gigamick / burnernote

Burner Note is a free, ad-free and open source tool for securely sending text based notes that are encrypted and self destruct once read.

Home Page: https://burnernote.com

License: GNU General Public License v3.0

Languages: PHP 73.61%, Blade 26.36%, Procfile 0.03%
Topics: privacy, security, aes-256-cbc, encrypt-then-mac, self-destructing-messages

burnernote's People

Contributors: ajuchacko, gigamick

burnernote's Issues

Install Tips.

  1. Create database (on your favorite DBMS e.g. MySQL/MariaDB/PostgreSQL/SQLite3)
  2. Clone this repository.
  3. cp .env.example .env
  4. Edit .env
  5. composer install --no-dev
  6. php artisan key:generate
  7. php artisan migrate
  8. php artisan storage:link
  9. npm install
  10. npm run production
  11. Point web server to repository path/public

Set an auto expire period

Would be nice to add an option to self-destruct the message after a period of time. It is great that the message is destroyed after opening it, but if nobody opens it, it would stay on the server forever.

Note contents are revealed to the server

Burnernote is not end-to-end encrypted, allowing a malicious server or MitM on TLS to read contents of notes. This is not solvable with the current design of performing encryption on the server. However, the required APIs are available in WebCrypto.

Proposal

Create Secure Note

In the client:

  1. Generate an AES key
  2. Encrypt the contents of the note with that key
  3. Export the key and encode (hex or base64url is fine)
  4. Upload the encrypted note contents to the server
  5. Provide a URL with the AES key as a fragment. Fragments are not sent to the server when a URL is visited

Read a secure note

In the client:

  1. Download the encrypted note from the server
  2. Decode and import the AES key from the URL fragment
  3. Decrypt the note

Optional Improvements

The above is sufficient for end-to-end encryption, but could be improved at the cost of additional complexity.

Protect Ciphertext

The proposal above keeps the plaintext and key secret, but still allows an external attacker to download the ciphertext with only the URL (no fragment). This allows an offline attack on the ciphertext. It also leaks metadata about the plaintext (e.g., its length) even if the attacker is unable to decrypt it.

An additional shared signing key can be generated. This key is shared with the server when a secure note is created, but not shared when a note is viewed.

The rough idea:

  • Client generates a signing key
  • Client uploads the signing key with the encrypted note
  • On view, when fetching the ciphertext, the client uses the shared secret to sign a token containing the note id and a timestamp.
  • The server uses the shared secret uploaded previously to verify the signature on the token. It additionally checks that the timestamp is within a tolerance. Only after validation does it provide the ciphertext.

This could also be done with an asymmetric key (e.g., RSA) to prevent the shared secret from being sent to the server. But, in practice this doesn't provide any benefits:

  • An attacker that is able to see the signing secret in transit could see the ciphertext at the same time
  • Someone that is able to view the signing secret in the database could also view the ciphertext

XSS issue

The site is vulnerable to a XSS attack.

This can be tested by writing:

<script>alert(1)</script>

As the given input

I'm not that experienced with PHP, but running the message through something like htmlspecialchars (if you don't already) is strongly recommended.

Use portal from CLI or inside a script

Can something like that be implemented?
curl -kL -X POST https://burnernote.test -H "scheme: https" -H "host: burnernote.test" -H "filename: /create-note" -d '_token=aR60oCubDJsBqjeXlTeHe0SNYJX3hIZdbo20M71Q' -d 'note=aabbcc' -d 'password=' -d 'expiry=1'

Update to work with current PHP 8.x version

Today, PHP 7.4 reached end of life status. Active support ceased a year ago, now they won't even fix security issues.

But I have to have a VM running Ubuntu 20.04 to host my burnernote website because I could not make this package work in Ubuntu 22.04. The newer Ubuntu includes PHP 8.1, which has been out for a full year. The 8.0 version was released two years ago. There are a number of other PHP applications I have that did not support PHP 8.x as of a few months ago, but in those cases I was able to figure out how to modify the code to get it working. I am not a PHP developer, and don't even play one on TV. I do have experience in other programming languages.

Some basic documentation

There seems to be NO documentation about how to install this. I finally figured out where to put an app key, and where to configure the app to talk to my database ... but I can't find any instructions for initializing the database with the required structure. At this point, the main page for the app loads, but I get a 500 error when I try to create a note, and despite enabling the display and logging of errors in PHP, I see no details about what happened.

Empty Note Allowed!!

I am able to create an Empty Note, but even after setting a password, I am redirected to this.

I think we should not allow users to create an Empty Note (it is just an unnecessary computation)!

domain change

Could you provide guidance on the process for switching the domain to a local one and importing an SSL certificate rather than generating one?

Make a Dockerfile?

I was looking for something exactly like that, but I can be 100% that the open-source code is running on your server. To remediate that, it would be nice to offer a Dockerfile; that way everyone could self-host the service.
