When you create a Whisper Page, we implement the following security measures to ensure your privacy and protect your data:

  • Storage: Each Whisper Page's content is encrypted with a unique key using ChaCha20Poly1305 and then stored in a SQLite database. This database is encrypted at rest using Linux LUKS block storage encryption secrets.
  • Client-side decryption: We never store the key used to encrypt your Whisper Page's content. The key is tacked onto the unique URL for your Whisper Page and is only known by you and anyone you share it with. When you visit a Whisper Page, the key is extracted from the URL and used to decrypt the content with your browser.
  • Secure transmission: Your communication to Whisper Pages is encrypted in transit using QUIC (HTTP/3).
  • Self-Destruction: Whisper Pages are deleted after a period set by the user. Users also have the option to automatically delete a Whisper Page once it has been viewed.
  • SHA-256 Hash Links: When a Whisper Page is created, two SHA-256 hashes are generated to serve as the path for the Whisper Page. This makes it incredibly difficult for someone to try to enumerate through potential paths. Even if they were able to guess a path, they would still need the key to decrypt the content.
  • No-Log Policy: We do not store logs of your communications. Once a Whisper Page expires, its encrypted content is permanently deleted from the database.
  • User Anonymity: Whisper.Page doesn't require any personal information to use our service. However, we do collect page view data on pages that are not Whisper Pages using to understand how our service is being used.

If you have any questions or concerns about our security measures, please don't hesitate to contact us or view the source code for yourself.