What's Secure Messages anyway?

It is a way to exchange messages (currently only text is supported; upcoming releases will allow binary files as well) with other parties.

Why did you create this project?

I started it for personal use and because I wanted to exchange messages with friends without the fear that someone might be snooping on my messages in any way.

Why are there two modes (Novice and Advanced)?

In order to cover a wider range of users who might have different security requirements. The differences between the two modes are summarised in a table towards the end of this help page.

How does it work?

Using the Blowfish symmetric-key block cipher and the password you supply, we encrypt the plaintext message inside your browser. The resulting ciphertext is then saved to our database.

Do you use the same DB to store the advanced and novice mode encrypted messages?

No. We use two separate databases (one for each mode), each with its own DB user and its own account credentials.

What are the prerequisites for others to fetch my secure messages?

If you are using the Novice mode

Any party who wants to fetch your secure messages needs to know only the generated 16-byte token.

If you are using the Advanced mode

Any party who wants to fetch your secure messages needs to know a) your password and b) the generated 16-byte token.

You set the password at the time you save your message; the 16-byte token is generated by the server-side code once your secure message has been stored in the database.

What are the prerequisites for others to decrypt my secure messages?

Any party who wants to decrypt your secure messages needs to know your password.

What encryption algorithm do you use?

We chose the Blowfish encryption algorithm in CTR cipher mode.

Is my password stored on your server?

If you are using the Novice mode

Neither your password nor its SHA-512 digest is stored anywhere.

If you are using the Advanced mode

Only a SHA-512 digest of your password is stored, which is 128-bit long. Your plaintext password is not saved on our server and is not even transmitted to us; it never leaves your browser.

If your server gets hacked, can the attacker read the stored messages?

If you are using the Novice mode

No. Even if someone manages to gain access to our server, it would require a tremendous* amount of time and processing power to brute-force your encrypted message.

If you used the Advanced mode

No. Even if someone manages to gain access to our server, it would require a tremendous* amount of time and processing power to brute-force the digest and recover your password.

* Provided you are using a secure, strong password.

What information is being saved on your server?

If you are using the Novice mode

We store a) the Blowfish-encrypted message, b) the token, c) a random number, and d) a timestamp. (c) and (d) will be used for future enhancements.

If you are using the Advanced mode

We store a) the SHA-512 digest of your password, b) the Blowfish-encrypted message, c) the token, d) a random number, and e) a timestamp. (d) and (e) will be used for future enhancements.

Can we delete the messages from the server?

Currently there is no automatic way to delete a message; this feature will be added in a future release. However, you may contact us directly at anastasiosm@gmail.com, providing the token value and the date/time (in GMT) at which you saved the message.

Your site sucks, it's slow.

Currently, the server is co-hosted and performance is acceptable given the current usage. If demand increases we may get a dedicated server to serve our visitors.

Main Differences Between the two modes

What are the prerequisites for others to fetch my secure messages?
  Novice Mode: They would need to know/guess only the generated token.
  Advanced Mode: They would need to know/guess both the password and the generated token.

Once my encrypted message is fetched (sniffed etc.), what are the prerequisites for others to be able to decrypt it?
  Novice Mode: They would need to know/guess your password.
  Advanced Mode: They would need to know/guess your password.

So, if someone manages to guess my 16-byte token, will he be able to decrypt my message?
  Novice Mode: No, your password is also required to decrypt your message.
  Advanced Mode: No, your password is also required to decrypt your message.

Is my password stored on your server in plaintext?
  Novice Mode: No.
  Advanced Mode: No.

Is any value that is stored on your server related to my password?
  Novice Mode: No.
  Advanced Mode: Only the SHA-512 digest of your password.

What is being saved in the database?
  Novice Mode: The Blowfish-encrypted message, the token, a random number and a timestamp.
  Advanced Mode: The SHA-512 digest of your password, the Blowfish-encrypted message, the token, a random number and a timestamp.

Can I delete my messages?
  Novice Mode: Currently you cannot do so by any automatic means, but we are working on it. In any case you may contact us.
  Advanced Mode: Currently you cannot do so by any automatic means, but we are working on it. In any case you may contact us.

Disclaimer

By visiting this website you agree to accept the terms of use set out below. Please be aware that these may change at any time without notice. Use of this website constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Anastasios Monachos - secuid0) be held liable for any damages whatsoever arising out of or in connection with the use or spread or storage of any information in this server.
