This Message Will Self-Destruct…

by August 9, 2010 08/9/10

There’s an interesting Website we stumbled upon the other day that provides a secure, auto-deleted messaging service.

So what exactly does that mean? This Message Will Self-Destruct offers the ability to send an encrypted email-like message to another person either with or without a password. As a reassurance that your message is secure, it’s never stored with TMWSD, just hashed using a heavy-duty hashing utility called bcrypt. The optional password salts the encryption key for even more security.

In addition, whenever the intended recipient reads your message (with or without the password you may have given them) the encrypted message is deleted forever.

Try it out for yourself, but just remember that if you forget the password, not even TMWSD can recover your message!


Are you getting more than 14¢ of value per day from ITS Tactical?

Please consider joining our Crew Leader Membership and our growing community of supporters.

At ITS Tactical we’re working hard every day to provide different methods, ideas and knowledge that could one day save your life. Instead of simply asking for your support with donations, we’ve developed a membership to allow our readers to support what we do and allow us to give you back something in return.

For less than 14¢ a day you can help contribute directly to our content, and join our growing community of supporters who have directly influenced what we’ve been able to accomplish and where we’re headed.

Click here to learn about all the benefits and Join!


Datajockeys
Datajockeys

Anyone who trusts a non-vetted 3rd party to handle their message traffic is just asking for trouble. Of course since you can consider the site compromised... time to have some fun! oh black helicopters...

stephen houson
stephen houson

I worry that a goverment will set up such a site for the purposes of monitoring private communications. If this service indeed is located in San Antonio, Southwest Research Institute comes to mind as a possible host. SwRI is largely a captive not for profit with many US Gov't contracts. Just a thought. Panhandle Rancher

waykno
waykno

Does all this mean my Ticonderoga #2 and Big Chief tablet are out dated??? I am not sure anyone wishing to send anything secure should use the internet. Well, for the average person, that is--if you are part of a bigger system and have all the safeguards, then maybe.

Bryan Black
Bryan Black

No worries, I've enjoyed your comments breaking down the effectiveness of the service, and sincerely appreciate your additions to the conversation.

I agree about the communication patterns being available through the use of analytics, but as you've said, one would first have to gain access to analytics data and that analytics service would then need to store IP addresses in order to establish that pattern of communication between users.

I too agree that there seems to be a lack of transparency with the site. Yes, they are storing the message, but only until it's received.

Here's their verbiage (not mine and it was never my claim that the message is hashed) What I was referring to is below...

"TMWSD is a secure, auto-deleted messaging service. This means two things.

1. We encrypt your message before we store it.

2. The first time the message is retrieved we delete the encrypted content.

We didn't stop there, however. We added the ability to restrict access by password. You don't need to worry about your password either, because in this case we never actually store it. Instead we hash it using a heavy-duty hashing utility (bcrypt). As an added bonus, if you provide a password we salt the encryption key with it for even more security. This means that without the password no one can decrypt your secret message, not even us."

Copy on the San Antonio server, I saw that too after I read your first comment. Again I appreciate your thoughts.

Code24
Code24

One other thing. The message IS stored. They are just claiming it is stored in an encrypted manner. From their "What is this?" link;

" 1. We encrypt your message before we store it."

So they are storing it. The odd thing is your claim that it is hashed... It can't be. A hash is a one way function, not an encryption method. You can never reverse a hash.

Speaking just to the NON password version, they store the message in some encrypted way... But the URL they pass you is just a session ID, not the encrypted data itself. So somewhere on their servers is a database that stores a session ID, the data itself, and the key to reverse it (they have to store the reversal key, because you are not prompted for it. The first time you hit the link, it AUTOMATICALLY decrypts it. Again, this is the "standard" way of using their site, minus the extra password).

So they hold the message itself (which they admit) as well as the key to decrypt it. This site is provably insecure.

Code24
Code24

One other thing. The message IS stored. They are just claiming it is stored in an encrypted manner. From their "What is this?" link; " 1. We encrypt your message before we store it." So they are storing it. The odd thing is your claim that it is hashed... It can't be. A hash is a one way function, not an encryption method. You can never reverse a hash. Speaking just to the NON password version, they store the message in some encrypted way... But the URL they pass you is just a session ID, not the encrypted data itself. So somewhere on their servers is a database that stores a session ID, the data itself, and the key to reverse it (they have to store the reversal key, because you are not prompted for it. The first time you hit the link, it AUTOMATICALLY decrypts it. Again, this is the "standard" way of using their site, minus the extra password). So they hold the message itself (which they admit) as well as the key to decrypt it. This site is provably insecure.

Bryan Black
Bryan Black

Code24, I did and still do see the analytics hooked into the system, but why does that make you assume your message traffic is being stored somewhere? I see Amazon s3 hooked into it, but that appears to just be a spot to store their mixpanel analytics script or analytics results.

Don't get me wrong I'm not claiming the site is 100% secure, as I don't run it, but let's truly analyze what hooks are into this page and see if we can determine what's actually happening.

Thanks for the comment,

~ Bryan

Code24
Code24

I stand corrected. _6_ domains, 2 of which are nothing but traffic analysis. (google-analytics and mixpanel). You would have to be insane to use this site for anything you actually want private.

Code24
Code24

Yeah.....

A "secure" "anonymous" website that has traffic analysis hooks into it? I think I'll pass.

(hit the site with "no-script" enabled, to quickly see the 5 domains that all have hooks into the page).

Code24
Code24

Yeah..... A "secure" "anonymous" website that has traffic analysis hooks into it? I think I'll pass. (hit the site with "no-script" enabled, to quickly see the 5 domains that all have hooks into the page).

dms
dms

Call me paranoid, but sometimes I can't help but wander if such sites (including the on line back up sites) are actually operated by the NSA. Now if I can just find my tin-foil hat I will give it a try.

Poltical Atheist
Poltical Atheist

Anybody have the 411 on this company/person/software? A quick search and not getting much info on who created this. Not that I'm paranoid or anything...uh oh. the black helicopters are back. gotta go!

Matthijs
Matthijs

Well, nice and all, however the recipient can always make a screenshot of the message. So I wouldn't trust the "self-destruct" part too much.

btimmer
btimmer

Cool site idea. Just had a "why didn't I think of that" moment. :)

@TASurvivalism - I've used mailinator.com in the past (back in 2001'ish I think), works great. Also, looks like your URL for BugMeNot has an extra "t" in there and should be http://bugmenot.com/

btimmer
btimmer

Cool site idea. Just had a "why didn't I think of that" moment. :) @TASurvivalism - I've used mailinator.com in the past (back in 2001'ish I think), works great. Also, looks like your URL for BugMeNot has an extra "t" in there and should be http://bugmenot.com/

AKPGP
AKPGP

Look around - there have been reports of this being "less than advertised" I would NOT trust my Comsec to it at all...

TASurvivalism
TASurvivalism

I recommend also checking out:

http://bugmetnot.com/

- provides log in credentials for sites that you might encounter often but probably don't want to register for.

http://www.mailinator.com/

- provides on the fly, temporary email address services for one time visit site registrations and that sort of thing.

TASurvivalism
TASurvivalism

I recommend also checking out: http://bugmetnot.com/ - provides log in credentials for sites that you might encounter often but probably don't want to register for. http://www.mailinator.com/ - provides on the fly, temporary email address services for one time visit site registrations and that sort of thing.

Sven
Sven

got it ;)

Let me say, it works :)

Sven
Sven

got it ;) Let me say, it works :)

Code24
Code24

Well, they may not be storing the message itself, but the analytics portion makes it trivial to correlate sender and receiver. If I am trying to attack a secure communications channel, the first thing I will go after is the end points, and how the message is moved.

So right off the bat the analytics would tell anyone (the site creator, LEOs, and anyone who could hack the analytics data) the web of communication that a certain group uses. In other words, it immediately establishes which people communicate together. Alice creates a link that Bob opens. Bob then creates a link that Carol opens, etc.

There is a certain methodology that is always employed by people I _trust_ to create secure communications. Those people would NEVER track analytics.

Add to that that I don't really see a lot of transparency to this site. Other than taking the author's word for it, there is no PROCESS list, as to how the message is deleted. Is it wiped? Can forensics get it back?

The icing on the cake is that the short domain (https://tmwsd.ws/) is hosted out of Samoa. Do YOU know what the laws for seizure in Samoa are? Do you know if they change often? I don't. As a general rule of thumb, I don't trust my online privacy to third world countries.

Bryan Black
Bryan Black

Code24, I did and still do see the analytics hooked into the system, but why does that make you assume your message traffic is being stored somewhere? I see Amazon s3 hooked into it, but that appears to just be a spot to store their mixpanel analytics script or analytics results. Don't get me wrong I'm not claiming the site is 100% secure, as I don't run it, but let's truly analyze what hooks are into this page and see if we can determine what's actually happening. Thanks for the comment, ~ Bryan

Bryan Black
Bryan Black

Have any specific examples of what you're claiming?

Code24
Code24

Never mind the Samoa thing. I tracked the server, and it's hosted out of San Antonio. My initial thought was that it was hosted outside of the US, but I forgot that Samoa sold their domain names. That was stupid of me.

Code24
Code24

Well, they may not be storing the message itself, but the analytics portion makes it trivial to correlate sender and receiver. If I am trying to attack a secure communications channel, the first thing I will go after is the end points, and how the message is moved. So right off the bat the analytics would tell anyone (the site creator, LEOs, and anyone who could hack the analytics data) the web of communication that a certain group uses. In other words, it immediately establishes which people communicate together. Alice creates a link that Bob opens. Bob then creates a link that Carol opens, etc. There is a certain methodology that is always employed by people I _trust_ to create secure communications. Those people would NEVER track analytics. Add to that that I don't really see a lot of transparency to this site. Other than taking the author's word for it, there is no PROCESS list, as to how the message is deleted. Is it wiped? Can forensics get it back? The icing on the cake is that the short domain (https://tmwsd.ws/) is hosted out of Samoa. Do YOU know what the laws for seizure in Samoa are? Do you know if they change often? I don't. As a general rule of thumb, I don't trust my online privacy to third world countries.

Bryan Black
Bryan Black

No worries, I've enjoyed your comments breaking down the effectiveness of the service, and sincerely appreciate your additions to the conversation. I agree about the communication patterns being available through the use of analytics, but as you've said, one would first have to gain access to analytics data and that analytics service would then need to store IP addresses in order to establish that pattern of communication between users. I too agree that there seems to be a lack of transparency with the site. Yes, they are storing the message, but only until it's received. Here's their verbiage (not mine and it was never my claim that the message is hashed) What I was referring to is below... "TMWSD is a secure, auto-deleted messaging service. This means two things. 1. We encrypt your message before we store it. 2. The first time the message is retrieved we delete the encrypted content. We didn't stop there, however. We added the ability to restrict access by password. You don't need to worry about your password either, because in this case we never actually store it. Instead we hash it using a heavy-duty hashing utility (bcrypt). As an added bonus, if you provide a password we salt the encryption key with it for even more security. This means that without the password no one can decrypt your secret message, not even us." Copy on the San Antonio server, I saw that too after I read your first comment. Again I appreciate your thoughts.

The Latest
Squawk Box

ITS Guy Fawkes Morale Patch - Inspired by our original ITS Guy Fawkes design and numerous requests, we’ve created a patch to “remember, remember, the fifth of November.” November the Fifth marks a day of celebrating in Britain by burning effigies of Guy Fawkes and remembering the Gunpowder Treason & Plot. The history surrounding the plot, which created a day of infamy, is an interesting one with many lessons learned. Click here to learn more about the history behind this patch.

14 hours ago
Leave a Comment