Am I making an account anywhere?
Absolutely not! After the code loads into your device, which happens as soon as you follow an invitation link, you're done with our server. There is no further contact and, in fact, you can run SeeOnce offline if you like. But the program must have a way to tell you apart from an eavesdropper, and this is why it asks you to come up with a Password before anything else happens.
The Password is not stored, even in encrypted form, so there is little harm using a public computer or smartphone if you have to.
How much does it cost?
Well, that depends on whether you have it for private use, for business, or for education. . . . Just kiddin'! Other programs that supposedly enhance your privacy may talk like this, but not SeeOnce. This is SeeOnce's price chart:
- Private use: free
- Education: free
- For Business: free
Always free. It costs us almost nothing to provide the service, so why shouldn't we just give it away for free? The best things in life are all free, my friend: air, love, freedom, and now SeeOnce.
SeeOnce says my Password is Terrible!
This is probably because it is terrible, and will give you no real security. Hackers guess users' passwords by trying words contained in special dictionaries. If your Password is made from those, they'll guess it very quickly. SeeOnce contains dictionaries of the 10,000 most common English words and the 1,000 most common English passwords, and will give you a reduced score if you use those. To strengthen your Password, add special symbols, numbers, misspellings, and unusual words.
SeeOnce adds extra computations to compensate for weaker Passwords, and tells you approximately how long it will take to compute the Password you have just entered. If you want SeeOnce to be snappy, get a Password score above Medium.
Can I use multiple devices?
You can, but bear in mind that SeeOnce stores essential data locally, and you'll need that data if you want to continue a given conversation on a different device. To get the data out, click the Backup button, which will encrypt all that data and display it ready to be copied or sent to your email with the Email button. Since many email providers store drafts automatically, you may not need to actually send the backup anywhere: just keep it as a draft, and you'll be able to load it back into SeeOnce, on a different device, as soon as you log into your email service.
The Chrome app version syncs its data in the background, using Google servers, so you only need to log into Chrome and open SeeOnce, even on a different machine.
If you want to stop using a certain device and leave no traces behind, click the Wipe button, which appears after clicking Backup.
Can I change my Password?
Changing your Password in SeeOnce is as easy as typing in a new Password when you want to change it. Since SeeOnce encrypts data locally using your Password, you may be asked for the old Password if you try to continue a conversation already in progress. The recipient will be notified that your Password has changed as soon as he/she gets your next message.
After changing your Password, the recipient only knows it's you because of your email address, which is less than reassuring. You may want to provide some further proof of your identity after a Password change.
What is a Reset?
SeeOnce provides excellent security by changing the encryption keys for each message exchanged. This is done using "asymmetric encryption," where two keys are used: the private key stays securely encrypted in your device, while its matching public key is transmitted with the message, also encrypted. The result is a kind of ping-pong between you and the other side of the conversation. The most secure "Read-once" mode requires that messages be exchanged in strict alternation, and SeeOnce switches automatically to the slightly less secure "PFS" mode when this is not respected. PFS mode messages also have forward secrecy, but messages become unreadable only after they are replied to.
Still, it is possible for conversations to go out of sync, with the result that messages cannot be unlocked even the first time. This will also happen if one of the correspondents has changed his/her Password. To solve this problem, click the Reset button, which re-initializes the conversation with a special PFS message that will reset it also on the other side. After this, conversations can continue normally, with full forward secrecy.
What is Chat?
Let's say you find yourself exchanging SeeOnce-locked emails with someone every few minutes. Since both of you are currently online, wouldn't it be more effective to have a real-time chat session? SeeOnce has a button for that. When you click Chat, a special chat invitation is generated, which you can email just like any other locked message. At the same time, a chat window opens on a browser tab (sorry, not on Internet Explorer, Safari, or anything under iOS, since they don't yet support the WebRTC protocol that the chat needs). You'll be asked to supply a name to identify yourself on the chat and click a Start button.
When the recipient of your invitation unlocks it, a similar chat window opens on his/her side, and then you're both connected in real time. The chat session can involve just text and files, or you can add audio, or even video. The sender decides the type of chat when making the invitation.
Negotiating the chat connection does require an outside server, which is Firebase.io, but after the connection is made the server is no longer contacted and sees none of the data exchanged between the participants. That data is encrypted and sent directly from one machine to the other. A third party can join only if it is given the exact URL of the chat, which not even Firebase.io saw in its entirety.
What is the Hide button for?
Sometimes just sending or receiving an obviously encrypted message can be too risky. This is why SeeOnce has a Hide button, which appears when a locked message is produced. When you click it, SeeOnce asks you for a cover text. A cover text is what you want your message to look like; it can be a piece of literature, technical writing, or just spam. It must be sufficiently long. After you supply it, SeeOnce encodes the locked message into letters and spaces of the cover text, so the result looks like the cover text. Since the last sentence is likely incomplete, you can complete it by typing some more without altering the encoding. Then go ahead and email it.
The recipient only needs to copy this text into SeeOnce, and it will decode and unlock automatically, just like the original random-looking locked message.
How does SeeOnce work?
When you click a SeeOnce-locked message, a webpage loads and the message is then loaded into it. The webpage is kept in the browser cache so it does not need to be loaded again until the software is updated. Before you can do anything, SeeOnce asks you to write your Password. It evaluates its strength by calculating its information entropy as you type it, and determines the amount of SCRYPT key-stretching that will be applied to your Password (more for weaker Passwords). When you click OK, the 256-bit binary key resulting from what you typed is calculated. This may take a while.
The message will then be automatically unlocked (decrypted), depending on the locking mode used. SeeOnce uses five different modes, depending on the situation:
- Key-locked: the item is symmetrically encrypted with XSalsa20, using the stretched user Password as key. This mode is used for data backups.
- Invitation: first the public key (Lock) is derived through the Curve25519 elliptic curve, using the stretched user Password as the private key, and then the Lock is used as the key for symmetric encryption of the item with XSalsa20. Since the Lock is included with the encrypted invitation, this mode does not provide any real security, but is rather an enticing way to achieve a public key exchange. This mode is used for invitations.
- PFS: the sender generates a 256-bit random ephemeral key and computes its matching Lock using Curve25519. Then SeeOnce does a Diffie-Hellman (DH) combination of the new ephemeral key and the ephemeral Lock sent by the recipient in the previous message (which was stored upon reading). The result is used as symmetric key to encrypt the new message using XSalsa20, and this is sent to the recipient along with the new ephemeral Lock, which is encrypted with the DH combination of the permanent Password and the previous Lock. The recipient can then unlock the new Lock with the DH combination of his/her previous key and the sender's permanent Lock, and then DH-combine this with his/her previous key in order to reconstruct the symmetric key that decrypts the message.
- Read-once: This is like PFS, except that the message is encrypted with the DH combination of the recipient's previous ephemeral Lock and the sender's previous ephemeral key (rather than the sender's new ephemeral key), and ephemeral Locks are encrypted with the DH combination of the sender's previous ephemeral key (rather than the permanent Password) and the recipient's previous ephemeral Lock. The recipient needs to combine the previously received Lock (which was stored) and his/her ephemeral key in order to decrypt the message. This is the default mode of operation, but PFS mode is used instead if there is no previous key stored or strict alternation of messages is violated (which would cause Read-once mode to go out of sync).
- Reset: this is a PFS message that has been produced after a reset, which resulted in the deletion of the locally stored ephemeral data. When the recipient gets this message, the local data pertaining to this conversation is first reset, and then the normal process continues so that the conversation can be re-synchronized.
To lock a reply, SeeOnce defaults to Read-once mode if no previous reply has been locked and there is a previous ephemeral key in storage, otherwise PFS mode is used. The user can always decide to lock the message for a new recipient, in which case Invitation mode is chosen automatically and the user is warned of the lack of security.
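The PFS exchange from the list above, written out as an added Node.js example (not SeeOnce's own code). It assumes Node's built-in crypto module, hashes each DH result with SHA-256 to obtain the symmetric key, and uses ChaCha20-Poly1305 as a stand-in because Node ships no XSalsa20; every function name, the salt and the demo values are constructed for illustration.

```javascript
// Added illustration of the PFS-mode key schedule; not SeeOnce's own code.
const nodeCrypto = require('crypto');
const PKCS8 = Buffer.from('302e020100300506032b656e04220420', 'hex'); // X25519 private-key DER header
const SPKI = Buffer.from('302a300506032b656e032100', 'hex');          // X25519 public-key DER header

// Wrap 32 raw bytes as an X25519 private key; derive its raw 32-byte "Lock".
const keyFrom = raw => nodeCrypto.createPrivateKey({ key: Buffer.concat([PKCS8, raw]), format: 'der', type: 'pkcs8' });
const lockOf = key => nodeCrypto.createPublicKey(key).export({ format: 'der', type: 'spki' }).subarray(-32);

// DH combination of a private key and a raw Lock, hashed to a 256-bit key (hash step is an assumption).
function dh(key, lock) {
  const publicKey = nodeCrypto.createPublicKey({ key: Buffer.concat([SPKI, lock]), format: 'der', type: 'spki' });
  const shared = nodeCrypto.diffieHellman({ privateKey: key, publicKey });
  return nodeCrypto.createHash('sha256').update(shared).digest();
}

// Stand-in authenticated cipher (ChaCha20-Poly1305); SeeOnce itself uses XSalsa20.
function seal(key, plaintext) {
  const nonce = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('chacha20-poly1305', key, nonce, { authTagLength: 16 });
  return Buffer.concat([nonce, c.update(plaintext), c.final(), c.getAuthTag()]);
}
function open(key, box) {
  const d = nodeCrypto.createDecipheriv('chacha20-poly1305', key, box.subarray(0, 12), { authTagLength: 16 });
  d.setAuthTag(box.subarray(-16));
  return Buffer.concat([d.update(box.subarray(12, -16)), d.final()]);
}

// Sender: message under DH(new ephemeral key, recipient's previous Lock);
// new ephemeral Lock under DH(permanent key, recipient's previous Lock).
function pfsLock(senderPermKey, recipientPrevLock, text) {
  const newKey = keyFrom(nodeCrypto.randomBytes(32)); // stored locally for the next round
  const lockBox = seal(dh(senderPermKey, recipientPrevLock), lockOf(newKey));
  const msgBox = seal(dh(newKey, recipientPrevLock), Buffer.from(text));
  return { newKey, wire: { lockBox, msgBox } };
}

// Recipient: new Lock via DH(previous key, sender's permanent Lock),
// then the message via DH(previous key, new Lock).
function pfsUnlock(recipientPrevKey, senderPermLock, wire) {
  const senderNewLock = open(dh(recipientPrevKey, senderPermLock), wire.lockBox);
  return { senderNewLock, text: open(dh(recipientPrevKey, senderNewLock), wire.msgBox).toString() };
}

// Constructed demo: Alice's permanent key is her scrypt-stretched Password (salt is an assumption).
function demo() {
  const alicePerm = keyFrom(nodeCrypto.scryptSync('constructed Password', 'constructed salt', 32));
  const bobPrev = keyFrom(nodeCrypto.randomBytes(32)); // Bob's ephemeral key from his last message
  const sent = pfsLock(alicePerm, lockOf(bobPrev), 'meet at noon');
  return pfsUnlock(bobPrev, lockOf(alicePerm), sent.wire).text;
}
```

Once the recipient replies and discards the previous ephemeral key, neither `lockBox` nor `msgBox` can be opened again, which is the forward-secrecy property the PFS description relies on.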
What are SeeOnce's weaknesses, and how do I protect against them?
SeeOnce does not attempt to authenticate users, so the only assurance you have that an invitation message actually comes from someone you know is that person's email address, if sent by email. You should try to authenticate the sender by asking him/her to send back a selfie doing something of your choice (the picture does not need to be locked, only the request), or something like that. This is especially important if the sender has changed his/her Password (SeeOnce will tell you it's a new Password) and does not mention the fact in the message.
This still would not be enough against a man-in-the-middle who is able to access both your and your correspondent's email accounts. SeeOnce's help page has instructions on how to perform an interlock authentication, which will reveal the presence of a man-in-the-middle with only three messages sent back and forth.
The second weakness is that the source code may have been tampered with if hackers gain access to the SeeOnce web server. SeeOnce's help page also contains instructions on how to authenticate the code, which involves taking the SHA256 hash of the code with a local or online utility, and comparing the result with what the developer has published and watching a one-minute video (see the Get SeeOnce tab). This is not a problem with the Chrome and native app versions, which are code-signed by the respective app stores.
Incidentally, every encryption app out there has these same weaknesses. They just don't tell their users about them, or how to protect against them.
But SeeOnce is written in JavaScript, which makes it inherently unsafe, right?
Not necessarily. Leaving aside the activity of browser extensions, JavaScript code can be replaced by malicious code through a method called code injection, but this is only triggered if the original code calls an outside resource or if the user clicks a link within the page. SeeOnce does all its work client-side, without ever calling an outside resource. Chat does connect to Firebase.io, but it does so on a separate browser tab without contact with the SeeOnce code.
If you are concerned about an extension reading your secret stuff or injecting code, go ahead and turn off all browser extensions before running the web version of SeeOnce. Alternatively, you can install the Page Cage extension for Chrome or Firefox, and run the web version of SeeOnce from Page Cage. Or you can install the Chrome or Firefox SeeOnce extension/addon, which is natively invisible to other extensions.
But isn't it better to do encryption on the server, so the code is safe from prying eyes?
Oh, really? And then how do you know the code is genuine and it's doing what it says it does? By having the code run on the client, you can actually read the code before you execute it and take its SHA256 digital fingerprint. If the code runs on a server, you just have to trust. What's more, you have to send the plaintext out of your machine, trusting that SSL/TLS, if used, is doing its job. But since Heartbleed and the NSA revelations, we know this is not necessarily true.
Just about every other security app out there uses some sort of server intervention, but they are not doing it to help you. They are doing it so they can have something to make money. SeeOnce needs very few resources and therefore we are not trying to make money, which frees us from servers and from holding any sort of private data. Our Privacy Policy is real simple: we have nothing from you. On the contrary, you have our complete code to use as you see fit, except making money from it.
Is there more?
SeeOnce does only Read-once encryption but yes, there is way more that you can do, using PassLok. This is SeeOnce's big sibling, and it can do three kinds of asymmetric encryption (including self-destruct messaging) as well as hide its output within text in four different ways and also inside images. You can read all about it at the PassLok Weebly site. In addition to the standard PassLok, there's also PassLok for Email, PassLok Universal, and FusionKey, which integrate with email services and also include the Read-once encryption mode of SeeOnce.
And then, there is URSA, which involves only the symmetric encryption methods of PassLok. You can get something similar to self-destruct messages if you use a random symmetric Key that is later discarded by all the correspondents. If you want to learn about cryptography, you may want to start with URSA, then move on to SeeOnce, and finally tackle PassLok.
Why are you doing this?
Because I love people, and I believe their ability to communicate privately is a God-given right. When they exercise it, they are supporting innovation, free exchange of ideas, better government, and then everyone benefits. It's the bad, tyrannical governments throughout history that fear ironclad private communications, because they see enemies everywhere.
Will terrorists and pedophiles be able to use SeeOnce? Sure, as they also use roads, electricity, and indoor plumbing. But likely they are already using something heavier than SeeOnce in order to protect their online communications. It's the little guy on the street who is having his privacy trampled on these days, and this is the guy I am trying to help.
Who are you?
My name is Francisco Ruiz and I am the leader of the SeeOnce project. I have been a professor at the Illinois Institute of Technology, in Chicago, since 1987. In addition to cryptography, I have interests in energy, transportation, literature, music, photography, and theology. Our previous cryptography app, PassLok, also has a page on Weebly. You can read some more about all these projects at my page at IIT, or my personal page at prgomez.com. Drop me a line at [email protected]