Loading...

Create Spot

How This Works

Even this program will not save the password once you type it in. So you'll need to write it down on a piece of paper or save it.

You'll send the password by email, phone, text, WhatsApp, Telegram or write it down on a piece of paper and give it to the participants in person. You can change the password but the randomly generated one above is quite strong (~20480^4 possibilities).

Password Scheme

The password is combined with the room name then hashed. The hash is then used with PBKDF2 SHA-256 for 1,000,000 rounds to create the AES password which is then used in CBC mode to encrypt the message. Each AES encryption operation generates a unique IV that is stored with the encrypted data. The combination of IV and encrypted text is hex-encoded to create the message. The message is JSON containing your username and your public key. The public key is used for other participants to send you messages. Only users who have the password can know your public key and send messages to you because only they can decrypt the message containing your public key and username that you will send when you create the spot.

Encryption Scheme

Once your device decrypts the other participants (see above) it can send a message by generating an encrypted version using a new unique IV and a newly generated strong password. The new strong password is only used for a single message. The strong password is encrypted for each recipient using their known public key. The recipients and their specifically-encrypted messages (each containing the same password) are combined with the encrypted message and then wrapped then encrypted using the room password (see above) to be sent to the server.

For reading messages, your device will downlad the message and look to see if it is one of the recipients, and if so, it will decrypt (using your private key that stays on your device) the single use strong password. The decrypted password can then be used to decrypt the message. Single use passwords also use PBKDF2 (but only 1000 rounds).

General Settings

Change Username



Not sure the above works.

Reset localstorage + sessionstorage.

Join Spot

The password is never sent off your device. It is used to encrypt and decrypt locally within the browser.

Entering “