
You did in fact provide a key. See that bit after the # in the URL? This is the beauty of Up1. It makes the crypto as transparent to the user as possible.

That part is not sent to the server by your browser. That's a seed, it's run through sha512 then split into parts, including a key, iv and filename to fetch from the server.

Now, as I said, in this instance, since I distributed the link on a public website, it's pretty pointless. But when I link my friends and colleagues on a private XMPP server or via TextSecure, it's a pretty nice feature to have, as I can very easily share private screenshots.
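
The derivation described in the comment above, as an added example that is not part of the original thread and is not Up1's own code. The 32/16/16-byte split of the SHA-512 digest, the choice of AES-256-GCM, the `up1.example` host and all function names are assumptions made for illustration.

```javascript
// Added illustration, not Up1's source. Assumptions: digest layout, cipher, names.
const nodeCrypto = require('node:crypto');

// Split a share link into what the browser requests and what it keeps local.
function splitLink(link) {
  const url = new URL(link);
  return {
    sentToServer: url.origin + url.pathname + url.search, // fragment is never sent
    seed: url.hash.slice(1),
  };
}

// seed -> SHA-512 -> key | iv | ident (assumed layout: 32 + 16 + 16 bytes).
function deriveParts(seed) {
  const digest = nodeCrypto.createHash('sha512').update(seed, 'utf8').digest();
  return {
    key: digest.subarray(0, 32),
    iv: digest.subarray(32, 48),
    ident: digest.subarray(48, 64).toString('hex'), // name the server stores the blob under
  };
}

// Client-side encryption; key and iv are fixed by the seed, so a seed must be
// random and used for exactly one file.
function encryptForUpload(seed, plaintext) {
  const { key, iv, ident } = deriveParts(seed);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return { ident, blob: Buffer.concat([body, cipher.getAuthTag()]) };
}

// Client-side decryption; throws if the blob was modified or the seed is wrong.
function decryptDownload(seed, blob) {
  const { key, iv } = deriveParts(seed);
  const tagStart = blob.length - 16;
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, iv);
  decipher.setAuthTag(blob.subarray(tagStart));
  return Buffer.concat([decipher.update(blob.subarray(0, tagStart)), decipher.final()]);
}

// Constructed sample link and file contents.
const { sentToServer, seed } = splitLink('https://up1.example/#c29tZS1yYW5kb20tc2VlZA');
const upload = encryptForUpload(seed, Buffer.from('private screenshot bytes'));
console.log('browser requests:', sentToServer, 'then blob', upload.ident);
console.log('decrypted:', decryptDownload(seed, upload.blob).toString());
```

The server in this sketch only ever sees `ident` and `blob`; anyone who obtains the full link, fragment included, can derive all three parts.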



"Private", well, it’s not private. Seriously.

There is a reason you do actual crypto differently. Encrypt the image with the public key of your friends and send it to them, that is privately.

Giving a foreign entity control over your data and key is not "privately".

And, worse, I have to activate JavaScript, which decreases security by a lot.


> Giving a foreign entity control over your data and key is not "privately".

Yeah, if you have this concern strongly, well, we're working on browser extensions which will prevent any potential risk here. However, like I said to someone else, unless you reverse engineer every update to your OS, you really shouldn't be commenting. This is just as much "giving a foreign entity control over your data" as using an OS provided in binary form is giving a foreign entity control over your CPU, which would be far, far worse really. Unless you're manually validating the code in all cryptography products you use, there's really no argument to be made here.

> Encrypt the image with the public key of your friends and send it to them, that is privately.

When you do this, say using PGP, PGP generates a static key, encrypts that key to their public key and encrypts the message using the static key.

This is essentially the same thing, the only difference being that the Up1 does only the static key portion and does not provide the public key portion, which you can do out of band using whatever method you prefer, be it PGP, SSL to a private server, OTR, TextSecure, etc.

And it allows the transfer of images and small files in this secure form to be incredibly simple and fast. Pipe into a command line tool or use ShareX, paste that link over a secured protocol and you've securely shared a file.

Of course, if you don't trust the public Up1 instance, feel free to run your own, it's all open source, server included.

> And, worse, I have to activate JavaScript, which decreases security by a lot.

It's a trade-off, privacy for a slightly increased risk of security, these days you're more likely to get exploited by a fucking web font than by a script though.

Worst case, like I said, don't trust the public instance if you don't want to (well, if you're the type who doesn't trust their OS provider at least). You can always run it yourself or wait for the browser extensions.


I’m the type that only runs Arch because I can’t be bothered to run Gentoo ;)

Anyway, for posting on a public forum it’s pretty useless, as it provides no benefit and requires the users to have JS enabled, which is, especially on Hacker News, not really a given.

Even the mods complained when an up1.ca link was used as submission link recently.

Using a standard protocol would be an advantage here most definitely.



