Secure Link Security: what we protect against and what we can't
We encrypt your secrets right in your browser — our servers never see the original text. We protect against internet snooping and server breaches. We're honest about what we can't protect against: viruses on your device and scammers.
Table of Contents
1. What we protect and what we store
What we protect: What we protect: your secret text, key to decrypt it, settings for time-to-live and view count.
What we store: What we store: only encrypted text and service information. We never store the actual text and keys.
Trust boundaries: Who trusts whom: your browser — internet — our servers — recipient's browser.
2. Who might try to access your secrets
- Regular users (you and whoever you're sending the link to)
- Internet traffic snooping (e.g., through unsecured Wi-Fi)
- Hackers who break into our servers (hosting breach)
- Scammers who trick people (fake links, phishing texts)
- Viruses on your device (steal everything you type and see)
3. How the service works (step by step)
Creation
Creation: your text is encrypted right in browser — only encrypted data sent — server gives note number.
Sharing
Sharing: link without key, decryption key separately.
Reading
Reading: link gets encrypted text — browser decrypts with key — note gets deleted.
Destruction
Deletion: automatically after first read/time expires/'Destroy now' button.
4. Possible threats and how we handle them
| Threat | Mitigation | Risk |
|---|---|---|
| Someone spying on your internet connection | Protected by HTTPS encryption + we only store encrypted text on servers | low |
| Hackers break into our servers | We don't store decryption keys — hackers would only get meaningless encrypted data | low |
| Decryption key falls into wrong hands | Key is never sent to server and doesn't appear in website analytics | low |
| Password guessing (if you set one) | Strong password protection + attempt limits + no hints given | low/medium for simple passwords |
| Trying all possible link combinations | Links are very long and random + request limits + page not indexed | low |
| Reading the same note multiple times | After first read, note is permanently deleted + 'Destroy now' button | low |
| Scammers trick people | We can't control this, but we show warnings | medium (remains) |
| Viruses on your device | We can't control this — it's access to your computer | high (remains, we openly admit this) |
| Browser security flaws | Strict security settings + no external scripts + regular updates | low |
| Attempts to crash the service | Request limits + reliable architecture | medium/low |
5. How we protect your data (by levels)
Client
On your device: strong encryption right in your browser, keys never leave your device, automatic memory cleanup.
Server/API
Our servers: quick deletion after reading, automatic expiration, strict security settings, pages not indexed.
Hosting/network
Hosting and network: secure HTTPS connection, attack protection, request limits, backups without keys.
Product
The product itself: no personal data, statistics without keys and fragments, private logging.
6. What we can't protect against (being honest about this)
- Viruses on your computer/phone that spy on everything you do.
- Scammers who trick people, and accidental leaks in WhatsApp/Telegram.
- If the recipient decides to publish your secret themselves.
- User mistakes (e.g., sending key with link in the same message).
7. Being honest about what we can't protect against
Residual risk: Main remaining risk: viruses on your device and scammers.
Assumptions: We assume: secure internet connection, modern browser, no viruses on your device.
8. Vulnerability disclosure
9. Model version and changelog
Current version: Version 1.2 — October 2024
Complete service changelog
View all updates →