PassLok vs. Minilock – 9 years later

I confess that PassLok's development borrowed a lot from a competing app called MiniLock, by Nadim Kobeissi. That app got a lot of press when it was launched 9 years ago but is now defunct. In fact, its successor is also defunct, and so is its successor's successor. Meanwhile PassLok continues delivering various crypto-related functions and spawning new children. This post collects some of that history and tries to get at the root causes of such divergent outcomes. Moral: sometimes slower is better.

Minilock, whose icon is displayed at the head of this article, was launched as a Chrome app on August 4, 2014, the second major release of prodigy developer Nadim Kobeissi, after Cryptocat. It was designed to make encryption accessible to regular people. You only had to load Minilock and enter your email address and passphrase (never called a “password” in the app, I guess to encourage users to write something long, and therefore more secure), and the app would derive a NaCl key pair from that passphrase and email. Nothing was stored: the same email and passphrase always regenerated the same key pair. The public key was converted into a base58 “minilock ID” that you were supposed to share with your friends.

Minilock encrypted whole files rather than text-based messages. To encrypt a file (after entering your email and passphrase), you just dragged the file from Explorer or Finder into a drop zone in the app and entered the minilock IDs of the recipients (yes, there could be several). Then the app did its magic and prompted you to download the encrypted file, with extension .minilock. To decrypt it, you entered your credentials once again and dragged the encrypted file to the drop zone, and voilà! It was decrypted and ready to be downloaded. The app used no storage and had no key management of any kind, so users had to keep a collection of their correspondents' minilock IDs somewhere else, although there were plans to add a database that would be saved with the app, as this article states. You may also want to read the articles at PC World and Wired.

My own app PassLok was undergoing heavy development at that time, and I borrowed a few ideas from Minilock that were incorporated into PassLok. For instance:

  • Use base36 rather than base64 to display public keys to users (called “Locks” in PassLok parlance). The idea was to make it easy for users to spell out their Lock over the phone if they wanted to, thus providing pretty good authentication to the recipients. I didn't think base58 was simple enough because it includes both lowercase and capital letters, which sound the same when read aloud.
  • Use 256-bit NaCl (Curve25519) keys for public-key cryptography. Prior to that, PassLok was using 521-bit SJCL keys, which was kind of overkill.
  • Add Reed-Solomon error-correction codes as part of the end tags. This was removed after a while, since it's pretty hard for digital data this short to be corrupted by strictly digital processing.
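To make two of the design points above concrete (the email-plus-passphrase key derivation described for Minilock, and the base36-versus-base58 question for spelling a public key over the phone), here is an added Python example. It is not Minilock's or PassLok's code, and it generalises a little beyond the text by checking the same ID format under both alphabets: the scrypt cost parameters, the email normalisation, the Bitcoin base58 alphabet and the one-byte BLAKE2s checksum appended to the key are all my assumptions for the demo, and the X25519 routine is a plain-Python transcription of RFC 7748 that is not constant-time, so it is for illustration only. The check a practitioner wants is at the end: with a checksum in the ID, a single mistyped character is rejected instead of silently encrypting to the wrong key, and because base36 is case-insensitive an ID heard over the phone can be normalised before decoding, which a mixed-case base58 ID cannot.

```python
import hashlib

# X25519 (RFC 7748) in plain Python: fine for a demo, NOT constant-time, never use in production.
P = 2**255 - 19                          # Curve25519 field prime
A24 = 121665                             # (486662 - 2) / 4, Montgomery-ladder constant
BASEPOINT = (9).to_bytes(32, "little")

def x25519(sk: bytes, pub: bytes = BASEPOINT) -> bytes:
    """k*u on Curve25519; with the default u=9 this turns a 32-byte secret into a public key."""
    k = bytearray(sk)
    k[0] &= 248; k[31] &= 127; k[31] |= 64                # RFC 7748 scalar clamping
    k = int.from_bytes(k, "little")
    u = int.from_bytes(pub, "little") & ((1 << 255) - 1)  # RFC 7748: ignore the top bit of u
    x1, x2, z2, x3, z3, swap = u, 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb, c, d = a * a % P, b * b % P, (x3 + z3) % P, (x3 - z3) % P
        e, da, cb = (aa - bb) % P, d * a % P, c * b % P
        x3, z3 = pow(da + cb, 2, P), x1 * pow((da - cb) % P, 2, P) % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def derive_keypair(email: str, passphrase: str) -> tuple:
    """Deterministic key pair: the email is the salt, the passphrase is the only secret.
    scrypt cost n=2**14 is an assumption that keeps the demo fast; use far more in practice."""
    salt = hashlib.blake2s(email.strip().lower().encode()).digest()
    sk = hashlib.scrypt(passphrase.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return sk, x25519(sk)

BASE58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"   # Bitcoin alphabet
BASE36 = "0123456789abcdefghijklmnopqrstuvwxyz"

def encode_base(data: bytes, alphabet: str) -> str:
    n, digits = int.from_bytes(data, "big"), ""
    while n:
        n, r = divmod(n, len(alphabet))
        digits = alphabet[r] + digits
    leading = len(data) - len(data.lstrip(b"\0"))      # leading zero bytes -> leading zero digits
    return alphabet[0] * leading + digits

def decode_base(text: str, alphabet: str, length: int) -> bytes:
    n = 0
    for ch in text:
        n = n * len(alphabet) + alphabet.index(ch)      # ValueError on a character outside the alphabet
    return n.to_bytes(length, "big")                    # OverflowError if the value is too large

def is_case_insensitive(alphabet: str) -> bool:
    """True if lower-casing keeps every digit distinct, so dictated IDs can be normalised."""
    return len(set(alphabet.lower())) == len(alphabet)

def make_id(pub: bytes, alphabet: str) -> str:
    """Public key plus a one-byte BLAKE2s checksum (assumed format) so typos are caught, not used."""
    return encode_base(pub + hashlib.blake2s(pub, digest_size=1).digest(), alphabet)

def parse_id(text: str, alphabet: str) -> bytes:
    """Return the 32-byte public key, or raise ValueError if the ID was mistyped or altered."""
    if is_case_insensitive(alphabet):
        text = text.lower()
    try:
        raw = decode_base(text.strip(), alphabet, 33)
    except (ValueError, OverflowError):
        raise ValueError("not a valid ID: bad character or wrong length") from None
    pub, check = raw[:32], raw[32:]
    if hashlib.blake2s(pub, digest_size=1).digest() != check:
        raise ValueError("checksum mismatch: ID was mistyped or altered")
    return pub

def typo_detection_rate(id_text: str, alphabet: str) -> float:
    """Fraction of all single-character substitutions that parse_id rejects (about 255/256)."""
    tried = rejected = 0
    for i, ch in enumerate(id_text):
        for sub in alphabet:
            if sub == ch:
                continue
            tried += 1
            try:
                parse_id(id_text[:i] + sub + id_text[i + 1:], alphabet)
            except ValueError:
                rejected += 1
    return rejected / tried

def demo() -> dict:
    sk, pub = derive_keypair("alice@example.com", "correct horse battery staple")  # constructed creds
    id58, id36 = make_id(pub, BASE58), make_id(pub, BASE36)
    return {"base58_id": id58, "base36_id": id36, "base58_typos_rejected": typo_detection_rate(id58, BASE58),
            "base36_typos_rejected": typo_detection_rate(id36, BASE36)}

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

One consequence of deterministic derivation is worth keeping in mind: anyone who knows your email address can run passphrase guesses offline against your published ID, because the ID is all they need to check a guess. That is why the passphrase has to be long, and why the real cost parameters of the KDF matter far more than the toy values used here.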

Of course, PassLok is a lot more complex than Minilock ever was, adding a host of steganography functions, five different encryption modes, signatures, hidden messages, secret splitting, secure video chat, multiple identities and, perhaps most importantly, a database of correspondents’ Locks that was saved with the app. Even so, it got good reviews for simplicity, like this one from LifeHacker, and this one from MakeUseOf.

The reviews for Minilock appeared in much better-known venues but, you know what? Minilock has been dead for a long time now and it's hard to find any information on it, while PassLok has led to several derivatives with four-digit installation numbers, according to Chrome Web Store statistics. So the question is: what happened to Minilock after such a great start?

It became Peerio on January 14, 2015, less than six months after Minilock's release. Peerio was a more complex app, including chat, file exchange, and a central server, and it was distributed as a native app rather than a browser-based one. Users could exchange files, encrypted in Minilock format, and the server supplied the public keys of registered users so they did not have to keep their own databases. This was a divergence from PassLok, which adheres to a “servers are evil” philosophy. One reason for this philosophy is that servers entail hardware, personnel, and cost, which lead to the need for steady income. Sure enough, the Peerio team grew, new investors came, and the result was Peerio 2, launched June 15, 2017. I surmise that it failed to attract enough paying users, and the company ended up being sold to WorkJam on January 13, 2019. The current WorkJam may contain some original Minilock code or ideas, but then again, maybe not. WorkJam is an entirely different sort of app, focusing on team management rather than encryption. Its website makes no reference whatsoever to encryption being used in its products.

You can read up about Peerio in Wired, Hacker News, and other hard-to-find places. If you are wondering what happened to Kobeissi, who was no longer involved with the Peerio 2 team, this article in Forbes magazine might give you a clue. It seems there was pressure to put backdoors in the software so managers would not be in the dark about what their employees were saying to each other in their encrypted chats. Are you shaking your head? Yup, we've seen that before. The root cause is money, as always. And not a lot of it, which is a pity. What price do you place on your principles?

So Peerio is no more, and Minilock is no more, and meanwhile PassLok keeps growing, slowly. Just recently it spawned GroupEncrypt, which uses a very similar encryption algorithm but is aimed at user groups with zero knowledge of cryptography. Because it encrypts and decrypts files rather than text, its interface looks a lot like good old Minilock, except that all the work involved in keeping a database of user public keys (and there isn't much of it) is shunted to a single Administrator. Regular users only need to enter their personal Password and start dragging files to a big drop zone on the page. GroupEncrypt is meant to be served from a web server, but this is the user group's own private server, so I have nothing to do with it. That private server does not need to be powerful or have a large capacity; it just delivers the HTML code, which is less than 100 kB compressed. The (encrypted) files to be shared can reside in absolutely any file-sharing service, which will never be able to peek into their content because all encryption is done client-side and the service is not involved with the app at all.

Like PassLok, GroupEncrypt is open source and there is no good reason why it should ever stop being so, or become unavailable like Minilock and the different flavors of Peerio. The expense involved is next to zero, so there's no need for income and no pressure to please paying customers. Is it any good? You decide. Take it for a spin. The code is on GitHub.
