Share your password without risk: comparing private note services

11.11.2025 6 minutes Author: D2-R2

This article explains the differences between the OneTimeSecret, Privnote and SecServ.me services and which one is really worth trusting. You will learn how one-time links work, what the strengths and weaknesses of each tool are, what risks arise when transferring passwords or confidential data, and how to use such services correctly to prevent information leakage. The article helps you make an informed choice and raise the level of security when sharing secrets online.

Who can you really trust with your data?

The choice of private services is huge, but which ones won’t leak your secrets? We’ve “roasted” three popular services for “secret” correspondence — app.secserv.me, Onetime Secret, and Privnote.

Onetime Secret

The message self-destructs after viewing. The code is open, so you can check what is happening “under the hood”, and this is a big plus. However, an independent analysis in 2021 established that messages are transmitted to the server in the open, without full end-to-end encryption. There is SSL, a secure transmission channel, but this protects only the “door”: the data itself is still entrusted to the server.

Additional facts and risks:

  • The presence of an API allows for integration and code review, but at the same time expands the attack surface

  • IP address is logged — metadata about the sender/recipient appears

  • Browser and referrer data are collected — another channel for leaking contextual information

  • There is a passphrase option — only its bcrypt hash is stored

  • When entering a secret phrase, it is sent to the server (this is visible through the developer tools, F12) — not an isolated bug, but a systemic risk, as it allows the secret to be intercepted during server logging or server compromise

  • Screenshots and copying by the recipient are not blocked — “disposability” does not guarantee the absence of storage on the recipient’s side

And the icing on the cake: if you enter the secret phrase and open the developer tools (F12), you can see that it is sent to the server. This is not an isolated bug, but a system vulnerability that allows unauthorized access.

If we add a file size limit, we get a tool more suitable for storing grandma’s postcards than for transmitting serious secrets.

Privnote

Privnote is a free web service for creating notes that automatically self-destruct after the first view; it does not require registration, provides a link to an encrypted note, and offers options (password, retention period, notification of destruction). The privacy policy states that the service operates over HTTPS and collects “log data,” which may include IP address, browser type, pages viewed, time of visit, and other statistical data. This means that the service may store session metadata along with the note itself.

How deleting a note actually works

The service architecture involves storing an encrypted record on the server and deleting it after the first viewing; however, the hash and timestamp/IP of the view may remain in the logs — this metadata is used, for example, to show that the note has already been opened.

Practical implications for the user

  • “Self-destruct” on first view does not protect against the recipient being able to copy or take a screenshot;

  • sending the link and the password through the same channel reduces the usefulness of the mechanism;

  • trust in the service means trust in the operator: compromise or internal logging can reveal secrets or metadata.

Quick recommendations

  • Check the domain (literally look at the URL and bookmark) to avoid clones;

  • Send the link and password through different channels;

  • Do not use the service for highly sensitive data without additional client-side E2E encryption;

  • Consider self-hosting or open source solutions for corporate use.


But there are rumors that the service is friends with law enforcement and collects data. Researchers have already found problems, and now even ordinary users see suspicious pop-ups, redirects, and ads. Yes, Privnote has encryption. But the private part of the link is only 9 characters long. Theoretically, it can be guessed by brute force. That is not cheap, but it is realistic.

app.secserv.me

After comparing popular services, it becomes noticeable that app.secserv.me stands out with a thoughtful approach to confidentiality and technical reliability. Privacy is built into the platform’s architecture: there is no registration, no metadata collection, and files are supported in much larger volumes – up to 200 MB for free and up to 2 GB in the paid version. This makes the service suitable not only for short text secrets, but also for transferring full-fledged documents, photos, videos, and large archives.

The interface is modern and easy to use. There is an option to set the file or message retention time, which allows you to determine when exactly the data will be destroyed. A separate advantage is integration with Web3 wallets (MetaMask, WalletConnect, Wert), thanks to which you can sell digital content in USDC or by card payment without unwanted intermediaries. This approach opens up not only private, but also commercial usage scenarios.

Security advantages:

  • No Google Analytics or third-party tracking

  • Full HTTPS encryption

  • Support for any file type

  • Password setting option

  • Decryption key is never sent to the server

  • One-time links

  • An additional random number generator is used in parallel with Fortuna PRNG to protect against potential hardware backdoors

  • After file destruction, data cannot be recovered because the server does not store keys

  • No telemetry that can identify the user
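
The "additional client-side E2E encryption" recommended in the Privnote section, and the "key is never sent to the server" property listed above, can be illustrated with the following added example; it is not code from any of the three services. It assumes the key travels in the URL fragment, and the host notes.example, the /n/ path and all function names are hypothetical. It uses Node's built-in crypto module so it runs offline.

```javascript
// Added example, not code from Onetime Secret, Privnote or app.secserv.me.
const nodeCrypto = require('node:crypto');

// Sender: encrypt locally with a fresh random key (AES-256-GCM).
// Only `blob` would be uploaded; `key` never leaves the client.
function sealNote(plaintext) {
  const key = nodeCrypto.randomBytes(32);
  const iv = nodeCrypto.randomBytes(12); // 96-bit nonce, unique per note
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const blob = Buffer.concat([iv, cipher.getAuthTag(), body]).toString('base64url');
  return { blob, key: key.toString('base64url') };
}

// Share link: note id in the path, key after '#' (hypothetical URL layout).
function buildLink(base, noteId, key) {
  return `${base}/n/${noteId}#${key}`;
}

// What the HTTP request carries: path and query. The fragment stays in the client.
function serverVisiblePart(link) {
  const u = new URL(link);
  return u.pathname + u.search;
}

// Recipient: take the key from the fragment, verify the GCM tag, then decrypt.
function openNote(link, blob) {
  const key = Buffer.from(new URL(link).hash.slice(1), 'base64url');
  const raw = Buffer.from(blob, 'base64url');
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
  decipher.setAuthTag(raw.subarray(12, 28));
  return Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]).toString('utf8');
}

// Constructed sample data; notes.example and the note id are placeholders.
const sealed = sealNote('db-admin password: constructed-sample-value');
const link = buildLink('https://notes.example', 'a1b2c3', sealed.key);
console.log('server sees   :', serverVisiblePart(link), '+ ciphertext blob');
console.log('recipient gets:', openNote(link, sealed.blob));
```

The browser keeps the fragment out of the request, but script served by the operator can still read it, so the developer-tools check described for Onetime Secret is worth repeating on any service that claims this property.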

Conclusion

Final evaluation of services:

  • Onetime Secret — no E2EE, secrets are processed in the open, IP addresses are recorded, file restrictions apply. Suitable only for simple scenarios, but not for critical secrets

  • Privnote — convenient and fast, but has questionable transparency in operation and known cases of dangerous clones

  • app.secserv.me — a modern tool with thoughtful security, support for large files and minimal data collection, which makes it the best option for those looking for real privacy protection

Bottom line: the level of privacy depends on the user’s choice. app.secserv.me offers a comprehensive approach to protection, while older services are limited by their technical solutions.
