One Time Dead Drop

Need to send some data securely? Password? This is the place.

10000 characters remaining

Is this safe?

  • Your message is not stored unencrypted
  • Your encrypted message is stored for 24 hours (by default), then deleted
  • Once your message is retrieved, it is deleted
  • If there is a problem retrieving your message, including an incorrect password, it is deleted after the chosen number of attempts (ie., no brute force attacks)
  • We cannot decrypt your message, as we simply don't have the password

The security of the encryption is handled using the industry-standard AES-256-CBC algorithm, with PBKDF2 for secure key derivation, ensuring that your data is encrypted with a highly secure, widely trusted cryptographic method.

The largest threat associated with this method is having your message & password both intercepted and retrieved before your intended recipient has an opportunity to retrieve it. As such, the recommendation is to send the message retrieval link and password via different methods. However, the choice of delivery is ultimately up to you.

What was used to create this tool?

  • PHP & MySQL: Backend language and database system used for secure storage and handling of encrypted data.
  • AES-256-CBC Encryption: One of the most secure encryption algorithms to ensure that the message cannot be decrypted without the correct password.
  • PBKDF2 Key Derivation: Used to securely derive encryption keys from passwords, significantly reducing vulnerability to brute-force attacks.
  • Bootstrap 5: Frontend framework providing a responsive and clean user interface.
  • JavaScript: For added interactivity, such as copying decrypted messages to the clipboard.
  • Prepared Statements: Used in database interactions to prevent SQL Injection attacks, ensuring safe handling of all inputs.
  • Content Security Policy (CSP): Helps prevent XSS (Cross-Site Scripting) attacks by restricting which resources are allowed to load.
  • SSL/TLS: Secure connection (HTTPS) ensures all communication between the user and the server is fully encrypted, protecting sensitive data from interception.
  • HTTP Strict Transport Security (HSTS): Enforces the use of HTTPS for all communication, preventing man-in-the-middle attacks by ensuring no insecure connections can be made.
  • Cloudflare Proxying: Traffic is proxied through Cloudflare, providing additional layers of security, including DDoS protection, secure TLS termination, and improved performance through global CDN caching.
  • Time-limited storage: Messages are stored for a limited time (24 hours by default) before being automatically deleted.
  • Self-destructing messages: Messages are deleted from the database after a single retrieval or upon an incorrect password attempt, ensuring they cannot be accessed again.
  • No password storage: We do not store any passwords, ensuring maximum privacy and security. Only the sender and the intended recipient know the password.
  • Anonymity: The user's IP address is not stored with the encrypted message, ensuring the messages are anonymous and untraceable.
  • Firewall & Rate Limiting: Access to sensitive endpoints is protected by server-side firewalls and rate-limiting measures to prevent brute-force attacks and unauthorized access attempts.

This combination of technologies and security practices makes this tool one of the most secure methods available for sharing encrypted messages online, ensuring your data is protected at every stage.