This Message Will Self-Destruct... - ITS Tactical

Shop the ITS Store!


This Message Will Self-Destruct…

By The ITS Crew

There’s an interesting Website we stumbled upon the other day that provides a secure, auto-deleted messaging service.

So what exactly does that mean? This Message Will Self-Destruct offers the ability to send an encrypted email-like message to another person either with or without a password. As a reassurance that your message is secure, it’s never stored with TMWSD, just hashed using a heavy-duty hashing utility called bcrypt. The optional password salts the encryption key for even more security.

In addition, whenever the intended recipient reads your message (with or without the password you may have given them) the encrypted message is deleted forever.

Try it out for yourself, but just remember that if you forget the password, not even TMWSD can recover your message!

Are you getting more than 14¢ of value per day from ITS?

Thanks to the generosity of our supporting members, we’ve eliminated annoying ads and obtrusive content. We want your experience here at ITS to be beneficial and enjoyable.

At ITS, our goal is to provide different methods, ideas and knowledge that could one day save your life. If you’re interested in supporting our mission and joining our growing community of supporters, click below to learn more.


  • This is probably one of the coolest sites I’ve seen in weeks! I’ll need to come up with a real use for it…

    Password: tac

  • got it 😉
    Let me say, it works 🙂

  • TASurvivalism

    I recommend also checking out:
    – provides log in credentials for sites that you might encounter often but probably don’t want to register for.
    – provides on the fly, temporary email address services for one time visit site registrations and that sort of thing.


    Look around – there have been reports of this being “less than advertised” I would NOT trust my Comsec to it at all…

    • Have any specific examples of what you’re claiming?

  • Cool site idea. Just had a “why didn’t I think of that” moment. 🙂

    @TASurvivalism – I’ve used in the past (back in 2001’ish I think), works great. Also, looks like your URL for BugMeNot has an extra “t” in there and should be

  • Matthijs

    Well, nice and all, however the recipient can always make a screenshot of the message. So I wouldn’t trust the “self-destruct” part too much.

  • Anybody have the 411 on this company/person/software? A quick search and not getting much info on who created this. Not that I’m paranoid or anything…uh oh. the black helicopters are back. gotta go!

  • dms

    Call me paranoid, but sometimes I can’t help but wander if such sites (including the on line back up sites) are actually operated by the NSA. Now if I can just find my tin-foil hat I will give it a try.

  • Code24


    A “secure” “anonymous” website that has traffic analysis hooks into it? I think I’ll pass.

    (hit the site with “no-script” enabled, to quickly see the 5 domains that all have hooks into the page).

  • Code24

    I stand corrected. _6_ domains, 2 of which are nothing but traffic analysis. (google-analytics and mixpanel). You would have to be insane to use this site for anything you actually want private.

    • Code24, I did and still do see the analytics hooked into the system, but why does that make you assume your message traffic is being stored somewhere? I see Amazon s3 hooked into it, but that appears to just be a spot to store their mixpanel analytics script or analytics results.

      Don’t get me wrong I’m not claiming the site is 100% secure, as I don’t run it, but let’s truly analyze what hooks are into this page and see if we can determine what’s actually happening.

      Thanks for the comment,
      ~ Bryan

    • Code24

      Well, they may not be storing the message itself, but the analytics portion makes it trivial to correlate sender and receiver. If I am trying to attack a secure communications channel, the first thing I will go after is the end points, and how the message is moved.

      So right off the bat the analytics would tell anyone (the site creator, LEOs, and anyone who could hack the analytics data) the web of communication that a certain group uses. In other words, it immediately establishes which people communicate together. Alice creates a link that Bob opens. Bob then creates a link that Carol opens, etc.

      There is a certain methodology that is always employed by people I _trust_ to create secure communications. Those people would NEVER track analytics.

      Add to that that I don’t really see a lot of transparency to this site. Other than taking the author’s word for it, there is no PROCESS list, as to how the message is deleted. Is it wiped? Can forensics get it back?

      The icing on the cake is that the short domain ( is hosted out of Samoa. Do YOU know what the laws for seizure in Samoa are? Do you know if they change often? I don’t. As a general rule of thumb, I don’t trust my online privacy to third world countries.

    • Code24

      Never mind the Samoa thing. I tracked the server, and it’s hosted out of San Antonio. My initial thought was that it was hosted outside of the US, but I forgot that Samoa sold their domain names. That was stupid of me.

    • No worries, I’ve enjoyed your comments breaking down the effectiveness of the service, and sincerely appreciate your additions to the conversation.

      I agree about the communication patterns being available through the use of analytics, but as you’ve said, one would first have to gain access to analytics data and that analytics service would then need to store IP addresses in order to establish that pattern of communication between users.

      I too agree that there seems to be a lack of transparency with the site. Yes, they are storing the message, but only until it’s received.

      Here’s their verbiage (not mine and it was never my claim that the message is hashed) What I was referring to is below…

      “TMWSD is a secure, auto-deleted messaging service. This means two things.

      1. We encrypt your message before we store it.
      2. The first time the message is retrieved we delete the encrypted content.

      We didn’t stop there, however. We added the ability to restrict access by password. You don’t need to worry about your password either, because in this case we never actually store it. Instead we hash it using a heavy-duty hashing utility (bcrypt). As an added bonus, if you provide a password we salt the encryption key with it for even more security. This means that without the password no one can decrypt your secret message, not even us.”

      Copy on the San Antonio server, I saw that too after I read your first comment. Again I appreciate your thoughts.

  • Code24

    One other thing. The message IS stored. They are just claiming it is stored in an encrypted manner. From their “What is this?” link;

    ” 1. We encrypt your message before we store it.”

    So they are storing it. The odd thing is your claim that it is hashed… It can’t be. A hash is a one way function, not an encryption method. You can never reverse a hash.

    Speaking just to the NON password version, they store the message in some encrypted way… But the URL they pass you is just a session ID, not the encrypted data itself. So somewhere on their servers is a database that stores a session ID, the data itself, and the key to reverse it (they have to store the reversal key, because you are not prompted for it. The first time you hit the link, it AUTOMATICALLY decrypts it. Again, this is the “standard” way of using their site, minus the extra password).

    So they hold the message itself (which they admit) as well as the key to decrypt it. This site is provably insecure.

  • waykno

    Does all this mean my Ticonderoga #2 and Big Chief tablet are out dated??? I am not sure anyone wishing to send anything secure should use the internet. Well, for the average person, that is–if you are part of a bigger system and have all the safeguards, then maybe.

  • stephen houson

    I worry that a goverment will set up such a site for the purposes of monitoring private communications. If this service indeed is located in San Antonio, Southwest Research Institute comes to mind as a possible host. SwRI is largely a captive not for profit with many US Gov’t contracts. Just a thought. Panhandle Rancher

  • Anyone who trusts a non-vetted 3rd party to handle their message traffic is just asking for trouble. Of course since you can consider the site compromised… time to have some fun! oh black helicopters…

Do you have what you need to prevail?

Shop the ITS Store for exclusive merchandise, equipment and hard to find tactical gear.

Do you have what you need to prevail? Tap the button below to see what you’re missing.