๐ŸฆŠ WhisperFox

How it works, in plain language โ€” and honest answers about what we can and can't protect.

How it works

  1. Your message is encrypted in your browser. Before anything leaves your device, your browser locks the message with a freshly generated key (AES‑256‑GCM โ€” the same cipher banks and messaging apps use). The readable text never travels anywhere.
  2. The sealed message lives inside the link itself. Everything after the # in the link is the encrypted message. Browsers never send that part of a URL to any server โ€” including ours. We physically cannot receive your message, so there is nothing for us to store, leak, or hand over.
  3. The key to open it is split in two. Half rides in the link; the other half is a value our server computes on demand. Opening the message requires both halves (plus your secret phrase, if you set one). Neither the link alone nor our server alone can decrypt anything.
  4. When the timer ends, the server half disappears โ€” for real. The server's half is derived from a random value that is automatically and permanently erased shortly after your message's window closes. After that, the missing half doesn't exist anywhere. Expiry isn't a policy we promise to follow โ€” it's math. Even we couldn't reopen an expired message.

The short version: the message is in the link, the link never reaches us, and the piece needed to unlock it self-erases. There is no database of messages because there are no messages to put in one.

FAQ

Can WhisperFox read my message?

No โ€” and not because we promise not to look, but because we never receive it. Encryption happens in your browser, and the encrypted message travels in the #fragment part of the link, which browsers never transmit to servers. The only thing our server ever handles is a short random value that contains no information about your message.

What do you store on your servers?

Nothing about your message. No message content, no encryption keys, no secret phrases, no record that your particular message ever existed. The server keeps one random 32‑byte value per hour (shared across all messages, containing no message data) that it uses to compute key-halves on demand โ€” and that value automatically erases itself a few hours later.

What happens when the timer runs out?

The server refuses to hand out its half of the key the moment the deadline passes, and the hourly random value it would need is permanently erased shortly after. Once that happens, the key half is gone from the universe โ€” an expired message cannot be recovered by the recipient, by an attacker, or by us. If the message is still open in a tab, the page also wipes the text from the screen when the countdown hits zero.

Can the link be opened more than once?

Yes. The link keeps working until the timer you chose (1โ€“60 minutes) runs out โ€” it is time-based, not burn-after-first-read. If you want to make sure only the right person can open it during that window, add a secret phrase.

What does the secret phrase do, and do you see it?

The phrase is folded into the encryption key in your browser โ€” it never leaves your device and is never sent to us. Without it, the link alone isn't enough to decrypt the message. Share the phrase over a different channel than the link (say the link over email, the phrase over a call), and make up a fresh one each time โ€” don't reuse a real password.

What if someone intercepts the link?

Anyone holding the link can open the message until it expires โ€” that's why the timer is short and why we recommend a secret phrase. With a phrase set, an intercepted link is useless on its own. Without one, treat the link like the secret itself.

If your servers were hacked, what would the attacker get?

No messages โ€” there are none stored. At worst, an attacker would obtain the hourly random values, which by themselves decrypt nothing: they'd still need the link (which we never have) for every individual message. And because those values self-erase within hours, even a successful break-in only ever concerns a few hours' worth of links the attacker somehow also captured elsewhere.

Are the ads safe next to my secret?

Yes. Our server fetches the ad and passes it to the page as plain first-party HTML โ€” no third-party JavaScript ever runs on WhisperFox, and the page that shows your decrypted message enforces this with a strict Content Security Policy. Ad code cannot see what's on the page because ad code never runs here.

What can't WhisperFox protect against?

Honesty matters more than marketing: once a message is decrypted on the recipient's screen, we can't stop them from taking a screenshot, copying the text, or photographing the display. The self-destruct protects against links being opened late or by the wrong person โ€” not against a recipient who chooses to keep what you sent them. Only send secrets to people you trust with them.

Why should I believe any of this?

Don't take our word for it โ€” WhisperFox is open source (MIT). Every line of the browser encryption, the server, and the key-erasure logic is public and small enough to read in one sitting. You can also open your browser's developer tools while creating a message and watch the network tab: your message text never appears in any request.

Do I need an account? What about tracking?

No accounts, no sign-up, no cookies for tracking. The only third-party component anywhere is Cloudflare's Turnstile bot-check on the create page, which exists to stop automated abuse. The site is funded by the single ad you see, served first-party as described above.

What are the limits?

Messages are up to 500 characters and expire after 1 to 60 minutes โ€” you pick. WhisperFox is built for short-lived secrets like a password you're handing off, a door code, or a one-time link, not for long documents or long-term storage.

Send a self-destructing message