#SecureScribeFriday Introducing: Retriever(open-source project by Corgea) – Securely request secrets browser-to-browser
Corgea (YC S23)
Corgea is security platform that finds, and fixes insecure code such as business logic flaws, broken auth, etc using AI.
Why did Corgea build Retriever?
Adam from our team realized that there was no way to request secrets from someone. Most people share passwords, but what if you could ask for a secret? What if it could also be done without a server in the middle. Shouldn’t secret sharing really be secret? I think we all saw the news on LastPass.
This is why we developed Retriever, an open-source project to help users receive secrets and sensitive information. Retriever is a peer-to-peer secrets-receiving platform that allows anyone to request secrets without needing a server needed in the middle. Here’s what makes Retriever unique.
Interestingly, most services don't offer a way to request a secret from someone. Most secrets sharing happens with the person initiating the share has to have a password manager to do so. This system fills that gap. It allows users to send a link to someone to receive a secret. The recipient can then send a new URL with the encrypted?secret. The requester can then decrypt the secret in their browser, ensuring a seamless and secure exchange.
Another big issue with most open-source projects is just because a project is open-source doesn't mean it's hosted openly. This new system ensures that while the codebase is open for everyone to see and contribute to, the hosting remains secure, ensuring the integrity of the shared data. Additionally, retriever.corgea.io is actually hosted by Github pages (do a CNAME check to see).
Traditional methods of sharing secrets often involve a third-party server that orchestrates the transfer. While this might seem convenient, it poses a significant risk. Users have to trust that the third party will delete their data after the transfer. This new system ensures that data is transferred directly between the sender and receiver, reducing potential points of failure. Retriever has no data store to save or log any of the secrets or the parties sharing data.
One of the most significant challenges with current systems is the exposure of URLs. If someone gets hold of a secret URL, they essentially have access to its secret. This new system acknowledges this flaw and encrypts the secret within the URL. Only the intended recipient, with the decryption key, can access the secret, ensuring an added layer of security.
Finally, the system's backbone lies in its use of standard web cryptography. These are widely recognized for their robustness and security features. By leveraging these standards, the system ensures that the encryption and decryption processes are not only secure but also fast and efficient. Who are we? The team at Corgea are a passionate bunch of engineers, designers, and product builders who like to tackle the most urgent and stimulating problems in security. In our prior roles, we designed, secured, and built software products for Coupa, Autodesk, and PlanGrid.
Want to Try Retriver: https://lnkd.in/gCaRjdsM
RPA AI - CTO & Head of Intelligent Automation, Data & AI ML |FX| Blockchain | Web3 | Digital Assets | HFT | Quantum | Algorithmic Dev | Ultra Low Latency | Systematic Trader | Wealth Management | UHNW | Fintech | Defi
1 年Please don't waste peoples time Ahmed. I booked a demo extremely interested. It was 8PM uk time. He was more interested in my background, linkedin, email, what I looked like, as prerequisite to demo of Corgea. Ultimately, i didn't see it, a demo, without a demo, really!!! neither would I recommend it. Its not professional wasting people’s time.