Search by Algolia
5 considerations for Black Friday 2023 readiness
e-commerce

5 considerations for Black Friday 2023 readiness

It’s hard to imagine having to think about Black Friday less than 4 months out from the previous one ...

Piyush Patel

Chief Strategic Business Development Officer

How to increase your sales and ROI with optimized ecommerce merchandising
e-commerce

How to increase your sales and ROI with optimized ecommerce merchandising

What happens if an online shopper arrives on your ecommerce site and: Your navigation provides no obvious or helpful direction ...

Catherine Dee

Search and Discovery writer

Mobile search UX best practices, part 3: Optimizing display of search results
ux

Mobile search UX best practices, part 3: Optimizing display of search results

In part 1 of this blog-post series, we looked at app interface design obstacles in the mobile search experience ...

Vincent Caruana

Sr. SEO Web Digital Marketing Manager

Mobile search UX best practices, part 2: Streamlining search functionality
ux

Mobile search UX best practices, part 2: Streamlining search functionality

In part 1 of this series on mobile UX design, we talked about how designing a successful search user experience ...

Vincent Caruana

Sr. SEO Web Digital Marketing Manager

Mobile search UX best practices, part 1: Understanding the challenges
ux

Mobile search UX best practices, part 1: Understanding the challenges

Welcome to our three-part series on creating winning search UX design for your mobile app! This post identifies developer ...

Vincent Caruana

Sr. SEO Web Digital Marketing Manager

Teaching English with Zapier and Algolia
engineering

Teaching English with Zapier and Algolia

National No Code Day falls on March 11th in the United States to encourage more people to build things online ...

Alita Leite da Silva

How AI search enables ecommerce companies to boost revenue and cut costs
ai

How AI search enables ecommerce companies to boost revenue and cut costs

Consulting powerhouse McKinsey is bullish on AI. Their forecasting estimates that AI could add around 16 percent to global GDP ...

Michelle Adams

Chief Revenue Officer at Algolia

What is digital product merchandising?
e-commerce

What is digital product merchandising?

How do you sell a product when your customers can’t assess it in person: pick it up, feel what ...

Catherine Dee

Search and Discovery writer

Scaling marketplace search with AI
ai

Scaling marketplace search with AI

It is clear that for online businesses and especially for Marketplaces, content discovery can be especially challenging due to the ...

Bharat Guruprakash

Chief Product Officer

The changing face of digital merchandising
e-commerce

The changing face of digital merchandising

This 2-part feature dives into the transformational journey made by digital merchandising to drive positive ecommerce experiences. Part 1 ...

Reshma Iyer

Director of Product Marketing, Ecommerce

What’s a convolutional neural network and how is it used for image recognition in search?
ai

What’s a convolutional neural network and how is it used for image recognition in search?

A social media user is shown snapshots of people he may know based on face-recognition technology and asked if ...

Catherine Dee

Search and Discovery writer

What’s organizational knowledge and how can you make it accessible to the right people?
product

What’s organizational knowledge and how can you make it accessible to the right people?

How’s your company’s organizational knowledge holding up? In other words, if an employee were to leave, would they ...

Catherine Dee

Search and Discovery writer

Adding trending recommendations to your existing e-commerce store
engineering

Adding trending recommendations to your existing e-commerce store

Recommendations can make or break an online shopping experience. In a world full of endless choices and infinite scrolling, recommendations ...

Ashley Huynh

Ecommerce trends for 2023: Personalization
e-commerce

Ecommerce trends for 2023: Personalization

Algolia sponsored the 2023 Ecommerce Site Search Trends report which was produced and written by Coleman Parkes Research. The report ...

Piyush Patel

Chief Strategic Business Development Officer

10 ways to know it’s fake AI search
ai

10 ways to know it’s fake AI search

You think your search engine really is powered by AI? Well maybe it is… or maybe not.  Here’s a ...

Michelle Adams

Chief Revenue Officer at Algolia

Cosine similarity: what is it and how does it enable effective (and profitable) recommendations?
ai

Cosine similarity: what is it and how does it enable effective (and profitable) recommendations?

You looked at this scarf twice; need matching mittens? How about an expensive down vest? You watched this goofy flick ...

Vincent Caruana

Sr. SEO Web Digital Marketing Manager

What is cognitive search, and what could it mean for your business?
ai

What is cognitive search, and what could it mean for your business?

“I can’t find it.”  Sadly, this conclusion is often still part of the modern enterprise search experience. But ...

Vincent Caruana

Sr. SEO Web Digital Marketing Manager

How neural hashing can unleash the full potential of AI retrieval
ai

How neural hashing can unleash the full potential of AI retrieval

Search can feel both simple and complicated at the same time. Searching on Google is simple, and the results are ...

Bharat Guruprakash

Chief Product Officer

Looking for something?

A Simple, Secure Tool for One-time (Self-Destructing) Messages
facebookfacebooklinkedinlinkedintwittertwittermailmail

It is a very common practice and a very bad idea to send sensitive information over Slack or email. No matter how much you trust Slack or Gmail, there are types of company information (for example, SSH keys, certificates, security tokens…) that warrant an extra layer of security.

The challenge, then, is to create a more secure platform that is also easy to use in order to invite adoption.

A complicated way to tackle the issue

Being part of the security team, I send secrets and passwords on a daily basis. Existing ways of sending secure messages were quite cumbersome: you had to first ask the receiver to create a private and a public key, have them publish it somewhere like a web site, MIT’s public key service, or KeyBase, or send it directly to our squad. Only then we could start sending secure messages to each other.

While operations engineers are used to (if not happy with) this level of effort, asking other teams— dev, sales, marketing, execs — to indulge in such a procedure is simply not practical: I could already see employees reverting back to email or Slack.

Experience has shown us that the best way to mandate security measures is to make them as simple and easy to use as possible. Hence, I started racking my brain to find a new solution.

“This tape will self-destruct in five seconds. Good luck, Jim”

A solution is emerging

While working on a different project in our continuous efforts to make Algolia security top notch, I started using Hashicorp Vault. Vault “secures, stores, and tightly controls access to tokens, passwords, certificates, API keys, and other secrets in modern computing. Vault handles leasing, key revocation, key rolling, and auditing through a unified API”. Through Vault, Hashicorp changed the way companies store their secrets.

Digging a little deeper inside the Vault API and engine, I stumbled upon the concept of Response Wrapping. “Response Wrapping” is using Vault’s cubbyhole backend. Cubbyhole is a short-term storage place where you can put a secret that will be consumed by a user or a service who is holding a specific token. No token can access another token’s cubbyhole, whether to read, write, list, or for any other operation. When the token expires, its cubbyhole is destroyed.

So, a Vault token has all the features we need to create a self-destructing message service:

  1. TTL – a time during which the token will be alive
  2. Number of uses – the number of times you can use the token
  3. Cubbyhole – a special place where we can save secrets

Let’s put all of these features into use and create a secret message service workflow:

  1. User inputs secret message
  2. Create a token with TTL=24Hours and NumberOfUses=2
  3. Write the secret to the “cubbyhole”
  4. Token NumberOfUses – 1 = 1
  5. Give the token back to the user
  6. User sends token to relevant recipient
  7. Recipient uses token to open the secret message in cubbyhole
  8. Token NumberOfUses – 1 = 0 ; hence the token and secret are deleted
  9. Success!! \o/

Yet Another Secret Messaging Service?

Now, before building the final tool, I did some research to make sure I am not reinventing the wheel. I decided to look for a self-destruct messaging software, and found a couple of candidates, but they all had at least one of the following issues:

  • They didn’t allow the option of self hosting, which made security an issue, thus defeating the purpose
  • Not simple enough to use
  • They required a complex deployment on the user’s part, such as installing Redis, Node and other dependencies
  • The backend storage is typically not that secure
  • They are not open source

Side note: I don’t explicitly list the tools because the “domain” of secret messaging services is so tiny, that I believe your own research will take only a few minutes to come to the same results as I have. You can see a list of some nice projects here: 
https://github.com/Kickball/awesome-selfhosted#pastebins

The research justified building a new tool with the following requirements:

  • Hosted on our server (aka super secure) easy to deploy
  • Ease of use
  • Using Hashicorp Vault (nust as an experiment)

All I had to do now is create a very simple API with 2 public methods:

  • SetSecret – which puts the secret in Vault and returns a token
  • GetSecret – uses the token and gives back the secret

On top of that I built a very simple web UI:

  • You insert your secret, submit it

Secret One-Time Self-Destruct Messaging Tool

  • You get a URL with the one time token

Secret One-Time Self-Destruct Messaging Tool

  • You send the URL to the happy recipient via Slack or email

  • She opens the secret message

Secret One-Time Self-Destruct Messaging Tool

  • If you try to open the message again

And that’s all there is to it!

While this was at first just an experiment in using Hashicorp Vault for a secret messaging tool, it has really caught on at Algolia, where I see many coworkers using it for all kinds of secrets sharing.

If you like the tool, you can try it yourself on GitHub. It is open source, and we put on ProductHunt so it can be found easily (and of course, we’d love your vote 🙂

Let us know what you think!

About the author
Eran Chetzroni

Recommended Articles

Powered byAlgolia Algolia Recommend

Algolia's Checklist for Selecting a Critical SaaS Service
engineering

Julien Lemoine

Co-founder & CTO at Algolia

The Faces of Algolia: Meet Marie-Laure Sin
algolia

Marie-Laure Sin

Good API Documentation Is Not About Choosing the Right Tool
engineering

Maxime Locqueville

DX Engineering Manager