Before you start

The following section assumes knowledge of:

  • Hashing algorithms
  • The JavaScript programming language
  • Host-proof design

If you don't have the necessary skill set to perform the audit, you have the following options:

  • You could trust us: We consider this a poor option, but you may be able to take some assurance from the fact that the code is right there for inspection, and that other people are also checking it. You might want to search Twitter for mentions of @senditonthenet to see what other people think.
  • You could get somebody else whom you trust to check it for you.

Realistically we expect that most people will simply opt to trust us, especially considering how easily we could be 'caught' if we were up to anything. The choice is yours.

Auditing the code for the first time

Grab a copy of the code

We wrap all the JavaScript used on senditonthenet into a single file to make it easier to check for changes. You can grab a copy of it from this link: application.js

If you are using a Mac or Linux, you can pull down the code from the terminal using the following command:

wget http://www.senditonthenet.com/javascripts/application.js

Checking it for exploits

OK, here is the hard part: because senditonthenet is a complex application, it will take a long time to check. At the time of writing it is 16267 lines long, and it is likely to get longer as we add additional features. We have avoided minifying the codebase so that it is easier to read.

So what are you looking for?

First and foremost, you are looking for any parts of the code where we do any of the following:

  • Create HTTP requests: you need to make sure they don't upload secret keys.
  • Add elements dynamically: make sure that no script tags are being added.
  • Handle your password when you enter it, and generate keys: check those classes carefully.
  • Return pages from the server: verify that the server can't return something that gets executed as JavaScript.

Following that checklist is the bare minimum you would need to do; nothing beats a full line-by-line audit of the code.
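As a starting point for that read, here is an added triage helper (it is not part of senditonthenet's code) that flags the lines of a JavaScript file falling under the three checklist categories above: outbound requests, dynamic DOM insertion, and server data being turned into code. The regular expressions and the sample file are my own construction; the sample stands in for application.js and is not the real file. The helper only narrows where to look; the reviewer still has to read each flagged site and decide whether a key or a script could pass through it.

```shell
#!/bin/sh
# Added triage helper, not part of senditonthenet's code: flag the lines of a
# JavaScript file that fall under the audit checklist (network requests, dynamic
# DOM insertion, server data turned into code) so the reviewer knows where to
# start reading. It narrows the search; it does not replace the line-by-line read.

# Extended regular expressions for grep -E, one per checklist item.
NETWORK_RE='XMLHttpRequest|\.open\(|fetch\(|sendBeacon|WebSocket|\.submit\('
DOM_RE="createElement\([\"']script|innerHTML|outerHTML|document\.write|insertAdjacentHTML|\.src[[:space:]]*="
EXEC_RE="eval\(|new Function\(|setTimeout\([[:space:]]*[\"']|setInterval\([[:space:]]*[\"']|globalEval|getScript"

# audit_grep FILE LABEL REGEX -> "LABEL:lineno:text" for every matching line
audit_grep() {
    grep -nE "$3" "$1" | sed "s/^/$2:/"
}

# checklist_scan FILE -> every flagged line from all three categories, in file order
checklist_scan() {
    {
        audit_grep "$1" network "$NETWORK_RE"
        audit_grep "$1" dom "$DOM_RE"
        audit_grep "$1" exec "$EXEC_RE"
    } | sort -t: -k2,2n
}

# count_hits FILE LABEL -> how many lines were flagged under one category
count_hits() {
    checklist_scan "$1" | grep -c "^$2:" || true
}

# Constructed sample standing in for application.js; not the real file.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
// constructed sample, not senditonthenet code
function upload(blob) {
  var xhr = new XMLHttpRequest();
  xhr.open("POST", "/upload");
  xhr.send(blob);
}
function render(html) {
  container.innerHTML = html;
}
function parseResponse(text) {
  return eval("(" + text + ")");
}
var key = deriveKey(password);
EOF

checklist_scan "$SAMPLE"
```

Run against the real application.js the output is a list of "category:line:text" entries; the network hits are where to confirm that nothing derived from the password or key is placed in a request body, the dom hits are where to confirm no script element or HTML string from the server is inserted, and the exec hits are where server text could become code. A hit is not a finding, only a place to read.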

Take a checksum

Once you are happy with the code, you should save a copy of it somewhere (with a timestamp) and record its checksum.

To take a checksum of the file you need to use a hashing function. When you hash a file you generate a short string that would change completely if even 1 bit of the source file changed.

Senditonthenet recommends using SHA1, but you can use whatever you are most comfortable with. On OS X, for example, you could run the following:

shasum application.js

Auditing the code subsequent times

Take another checksum to see if it has changed

Do the same as before to download the JavaScript and hash it; if it hasn't changed since the last time you checked it, there is no need to check it again.

If the code has changed

Using the previous copy of the code that you checked, you only need to review the differences between the old file and the new one. To do this you would use a program called diff. Running the diff command against the two files shows you only the changes.
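The record, re-check and diff steps above as one shell workflow, added here as an example and not senditonthenet's own tooling. The log format, file names and the two sample versions of application.js are my own construction (the page says nothing about how to store the checksum), and the constructed files stand in for the downloaded file so the example runs offline. It uses SHA-256 rather than the SHA-1 the page suggests, because SHA-1 collisions are practical today and the whole point of the checksum is that two different files cannot share one.

```shell
#!/bin/sh
# Added example, not senditonthenet's own tooling: record the checksum of an
# audited application.js with a timestamp, re-check a later download against it,
# and diff the two copies when it has changed. It uses SHA-256 instead of the
# SHA-1 the page suggests, since SHA-1 collisions are practical today.

# hash_file FILE -> hex SHA-256 digest (sha256sum on Linux, shasum on macOS)
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# record_audit FILE LOG: keep a timestamped copy of FILE beside LOG and append
# "timestamp digest copy" to LOG. Prints the path of the saved copy.
record_audit() {
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    copy="$(dirname "$2")/application-$stamp.js"
    cp "$1" "$copy"
    printf '%s %s %s\n' "$stamp" "$(hash_file "$1")" "$copy" >> "$2"
    echo "$copy"
}

# last_digest LOG / last_copy LOG -> digest and saved copy from the newest log entry
last_digest() { tail -n 1 "$1" | cut -d' ' -f2; }
last_copy()   { tail -n 1 "$1" | cut -d' ' -f3; }

# unchanged_since_audit FILE LOG -> "yes" when FILE still hashes to the recorded digest
unchanged_since_audit() {
    if [ "$(hash_file "$1")" = "$(last_digest "$2")" ]; then echo yes; else echo no; fi
}

# changed_lines FILE LOG -> number of lines added or removed since the saved copy
changed_lines() {
    diff "$(last_copy "$2")" "$1" | grep -c '^[<>]' || true
}

# show_changes FILE LOG -> unified diff against the saved copy, for the human reviewer
show_changes() {
    diff -u "$(last_copy "$2")" "$1" || true
}

# Constructed stand-in for the downloaded application.js; not the real file.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
LOG="$WORK/audit.log"
JS="$WORK/application.js"
printf 'function encrypt(msg, key) {\n  return aes(msg, key);\n}\n' > "$JS"

# First audit: the code has been read and accepted, so record it.
FIRST_COPY=$(record_audit "$JS" "$LOG")

# A later download (constructed here with one added line) replaces the file.
printf 'function encrypt(msg, key) {\n  if (!key) throw new Error("no key");\n  return aes(msg, key);\n}\n' > "$JS"

echo "unchanged: $(unchanged_since_audit "$JS" "$LOG")"   # no
show_changes "$JS" "$LOG"
```

In practice the first two steps replace the manual shasum call: run record_audit once you are satisfied with a version, and on later visits run unchanged_since_audit on the fresh wget download. When it answers "no", show_changes gives you exactly the lines to read, and once those are accepted you call record_audit again so the log always points at the last reviewed copy.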