Show a confirmation dialog before revealing the secret message in a one-click link #2154

Open
smokris opened this issue Feb 16, 2024 · 2 comments

smokris commented Feb 16, 2024

When we enable "One-time download" and send a Yopass "One-click link" by email, sometimes the recipient sees "Secret does not exist" instead of the actual secret message.

I believe this is because the recipient is using an email service that automatically visits all links in the email to scan them for malware — when the email service automatically visits the Yopass one-click link, it causes the secret to self-destruct before the recipient can actually see it.

To work around this, when viewing a one-click link, Yopass could show an in-page confirmation dialog before revealing (and self-destructing) the secret message:

one-click-confirmation

Show the secret message now?

The secret message will be automatically deleted after you view it, so make sure you're ready to use its content.

[Show the message] [Not yet]

@ethrgeist

I second this, GET should not be destructive, so there should be a kind of confirmation to prevent issues with preview fetchers, link checkers in mails and such.

Snappass does it similarly: https://github.com/pinterest/snappass

I like the file upload and separated decryption key features, but I'll stick with snappass for now, because I can see issues for users that have their shared content randomly deleted.

vbakke commented Nov 1, 2024

Yes, this is important. A lot of email antivirus will visit links in emails, and destroy the one-time secret.

I think all other similar services do this, privnote, snappass, cryptogen, etc.

I recommend increasing the priority on this.

There is one workaround in the meantime. It is to send the short link, with the decryption key on the next line in the email.
Not ideal, but antivirus might not yet be clever enough to paste in the key.
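
The behaviour requested in this thread (a GET that only shows the confirmation dialog, with the destructive read moved to a POST) is sketched below as an added Go example; it is not part of the issue and not Yopass's code. The `store` type, the `/s/` path, the listen address and the sample secret are assumptions made for illustration.

```go
package main

import (
	"net/http"
	"strings"
	"sync"
)

// store is a hypothetical in-memory one-time secret store, not Yopass's storage layer.
type store struct {
	mu      sync.Mutex
	secrets map[string]string
}

const confirmPage = `<form method="post"><p>Show the secret message now?</p><button>Show the message</button></form>`

// handle: only POST consumes the secret; GET/HEAD (what a link scanner sends) get the dialog.
func (s *store) handle(method, id string) (int, string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	v, ok := s.secrets[id]
	if !ok {
		return http.StatusNotFound, "Secret does not exist"
	}
	if method != http.MethodPost {
		return http.StatusOK, confirmPage
	}
	delete(s.secrets, id) // read and delete under one lock, so exactly one POST wins
	return http.StatusOK, v
}

func (s *store) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	code, body := s.handle(r.Method, strings.TrimPrefix(r.URL.Path, "/s/"))
	ct := "text/html; charset=utf-8"
	if r.Method == http.MethodPost {
		ct = "text/plain; charset=utf-8" // never render the secret as HTML
	}
	w.Header().Set("Content-Type", ct)
	w.Header().Set("Cache-Control", "no-store")
	w.WriteHeader(code)
	w.Write([]byte(body))
}

func newDemoStore() *store { // holds one constructed sample secret
	return &store{secrets: map[string]string{"abc123": "constructed-sample-secret"}}
}

func main() {
	http.ListenAndServe("127.0.0.1:8080", newDemoStore())
}
```

Repeated GET requests to `/s/abc123` return the dialog and leave the secret in place; the first POST returns it and every later request gets "Secret does not exist".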
