Security/Audit

[vertigo220]

I came across this on Reddit looking for a way to securely send files to someone with basic computer skills. Encrypted 7z files on their own wouldn't work because both of their email providers reject encrypted archives, which I get from a malware-protection standpoint but it sucks because it really makes secure sending difficult, and Drive wouldn't give them access to the files even though they were shared (in fact, in one spot it said they weren't shared and in another it said they were, gg Google). I used hat.sh to encrypt the encrypted 7z files, which then allowed them to pass through the email filters, and the recipient was able to decrypt the outer shell with hat.sh but is having difficulty with the 7z files. So hat.s(h) off to the developer for making something desperately needed: an easy to use, (hopefully) secure method for sharing encrypted files that works on any OS.

So I'm left contemplating only using hat.sh for encryption, but I'm not sure if I can/should trust it. Not trust as in trust in the developer to not be malicious, but trust as in whether the code has any flaws. I've searched and have only found a few mentions of it, and none regarding how secure the code is. It hasn't undergone any formal audits, obviously, but I'm curious if many people that are knowledgeable about crypto and coding have done an informal audit. There have been many cases where well-intentioned developers made crypto software, sometimes home-rolled and sometimes not, where it was found to have serious flaws, and while @sh-dv may know a lot, they're just one person, and it's very possible, and even likely, they've missed things. In fact, there was one issue where a user pointed out just such a thing with cross-site scripting (XSS) vulnerabilities. While I'd love to find something that's actually both easy to use and secure, I'm hesitant to jump right in and trust that files I encrypt with it will actually be secure.

On another note, one issue (#69) asked for key files, which should obviously help increase the security significantly, and the issue was closed as completed, but I don't see an option for their use. Am I missing something, or were they added then removed, or never added? And if not, is it still planned?

[sh-dv]

Hello @vertigo220,
Hat.sh hasn't been officially audit, although I would love that to happen but security audits are expensive and require a lot of opensource funding which is difficult. For example, KeePassXC and age have not been audited.

Regarding security vulnerabilities, there is an email in the repository under the SECURITY.md file where valid vulnerabilities can be reported and proper fix can be put in place.

About key files, yes, it is planned in the upcoming version (3.0), you can add suggestions here.

Thank you.