Security - Self Destructing Notes

Self Destruction

Every note submitted to the server will eventually be destroyed. All unread notes are destroyed after 30 days. All notes that have been viewed are destroyed 3 minutes after viewing. When the note is destroyed, it is overwritten with random data. This application does not make any assumptions about the underlying filesystem. Better safe than sorry, we say.

Single View

The note can be viewed only once. If someone attempts to view the note after the initial viewing, whether or not the note has been destroyed, the client is redirected to a standard 404 error.

Blowfish Encrypted

Before storing the note on disk, every note is compressed with ZLIB, then encrypted with Blowfish in ECB mode.

Private Passwords

The application uses a shared password server-side that is used for the encryption and decryption of all the notes. However, the application supports using custom passwords to encrypt and decrypt the note. Even though the private password is not stored by default in the application, this does not prevent the system administrator from modifying the code to do so. Therefore, it is best that you host this application yourself, on your own server.

Hashcash Protected

To prevent spammers from abusing the service, note submission is protected by the client solving a proof-of-work puzzle by minting a valid Hashcash token. As such, JavaScript is required to post a note. Hashcash tokens are stored on the server to prevent double-spending of the same token. Unfortunately, minting Hashcash tokens does not work well with mobile browsers.

Anonymous Fingerprints

Part of Hashcash tokens is the ability to create a uniquely identifiable resource string. Typically, this is an email address. However, with this application, your browser fingerprint is used as the resource string. The browser fingerprint is a 32-bit MurmurHash number. By itself, it cannot identify who it belongs to. The system administrator could tie that fingerprint to an IP address and user agent string by looking in his web server logs.

You currently have JavaScript disabled. JavaScript is required to use this website. Here is all the JavaScript code that is executed:

Hashcash- Hashcash tokens are minted when submitting a note to prevent denial of service POST attacks and to prevent spamming.

Fingerprinting- As part of Hashcash tokens, an anonymous MurmurHash resource string is calculated.

QR Code Generation- A QR Code is generated for sending to the recipient to scan using their mobile device to read the note.

Notifications- When posting a note, JavaScript is used to let you know that while you are posting your note, a Hashcash token is being minted.

Redirects- When viewing a note, JavaScript is used to redirect your browser after a timeout.

There is no tracking code, such as analytics, cookies, etc. in the default source code. If this site administrator has installed tracking code, I recommend installing the Ghostery and the Adblock Plus extensions, which are both available for Google Chrome and Mozilla Firefox browsers.