Privnote's developers are confused

Privnote is a new web app making the rounds on Digg and other social networking sites. It allows you to post a note at a unique URL which you can then share with someone. The note is deleted once the URL is viewed. It’s a simple premise that, if used for sending love notes or other inconsequential messages, is cute and harmless. However, the developer of Privnote has irresponsibly crossed into dangerous territory by claiming on his blog that Privnote is secure enough to be used for sending “credit card information and root passwords”.

He goes on to claim that not even Privnote’s developers can read your secret notes:

What about the site administrators, you may ask, those ones who always seem to have “full power” over your data. Well, with Privnote, those cannot read your note either. The explanation is a bit more technical, but here it goes: When the note is received by the server, a note ID is created (the same ID you see in the link to read the note). The note contents is then encrypted and saved in the database but (and here’s the magic) the salt to encrypt the note is not the note ID but a hash of the note ID. Hashes “one way” so you cannot go back to the note ID from the hash. So the note gets stored in the DB encrypted with a token that only the person which has the note link can read it. Oh, and we also have web server access logs disabled which makes impossible for any administrator to decrypt the note contents. So, as you can see, the only person who has the key to decrypt it is the one who has the link to the note.

These are the excited hand-wavings of someone who either has a very poor understanding of logic or is maliciously trying to trick people into disclosing sensitive information. Either way, it’s a big red flashing warning that Privnote is a toy and should not be used for anything even remotely sensitive.

According to the developer’s description, each note has a unique id. The contents of the note are encrypted using a salt consisting of a one-way hash of this id. The id is also used in the URL to identify the note. Here’s where the hand-waving comes in: he claims that, since Privnote doesn’t store access logs and can’t see the URLs, they can’t figure out the decryption key and thus can’t decrypt the notes.

Unfortunately, this is nonsense for the following reasons:

  1. If a URL containing only a note id can be used to retrieve a note, then that note id must be stored in the database in order to be used for lookups.
  2. Since the note id is stored in the database, anyone with access to the database and knowledge of the hashing algorithm used can recreate the hash value used to encrypt a note and can then decrypt that note.
  3. The claim that Privnote doesn’t keep access logs is puzzling; why would access logs even matter if the notes are deleted once they’re accessed?

In other words, anyone with access to both the Privnote database (to retrieve note ids and encrypted contents) and the Privnote source code (to know which hashing algorithm is used) has full access to the decrypted contents of any note sent via Privnote, regardless of the developer’s claims.

It’s one thing for someone to provide a service like Privnote and say, “Your notes are secure as long as you trust us.” It’s another thing entirely for them to claim that even they can’t read your notes when, in fact, they can.


Update (July 06, 2008 @ 07:11 PM): The developer has posted a much more detailed followup correcting the mistakes in his original description of Privnote’s security measures.

As it turns out, they are indeed encrypting notes using cleartext note ids and then only storing the hashed id in the database. This ensures that someone in possession of the database cannot recover the note ids and thus cannot decrypt the notes, and is a much better implementation than the one described in the original post. However it still doesn’t guarantee that Privnote’s developers aren’t executing additional code to intercept notes before they’re encrypted.

I have no reason to believe they’re doing this—I get the impression they’re naïve rather than malicious—but as long as they continue to claim that they can’t possibly read the contents of the notes being passed through their system, they’re lying.