
How Messenger Works

Real-time Encrypted Chat

Bixby Messenger provides real-time encrypted chat between two people. All messages are encrypted in the browser before being sent, so the server never sees the original messages, only encrypted data.

Enhanced Encryption

Messenger uses AES-256-GCM with HKDF key derivation and Additional Authenticated Data (AAD) for extra security. Each message has a unique salt and IV.

  • AES-256-GCM
  • HKDF-SHA-256 key derivation
  • 256-bit salt
  • 96-bit IV
  • 128-bit auth tag
  • AAD for integrity

crypto.js JavaScript
// Excerpt: masterKey, salt, info, iv, aad, data, key and deriveKeyHKDF()
// are not shown here.
async function encryptMessage(plaintext) {
  // HKDF key derivation with 256-bit salt
  const derivedKey = await deriveKeyHKDF(masterKey, salt, info);

  // AES-256-GCM with Additional Authenticated Data
  const encrypted = await crypto.subtle.encrypt(
    { name: 'AES-GCM', iv, additionalData: aad },
    derivedKey,
    data
  );

  return { encrypted, key };
}
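The scheme described above, written out end to end as an added example (not Bixby's own code): a fresh 256-bit salt and 96-bit IV per message, an HKDF-SHA-256 derived AES-256-GCM key, and decryption that fails when the AAD or ciphertext has changed. The function names, the info label, the use of the room ID as AAD and the sample key are assumptions made for illustration.

```javascript
// Added example (not Bixby's code): HKDF-SHA-256 -> AES-256-GCM with AAD via Web Crypto.
// Assumptions: roomSecret is the shared room key, roomId is used as AAD, INFO is made up.
const wc = globalThis.crypto ?? require('node:crypto').webcrypto; // browser or older Node
const enc = new TextEncoder();
const INFO = enc.encode('example-message-key'); // hypothetical HKDF info label

async function deriveKey(roomSecret, salt) {
  const ikm = await wc.subtle.importKey('raw', roomSecret, 'HKDF', false, ['deriveKey']);
  return wc.subtle.deriveKey(
    { name: 'HKDF', hash: 'SHA-256', salt, info: INFO },
    ikm, { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
}

async function sealMessage(roomSecret, roomId, plaintext) {
  const salt = wc.getRandomValues(new Uint8Array(32)); // 256-bit salt, fresh per message
  const iv = wc.getRandomValues(new Uint8Array(12));   // 96-bit IV, fresh per message
  const key = await deriveKey(roomSecret, salt);
  const params = { name: 'AES-GCM', iv, additionalData: enc.encode(roomId), tagLength: 128 };
  const ciphertext = new Uint8Array(await wc.subtle.encrypt(params, key, enc.encode(plaintext)));
  return { salt, iv, ciphertext }; // salt and IV are not secret; they travel with the message
}

async function openMessage(roomSecret, roomId, { salt, iv, ciphertext }) {
  const key = await deriveKey(roomSecret, salt);
  const params = { name: 'AES-GCM', iv, additionalData: enc.encode(roomId), tagLength: 128 };
  // decrypt() rejects if the ciphertext, tag, IV, salt or AAD differ from what was sealed
  return new TextDecoder().decode(await wc.subtle.decrypt(params, key, ciphertext));
}

const verdict = (p) => p.then(() => 'accepted', () => 'rejected');

async function demo() {
  const roomSecret = wc.getRandomValues(new Uint8Array(32)); // constructed sample key
  const msg = await sealMessage(roomSecret, 'room-A', 'hello');
  const flipped = { ...msg, ciphertext: msg.ciphertext.slice() };
  flipped.ciphertext[0] ^= 1; // simulate a single bit changed in transit
  return {
    roundTrip: await openMessage(roomSecret, 'room-A', msg),
    wrongAad: await verdict(openMessage(roomSecret, 'room-B', msg)),
    tampered: await verdict(openMessage(roomSecret, 'room-A', flipped)),
    ciphertextBytes: msg.ciphertext.length, // 5 plaintext bytes + 16-byte tag
  };
}

demo().then((r) => console.log(r));
```

The receiver needs the salt and IV to rebuild the key and verify the tag, which is why both are returned alongside the ciphertext.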

Real-time Communication

Messenger uses polling with exponential backoff and auto-reconnect for reliable real-time communication without WebSocket overhead.

  • Polling with exponential backoff (2-30s)
  • Auto-reconnect on connection loss
  • Connection status tracking

messenger.js JavaScript
// Excerpt: loadMessages(), adjustPollInterval(), success, consecutiveFailures,
// MAX_FAILURES, updateConnectionStatus() and reconnect() are not shown here.

// Polling with exponential backoff
function startPolling() {
  const poll = async () => {
    await loadMessages();
    const delay = adjustPollInterval(success);
    setTimeout(poll, delay);
  };
  poll();
}

// Auto-reconnect on connection loss
if (consecutiveFailures >= MAX_FAILURES) {
  updateConnectionStatus('disconnected');
  setTimeout(reconnect, 5000);
}

Features

Typing Indicator

See when someone is typing in real-time.

Read Receipts

Know when your messages have been read by the recipient.

Message Expiration

Set a self-destruct timer for messages (hours or minutes).

Multiple Rooms

Manage multiple chat rooms simultaneously with a sidebar interface.

QR Code Sharing

Share rooms easily via QR codes for quick access.

Room History

Save and revisit recent rooms via localStorage.

Security

  • Client-side encryption with AES-256-GCM
    All encryption happens in the browser. Plaintext never leaves the device.
  • Zero-knowledge architecture
    Server sees only encrypted blobs. No access to plaintext is possible.
  • Key in URL fragment
    Room key is in URL fragment, never sent to server (RFC 3986).
  • Rate limiting
    30 messages per 60 seconds per room/IP to prevent abuse.
  • No tracking or logging
    No tracking cookies, analytics, or content logging. Privacy-first.

Privacy

Messenger fully respects your privacy. No tracking, no analytics, no logging of message content. All encryption happens locally in your browser. The server only acts as a relay for encrypted data.
