
NCRYPT.it

Mobile, Encrypted, Secure Hosted Messages

What is NCRYPT.it?

NCRYPT.it is a simple web site that can double as a web app and lets you exchange encrypted messages with the safety of strong encryption without having to install any software. While an installed app may offer a lot of benefits, the reality is that the vast majority of your contacts do not have an app and most probably will not install one. NCRYPT.it allows you to send client-side encrypted messages to anyone owning any mobile phone (Nokia, Apple, Android, BlackBerry, etc.) that can access the web, as well as any computer on the planet. All of this without having to install dedicated software and with the power of AES-256 encryption.
Not only that, NCRYPT.it allows you to host the encrypted message on the web in a totally safe encrypted form, so that you're able to send pages and pages of encrypted content over a single SMS message via a short link.
As a nifty little additional feature, all messages hosted on NCRYPT.it will only last 7 days before getting destroyed, so you can safely forget about the possibility of a later leak.

TL;DR version?

NCRYPT.it is a simple mobile application born to provide a layer of reasonable (YMMV) security over insecure communication channels. It aims to give users who cannot (or will not) install an application on their device a simple yet effective way to exchange mobile, encrypted, secure hosted messages that expire after a certain time (one week), without relying on the server to store any password, since the encryption is done entirely on the client side.

Is it safe enough for XXX?

NCRYPT.it is a simple mobile application born to provide a layer of reasonable (YMMV) security over insecure communication channels. It aims to give users who cannot (or will not) install an application on their device a simple yet effective way to exchange mobile, encrypted, secure hosted messages that expire after a certain time (one week), without relying on the server to store any password, since the encryption is done entirely on the client side.

What about the NCRYPT.it Terms of Service?

We ask you to comply with the TOS. In reality all we ask you is to, please, DO NO EVIL.
Thanx.

Why is it secure?

All the content you type gets encrypted on your PC (inside your browser, actually) before you send it out over the network, and is stored encrypted on the remote end.
No content ever gets transmitted in clear, but you don't have to trust us. Fire up a network analyzer (tcpdump, Wireshark or whatever) and look at the traffic payloads.
Look at the source of our web pages in your favourite editor and look for backdoors or programming errors. If you find any, please tell us and we will try to fix them as soon as possible.

Please keep in mind that we cannot guarantee the security of your client. This means that if somebody installed a Trojan, a keylogger or anything else on your [PC|Mac|Workstation] that can read what you type inside our web form, he will be able to read what you write while you do it.
On the server side, we do our best to protect the whole infrastructure: web servers, databases and so on.
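
What "encrypted inside your browser" can look like in practice, as an added example that is not NCRYPT.it's own code: the password is stretched into an AES-256 key on the client, and only the resulting blob would be sent and stored. PBKDF2-SHA-256, AES-GCM, the iteration count, the blob layout and all function names are assumptions; the page does not say which key derivation or cipher mode the site uses.

```javascript
// Added example: password-based client-side encryption with the Web Crypto API.
// Assumptions (not stated on the page): PBKDF2-SHA-256 as KDF, AES-256-GCM as mode.
const enc = new TextEncoder(), dec = new TextDecoder();
const MAX_CHARS = 2000;            // per-message limit mentioned on the page
const PBKDF2_ITERATIONS = 600000;  // assumed work factor

// Works in browsers and in Node.js (falls back to node:crypto's webcrypto).
async function getCrypto() {
  return globalThis.crypto?.subtle ? globalThis.crypto
                                   : (await import('node:crypto')).webcrypto;
}

// Stretch the shared password into a non-extractable 256-bit AES key.
async function deriveKey(c, password, salt) {
  const material = await c.subtle.importKey(
    'raw', enc.encode(password), 'PBKDF2', false, ['deriveKey']);
  return c.subtle.deriveKey(
    { name: 'PBKDF2', hash: 'SHA-256', salt, iterations: PBKDF2_ITERATIONS },
    material, { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
}

// Returns the only thing a server would ever see:
// base64(salt[16] || iv[12] || ciphertext+tag). The password never leaves the client.
async function encryptMessage(password, plaintext) {
  if (plaintext.length > MAX_CHARS) throw new RangeError('message longer than 2000 characters');
  const c = await getCrypto();
  const salt = c.getRandomValues(new Uint8Array(16));  // fresh per message
  const iv = c.getRandomValues(new Uint8Array(12));    // never reused with the same key
  const key = await deriveKey(c, password, salt);
  const ct = new Uint8Array(
    await c.subtle.encrypt({ name: 'AES-GCM', iv }, key, enc.encode(plaintext)));
  const blob = new Uint8Array(28 + ct.length);
  blob.set(salt, 0); blob.set(iv, 16); blob.set(ct, 28);
  return btoa(String.fromCharCode(...blob));
}

// Rejects (GCM tag mismatch) if the password is wrong or the blob was altered.
async function decryptMessage(password, b64) {
  const c = await getCrypto();
  const blob = Uint8Array.from(atob(b64), ch => ch.charCodeAt(0));
  const key = await deriveKey(c, password, blob.slice(0, 16));
  const pt = await c.subtle.decrypt(
    { name: 'AES-GCM', iv: blob.slice(16, 28) }, key, blob.slice(28));
  return dec.decode(pt);
}
```

Because the key is derived from the password alone, the stored blob is only as hard to open as the password is to guess.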

What is AES? What does AES-256 mean?

AES is the encryption algorithm we use to secure the messages before they get sent out on the wire. It was approved by NIST in 2001 after a 5-year long selection process during which it was known as Rijndael. AES strength depends on the key length and on the number of "rounds" that goes with it: AES-256, with its 256-bit key, is the most secure one.
If you want more information, please refer to the Wikipedia page on AES and/or use your favourite search engine.

So I can write anything and it will be perfectly secret for a week?

Yes. Keep in mind that we have logs (and we keep them) of the IP address which entered each message. This may or may not disturb you, but we will turn them over to the authorities in case anything goes wrong (that means, on subpoena OR if you use the service to put other people in danger).
We will not tolerate abuses of the service. This means collaborating with the authorities to the fullest extent in case of criminal issues.

How should I choose my password?

Please use something long, that you and your contact can use, at least 32 chars. As with any password, the more complex, the better. You are welcome to insert letters, numbers, and other signs (!%(#*@&...).

Why just two thousand characters per message?

We do believe it is enough to exchange small messages with your contacts. If you need a larger message space, you can split the content into more than one 2kb chunk and encode everything with the same password, then send more than one URL. NCRYPT.it is not intended to be an encrypted storage. :)

Just a week? My contact can't read the message so fast!

Then write it later. :)
Seriously, we have to limit the size of the encrypted messages queue, and most content gets stale after a week. Again: messages get _deleted_ after a week, we cannot access them any more. Full stop. We only keep multiple copies of _one_ backup snapshot, the last.
So, no - we cannot recover older messages from backups, either.

What is that JavaScript at the beginning and end of the page?!?!

JS libraries and Web Statistics. :) We didn't feel comfortable with using Google Analytics and instead chose lloogg.com, an Italian web stats service that really rocks.
We need the statistics to learn more about usage, and after all we HAVE the logs. If you're concerned about your IP address, try accessing the site via Tor.

I found a bug!

Great! (Well, sort of... O_o). Please contact us and we'll promptly respond to your inquiries. We'd love you to comply with the terms of responsible disclosure, and we'll do our best to get in touch with you in less than 24 hours, trying to fix the vulnerability (where possible) in less than 7 days. At the moment we're not able to create a monetary compensation program, so we'll give you full credit for the finding and your name will be (if you wish so) added at the end of this page in the KUDOS section along with a link to your website.
We'd also like to thank you for the time spent in analyzing and testing every part of this code. We'd like to create a secure environment, and all the help we get brings us closer to that aim.

KUDOS
