Secure mail and messages for yourself and others

    In the wake of the recent NSA scandals, it came to the realization that, ultimately, nobody should be trusted - sooner or later it may turn out that your data on server X turned out to be tapped by some organization, although the words said that all user data was completely encrypted .


    We thought how to protect ourselves in such a situation if we want to send a message that is really sensitive to wiretapping by mail (this is not about chats). You can only trust yourself (provided that bookmarks are not installed on your computer). The user-provider-server channel may also be compromised. Moreover, even an SSL connection cannot be completely trusted, given that
    1. not you are the owner
    2. the keys to the certificate could be transferred to special services

    The only option is to encrypt the message on the client side (directly in the browser) and then transfer it (already in encrypted form) to the server side. In our implementation ( Wolfram Mail is not an advertisement, please do not take advantage of it if it’s not interesting for you, because while we are on a paid hosting) the open message is being destroyed by RC4 encryption (yes, it’s not so reliable, but it’s suitable for its purpose ideally). Thus, the new pseudo-open message has no structure and the criminal organization will not be able to directly attack the ciphertext on the principle of open / closed text pairs.

    Next is the main encryption - BlowFish algorithm. It is still reliable and developed by B. Schneier, not the NSA or the FSB. We receive ciphertext. Now it can be transmitted without fear through open and listening channels. It is stored on our site only until the recipient reads it, then it is deleted from the server.

    Thus, neither our server nor information transmission channels have access to:
    • open text
    • key information (passwords)

    The recipient of the letter receives a notification on his e-mail with a link to the page for reading the message. All that is needed is an encryption password. Decryption also takes place on the client side. Yes, the password is also not sent outside the user's computer - the password is authenticated by indirect signs - crc32 (we will definitely replace it with GOST 34.11-2012 in the future).

    Now the service works in test mode (in the sense that bugs are checked, functionality is added and little things are honed), but it is already fully suitable for encryption. At least we already use it, and we did it for ourselves.

    If the project gains some funding, then it plans to buy a separate server so as not to depend on hosting restrictions.

    Also popular now: