Share text-based information securely and anonymously over the internet.
https://secret-messages-7749d.web.app/
Using the website, users can enter and store text information, and receive a link to share this information securely. Only those with the link can access the information. We use end-to-end encryption -- both encryption and decryption is performed on the client, and the passphrase used for encryption is never sent to the server.
The text information is shared using end-to-end encryption. Encryption and decryption are performed only on the client. See below for more information about the encryption used.
There are several additional security measures:
- link expiry: specify time duration after which the secret can no longer be viewed
- link accesses: specify number of accesses after which the secret can no longer be viewed
- custom passphrase: the link recipient must possess the passphrase to access the secret
These measures help protect against the case where the link is intercepted and/or the case when the link is shared using a medium that does not use forward secrecy.
We use the Web Crypto API in the user's browser to do AES-CBC 256-bit encryption, and PBKDF2 SHA-256 to derive the encryption key for the user's data. The salt and initialization vector (IV) used for encryption/key derivation are randomly generated every time. We use 100,000 iterations with PBKDF2 for key derivation.
If a custom passphrase is provided, it will be used for encryption and the recipient must enter the same passphrase to decrypt the secret. Otherwise, a randomly generated passphrase will be used.
Once the data is encrypted in the client, the encrypted data is sent alongside the IV and salt to an endpoint managed by Google Cloud Functions. The data is then stored as a new document in Google Firestore document store. An ID is returned to the client for the purpose of retrieving the document.
When the receiving client sends the ID to the endpoint, the document corresponding to the ID will be retrieved; and the encrypted data, IV, and salt are sent to the client.
Documents are regularly deleted from the Firestore database as they expire.
- Web Crypto API / SubtleCrypto
- Google Firebase
- Google Firestore: Serverless NoSQL document store
- Google Cloud Functions: Serverless backend functionality
- Google Cloud Scheduler: Cron job service
- Bootstrap 5
- JavaScript
- Node.js
See Developer setup.
This project is licensed under the GNU General Public License v3.0.
Originally created by Fabian Tam and Steven Wong.
Fabian Tam
Software Engineer
fabiantam.com
Steven Wong
UBC Computer Science Student
https://twitter.com/swongggg