⚠️ Important Note
Files are transferred directly from your device to the recipient's device (peer-to-peer). Both devices must be online simultaneously and the page must remain open on both ends. If a page is closed or the connection is lost, the transfer fails. With TURN servers active on both sides, data can be sent via a server. Only private STUN and TURN servers are used.
🔒 Security Notes
• ECDH P-256 for key exchange – session key never leaves the browser
• AES-GCM 256-bit for file encryption with a random IV per file
• Optional password is derived via PBKDF2 (100,000 iterations) and combined with ECDH via HKDF
• Server acts only as a signaling relay (WebRTC handshake) – no file storage
• Sessions expire automatically after 15 minutes
🔬 Technical Details (for those interested)
Key exchange (ECDH): Both sides generate an ephemeral Elliptic-Curve Diffie-Hellman key pair (curve P-256). Public keys are exchanged via the server. From the shared secret, a 256-bit AES key is derived via HKDF-SHA-256. The private key never leaves the browser.
Password protection (optional): If a password is set, a 256-bit key is derived from it via PBKDF2-SHA-256 (100,000 iterations) and bytewise XORed with the ECDH shared secret before HKDF is applied. Without the correct password and the ECDH connection, no decryption is possible.
File encryption (AES-GCM): Each file is encrypted with AES-256-GCM using a random 96-bit IV (nonce). GCM provides both confidentiality and authenticity – tampered data is detected and rejected.
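The key schedule and file encryption described in the three paragraphs above, written against the WebCrypto API as an added example (not this site's own code). The PBKDF2 salt (here a constructed session code), the HKDF salt and info values, and all function names are assumptions, since the page does not specify them.

```javascript
// Added example, not the site's code. Browsers and Node 20+ expose WebCrypto globally.
const wc = globalThis.crypto ?? require("node:crypto").webcrypto;
const enc = new TextEncoder();

// Ephemeral ECDH P-256 key pair; the private key is created non-extractable.
const newKeyPair = () =>
  wc.subtle.generateKey({ name: "ECDH", namedCurve: "P-256" }, false, ["deriveBits"]);

// ECDH secret, optionally XORed with the PBKDF2 output, then HKDF-SHA-256 -> AES-256 key.
// Assumptions: the PBKDF2 salt, the all-zero HKDF salt and the info label.
async function deriveFileKey(myPrivate, peerPublic, password, salt) {
  const secret = new Uint8Array(
    await wc.subtle.deriveBits({ name: "ECDH", public: peerPublic }, myPrivate, 256));
  if (password) {
    const pw = await wc.subtle.importKey("raw", enc.encode(password), "PBKDF2", false, ["deriveBits"]);
    const stretched = new Uint8Array(await wc.subtle.deriveBits(
      { name: "PBKDF2", hash: "SHA-256", salt, iterations: 100000 }, pw, 256));
    for (let i = 0; i < secret.length; i++) secret[i] ^= stretched[i]; // bytewise XOR
  }
  const ikm = await wc.subtle.importKey("raw", secret, "HKDF", false, ["deriveKey"]);
  return wc.subtle.deriveKey(
    { name: "HKDF", hash: "SHA-256", salt: new Uint8Array(32), info: enc.encode("example-file-key") },
    ikm, { name: "AES-GCM", length: 256 }, false, ["encrypt", "decrypt"]);
}

// AES-256-GCM with a fresh random 96-bit IV for every file.
async function encryptFile(key, data) {
  const iv = wc.getRandomValues(new Uint8Array(12));
  const ct = new Uint8Array(await wc.subtle.encrypt({ name: "AES-GCM", iv }, key, data));
  return { iv, ct };
}
const decryptFile = (key, { iv, ct }) => wc.subtle.decrypt({ name: "AES-GCM", iv }, key, ct);

// Constructed run: matching passwords decrypt; a wrong password or a flipped bit is rejected.
async function demo() {
  const alice = await newKeyPair(), bob = await newKeyPair();
  const salt = enc.encode("ABCD23"); // constructed session code used as salt (assumption)
  const kA = await deriveFileKey(alice.privateKey, bob.publicKey, "correct horse", salt);
  const kB = await deriveFileKey(bob.privateKey, alice.publicKey, "correct horse", salt);
  const kBad = await deriveFileKey(bob.privateKey, alice.publicKey, "wrong guess", salt);
  const msg = await encryptFile(kA, enc.encode("constructed file contents"));
  const roundTrip = new TextDecoder().decode(await decryptFile(kB, msg));
  const verdict = (p) => p.then(() => "accepted", () => "rejected");
  const wrongPassword = await verdict(decryptFile(kBad, msg));
  msg.ct[0] ^= 1; // simulate tampering in transit
  const tampered = await verdict(decryptFile(kB, msg));
  return { roundTrip, wrongPassword, tampered };
}
demo().then(console.log);
```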
Data transmission (WebRTC DataChannel): The encrypted data is transmitted over a WebRTC DataChannel directly between browsers (P2P). The server only sees WebRTC signaling messages (SDP offer/answer and ICE candidates), never the file contents. WebRTC uses DTLS and SRTP internally for transport encryption – files are thus doubly protected.
Session & Signaling: The server holds the session exclusively in RAM (nothing is written to a database). After 15 minutes of inactivity, the session is automatically dropped. The session code consists of 6 random characters (alphabet excluding ambiguous characters like O/0/I/l), resulting in ~10⁹ possible combinations.