HackerTrans
トップ新着トレンドコメント過去質問紹介求人

imgopaal

no profile record

投稿

[untitled]

1 ポイント·投稿者 imgopaal·2 か月前·0 コメント

Show HN: I built a universal clipboard that syncs realtime on multiple devices

quickclip.space
40 ポイント·投稿者 imgopaal·6 か月前·79 コメント

コメント

imgopaal
·6 か月前·議論
Hi, I'm a solo developer trying to build and learn new things along the way, and I appreciate your responses, about the QuickClip, I've been making some improvments along the way also I've updated my landing page about how we manage data and how users should not add their senstive data and it should be just used for moving your usual stuff, I've removed all the writings where I was mentioning that we're using "e2ee", its mentioned much more clearly that how we handle your data in the FAQs. Kindly have a look at the quickclip.space again. Let me know what you think
imgopaal
·6 か月前·議論
I went with PBKDF2 mostly because of its wide support and compliance history, but I’d love to hear your take on what you’d recommend.
imgopaal
·6 か月前·議論
Thank you to everyone who took the time to review QuickClip and give honest feedback. I spent the day going through everything and fixing the issues that were pointed out, especially around security.

You were right. The concerns were valid, and they’re now addressed.

1. Shared encryption key (Retr0id's main issue): Problem: All users shared one encryption key, so any user could decrypt any other user's data. Fix: Each user now has a unique encryption key derived via PBKDF2 from master key + user ID (10,000 iterations). Old items encrypted with the shared key are detected during decryption and automatically re-encrypted in the background with the new per-user key. Backward compatibility is maintained during the migration.

2. Public image access (Retr0id's second issue): Problem: Images were publicly accessible without authentication. Fix: Images now use signed URLs that expire after 1 year. The app automatically converts any public URLs to signed URLs. Storage bucket policies restrict access to user-specific folders.

3. Storage enumeration (foltik's issue): Problem: Could enumerate all user uploads with a sign-up token. Fix: Storage policies now restrict folder access by user ID. Still reviewing listing permissions to prevent enumeration.

4. E2EE misrepresentation: Problem: Marketing claimed "end-to-end encrypted" but it wasn't true E2EE. Fix: Added a /data-security page that explains: It's server-side encryption with per-user keys, not true E2EE Why server-side encryption was chosen (seamless cross-device sync)

5. Transparency issues: Problem: No information about how data is handled before signup. Fix: Added /data-security page with details. Link added to footer. Removed the footer joke that hurt trust.

6. Other fixes: Rate limits adjusted for encryption/decryption operations Background re-encryption for old items Proactive signed URL conversion for images What's still being worked on: Storage bucket listing permissions (enumeration prevention) Adding screenshots to landing page FAQ section Considering open source (evaluating) I appreciate the security review. The app is more secure now, and I'm committed to transparency about what it does and doesn't do. Check /data-security for the full explanation.
imgopaal
·6 か月前·議論
Added https://quickclip.space/data-security with encryption details. FAQ coming soon. Thanks for the feedback—explaining encryption clearly is important.
imgopaal
·6 か月前·議論
Keys are derived server-side using PBKDF2 (master key + user ID). Each user gets a unique key. Keys never leave the server. Details at https://quickclip.space/data-security. Thanks for asking—this is exactly the kind of question that matters for security.
imgopaal
·6 か月前·議論
Clarified: it's server-side encryption with per-user keys, not true E2EE. Added https://quickclip.space/data-security explaining the approach. Open source is under consideration. Thanks for pushing for transparency.
imgopaal
·6 か月前·議論
still working on it. Storage bucket policies now restrict folder access, but listing permissions need tightening. Will update bucket policies to prevent enumeration. Thanks for the detailed curl examples—they helped identify the exact issue.
imgopaal
·6 か月前·議論
Also Fixed. Images now use signed URLs with 1-year expiration. Public URLs are automatically converted to signed URLs. Storage bucket policies restrict access to user-specific folders. Appreciate you flagging this.
imgopaal
·6 か月前·議論
Fixed. Each user now has a unique encryption key derived via PBKDF2 from master key + user ID. Old items are being re-encrypted in the background. See /data-security for details.

Thanks for catching this critical issue.
imgopaal
·6 か月前·議論
Thanks for reporting this. I'm working on it
imgopaal
·6 か月前·議論
I also use localSend. Amazing tool
imgopaal
·6 か月前·議論
Really appreciate your insights. Thanks
imgopaal
·6 か月前·議論
fixed, thanks you for comment
imgopaal
·6 か月前·議論
Yeah fair point. QuickClip does store data in database, otherwise syncing between devices not possible. But here is how it works:

- Data is encrypted when sending and also when sitting in database. - Stored only so your devices can fetch it, not for me or anyone else. - When you delete, it’s gone. I don’t keep logs of clipboard stuff. - I don’t look at your data, only your devices can see it.

I know trust is big thing for clipboard app. I’ll write small “how it works” page so it’s more clear. Appreciate you asking this, makes sense.
imgopaal
·6 か月前·議論
exactly
imgopaal
·6 か月前·議論
thanks, I would work on that
imgopaal
·6 か月前·議論
cool
imgopaal
·6 か月前·議論
yup, thats still a nightmare for a lot of people
imgopaal
·6 か月前·議論
Yes, It works smoothly with texts and images both
imgopaal
·6 か月前·議論
great