A: Passwords are never sent to our servers. We only store encrypted text - which is useless data once a password is lost. Also, we don't know who this text belongs to.
A: Some characters aren't allowed in URL addresses, that's why your URL is redirected to a URL that has some characters replaced with dashes. You can always type in "Mark's notes" and you'll be redirected to the same URL.
We'd like to create a file storage and sharing service with a similar security approach.
In case of legal prosecutions, we can't hurt users because we don't know anything about them, and we can't decrypt their notes. If needed, we'll relocate servers to another country or start implementing easy-to-use self-hosting solution.
A: You don't have to, but it's recommended. The longer the password, the harder it is to guess it. Note that your text is protected by both the URL and your password.
A: Yes. Your password (or password hashes) are never sent over the network, and all data that's sent or received is always encrypted. Your data is decrypted only on your device, and encrypted before it's returned to us.
The server doesn't know anything about authentication; that's all handled in your browser. There are no users on ProtectedText.com, just sites. Passwords are never saved; not even within encrypted text.
Decryption of a page will fail if the password is incorrect, so whoever can decrypt the page must have used the correct password. The idea is that we don't have to know the password; we just have to make sure that the password is correct - and one way to check that is to try decrypting some well-known text using the provided password. The "well-known" text we're using is the URL of the current site (which is different, but known, for each site).
Once a user creates the password, we store the encrypted URL, and each time the password needs to be tested, we just try decrypting the encrypted URL. If we get the expected URL, we try using the same password for decrypting the whole site (it's possible -- but very unlikely -- that two different passwords correctly decrypt the same URL, but using that wrong password for decrypting everything else will result in gibberish).
A: Overwrite protection prevents you from saving any changes if text was changed in the meantime. (The server stores the hash of the newest content, and sends the hash to the client together with the content. The client has to return that same hash when trying to save updated content. The server compares both the stored and received hashes to determinate whether client was served with the latest changes.)
You can save your site together with any referenced resources by manually downloading each file, and use that directly (the page doesn't need to talk to the server once it's sent to the user). The saved site will have all your data in encrypted form, so it's safe.
Data for each site is stored in a single -- very long -- line near the end of the HTML page, right after page URL (it's very long; you can't miss it). The only difference between two different sites is in that very long line and URL.
A: The title of each tab consists of up to 20 characters from the first non-empty line of text.
We haven't opened the server code, for now. We'd like to provide perfect security to everyone, not just tech users. So we've created this approach where server side is irrelevant - that's the beauty of this service.
Nobody should be forced to trust anyone in order to be secure; that's why all security is provided from the client side (which users can verify). Even if you knew the server code, you couldn't confirm whether that unmodified code was running or if it was replaced by something else. In other words: whenever a server's code is responsible for providing security, you have to trust whoever runs it.
A: Sites are never deleted. We'll keep them forever, unless you delete them yourself.
A: The current maximum length is a bit more then 750 000 chars per page.
A: We don't keep (and can't know) anything about you. All we have are encrypted versions of notes that users store on our servers, so once you delete your notes, that's it; there is nothing more to destroy.