smallwat3r/shhh smallwat3r/shhh

  • Stars
    star
    370
  • Rank 115,405 (Top 3 %)
  • Language
    Python
  • License
    MIT License
  • Created about 5 years ago
  • Updated 2 months ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
smallwat3r/shhh
github

smallwat3r

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Share sensitive info without leaving a trace in your chat logs or email accounts.

Keep secrets out of emails and chat logs.

What is it?

Shhh is a tiny Flask app to create encrypted secrets and share them securely with people. The goal of this application is to get rid of plain text sensitive information into emails or chat logs.

Shhh is deployed here (temporary unavailable until new deployment solution), but it's better for organisations and people to deploy it on their own personal / private server for even better security. You can find in this repo everything you need to host the app yourself.

Or you can one-click deploy to Heroku using the below button. It will generate a fully configured private instance of Shhh immediately (using your own server running Flask behind Gunicorn and Nginx, and your own Postgres database, for free).

Deploy

Also, checkout shhh-cli, a Go client to interact with the Shhh API from the command line.

How does it work?

The sender has to set an expiration date along with a passphrase to protect the information he wants to share.

A unique link is generated by Shhh that the sender can share with the receiver in an email, alongside the temporary passphrase he created in order to reveal the secret.

The secret will be permanently removed from the database as soon as one of these events happens:

  • the expiration date has passed.
  • the receiver has decrypted the message.
  • the amount of tries to open the secret has exceeded.

The secrets are encrypted in order to make the data anonymous, especially in the database, and the passphrases are not stored anywhere.

Encryption method used: Fernet with password, random salt value and strong iteration count (100 000).

Tip: for better security, avoid writing any info on how/where to use the secret you're sharing (like urls, websites or emails). Instead, explain this in your email or chat, with the link and passphrase generated from Shhh. So even if someone got access to your secret, there is no way for the attacker to know how and where to use it.

Is there an API?

Yes, you can find some doc here.

How to launch Shhh locally?

These instructions are for development purpose only. For production use you might want to use a more secure configuration.

Launch it natively

Deps

Make sure you have make, yarn, and obviously [email protected] installed on your machine.

Postgres

You will need a Postgres server running locally in the background. Create a database named shhh.

CREATE DATABASE shhh;

Flask

You will need to set up a few environment variables. We use them to configure Flask, as well as the application connection to the database.

Rename the file /environments/local.dev.template to /environments/local.dev and fill in the missing variables (these are the variables needed to connect to your local Postgres database).

Once done, from the root of the repository, run:

make local

This command will make sure a virtual environment is created and that all the needed dependencies are installed, and finally launch a flask local server.

You can now access the app at http://localhost:5000

Launch it with docker-compose

Deps

Make sure you have make, docker and docker-compose installed on your machine.

The application will use the development env variables from /environments/docker.dev.

Docker

From the root of the repository, run

make dc-start  # to start the app (or dc-start-adminer to use adminer)
make dc-stop   # to stop the app

Once the container image has finished building and has started, you can access:

  • Shhh at http://localhost:5000
  • (and access the database records using Adminer on port 8080 if you launched Shhh with adminer)

Note: When started with the docker-compose set-up, the application is running with Gunicorn.

Run development checks

You can run tests and linting / security reports using the Makefile:

make checks  # run all checks

make tests   # run tests
make pylint  # run Pylint report
make bandit  # run Bandit report
make mypy    # run Mypy report

Environment variables

Bellow is the list of environment variables used by Shhh.

Mandatory
  • FLASK_ENV: the environment config to load (testing, dev-local, dev-docker, heroku, production).
  • POSTGRES_HOST: Postgresql hostname
  • POSTGRES_USER: Postgresql username
  • POSTGRES_PASSWORD: Postgresql password
  • POSTGRES_DB: Database name
Optional
  • SHHH_HOST: This variable can be used to specify a custom hostname to use as the domain URL when Shhh creates a secret (ex: https://<domain-name.com>). If not set, the hostname defaults to request.url_root, which should be fine in most cases.
  • SHHH_SECRET_MAX_LENGTH: This variable manages how long the secrets your share with Shhh can be. It defaults to 250 characters.
  • SHHH_DB_LIVENESS_RETRY_COUNT: This variable manages the number of tries to reach the database before performing a read or write operation. It could happens that the database is not reachable or is asleep (for instance this happens often on Heroku free plans). The default retry number is 5.
  • SHHH_DB_LIVENESS_SLEEP_INTERVAL: This variable manages the interval in seconds between the database liveness retries. The default value is 1 second.

Acknowledgements

Special thanks: @AustinTSchaffer, @kleinfelter

License

See LICENSE file.

Contact

Please report issues or questions here.

Buy me a coffee

More Repositories

1

docker-nginx-gunicorn-flask-letsencrypt

Boilerplate code for setting up Nginx + Gunicorn + Flask + automated LetsEncrypt certificates (https) using docker-compose.
Dockerfile
178
star
2

synonym

CLI tool to find synonyms in 15 different languages.
Shell
115
star
3

tubestatus

London Tube live service status from the terminal.
Shell
36
star
4

droid-sans-mono-sw

Customised version of the Droid Sans Mono font.
33
star
5

vim-mono-sw

A simple grayscale vim color scheme with a little touch of red
Vim Script
9
star
6

jailed-sftp-users

Jailed SFTP user management scripts.
Shell
9
star
7

dotfiles

My dotfiles
Emacs Lisp
9
star
8

vim-efficient

Minimal grayscale monochrome-ish vim color scheme.
Vim Script
9
star
9

sketch

Draft files on the go from your terminal in your favourite text editor.
Shell
6
star
10

emacs-simplicity-theme

Minimalist dark theme for Emacs.
Emacs Lisp
6
star
11

shopify-webhook-receiver

Flask app to catch Shopify webhooks and trigger actions.
Python
5
star
12

untappd.el

Display your latest Untappd feed in Emacs 🍻
Emacs Lisp
4
star
13

vim-simplicity

Extremely minimal vim colorscheme.
Vim Script
4
star
14

tubestatus.el

London Tube live service status from Emacs.
Emacs Lisp
3
star
15

shopify-webhook-router

Boilerplate code to process Shopify webhooks with Flask and Celery
Python
3
star
16

github-antibot

Block Github users using bots to mass-follow me.
Python
3
star
17

shhh-cli

Golang CLI to interact with Shhh
Go
2
star
18

sweep-cat

A 30 keys keyboard based on the Ferris Sweep 2.2, featuring the purr-fect code reviewer.
2
star
19

pyavatar

Generate default user avatars from a given string input
Python
2
star
20

homebrew-scripts

Personal Homebrew tap 🚰
Ruby
1
star