msg.pet (◕‿◕)

dev

encrypted self-destructing messages

i kept running into this problem where i needed to send passwords or api keys to people, and every solution either felt sketchy or way too complicated. most “secure” messaging apps still store your data on their servers, which… defeats the point?

so i built msg.pet. the main thing i wanted to get right was making it so the server literally cannot read your messages, even if it gets hacked. the trick is that the encryption key lives in the url fragment (the part after the #), which browsers never send to the server. so all the server sees is encrypted gibberish.

the hard parts

figuring out the encryption took a while. i went with aes-256-gcm through the web crypto api, which sounds fancy but mostly meant reading a lot of documentation and messing up a lot. the trickiest bit was the key derivation - making sure the key in the url is actually secure and works across different browsers.
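an added example (not msg.pet's code) of the fragment-key scheme described above, using aes-256-gcm from the web crypto api. the `/m/<id>` link format, the `{id, iv, ct}` blob layout, the randomly generated key and all function names are assumptions made for illustration.

```javascript
// Added example, not msg.pet's code. Link format and blob layout are assumptions.
const wc = globalThis.crypto ??
  (typeof require === "function" ? require("node:crypto").webcrypto : undefined);

// base64url helpers so the key is safe to place in a URL fragment
const b64u = (bytes) => btoa(String.fromCharCode(...bytes))
  .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const unb64u = (s) => Uint8Array.from(
  atob(s.replace(/-/g, "+").replace(/_/g, "/")), (c) => c.charCodeAt(0));

// Sender: encrypt locally; return what is uploaded and the link to share.
async function createSecret(plaintext, origin, id) {
  const key = await wc.subtle.generateKey({ name: "AES-GCM", length: 256 }, true, ["encrypt"]);
  const iv = wc.getRandomValues(new Uint8Array(12)); // fresh 96-bit nonce per message
  const ct = new Uint8Array(await wc.subtle.encrypt(
    { name: "AES-GCM", iv }, key, new TextEncoder().encode(plaintext)));
  const rawKey = new Uint8Array(await wc.subtle.exportKey("raw", key));
  const upload = { id, iv: b64u(iv), ct: b64u(ct) }; // everything the server stores
  const link = `${origin}/m/${id}#${b64u(rawKey)}`;   // key appears only after '#'
  return { upload, link };
}

// What an HTTP client puts on the wire for a link: path and query, no fragment.
function requestTarget(link) {
  const u = new URL(link);
  return u.pathname + u.search;
}

// Recipient: key comes from the fragment, blob comes from the server.
async function openSecret(link, blob) {
  const rawKey = unb64u(new URL(link).hash.slice(1));
  const key = await wc.subtle.importKey("raw", rawKey, { name: "AES-GCM" }, false, ["decrypt"]);
  const pt = await wc.subtle.decrypt(
    { name: "AES-GCM", iv: unb64u(blob.iv) }, key, unb64u(blob.ct));
  return new TextDecoder().decode(pt);
}

async function demo() {
  // constructed sample secret, origin and id
  const { upload, link } = await createSecret("db-password-123", "https://example.invalid", "abc123");
  const fragment = new URL(link).hash.slice(1);
  const leaked = (requestTarget(link) + JSON.stringify(upload)).includes(fragment);
  const roundTrip = await openSecret(link, upload);
  // GCM is authenticated: a flipped ciphertext bit must make decrypt reject.
  const bad = unb64u(upload.ct); bad[0] ^= 1;
  const tamperRejected = await openSecret(link, { ...upload, ct: b64u(bad) })
    .then(() => false, () => true);
  return { leaked, roundTrip, tamperRejected };
}
```

the server-side view is `requestTarget(link)` plus the `upload` object. the key reaches neither, so anything with access to the full link (browser history, chat logs, link previews that run client-side) is what has to be protected.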

the architecture was also a puzzle. i had to really think through what data goes where to make sure there’s no way for the server to reconstruct the message. ended up being pretty minimal - just encrypted blobs in redis with auto-expiry.

what’s next

i want to add file attachments at some point - same idea, encrypted client-side before upload. also thinking about an api so other apps can use it for sensitive data sharing.