whisper-secret-messages

Share text-based information securely and anonymously over the internet.

https://secret-messages-7749d.web.app/

About the project

Using the website, users can enter and store text information and receive a link to share it securely. Only those with the link can access the information. We use end-to-end encryption: both encryption and decryption are performed on the client, and the passphrase used for encryption is never sent to the server.

Security

The text information is shared using end-to-end encryption. Encryption and decryption are performed only on the client. See below for more information about the encryption used.

There are several additional security measures:

  • link expiry: specify the time duration after which the secret can no longer be viewed
  • link accesses: specify the number of accesses after which the secret can no longer be viewed
  • custom passphrase: the link recipient must possess the passphrase to access the secret

These measures help protect the secret when the link is intercepted, or when it is shared over a medium that does not provide forward secrecy.

Encryption

We use the Web Crypto API in the user's browser to do AES-CBC 256-bit encryption, and PBKDF2 SHA-256 to derive the encryption key for the user's data. The salt and initialization vector (IV) used for encryption/key derivation are randomly generated every time. We use 100,000 iterations with PBKDF2 for key derivation.

If a custom passphrase is provided, it will be used for encryption and the recipient must enter the same passphrase to decrypt the secret. Otherwise, a randomly generated passphrase will be used.
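
The scheme described in this section, sketched with the Web Crypto API as an added example (not the project's own code; the function names, the 16-byte salt size and the record layout are assumptions):

```javascript
// Added example: names, salt size and record layout are assumptions, not the project's code.
// Browsers expose globalThis.crypto; the require() fallback only serves older Node versions.
const webcrypto = globalThis.crypto ?? require("node:crypto").webcrypto;
const subtle = webcrypto.subtle;
const ITERATIONS = 100000; // PBKDF2 iteration count stated in the README

// Derive a 256-bit AES-CBC key from the passphrase with PBKDF2 SHA-256.
async function deriveKey(passphrase, salt) {
  const material = await subtle.importKey(
    "raw", new TextEncoder().encode(passphrase), "PBKDF2", false, ["deriveKey"]);
  return subtle.deriveKey(
    { name: "PBKDF2", hash: "SHA-256", salt, iterations: ITERATIONS },
    material, { name: "AES-CBC", length: 256 }, false, ["encrypt", "decrypt"]);
}

// Sending client: only the returned record (no passphrase, no key) goes to the server.
async function encryptSecret(plaintext, passphrase) {
  const salt = webcrypto.getRandomValues(new Uint8Array(16)); // fresh for every secret
  const iv = webcrypto.getRandomValues(new Uint8Array(16));   // AES-CBC IV is one block
  const key = await deriveKey(passphrase, salt);
  const ciphertext = new Uint8Array(await subtle.encrypt(
    { name: "AES-CBC", iv }, key, new TextEncoder().encode(plaintext)));
  return { ciphertext, iv, salt };
}

// Receiving client: re-derive the key from the passphrase and the stored salt.
// AES-CBC carries no integrity tag, so a wrong passphrase shows up only as a
// padding or UTF-8 decoding failure; both are reported as null here.
async function decryptSecret(record, passphrase) {
  const key = await deriveKey(passphrase, record.salt);
  try {
    const plain = await subtle.decrypt(
      { name: "AES-CBC", iv: record.iv }, key, record.ciphertext);
    return new TextDecoder("utf-8", { fatal: true }).decode(plain);
  } catch {
    return null;
  }
}
```
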

Backend

Once the data is encrypted in the client, the encrypted data is sent alongside the IV and salt to an endpoint managed by Google Cloud Functions. The data is then stored as a new document in the Google Firestore document store. An ID is returned to the client for the purpose of retrieving the document.

When the receiving client sends the ID to the endpoint, the document corresponding to the ID is retrieved, and the encrypted data, IV, and salt are sent to the client.

Documents are regularly deleted from the Firestore database as they expire.

Technologies used:

Developer setup

See Developer setup.

License

This project is licensed under the GNU General Public License v3.0.

Contributors

Originally created by Fabian Tam and Steven Wong.

Fabian Tam
Software Engineer
fabiantam.com

Steven Wong
UBC Computer Science Student
https://twitter.com/swongggg