smol share

smol share is for sharing small ephemeral encrypted snippets of text or links

smolshare screenshot

screenshot of https://smolshare.cblgh.org

The idea is to make it easy to share a large amount of links / text by typing a short password and the share name. Share names use proquints to make them easily verbally transmitted without having to give up having an extremely large search space (64bit) for share names. For sharing to a smart phone each page generates a scannable QR code with the full link. QR codes are generated locally in the browser session (no server interaction) and the server only stores encrypted payloads and passwords are never transmitted to it.

Uses I have had of it so far:

Sharing links from phone to laptop without risking distractions (email, group chat “note to self”)
Getting shopping research links from tabs to phone without having to register for an account to use the site specific “wishlist” functionality
Sharing a lot of links in a workshop setting with many people so that they can easily access them on their phone (scannig QR) or laptop (typing share name)

Origin

I originally came up with the concept because I had researched a bunch of stuff on my phone and wanted to get the links over to my laptop. The laptop doesn’t have any chat client installed and as it’s usually booting up from scratch I am often not logged into any email. I made smol share to make it easy to gather all the links in one place and easy to type the needed info to access the links. I’ve already used it for unexpected use cases, like getting tabs of gift ideas out of my desktop and onto my phone for when I walk into town :)

Web cryptography

shared data is encrypted with the user-provided password. the password can be very short thanks to using the PBKDF2-HMAC-SHA256 key derivation function (rounds=600000). this expands a short input (the password) into a longer encryption key. the data in turn is encrypted using AES-GCM with salt and IV generated anew for each encryption operation using a secure cryptographic random generator.

In making this I also wanted to explore the state of web cryptography; all the encryption operations happen client-side using built-in browser functionality. The about page has more info. I also wanted to take a holistic approach to security, and make as many aspects of it as possible resilient. I will continue to update it and use it as a base to further explore security-by-design practices.