What Is NoteShred
The idea behind NoteShred is simple. You create a note, assign it a password and then select how and when you
like the note to "shred" itself.
The note has a unique URL that you can send to a recipient along with a password for them to open the note. You decide when the note will destroy or "shred" itself.
We email you once your note is shredded or deleted so you can rest easy knowing that sensitive information is no longer just laying around in someone's inbox.
Your notes are secured using a strong AES 256bit encryption algorithm with a variable encryption key based on your own password combined with random data. This means that only the people with the password can decrypt the note. We are not able to decrypt your note or your attachments in anyway.
Have you ever needed to send someone a password or some other bit of personal information over the internet? Did you do it securely, or was it over email?
What happens to your information once it arrives at the destination? Can you be sure it will be deleted after
been read? Who may have been watching this information as it was in transit to the recipient and has your
information been logged in plain, clear text on mail or message servers? Who knows where it has been
NoteShred offers a secure way to send these one-off, private bits of information without the hassle of having
configure confusing encryption software. NoteShred can provide a simple way to get your information from A to
B and ensure it is destroyed after being used
without having to worry about information lingering around after it's no longer needed.
Details of NoteShred's security measures can be found here: NoteShred Security
Here's what we recommend for the best possible security:
- Use longer, more complex passwords. The more characters the better, make sure no one can guess it. Using a sentence instead of a single word can help remember long passwords.
- When sending the note URL and password out to people, don't send them both within the same message or email. Split them up and send them through different means to make it harder for anybody listening to get your information. ie, Send the note URL through email and the password over instant message.
- Don't set long periods of time before shredding. Of course you're free to create a note that doesn't shred itself for years, but if it is sensitive information, we recommend you keep the lifespan short.
Frequently Asked Questions
You can find the most commonly asked questions here: NoteShred FAQ
Security is our priority. Here's a little information on how we do it
One Way Password Hashing
When a new note is created, the password is processed using a strong one way hashing algorithm with a random salt value before being stored in the database. The password itself is never recorded. This hashed string cannot be reversed to reveal the original value. When someone attempts to view your note, they submit a password which is hashed in the same way as before and compared to the existing hash to determine if the correct password was entered or not.
Variable Encryption Keys
Each note is encrypted using AES-256-CBC with a hashed and expanded version of your own password as the unique key. There's no private or centralized encryption keys that can be leaked. Once your note is encrypted, there's no way to decrypt it without your original password which is not stored anywhere, except for in your head. Each and every note is encrypted using a unique key and not even we can decrypt it.
Client Side Encryption
Client side encryption is an optional second layer of encryption with one important difference, the encryption
is performed locally, within your browser and the private key (which is basically just another password) is
never transmitted to the server.
Your note is converted to an encrypted string within your browser and sent up to the server after which the string is encrypted all over again using the regular NoteShred AES256 encryption functionality.
Think of it like a russian doll, one encryption wraps around the other with different keys to decrypt at each
level. If you include the SSL/TLS transfer, it's 3 layers of encryption.
Read more about NoteShred client side encryption here: Client Side Encryption
Short Life Server Side Session Cookies
All session and authentication data is stored on the server. No session information is ever passed down to the browser except for the session ID. All session data is encrypted and has a life span of 2 minutes (of inactivity), after which a new session is initiated and authentication is required again. The expired session data on the server is purged every few hours.
All notes have a fixed 5 login attempt limit. If 5 failed attempts are made to view a note, the note is locked for 5 minutes before another attempt can be made to view the note. This is locked at the note level, not the session level which makes distributed brute force attempts impossible.
NoteShred.com enforces domain wide SSL/TLS connections. Every page is transferred over an encrypted 256bit connection.
Amazon S3 Encryption
Attached files are encrypted and stored in Amazon S3. NoteShred uses the AWS SDK and enforces client side 256bit encryption. When attaching a file, the attachment is encrypted on the server using an expanded and hashed version of your own password before being pushed as an encrypted blob onto Amazon S3. When retrieving an attachment, the encrypted blob is pulled down to the NoteShred server and decrypted on the fly with your password before being sent back to the browser to download. The decrypted file only has a lifespan of a few seconds before it is cleared.
Data Center Security
NoteShred is hosted with Amazon Web Services to securely store your notes.