One of the main advantages of Safevia is that, instead of sending plain text or encrypting text and files on the server, it always encrypts content directly in the web browser on the sender’s device. Decryption is then done in the receiver’s web browser. The encryption/decryption key is never sent to the server and is used only in the web browser.
Safevia uses the AES-GCM symmetric encryption algorithm with a 256-bit key. In passwordless mode the key is generated randomly. In password mode the encryption key is derived from the password by the PBKDF2 function with the SHA-256 hash, 150000 iterations and a 128-bit random salt. These are strong, mature, and proven cryptography standards.
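The password mode described above can be sketched with the browser's WebCrypto API. This is an added example, not Safevia's own code: the algorithm parameters come from the paragraph above, while the 96-bit IV, the `salt || iv || ciphertext` layout and all function names are assumptions made for illustration.

```javascript
// Added example, not Safevia's code. From the page: AES-GCM, 256-bit key,
// PBKDF2 with SHA-256, 150000 iterations, 128-bit random salt.
const PBKDF2_ITERATIONS = 150000;
const SALT_BYTES = 16; // 128-bit salt
const IV_BYTES = 12;   // assumption: 96-bit AES-GCM nonce, not stated on the page

// Works in browsers and in Node.js (falls back to node:crypto's WebCrypto).
async function getCrypto() {
  return globalThis.crypto ?? (await import('node:crypto')).webcrypto;
}

async function deriveKey(c, password, salt) {
  const material = await c.subtle.importKey(
    'raw', new TextEncoder().encode(password), 'PBKDF2', false, ['deriveKey']);
  return c.subtle.deriveKey(
    { name: 'PBKDF2', hash: 'SHA-256', salt, iterations: PBKDF2_ITERATIONS },
    material, { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
}

// Returns salt || iv || ciphertext+tag (assumed layout). Neither the password
// nor the derived key is part of this blob.
async function encryptWithPassword(password, plaintext) {
  const c = await getCrypto();
  const salt = c.getRandomValues(new Uint8Array(SALT_BYTES));
  const iv = c.getRandomValues(new Uint8Array(IV_BYTES));
  const key = await deriveKey(c, password, salt);
  const ct = new Uint8Array(await c.subtle.encrypt(
    { name: 'AES-GCM', iv }, key, new TextEncoder().encode(plaintext)));
  const blob = new Uint8Array(SALT_BYTES + IV_BYTES + ct.length);
  blob.set(salt, 0); blob.set(iv, SALT_BYTES); blob.set(ct, SALT_BYTES + IV_BYTES);
  return blob;
}

// Returns the plaintext, or null when the GCM tag check fails
// (wrong password or modified blob).
async function decryptWithPassword(password, blob) {
  const c = await getCrypto();
  const salt = blob.slice(0, SALT_BYTES);
  const iv = blob.slice(SALT_BYTES, SALT_BYTES + IV_BYTES);
  const key = await deriveKey(c, password, salt);
  try {
    const pt = await c.subtle.decrypt(
      { name: 'AES-GCM', iv }, key, blob.slice(SALT_BYTES + IV_BYTES));
    return new TextDecoder().decode(pt);
  } catch {
    return null;
  }
}
```

Because AES-GCM is authenticated, a wrong password or a blob altered in storage or transit makes decryption fail outright rather than return garbage.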
If an indexing bot or a preview-generating bot visits the URL (because it has been sent through e.g. Gmail or Facebook), it won’t see the unencrypted message directly. A button has to be clicked manually, or the click intentionally automated, before decryption runs. Each such attempt to fetch the encrypted message (even an automated one) will be logged. What’s more, in password-based mode content is fully protected from bots.
Without access to the full link (URL address) to the message, none of the Safevia administrators will be able to read the content. This means it is also much harder for hackers to intercept the content of all the messages and files. You don’t have to trust us, but you can trust the cryptography and code audit source.
Safevia Forms supports WordPress version 5.3 and newer. We test Safevia Forms on the newest release of each minor version; e.g. on 18th July 2021 these were:
Although Safevia Forms has been tested to work, we echo the WordPress recommendation to use the newest version, as previous versions may not be safe to use due to issues in WordPress itself.