Don't know the complete inner workings of Cryptpad. But it appears Purplix uses more modern encryption, uses more modern frameworks & has more safe guards against MITM attacks. Also additional options like captcha, proxy block, account required etc.
Not 100% sure what you mean, but the encryption key for questions are only known by users who are shared the link & is never transmitted to the server. Answers are encrypted by the survey's public key what only the creator of said survey knows the private key. The public key is also encrypted by the secret key in the URL so the server can't even submit answers.
s/64b185662c74e7c40cac5e66 - This is the survey ID, transmitted to server.
/KfcrkxiR-4nomGbEqNos0dyhEBsgiUAqPpZiRQt5syE - This is a hash of the survey's signing public key, this is to stop MITM attacks from the host & validation of the survey questions.
#oAnQnjWhxq2IFTZBvrylVSHxg92HoWQr2mJQ-qZwvPY - This is the secret key for decrypting questions, this is also used to decrypt the public key for encrypting answers. This key is never transmitted to server.
All encryption & decryption happens locally, so the server never sees any plain text. It is possible for the host to modify the frontend to expose keys, but this is true of any web app & Purplix is hosted from Vercel straight from our Git repo, so it would be quite obvious if this happened.
No not currently, not comfort taking funding for any of my projects right now, until I establish some sort of expensive breakdown and transparent fund use. But even with funding a decent audit from a company who knows what they are doing would probably be 7k USD minimum.
Encrypted at rest doesn't always mean E2EE. For example if data is transmitted in plain text to the server and then encrypted before storage. This is still encrypted at rest.
No, survey questions and answers are encrypted & decrypted locally. At no point does the server or any other actors can view that plain data said from whom the survey is intended for.
E2EE meaning survey questions and answers are encrypted locally & decrypted locally. The server or any other actors can't view survey questions aside from users its shared with and survey answers are only readable by the owner of such survey.
This means on a data leak, nothing is readable.
Yea Purplix.io is still in development, so it isn't live yet. Hense the fail DNS lookup you show.
Using a KDF for stateless passwords is a interesting concept. It isn't prefect tho. What if you want multiple passwords for one site, lack of any 2FA, KDF has to be somewhat fast (bcrypt or scrypt what takes under a second) & once your master password gets leaked your screwed (compared to cloud stored passwords with 2FA, key rotation etc)
Realistically stateless password managers suffer from the same attacks cloud based ones do, MITM attacks. If the client is open to being tampered with, your keys can always get leaked.
Fundamentally F-Droids design and infrastructure is outdated (admitted by F-Droid developers too.) F-Droids security scanning may be faster but also less robust then Google in terms of detection of harmful apps.
And the paaster github even says you have to run your own instance for security and privacy.
It says a "instance you host or trust" this is true of any web app (including Proton etc.)
Even if you self host data leaks can occur.
The fact you don't see the need for a encrypted pastebin only speaks to your limited imagination.
Matter of facts are, people share data not wanting it to be indexable or open to data leaks by the server, data in pastebins can be sensitive & people are using E2EE pastebins.
Here is a use case what matches all your arbitrary requirements. "User wants to share sensitive data over a insecure channel (like discord), they can send a Paaster link what deletes after view, so if Discord ever tries to view it in the future they cant see the data."
E2EE now labeled security theater 🤣
Maybe your specific use case doesn't benefit off E2EE, but can't believe I have to explain this. You aren't the center of the universe and use cases of E2EE pastebins aren't limited to your specific use case.
Even pastebin.com sees the benefit of "private" pastes, but according to your logic this shouldn't even exist too!
Anyways this conversation has lost any sense of productivity & obviously your care or understanding of privacy is minimal.
As a final question (what I don't want a response to) is, should every paste ever always be accessible by everyone?.... Hopefully your answer is no & you can put 2 & 2 together.
Have a good day & use any data collecting, raw text, insecure platform you want!
We'll obviously people are finding / needing a use for a service like this. Paaster has 340+ stars & a similar project Privatebin has 5.1k stars.
Sometimes you want to share data briefly with others or to only a specific groups of people (private forums, game lobbies etc) so being able to do so quickly and securely can be extremely useful.
Also this is a privacy page, why should your Pastebin data be stored in raw text and easily indexable by the host? Obviously pastebin data has the potential to be sensitive (look at the amount of people leaking things on pastebin.com)
Also data leaks do occur! Why should all your pastes be publicly viewable when you only intended to share it with people XYZ platform etc.
The fact your unable to imagine use cases and benefits of such services / projects honestly amazes me.
Paaster doesn't assume the users intent for the service. People can share a wide range of data in pastebins and users don't always want this to be public.
For extremely basic video editing Simple Gallery is a good option.
https://github.com/SimpleMobileTools/Simple-Gallery
Also I'd avoid f-droid due to security concerns.