View on GitHub

Safemsg

SafeMessage: A secure web-based message exchange system

Download this project as a .zip file Download this project as a tar.gz file

Safemsg: secure message exchange system with self-destructing messages and client-side encryption.

Why is Safemsg the best choice for security?

So, why is Safemsg better that other secure message exchange systems? Let us give you two good reasons why trusting a system based on "self-destruction" may be a wrong choise:

So, why choose Safemsg?

With Safemsg, messages are encrypted client-side and the server has zero-knowledge about the message. Furthermore, Safemsg is open source, so anybody can inspect the code and point out to possible security holes. You are also free to download and install Safemsg on a server of yours so long as you attribute the original software and you don't make profit out of it (Safemsg is licensed with the GNU GPL v2 licence).

Features

Safemsg is a secure message exchange system which can be used to exchange passwords and other confidential data. SafeMessage has the following features:

A running instance of Safemsg is available at www.jaqpot.org/safemsg

How Safemsg works...

Let's say that peer A needs to communicate a password, say 'abcd' to peer B. This is how SafeMessage works. First, peer A creates a SafeMessage:

Send a message (Use case UC1)
Fig. 1. The SafeMessage Use Case UC1 - Creation of a SafeMessage resource.

Then, peer B fetches and decrypts the message:

Read a message (Use case UC2)
Fig. 2. The SafeMessage Use Case UC2 - Retrieval of a SafeMessage resource.

In case someone intercepts the communication of A and B and reads the message, then, when peer B attempts to read the message, they will realize that the password has been stolen and proper action can be taken. However, even in that case, the only information that has been revealed by the server is the encrypted message and not the actual one (which is not known to the server). Necessary conditions for very high security are:

Using the API

To create a safe message, the client applies a POST as follows:

HTTP/1.1 POST /register.php

specifying the parameter msg which is the encrypted message.

Possible status codes are:

Here is how the response of this request looks like:

{
    "response": {
        "id": "24cb14d1-922f-425f-9fad-55626ef26be7-vuQ4pn9q",
        "created": 1419044972
    }
}

in this JSON document, the field id refers to the identifier of the created message, while created is the creation timestamp (server-side) of the created message.

The following parameters can be specified for additional security features:

To retrieve the message, the client applies a GET as follows:

HTTP/1.1 GET /retrieve.php?id={id}

where {id} is the identifier of the message which the client wants to retrieve.

HTTP status codes are:

User interface

A web-based user interface is provided in which Javascript is used in a second security layer where messages are encrypted locally (client-side) and are POSTed to the server in an encrypted form. The client who creates the message is given a link (URL) of the generated encrypted message and a key that is used to decrypt the message. Peer A needs to give to peer B both the link and the key to access the message.

Two access points are provided for this reason:

Send a message (Use case UC1)
Fig. 3a. Step 1: Peer A creates a SafeMessage to be sent to peer B.
Send a message (Use case UC1)
Fig. 3b. Step 2: The message is encrypted locally and then POSTed to the SafeMessage server. A link is acquired and a key is displayed to peer A which is not sent to the server. Peer A can choose to immediately destroy the message they just created if they wish.
Send a message (Use case UC1)
Fig. 3c. Step 3: Once peer B is given the link and the key, they are prompted to provide their key to read the message. Once peer B accesses this web page, the message is gone on the server.

Links

The source code can be found on github, a running instance of Safemsg is available at www.jaqpot.org/safemsg. Please, submit any bugs or feature requests here. Safemsg maintained by alphaville - follow me on twitter (@isToxic).

Limitations of Safemsg

Safemsg provides a high level of security against various types of threats. However, you should mind that: