Hacker News

The private keys are in the requester's browser. So if anyone gets a hold of the URL, they'll see nothing.

For example, here's a secret I just put into Retriever. Are you able to see it? https://retriever.corgea.io/#eyJhbGciOiJSU0EtT0FFUC0yNTYiLCJ...




This is essentially client-side TLS, which browsers cut because the UX was bad? Only now you can backdoor/MITM/typosquat a website, rather than attack the major browsers or the OS?

And as I understand it, there's no way to verify you're talking to the right person, so sharing a secret via Signal is strictly better?


Share the URLs via Signal, then you have a validated identity, and the secret won't pop up in your notifications or be retained in your chat history.



