How Safevia.net works - technical perspective
Encryption & decryption on client side (End-to-End)
The main advantage of Safevia.net is that instead of sending plain text or encrypting text and files on the server, it always encrypts content directly in the web browser on the sender's device. Decryption is then done in the receiver's web browser. The encryption/decryption key is never sent to the server and is only used directly in the web browser.
Security standards
Safevia.net uses the AES-GCM symmetric encryption algorithm with a 256-bit key. In passwordless mode the key is generated randomly. In password mode the encryption key is derived from the password by the PBKDF2 function with the SHA-256 hash through 150000 iterations with a 128-bit random salt. These are strong, mature, and proven cryptography standards.
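The parameters above, expressed with the browser's Web Crypto API, as an added example that is not Safevia.net's own code. The function names, the 96-bit IV and the sample password and message are assumptions; the round trip also shows AES-GCM rejecting a key derived from the wrong password.

```javascript
// Added example, not Safevia.net's code. From the page: AES-GCM, 256-bit key,
// PBKDF2 with SHA-256, 150000 iterations, 128-bit salt. Assumed: names, 96-bit IV.
const wc = globalThis.crypto ?? require("node:crypto").webcrypto;
const enc = new TextEncoder();

// Password mode: stretch the password into a non-extractable AES-GCM key.
async function deriveKey(password, salt) {
  const material = await wc.subtle.importKey(
    "raw", enc.encode(password), "PBKDF2", false, ["deriveKey"]);
  return wc.subtle.deriveKey(
    { name: "PBKDF2", hash: "SHA-256", salt, iterations: 150000 },
    material, { name: "AES-GCM", length: 256 }, false, ["encrypt", "decrypt"]);
}

// Passwordless mode: random key, extractable so the sender's page can place it
// in the URL fragment.
function randomKey() {
  return wc.subtle.generateKey(
    { name: "AES-GCM", length: 256 }, true, ["encrypt", "decrypt"]);
}

async function encryptMessage(key, plaintext) {
  const iv = wc.getRandomValues(new Uint8Array(12)); // fresh IV per message
  const ct = await wc.subtle.encrypt({ name: "AES-GCM", iv }, key, enc.encode(plaintext));
  return { iv, ct: new Uint8Array(ct) };
}

// Throws if the key is wrong or the ciphertext was modified (GCM tag check).
async function decryptMessage(key, { iv, ct }) {
  const pt = await wc.subtle.decrypt({ name: "AES-GCM", iv }, key, ct);
  return new TextDecoder().decode(pt);
}

async function demo() {
  const salt = wc.getRandomValues(new Uint8Array(16)); // 128-bit salt
  const sendKey = await deriveKey("constructed-password", salt);
  const box = await encryptMessage(sendKey, "constructed sample secret");
  const ok = await decryptMessage(await deriveKey("constructed-password", salt), box);
  const wrong = await deriveKey("wrong-password", salt);
  const rejected = await decryptMessage(wrong, box).then(() => false, () => true);
  const raw = await wc.subtle.exportKey("raw", await randomKey());
  return { ok, rejected, rawKeyBytes: raw.byteLength };
}

demo().then((r) => console.log(r));
```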
Secrets in the link URL
The secretly generated link (URL) for the receiver contains the following elements:
- [m] in a Query String - message identifier
- [s] in a Query String - server and version indicator
- [k] in a Hash/Anchor part - encryption key (only in passwordless mode)
- [sc] in a Hash/Anchor part - salt for password check (only in password mode)
- [sk] in a Hash/Anchor part - salt for deriving encryption key (only in password mode)
- [u] in a Hash/Anchor part - user token needed to fetch encrypted content
- message text and files are not transferred in an unencrypted form to the server
- data on the server cannot be easily decrypted because the encryption/decryption key is protected
- the method of encryption is valid and secure
No external vendor code
In Safevia.net there's no executable code in the service that cannot be managed by us. In particular, this site doesn't use any external tracking and analysis services or commercial advertisement networks. What's more, for cleanliness and safety, the source code does not have any code dependencies in the form of external libraries.
Protection from bots
If an indexing bot or a preview-generating bot visits the URL (because it has been sent through e.g. Gmail or Facebook), it won't see an unencrypted message directly. The button has to be clicked manually, or the click intentionally automated, before decryption runs. Each such attempt to fetch an encrypted message (even an automated one) will be logged. What's more, in password-based mode content is fully protected from bots.
You are safe from us and safer from hackers
Without access to the full link (URL address) to the message, none of the Safevia.net administrators will be able to read the content. This means it is also much harder for hackers to intercept the content of all the messages. You don't have to trust us, but you can trust the cryptography and source code audit.