Shhh is an online tool for end-to-end, entirely client-side encryption
... more.
It is well suited to exchanging confidential or secret information
with another person or a group of people. The pre-defined password
is the only key able to decrypt the encrypted messages.
A person who has the URL you sent but not the password cannot
decrypt the message. This means your ISP, government, and the court
cannot decrypt it. Since we don't save your password, even we cannot
decrypt your message.
You can find the full source code on
GitHub. It includes the JavaScript
and Android app code.
The diagram below shows how your message is encrypted and decrypted.
Some highlights are listed below:
+ The hint message is optional; it is used to remind the receiver what the password is. Note that it is NOT encrypted.
+ The pre-defined password is used by both sender and receiver.
+ A random IV is generated during encryption. It is used not only for hashing the encryption/decryption keys, but also for the block cipher.
+ The encryption key is hashed from the IV and the pre-defined password, so that even if the same password is used with other people, the key is still different.
+ The same IV is also used in the block cipher to increase the attack difficulty.
+ The encrypted message and IV are transmitted via the usual channels, for example, Messenger, WhatsApp, WeChat ... It is just an encrypted URL.
+ The URL will lead the receiver to the decryption page.
+ All the receiver needs to do is type the pre-defined password.
+ Then, the original message is decrypted on the receiver side.
+ The receiver can reply to the message by following the same procedure with either the same or a different password.
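The flow in the list above, as an added example that is not Shhh's own code. It assumes SHA-256 over the IV and password as the key hash, AES-256-CBC as the block cipher, and a hypothetical URL layout on a placeholder host; the page specifies none of these.

```javascript
// Added illustration of the flow described above; not Shhh's actual code.
// Assumptions: SHA-256(IV || password) as the key hash, AES-256-CBC as the
// block cipher, and a hypothetical URL layout on a placeholder host.
const nodeCrypto = require('crypto');

const BASE_URL = 'https://shhh.example/decrypt'; // placeholder, not the real site

// Key = hash of the per-message IV and the shared password, so the same
// password yields a different key for every message.
function deriveKey(iv, password) {
  return nodeCrypto.createHash('sha256')
    .update(iv)
    .update(Buffer.from(password, 'utf8'))
    .digest(); // 32 bytes, used as the AES-256 key
}

// Sender side: returns the URL to paste into a messenger.
function encryptToUrl(message, password, hint = '') {
  const iv = nodeCrypto.randomBytes(16); // fresh random IV per message
  const cipher = nodeCrypto.createCipheriv('aes-256-cbc', deriveKey(iv, password), iv);
  const ct = Buffer.concat([cipher.update(message, 'utf8'), cipher.final()]);
  const params = new URLSearchParams({ iv: iv.toString('hex'), ct: ct.toString('hex') });
  if (hint) params.set('hint', hint); // travels unencrypted: never put secrets here
  return `${BASE_URL}#${params.toString()}`;
}

// Receiver side: returns the plaintext, or null when decryption fails.
function decryptFromUrl(url, password) {
  const params = new URLSearchParams(new URL(url).hash.slice(1));
  const iv = Buffer.from(params.get('iv'), 'hex');
  const ct = Buffer.from(params.get('ct'), 'hex');
  try {
    const decipher = nodeCrypto.createDecipheriv('aes-256-cbc', deriveKey(iv, password), iv);
    return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
  } catch (err) {
    // CBC carries no integrity tag: a wrong key usually surfaces as a padding
    // error here, and otherwise as unreadable output.
    return null;
  }
}

// Constructed sample values, for demonstration only.
const demoUrl = encryptToUrl('meet at 6pm', 'correct horse', 'our usual phrase');
console.log(demoUrl);
console.log(decryptFromUrl(demoUrl, 'correct horse'));
console.log(decryptFromUrl(demoUrl, 'wrong password'));
```

In this example the key is a single fast hash of the IV and password, so the strength of the password itself is what protects the message from anyone who obtains the URL.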
Warning: there are still some weaknesses in the communication. For example,
a browser extension with the ability to read the full content of the HTML page
can still read your information. Turn off those extensions if you have concerns.