How to communicate in a messenger and not be read by third parties
We’ve probably all heard talk that our messengers are being read, that WhatsApp is full of backdoors, and that Telegram has caved in… Not to mention those whose accounts were hacked and whose most candid correspondence was pulled out. Agree, you don’t really want to write when you are afraid that the wrong person will read it.
This post is not about who stores our correspondence, how, or where it leaks to. Here I want to offer you an idea: breaking the integrity of information. What is it?
Let’s say someone took over your Telegram account and now reads everything, hoping to find the login and password for the server that you sent to a friend a week ago. In less than ten minutes, your server gets hacked too. Yet the attacker had known neither the login nor the password. What if you send only the password there, and send the login somewhere else? Then, in order to hack the server, the attacker will first need to steal as many as two accounts.
That is what breaking the integrity of information means: you divide the information into pieces and send it through different channels. This makes the information more difficult to collect.
One-time note services
Sending information through different channels is, of course, good, but someday an attacker will have access to all of them. And the intelligence services may have had it even earlier. In addition, the interlocutor will not be very comfortable searching for data across all chats. What to do? There is a solution! As a second channel, you can use a one-time note service.
How does it work?
You go to the desired site, write your password or any other data in the input field and click “Create note”. You are given a link that you copy and paste into the messenger along with the rest of the information.
– Why can’t anyone read the note, except for the interlocutor?
This is a one-time note. After your friend reads the message, it is permanently deleted from the server. Therefore, when someone else finds this link and tries to find out what was there, they will be left with nothing. And if you are under total surveillance and someone reads the note ahead of your friend, then both of you will know about it when your friend can’t open it, and you will continue the conversation in person.
– And the site admins will not know my password?
Here is the most interesting part. When you create a note, your browser generates a random key and encrypts the note with it. The encrypted content goes to the server and waits for your friend, and the key is appended to the end of the link as an anchor (the part after #), which is never sent to the server (RFC, section 2.4.1). When a friend opens the note, his browser receives the encrypted content from the server, which immediately deletes it, and decrypts it with the key from the link. Badums! All that remains is to save the data for yourself, because you won’t be able to open the note a second time.
When I took up this topic, I immediately decided to make such a service, first of all for myself, so that it would be convenient, functional, and reliable. It turned out, in my opinion, quite well, and this service has perhaps even overtaken all the others in some of its details, so next I will brag a little, and you can decide what I should improve.
Private-Net.work Notes – what is it and how is it different from others
Private-Net.work is a one-time note service created by me. I tried to combine all the best that I have ever seen and that I can do myself: a minimalistic design and a clear interface make the site easy to use, AES encryption protects you from leaks, and the absence of anything superfluous benefits both. Speaking of anything superfluous.
“While I’m writing the note, won’t the scripts look at it?”
All libraries and JavaScript scripts necessary for the site to work are stored directly on my server. Nothing hosted on other sites or CDNs is used, so that no third-party code can collect data from the site while it is open in users’ browsers. The site has no ads and no tracking scripts, also to ensure that no one can take the decrypted notes.
Do you do any kind of analytics? What are you collecting?
We don’t collect anything. As for analytics, I have only 2 counters: the number of notes created and the number of notes read. That is all.
– Can you find out that I visited the site? Surely there are IP addresses in the logs?
I do my best not to collect unnecessary information. Therefore, the main site request logs contain only part of a hash of the IP address, to distinguish different visitors when looking for errors in the site. Another hash of the IP address is used in the anti-spam systems to protect against bots and intruders. But while everything works as it should, no one even looks at the hashes.
What is known about the note and its author?
When you create a note, neither you nor the person who receives it is linked to it. Due to the large number of notes that no one ever reads, it was necessary to establish a period after which notes are deleted in any case. To make it impossible to identify the creator of a note by the date it was written, only the date by which it should be deleted is stored, and users choose for themselves how long the note is kept. By default, notes are deleted after 7 days.
Now in the database, each note corresponds to 4 fields: its identifier, the encrypted content, the date by which it will be deleted if it is not read before then, and a counter (also needed for decryption). This is how one of the test notes looks in the database:
id | content | delete_date | counter |
hHQ8eny | 4b4fd1a3 | 2022-01-23 13:39:22.546147 | 114186091782275 |
Formatting
On my website, I added the ability to format notes. So if you send someone instructions for something, do not forget to make them look nice)
Conclusion
I hope that some of you managed to discover something new for yourself, and those who have been in the subject before will say a couple of words about my site in the comments. I certainly do not consider myself a professional in cybersecurity, and therefore I count on constructive criticism. Thanks for taking the time to read my first post!
PS If there are those who want to dig into my site and scripts and find something to hack, I will not mind. But please tell me about your findings through the contacts indicated on the website, so I can fix them. Still, I did not plan to open the backend code, since I consider this option to be safer in my case.