Show HN: Entropy – Sharing screen is scary in SaaS age
entropysec.ioSharing screen is really scary today with all PIIs and secrets sprawling around your screen, so I built Entropy, a small Chrome extension that spots API keys, tokens, emails, and throws a blur overlay on them in real time.
The goal is to make screen-sharing feel safe again without adding steps to a demo.
Everything runs locally—regex + entropy heuristics compiled to WASM—and the extra CPU cost averages ~1 ms per mutation on my M1.
Custom rules can be added with a JSON file for teams that have proprietary token formats.
visit https://entropysec.io
Feedback please <3
Congrats! Launching is hard. Feedback:
- I can't tell what this is until I scroll "below the fold" (ie, below the first visible screen). I think your tagline just needs to be clearer. Even your first sentence in the post here could be a decent description ("Entropy, a small Chrome extension that spots API keys, tokens, emails, and throws a blur overlay on them in real time")
- I'm not very comp-sec minded. I've never in my life worried about leaking API keys, tokens, email addresses, etc via screen share. I have worried about leaking bookmarks, sensitive email drafts, slack messages, etc. But I also don't think I care enough to pay for something that blocks those. Hopefully there are people that do care enough to pay
- An idea for a possible pivot: Ad agencies sometimes want to show how much money or traffic they bring in for clients. Made up data isn't convincing to close a sale, but real pages can have sensitive data like company names, logos, ad spend, etc. With a slight pivot, you might be able to provide them something to obscure that info. I only have second-hand knowledge of this problem, so you'd need to verify that they care enough about this -- don't take my word for it.
I would recommend doing more than gaussian blurring. Blurring makes it harder but not impossible to recover, especially if you know the exact font and font size in an image (which is easily recovered when the attacker can visit the website to work it out!).
https://youtu.be/acKYYwcxpGk here's a citation for that being possible, in case anyone's interested. Also has some of the methods posted on github from what I remember.
Yep: https://github.com/bishopfox/unredacter
We would need actual black bars.
Or if you want it to look "authentic" replaced it with blurred random text.
But personally I like solid bars as it makes it obvious what is happening and that it is secure.
Soo... No source? Requires access to 'Read and change all your data on all websites'? Pinky-promises not to send data to a server?
On top of that it uses blur to hide secrets when it has been proven that blurring leaks enough information for the obscured data to be reconstructed.
On top of that it's a $4/mo subscription service for what in your words amounts to regex + entropy heuristics + some enshittification (you're not allowed to have custom regex unless you pay subscription)...
What, you don't trust strangers with all your web browsers data? Don't be so paranoid.
Now developers have to give their source code for free and can also not monetize subscription. Is it some kind of modern slavery?
The only place I'm insistent about source-code is things like this that need access to a ton of my data at all times. An app that only has access to the data I choose to share with it, I'm more willing to give-and-take on the show-me-the-code front.
As far as subscriptions go, a lot of devs have moved to a subscription-train model, which I really like: you pay for the subscription (which funds development and pays for support), but at any time you can _stop_ paying the subscription cost and keep the version you're currently running without further updates. That's a good trade-off to me, since I can choose to end my subscription without it becoming a catastrophic migration event that has to be carefully planned and executed fully before opting to stop paying.
No source - no pay. Even if source, in case the licensing scheme is subscription-based, there better be some service rendered that has recurring expenses, otherwise -- still no pay.
yes source - still no pay. What is the benefit in satisfying your demands? Code it yourself and make it open source.
Dude, just install the closed source screen reader that tries to find PII/credit cards/social security numbers on your computer. It's for Cyber Security!
Agreed. Flagged the article. Borderline malware advertisement.
They built a new thing and shared it. Hn is news for “hackers”, and sharing early products like this is one of the intended use cases. Sure it lacks polish, but flagging seems extreme
I mean, drumming up a chrome extension on HN to get a userbase, then abusing it or selling it off to be abused shouldn't be the sort of entrepreneurial/hacking mindset HN appreciates.
> abusing it or selling it off
I got no indication that the author was planning to do either of these things
How about all the red flags of my initial comment?
A Google Chrome extension to hide your secrets? Wouldn't that be self contradicting?
Feature idea for another product based on the exact same stack tech : replace private information that are less private than secret keys but still not for public release (filepath files folders names in file system, user accounts names etc.) so that developer can easily make product screen recording / screenshot to showcase their product to the public. Then replace those strings by dummy strings generated by AI. You could sell it for more. I need this.
This is a great example of a product that doesn't really need to exist in a super completed state but that "gracefully degrades" to the customer tiers that come in. Like technically the features in the tiers are not complex or difficult (not disparagement to the effort and design, instead respect) - but the natural "peak solution" (using LLM to detect secrets) is advertised and achievable.
Well done!
In security, whitelisting is preferable to blacklisting. However given that people can already whitelist by only sharing one window (which is what I, and I guess most security conscious people, always do) I'm not sure there's a business here.
I was puzzled by that, too: I'm always mystified when people share their entire screen on a Zoom call instead of just the one window they need to show me. Zoom even makes it easy to change out what you're sharing (add / subtract) any time.
Having seen a giant work meltdown stemming from a colleague's Slack DM accidentally broadcast over a Zoom call, I'm always paranoid about it.
Sharing secrets is scary. Instead we share your screen and secrets to third party LLM providers!
Nice line of defence! Ofc. people should avoid a situation where a secret on screen is worth something. Use MFA, VPN, key vault, JWT, OTP etc. etc.
A very cool idea but I think instead of blurring, you should just put a black bar over the recognized secrets. I mean think about it: you're going all the way when it comes to detection but only halfway when it comes to actually obscuring.
Or make it customizable! Maybe I want to cover my secrets with daisies. Or fig leaves.
“Colleagues”, the first prompt on the main page, is misspelled as “collegues”