Post-quantum encrypted peer-to-peer chat system with zero data storage.
- ✅ Post-Quantum Encryption - ML-KEM/Kyber hybrid (Chrome 142+, Firefox 120+)
- ✅ Direct P2P - WebRTC data channels, no message relay
- ✅ Zero Storage - No databases, no logs, completely ephemeral
- ✅ No Registration - No accounts, phone numbers, or personal data
- ✅ Browser-Based - No installation required
- ✅ Cross-Platform - Works on desktop, mobile, all modern browsers
- ✅ Open Source - Auditable code, transparent security
- Visit the app (once deployed)
- Click “WH15P3R CHAT” to generate a session code
- Share code with your contact via separate channel (phone, Signal, in-person)
- Verify code out-of-band when prompted
- Chat securely - Green border means quantum-resistant encryption active
- Click “END” when finished - all keys destroyed
For maximum security: Use Tor Browser
Signaling Server:
- Platform: Deno Deploy (serverless)
- Repository: whisper-signaling
- URL: https://whisper-signaling-20.ymgholdings.deno.net
- Cost: FREE
Client:
- Platform: GitHub Pages (or custom hosting)
- Repository: This repo
- Domain: WH15P3R.link (when configured)
- Cost: FREE (plus domain registration)
Option A: Use Our Server (Easiest)
- Use existing: `wss://whisper-signaling-20.ymgholdings.deno.net`
- No setup needed
Option B: Deploy Your Own (Recommended for Privacy)
```bash
# Fork whisper-signaling repo
# Connect to Deno Deploy
# Get your own serverless endpoint
# Update client with your URL
```

See Signaling Server Repo for details.
Via GitHub Pages:
- Fork this repository
- Update `index.html` line ~482 with your signaling server URL: `const SIGNALING_SERVER = 'wss://your-server.deno.dev';`
- Go to Settings → Pages
- Source: Deploy from `main` branch
- Access at: https://ymgholdings.github.io/whisper-chat/
With Custom Domain:
- Follow GitHub Pages setup above
- Add custom domain in GitHub Pages settings
- Update DNS records at your registrar
- Enable HTTPS (automatic via GitHub)
```
┌─────────────────────────────────────────────────┐
│ Client (Browser)                                │
│ • Post-quantum encryption (ML-KEM)              │
│ • Session code generation                       │
│ • WebRTC P2P connection                         │
│ • User interface                                │
└─────────────────────────────────────────────────┘
                         │
                         │ TLS 1.3 + ML-KEM
                         ↓
┌─────────────────────────────────────────────────┐
│ Signaling Server (Deno Deploy)                  │
│ • WebRTC handshake coordination                 │
│ • No message content access                     │
│ • Zero data storage                             │
│ • Ephemeral sessions only                       │
└─────────────────────────────────────────────────┘
                         │
                         │ WebRTC signaling
                         ↓
            P2P Connection Established
                         ↓
          ┌──────────────┴──────────────┐
          │                             │
      Client A ←─────────────────────→ Client B
          DTLS 1.3 + ML-KEM (Direct P2P)
          Post-Quantum Encrypted Messages
               No Server Involvement
```
Layer 1: TLS 1.3 (Client ↔ Signaling Server)
- Algorithm: X25519MLKEM768 (hybrid classical + post-quantum)
- Purpose: Protects session code exchange
- Status: Active in Chrome 142+, Firefox 128+, Safari 17.2+
Layer 2: DTLS 1.3 (Peer-to-Peer)
- Algorithm: DTLS 1.3 + ML-KEM hybrid key agreement
- Encryption: AES-256-GCM
- Purpose: Encrypts actual chat messages
- Status: Active in Chrome 142+, Edge 142+, Firefox 120+
✅ Message Content - End-to-end encrypted, quantum-resistant
✅ Future-Proof - Protected against future quantum computers
✅ Server Seizure - Nothing stored to seize
✅ Retroactive Surveillance - Keys destroyed after session
✅ Data Breaches - No data to breach
❌ Endpoint Security - Cannot protect compromised devices
❌ Metadata - Connection timing/patterns visible (use Tor)
❌ Physical Coercion - No crypto protects against this
❌ Screen Recording - Messages visible on screen
For All Users:
- ✅ Use Chrome 142+ or Firefox 120+ for post-quantum encryption
- ✅ Verify session codes out-of-band (phone call, in-person)
- ✅ Close browser when finished (destroys keys)
For High-Risk Users:
- ✅ Access via Tor Browser (hides IP addresses)
- ✅ Use Tails OS (leaves no traces on device)
- ✅ Verify you see “🔒 Q POST-QUANTUM ACTIVE” badge
- ✅ Meet in person for initial code exchange
- ✅ Assume endpoints may be compromised
See USER_GUIDE.md for complete security guidance.
- SECURITY.md - Complete security assessment and threat model
- USER_GUIDE.md - User security guide for different threat levels
- DEPLOYMENT.md - Detailed deployment instructions
- ARCHITECTURE.md - Technical architecture overview
| Browser | Version | PQ Status |
|---|---|---|
| Chrome | 142+ | ✅ Full support (October 2025) |
| Edge | 142+ | ✅ Full support (October 2025) |
| Firefox | 120+ | ✅ Full support (November 2024) |
| Safari | 17.2+ | ✅ TLS support (October 2025) |
| Tor Browser | Latest | ✅ Based on Firefox (recommended) |
Fallback: Older browsers use strong classical encryption (still secure against current threats, not quantum-resistant)
Serverless Setup (Recommended):
- Signaling Server (Deno Deploy): FREE
- Client Hosting (GitHub Pages): FREE
- Domain (WH15P3R.link): $12/year
- SSL Certificates: FREE (automatic)
Total: $12/year (just domain cost)
Alternative with VPS Backup:
- Above setup + Vultr Sweden VPS: $84/year
- Provides jurisdictional redundancy
| Feature | WH15P3R | Signal | Session | Matrix |
|---|---|---|---|---|
| Post-Quantum (Deployed) | ✅ Yes | ❌ No | ❌ No | |
| No Registration | ✅ Yes | ❌ Phone# | ✅ Yes | |
| Zero Storage | ✅ Yes | ✅ Yes | ❌ No | |
| Browser-Based | ✅ Yes | ❌ No | ✅ Yes | |
| True P2P | ✅ Yes | ❌ Server | ✅ Yes | ❌ Server |
| No Installation | ✅ Yes | ❌ App | ❌ App |
Unique Combination: Only system with deployed PQ encryption + zero registration + truly ephemeral + browser-based + direct P2P.
✅ Appropriate For:
- Journalists communicating with sources
- Business confidential communications
- Privacy-conscious general users
- Activists in partially-free countries
- Anyone concerned about quantum future-proofing
- Technical professionals needing quick secure chat
- High-risk dissidents under active surveillance (use Tails + Tor)
- Users who need persistent chat history
- Group communications (currently 1-on-1 only)
- File transfers (text only currently)
- Non-technical users in high-threat environments
Security Issues:
- Report via GitHub Issues (private security advisory)
- Email: [security contact if you add one]
Code Contributions:
- Fork repository
- Create feature branch
- Submit pull request
- Follow existing code style
Documentation:
- Improvements welcome
- Translations appreciated
- User guides for different threat models
✅ Network surveillance (ISP, government)
✅ Future quantum computer attacks
✅ Server compromise/seizure
✅ Retroactive data requests
✅ Man-in-the-middle (with out-of-band verification)
❌ Compromised endpoints (malware, keyloggers)
❌ Physical device access
❌ Coercion/torture
❌ State-level targeted surveillance (combine with physical security)
❌ Traffic analysis without Tor
Reality: No encryption protects compromised endpoints. Use defense in depth.
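
The out-of-band check behind the man-in-the-middle line above only helps if what the two people compare is tied to the DTLS certificates of the P2P link. The following is an added example, not WH15P3R's own code: it extracts the `a=fingerprint` values from each peer's local and remote SDP (in a browser, `pc.localDescription.sdp` and `pc.remoteDescription.sdp`) and checks that the two views agree. The function names and the SDP samples are constructed for illustration.

```javascript
// Added example; names and SDP samples are constructed, not taken from WH15P3R.

// Collect the DTLS certificate fingerprints in an SDP blob
// (RFC 8122: "a=fingerprint:<hash-func> <HEX:HEX:...>", session or media level).
function dtlsFingerprints(sdp) {
  const found = new Set();
  for (const line of sdp.split(/\r?\n/)) {
    const m = /^a=fingerprint:(\S+) ((?:[0-9A-Fa-f]{2}:)+[0-9A-Fa-f]{2})\s*$/.exec(line);
    if (m) found.add(`${m[1].toLowerCase()} ${m[2].toUpperCase()}`);
  }
  if (found.size === 0) throw new Error('SDP has no a=fingerprint line');
  return [...found].sort();
}

// What one peer shows its user: fingerprints it sent and fingerprints it received.
function peerView(localSdp, remoteSdp) {
  return { local: dtlsFingerprints(localSdp), remote: dtlsFingerprints(remoteSdp) };
}

// Out-of-band comparison: each side's "remote" must equal the other side's "local".
function viewsAgree(a, b) {
  const same = (x, y) => x.length === y.length && x.every((v, i) => v === y[i]);
  return same(a.remote, b.local) && same(b.remote, a.local);
}

// Constructed, trimmed SDP: a real description carries many more lines.
const fp = (byte) => Array(32).fill(byte).join(':');
const sampleSdp = (byte) => [
  'v=0', 'o=- 1 1 IN IP4 0.0.0.0', 's=-', 't=0 0',
  `a=fingerprint:sha-256 ${fp(byte)}`,
  'm=application 9 UDP/DTLS/SCTP webrtc-datachannel',
].join('\r\n') + '\r\n';
const offerA = sampleSdp('A1'), answerB = sampleSdp('B2'), otherCert = sampleSdp('EE');

function demo() {
  // Signaling delivered both descriptions unchanged.
  const honest = viewsAgree(peerView(offerA, answerB), peerView(answerB, offerA));
  // Each peer received a description carrying a certificate the other never sent.
  const altered = viewsAgree(peerView(offerA, otherCert), peerView(answerB, otherCert));
  return { honest, altered };
}

console.log(demo()); // { honest: true, altered: false }
```

A mismatch means the descriptions were changed between the peers, and the session should be ended.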
Completed:
- ✅ Post-quantum encryption (ML-KEM)
- ✅ WebRTC P2P connections
- ✅ Ephemeral sessions (zero storage)
- ✅ Browser-based (no installation)
- ✅ Out-of-band verification prompts
- ✅ User security guide
- ✅ Serverless deployment
Potential Future:
- ⏳ Group chat support
- ⏳ File transfer (encrypted)
- ⏳ Voice/video calls
- ⏳ Mobile app wrapper
- ⏳ Tor hidden service (.onion)
- ⏳ Independent security audit
Privacy:
- No data collection
- No user tracking
- No analytics
- No cookies
GDPR Compliance:
- No personal data stored
- No data retention
- Nothing to erase or export
Liability:
- Provided as-is
- No warranties
- Users responsible for lawful use
- Encryption tools are legal in most jurisdictions
Q: Is this really quantum-resistant?
A: Yes, when using Chrome 142+, Edge 142+, or Firefox 120+. Uses NIST-standardized ML-KEM (FIPS 203).
Q: Can the government read my messages?
A: They cannot decrypt messages in transit (even with quantum computers). But they CAN compromise your endpoint device.
Q: Do I need to trust the server?
A: Server only sees random session codes and connection metadata. Message content is end-to-end encrypted P2P.
Q: Why not just use Signal?
A: Signal is excellent. WH15P3R offers: deployed post-quantum (not planned), no phone number, no metadata storage, truly ephemeral. Different use cases.
Q: Is this secure for journalists/activists?
A: Yes, for medium-risk scenarios. Combine with Tor Browser and proper operational security. Read USER_GUIDE.md for your threat level.
Q: Can this be traced back to me?
A: Use Tor Browser to hide your IP. The system stores nothing, but network traffic patterns are visible without Tor.
Q: What happens if I lose connection?
A: Session ends, all keys destroyed. Start new session with new code.
- NIST - Post-Quantum Cryptography Project
- WebRTC Working Group - P2P standards
- Deno Team - Serverless platform
- Browser Vendors - Chrome, Firefox, Safari teams for PQ implementation
- Cryptography Community - For ML-KEM development and analysis
Open Source - Use Responsibly
Project Repository: https://github.com/ymgholdings/whisper-chat
Signaling Server: https://github.com/ymgholdings/whisper-signaling
Issues: GitHub Issues
Security: Private security advisory on GitHub
Last Updated: November 2025
Version: 1.0.0
Status: Production Ready