Suggestion - Configurable lifetime about ots HOT 5 CLOSED

Ideally, the exact expiration date and time should show in the "Secret Created" page.

from ots.

and I would argue that it would be also good information (exact expiration date and time of the secret) to present to the recipient before they click on [Show me the Secret !]

from ots.

Hmm showing to any user opening the page would mean we are fetching at least metadata about the stored secret and provide it to the person viewing the page. This would enable anyone to know whether a secret exists or not without invalidating it. Currently the only way to know whether a secret exists is to fetch - and therefore invalidate - it…

I a theoretical scenario this could be used to gain knowledge a secret exists and fetch it shortly before expiring. The user then would tell the provider "Hey, there is no secret" - "Ah, you let it expire, I'll put it on again…" not knowing the secret was copied.

Sure, with a randomized 20-digit password with PBKDF2-SHA512-300k-Iterations gaining knowledge about the contents wouldn't be worth the effort in most cases (at least I hope nobody uses OTS to send secrets worth that much effort) but hmm…

TBH I'd be more comfortable not implementing the "presenting the expiry to the recipient" part.

from ots.

OK, I agree. We'll include the secret expiration date time info in the communication to the recipient, in addition with the OTS link.

from ots.

Please have a look at #93 - There are some screenshots of the new feature… What do you think?

from ots.