GHOSTDROP


AES-256-GCM ENCRYPTION

AES-256-GCM encryption happens entirely in your browser. Data is encrypted before leaving your device. Server receives only encrypted gibberish.

URL FRAGMENT KEYS

Encryption key travels in URL fragment (#key) - never sent to server. We physically cannot access your data. Even if compromised, server contains only gibberish.

SHAMIR SECRET SHARING

Split the encryption key into n shares with threshold t (e.g. 2-of-3). Each share travels in its own URL fragment. The full key is reconstructed only in your browser—no single share can decrypt alone, and the server does not deliver ciphertext until enough shares are combined client-side.
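The split-and-reconstruct step described above, as an added example that is not GhostDrop's own code. It assumes byte-wise Shamir sharing over GF(2^8) with the AES reduction polynomial and shares shaped as `{x, y}`; the page specifies neither, and the function names (`splitSecret`, `combineShares`, `webRandom`) are hypothetical.

```javascript
// Added example: byte-wise Shamir secret sharing over GF(2^8).
// Field polynomial and share layout are assumptions, not the service's format.
function gfMul(a, b) {
  let p = 0;
  for (let i = 0; i < 8; i++) {
    if (b & 1) p ^= a;
    const hi = a & 0x80;
    a = (a << 1) & 0xff;
    if (hi) a ^= 0x1b; // reduce modulo x^8 + x^4 + x^3 + x + 1
    b >>= 1;
  }
  return p;
}
function gfInv(a) {
  if (a === 0) throw new RangeError("zero has no inverse");
  let r = 1;
  for (let i = 0; i < 254; i++) r = gfMul(r, a); // a^254 = a^-1 in GF(2^8)
  return r;
}
// CSPRNG available in browsers and recent Node.js releases.
const webRandom = (n) => globalThis.crypto.getRandomValues(new Uint8Array(n));

// Split `secret` (Uint8Array) into n shares; any t of them reconstruct it.
function splitSecret(secret, t, n, randomBytes = webRandom) {
  if (!(t >= 2 && t <= n && n <= 255)) throw new RangeError("need 2 <= t <= n <= 255");
  const shares = Array.from({ length: n }, (_, i) => ({ x: i + 1, y: new Uint8Array(secret.length) }));
  for (let b = 0; b < secret.length; b++) {
    // Fresh random polynomial of degree t-1 whose constant term is the secret byte.
    const coeffs = [secret[b], ...randomBytes(t - 1)];
    for (const s of shares) {
      let acc = 0;
      for (let k = t - 1; k >= 0; k--) acc = gfMul(acc, s.x) ^ coeffs[k]; // Horner's rule
      s.y[b] = acc;
    }
  }
  return shares;
}

// Lagrange interpolation at x = 0 over the supplied shares.
function combineShares(shares) {
  const xs = shares.map((s) => s.x);
  if (new Set(xs).size !== xs.length) throw new RangeError("duplicate share index");
  const out = new Uint8Array(shares[0].y.length);
  shares.forEach((si, i) => {
    let w = 1; // w_i = product over j != i of x_j / (x_j XOR x_i)
    xs.forEach((xj, j) => { if (j !== i) w = gfMul(w, gfMul(xj, gfInv(xj ^ si.x))); });
    for (let b = 0; b < out.length; b++) out[b] ^= gfMul(w, si.y[b]);
  });
  return out;
}
```

Combining fewer than t shares returns bytes unrelated to the key rather than an error, so a caller has to detect a wrong reconstruction another way, for example through the AES-GCM authentication tag failing on decrypt.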

AUTO-DESTRUCTION

Messages auto-delete after first view or 24h expiry. Redis TTL ensures complete destruction. No recovery possible - true ephemeral messaging.

PRIVACY BY DESIGN

No accounts, no tracking, no logs. Anonymous by default. Even metadata is minimized. Optional image metadata cleaning removes EXIF/IPTC/XMP before encryption. Your privacy is built into the architecture, not added as an afterthought.

BURN AFTER READING

Customizable timers with visual countdown. Choose between instant, 5s, 30s, or 1 minute destruction. Smooth animations and manual control for maximum flexibility.

PASSWORD PROTECTION

Optional extra security layer. Custom passwords encrypted client-side with message data. Double protection: encryption key + password. Zero server-side password storage.

How It Works

1. CREATE & ENCRYPT

Type message or upload file. AES-256-GCM encryption happens in your browser. Get a secure link with key in URL fragment, or split the key into Shamir shares (t-of-n). Optional image metadata cleaning runs before encryption.

2. VIEW & DESTROY

Recipient decrypts client-side using key from URL or reconstructed shares. Message auto-destructs after viewing. No recovery possible.

Zero-Knowledge Guarantee

YOUR BROWSER

Encrypts data with AES-256-GCM
Key never leaves your device

OUR SERVER

Receives only encrypted gibberish
Cannot decrypt without key

SHARED LINK

Key or key-shares travel in URL fragment (#)
Never sent to server

TECHNICAL PROOF: URL fragments (#key / #shares) are processed client-side only. Server logs show only the UUID - encryption keys and shares are invisible to us.

The less you leave behind,
the more free you are.