account online somewhere. He knows that he can easily delete it as soon as he is done using it. Also, you would need to wait for the recipient to sign up with Protonmail before you can compose a message to him.

Quote
So if someone knows your Lookup ID, there's a 3 in 10,000 chance they can read your message. I wouldn't trust that for sending a credit card number, and it's much worse when dealing with Bitcoin private keys.

Guessing 3 out of 10,000 is like 1 out of 3333, and that's harder than guessing a sequence of 11 flips of a coin. It's good enough for a bank apparently. I could have made the PIN 6 digits long and it would still be user friendly because OTPs now are commonly a pair of 3 digits. But I am not convinced it's necessary.  (If there is real demand for a six digit PIN, I could incorporate it as a future feature.)

Quote
If it's not going to be open source, you can always add a backdoor later.

Every version will be reviewed just before it's published to the App store and Play store. There would not be a need to review everything from scratch, just need to review the changes to source code since previous release.

Crosspass does not compete with WhatsApp, Signal, Telegram Secure Chat or Protonmail, Hushmail.  Keep using those systems whenever convenient, but use Crosspass to verify the public keys in order to secure those systems.

legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
See crosspass.app for details.
Tor: "Unable to connect". I had to try a few new Tor circuits before it loaded. I was hoping the site itself would be enough, but it asks me to install software on my phone. I'm not going to do that, basic OPSEC is installing as few apps as possible.

I can tell you when I needed to do that,
- sharing an online wallet at blockchain.info with a business partner, for arbitrage
Web wallets are not recommended, and sharing a wallet at least doubles the risk of losing your funds.

I can let you review the source code, provided you report back in this thread that here are no intentional backdoors or data leaks.  In fact, I will pay $200 each to the first three people of Legendary status who would review the code.
If it's not going to be open source, you can always add a backdoor later.
The second. You only pay once a $1 for lifetime use. This way the app is free to receive and removes a potential friction on the recipient's side.
There's a problem with this: if someone tells me to install an app to receive a code, I'll tell them to use something else. I don't even install apps from my bank.



From my perspective, I don't see a reason to use this. But then again, I'm not the average user so maybe there's a market for it.
sr. member
Activity: 312
Merit: 265
I know you'll tell me it's safe and that it's "encrypted end to end" But how can I be confident that the program does not store passwords and encryption keys and keep them in the database after sharing them?

As you know there was a major incident related to this particular point and sensitive user data was seized due to it being saved and not deleted.

I have just open-sourced the code that deals with persistence of data locally on the phone. All sensitive data is stored in encrypted form. The encryption key never leaves the device because it is stored in Secure Enclave.  This is necessary so that the data doesn't leak through iOS / Android recovery backups.

https://github.com/entelecheia-inc/ios-excerpts
https://github.com/entelecheia-inc/android-excerpts

Of course these excerpts do not guarantee that I call these functions consistently, but it will give you an indication of what is going on.

Also, I blank the screen when the app is swiped so that displayed text doesn't leak via screenshot grabbed by the OS.

About deleting data: when note is transferred from sender to recipient, then the sender deletes records in local database on the device. (First dictionary value is set to empty string, then the dictionary key is deleted).  On the recipient's phone data remains for one day, then gets deleted.

When the app starts up it deletes all records older than 2 weeks.  On the server, any stored state older than 2 weeks is deleted.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
I really don't understand how Crosspass is related with Bitcoin  Roll Eyes

I see that the patent for Crosspass lists a figure at the end which can conceivably be used to generate detatched bitcoin addresses. But it reminds me of the Silent Payments idea. But in any case, I think the main use for this is to be sharing passwords in an easy way.

Although doing that using the internet is kind of an exclamation mark because of all the snooping middlemen such as the NSA tapping fiber optic overseas cables and ISPs and so on. I would think it would be much safer for two devices to share it over a private LAN.



I can let you review the source code, provided you report back in this thread that here are no intentional backdoors or data leaks.  In fact, I will pay $200 each to the first three people of Legendary status who would review the code.

Sign me up. I read your whole patent and it looks neat. Smiley
legendary
Activity: 1848
Merit: 1982
Payment Gateway Allows Recurring Payments
One's finances should be private.

Every time you post your bitcoin address, or email it, mass surveillance associates it with you and records how much money you have received. That's why ZCash went to so much trouble to hide the identity of the sender of crypto.
Yes, I liked the idea of hiding the Bitcoin address. In this way, privacy can be increased by sending the Bitcoin address out of sight.

But the thing I didn't like about sharing the password or encryption key, I know you'll tell me it's safe and that it's "encrypted end to end" But how can I be confident that the program does not store passwords and encryption keys and keep them in the database after sharing them?

As you know there was a major incident related to this particular point and sensitive user data was seized due to it being saved and not deleted.
sr. member
Activity: 312
Merit: 265
 Another thing, would I have to pay $1 each time I send something (after I spend my three free sends), or this is $1 paid for lifetime use?

The second. You only pay once a $1 for lifetime use. This way the app is free to receive and removes a potential friction on the recipient's side.

...having Crosspass app as closed source and not really knowing what is happening under the hood... this is not exactly my cup of tea.

I can let you review the source code, provided you report back in this thread that here are no intentional backdoors or data leaks.  In fact, I will pay $200 each to the first three people of Legendary status who would review the code.

Also, (a) I will have it reviewed by a reputable pen-testing company, and (b) I will open source Crosspass once it gains enough installs to have market advantage over any clone.

 I really don't understand how Crosspass is related with Bitcoin  Roll Eyes

One's finances should be private.

Every time you post your bitcoin address, or email it, mass surveillance associates it with you and records how much money you have received. That's why ZCash went to so much trouble to hide the identity of the sender of crypto. By sharing a Bitcoin address via Crosspass, you become essentially anonymous. Watch a 5 minute Doodly video: https://www.youtube.com/watch?v=NK-P_g6gKlI
legendary
Activity: 2212
Merit: 7064
I've made a new app called Crosspass that makes end-to-end encryption for dummies.  It is better than Signal et al. because it forces users to authenticate (keys) via a natural flow.
I understand why someone would use this, but having Crosspass app as closed source and not really knowing what is happening under the hood... this is not exactly my cup of tea.

Another thing, would I have to pay $1 each time I send something (after I spend my three free sends), or this is $1 paid for lifetime use?

PS
I really don't understand how Crosspass is related with Bitcoin  Roll Eyes
sr. member
Activity: 312
Merit: 265
Why would I want to share passwords and bank info?

I can tell you when I needed to do that,

- receiving wires to my bank account
- sharing an online wallet at blockchain.info with a business partner, for arbitrage
- sharing an encrypted Cryptomator cloud drive with a business partner
- giving Netflix password to my mom
- encrypting ZIP file with AES and sending the ZIP by Dropbox, while password by another method
- obtaining the password to an encrypted hard drive which was mailed after it was recovered by recovery service

However, the "password" here is a euphemism for an encryption key. If I were to call the app "Transfer Encryption Key" it would suffer the same fate as PGP and Keybase. No one knows what is a key or a fingerprint, but everyone knows what is a password and understands that it requires privacy and care.

“What's in a name? That which we call a rose by any other name would smell just as sweet.” -- Shakespeare
hero member
Activity: 1659
Merit: 687
LoyceV on the road. Or couch.
Why would I want to share passwords and bank info?

I'll check out your site when I'm on my laptop again.
sr. member
Activity: 312
Merit: 265
Finally Johnny can encrypt!  

I've made a new app called Crosspass that makes end-to-end encryption for dummies.  It is better than Signal et al. because it forces users to authenticate (keys) via a natural flow.

- Based on a US patent which I have received this summer.
- Available on the App Store and Play Store.

See crosspass.app for details.

I would like to hire influencers in crypto space to blog about this.  Please PM me if you are one of them.



Jump to: