stupidly secure chat

Every other messenger asks you to trust their protocol. This one asks you to trust yourself.

No email. No phone number. No tracking. Just a username and password.

The entire security model in 10 seconds

01. Agree on a key

Meet your friend. Say “our secret key is tacomonday.” That’s your key exchange. No protocol. No ceremony.

02. Encrypted on your device

Type a message. Your browser encrypts it with the key before it leaves your device. AES-GCM. Industry standard.

03. Server sees garbage

Our server stores your messages. But it can't read them. Even if we get hacked, the attacker gets meaningless ciphertext.

try it right here

Type a message. Watch the server's view in real time.

[interactive demo: your message / what the server sees]
AES-256-GCM envelope encryption · key: “tacomonday”

why you should not use this app

These are real tradeoffs. If they bother you, use something else.

What we don't do
  • No traditional forward secrecy. If the key leaks, recent messages are exposed
  • You must exchange the key securely (meet in person, smoke signals, carrier pigeon)
  • Metadata (who talks to whom) is still visible to the server
  • No key recovery. If you both forget it, your messages are gone forever
  • You must rotate keys yourself when needed

What you get instead
  • Security you can explain to your mom
  • Codebase small enough to read in an afternoon. Actually verify it yourself
  • No account data. No email, no phone number, no real identity
  • Approval-gated history. Your friend is the tripwire if a key leaks
  • Per-conversation security settings. Tune your threat model for each chat

You are the security layer. We give you the tools. You decide how to use them.

The secure messaging bell curve

"we agree on a password in person and type it in"

"well ACTUALLY you need Diffie-Hellman key exchange with double ratchet and X3DH extended triple Diffie-Hellman with post-quantum hybrid KEM and..."

"pre-shared key symmetric encryption with zero-knowledge server"

how it works

The entire setup is one conversation with a friend.

IRL conversation — the coffee shop

A: "Hey, go to stupidlysecurechat.com"
A: "My username is grug42"
A: "Our secret key is tacomonday"
B: "Cool."

that's it. you're done.
Both open the app, enter the username and key, start chatting.
No verification dances. No phone numbers. No ceremony.

grug talk about security

from the cave of simplicity

what the server sees

We're honest about what we can and can't see. Most apps aren't.

Data                      Visible to server?   Why
Message content           no                   Encrypted before it leaves your device
Your encryption key       no                   Never sent to the server. Ever.
When messages are sent    in transit           Observable in real time, but never stored or logged
IP addresses              in transit           TCP/IP requires it, but never stored or logged
Who's talking to whom     yes                  We need this to route messages
Message sizes             yes                  We store the ciphertext
How often you message     yes                  We route the messages

We can't read your messages. We can see that two pseudonymous accounts are exchanging encrypted blobs, and how often. We can't see when individual messages were sent. If IP-level anonymity matters to you, use Tor.

don't trust us?

Good. You shouldn't trust anyone. Run your own.

terminal:

  $ git clone https://github.com/stupidly-secure-chat/ssc
  $ cd ssc
  $ docker compose up
  # that's literally it
  # postgres + redis + app
  # your server, your data, your rules

Fully open source. MIT license.

ready to chat stupid securely?

No email required. No phone number. Just a username and password.
Then meet your friend and agree on a key.

No password recovery. Forget it and it's gone forever.
That's the deal.