When you create a Whisper Page, we implement the following security
measures to ensure your privacy and protect your data:
Storage: Each Whisper Page's content is encrypted
with a unique key using ChaCha20Poly1305 and then stored in a SQLite
database. This database is encrypted at rest using Linux LUKS block
storage encryption secrets.
Client-side decryption: We never store the key used
to encrypt your Whisper Page's content. The key is tacked onto the
unique URL for your Whisper Page and is only known by you and anyone
you share it with. When you visit a Whisper Page, the key is extracted
from the URL and used to decrypt the content with your browser.
Secure transmission: Your communication to Whisper
Pages is encrypted in transit using QUIC (HTTP/3).
Self-Destruction: Whisper Pages are deleted after a
period set by the user. Users also have the option to automatically
delete a Whisper Page once it has been viewed.
SHA-256 Hash Links: When a Whisper Page is created,
two SHA-256 hashes are generated to serve as the path for the Whisper
Page. This makes it incredibly difficult for someone to try to
enumerate through potential paths. Even if they were able to guess a
path, they would still need the key to decrypt the content.
No-Log Policy: We do not store logs of your
communications. Once a Whisper Page expires, its encrypted content is
permanently deleted from the database.
User Anonymity: Whisper.Page doesn't require any
personal information to use our service. However, we do collect page
view data on pages that are not Whisper Pages using Counter.dev to
understand how our service is being used.
If you have any questions or concerns about our security measures,
please don't hesitate to
view the source code for yourself.