A secure instant messaging system with double encryption

Only the sender and the recipient have the power to decrypt a message

How is it done?

Password Validation

The passwords associated with accounts are never saved in our databases. When you register, only a hash value, generated with a salt consisting of a pseudo-random string of bytes (to prevent rainbow table attacks), is sent to us and subsequently written to our databases. A salted hash function is irreversible, so reversing it to recover your password is impossible. We are the ones who wrote the code for this website, and even we do not have the power to ever know your password.

Hash Encryption Key (private instant messaging)

Your messages are first encrypted by the server (with different keys for different users). Then they are encrypted a second time using the hash encryption key.

The HASH ENCRYPTION KEY (HEK) is a hash value of your password (with a different salt than the one used for password validation), generated when you log in to your account and temporarily saved on your local machine through the sessionStorage feature. It is used to encrypt and decrypt your sent and received messages. sessionStorage variables can't be accessed by our servers (unlike COOKIES or SESSION VARIABLES). Hence, this key is only accessible to you through your browser after you log in, and it is immediately erased from the browser when you close the browser, close the tab or log out.

Storing the HEK as a JavaScript variable using the sessionStorage feature makes the encryption and decryption very user-friendly since you don't need to memorize any new passwords or type your password each time you want to view or send messages.

1. The first reason sessionStorage variables were used instead of normal session variables to store the HEK is that admins of this website could technically access session variables. For complete privacy and security, people shouldn't have to trust anyone not to look at their messages (not even the creators of the website); it shouldn't even be a possibility, and that is the level of privacy we achieved with FreeSpeech.

2. Since sessionStorage variables can't be shared between tabs, when you open FreeSpeech in a new tab it stops decrypting messages because the HEK wasn't transferred. Even if this slightly reduces functionality, it greatly increases the security of your password and your messages, which was the main focus of this project.

3. The third reason is that newer browsers, such as recent versions of Chrome, no longer destroy sessions when you close the browser, which means the session variables aren't destroyed either. So your key could remain saved on the server for a very long time after you close the browser, which makes using session variables an extremely bad idea. Using sessionStorage variables, on the other hand, is staggeringly more secure.


WorldChat is a groupchat for the whole world where every user can interact with each other instantly. You don't need an account to use this feature since guests can chat from the login page.

Once a message has been received, nobody without your password can decrypt any message in which you are the sender or a receiver. Hence, be careful about how you store your password and make sure no one except you can access it. If you forget or lose your password, you cannot reset it, so it would be impossible to decrypt your past messages or to access your account.

Created by Mathusan Chandramohan