Show HN: Entropy – Sharing screen is scary in SaaS age

Congrats! Launching is hard. Feedback:

- I can't tell what this is until I scroll "below the fold" (ie, below the first visible screen). I think your tagline just needs to be clearer. Even your first sentence in the post here could be a decent description ("Entropy, a small Chrome extension that spots API keys, tokens, emails, and throws a blur overlay on them in real time")

- I'm not very comp-sec minded. I've never in my life worried about leaking API keys, tokens, email addresses, etc via screen share. I have worried about leaking bookmarks, sensitive email drafts, slack messages, etc. But I also don't think I care enough to pay for something that blocks those. Hopefully there are people that do care enough to pay

- An idea for a possible pivot: Ad agencies sometimes want to show how much money or traffic they bring in for clients. Made up data isn't convincing to close a sale, but real pages can have sensitive data like company names, logos, ad spend, etc. With a slight pivot, you might be able to provide them something to obscure that info. I only have second-hand knowledge of this problem, so you'd need to verify that they care enough about this -- don't take my word for it.

I would recommend doing more than gaussian blurring. Blurring makes it harder but not impossible to recover, especially if you know the exact font and font size in an image (which is easily recovered when the attacker can visit the website to work it out!).

Soo... No source? Requires access to 'Read and change all your data on all websites'? Pinky-promises not to send data to a server?

On top of that it uses blur to hide secrets when it has been proven that blurring leaks enough information for the obscured data to be reconstructed.

On top of that it's a $4/mo subscription service for what in your words amounts to regex + entropy heuristics + some enshittification (you're not allowed to have custom regex unless you pay subscription)...

Feature idea for another product based on the exact same stack tech : replace private information that are less private than secret keys but still not for public release (filepath files folders names in file system, user accounts names etc.) so that developer can easily make product screen recording / screenshot to showcase their product to the public. Then replace those strings by dummy strings generated by AI. You could sell it for more. I need this.

This is a great example of a product that doesn't really need to exist in a super completed state but that "gracefully degrades" to the customer tiers that come in. Like technically the features in the tiers are not complex or difficult (not disparagement to the effort and design, instead respect) - but the natural "peak solution" (using LLM to detect secrets) is advertised and achievable.

Well done!

In security, whitelisting is preferable to blacklisting. However given that people can already whitelist by only sharing one window (which is what I, and I guess most security conscious people, always do) I'm not sure there's a business here.

A Google Chrome extension to hide your secrets? Wouldn't that be self contradicting?

Sharing secrets is scary. Instead we share your screen and secrets to third party LLM providers!

Nice line of defence! Ofc. people should avoid a situation where a secret on screen is worth something. Use MFA, VPN, key vault, JWT, OTP etc. etc.

A very cool idea but I think instead of blurring, you should just put a black bar over the recognized secrets. I mean think about it: you're going all the way when it comes to detection but only halfway when it comes to actually obscuring.

“Colleagues”, the first prompt on the main page, is misspelled as “collegues”