Five locks, and every one is your choice
Most “secure messenger” diagrams show one lock and a lot of confidence. Real protection is layered — and the honest version names each layer, what it does, and where it ends. In YGOOW a message can pass through five, and each one above the last is a deliberate choice, never a silent default.
1. Transport (TLS)
The ordinary encrypted pipe between your phone and whatever it connects to. It stops the coffee-shop network from reading raw bytes. On its own it protects almost nothing that matters here — the far end still sees everything — which is exactly why there are four more layers.
2. Tor (on by default)
Your connection is routed through several independent relays, each removing one layer of wrapping, so no single hop sees both who you are and what you reach. The YGOOW relay lives inside that network as an onion service: it never learns an ordinary IP address for you. This is on unless you turn it off — and turning it off makes the app stop and confirm, because off means you just handed the server your address.
3. The end-to-end channel
A conversation only the two endpoints can read, bootstrapped from a key you agreed offline — in person, by a shared file, by a scanned code. The server is never a party to that agreement, which is the whole reason it has nothing to hand over when someone leans on it. Messages you have already sent stay sealed even if your keys are later stolen: the key that wrote each one is used once and erased.
4. Locked content (optional)
Here is where YGOOW stops looking like other messengers. You can seal the words themselves under a separate secret — a password, a file, a quorum of people — that the channel never holds. Break the channel, seize the phone, and the content is still locked, because its key was never in the channel to begin with. This is also what lets the same room be plain text to one person and a sealed block to another, with no error and no hint.
Because this layer is separate, it changes what the layers below even need to do. A protection like post-compromise security — healing a channel after it is breached — matters a great deal when the channel is your content’s only lock. When your content is sealed under a key the channel never touched, that particular worry mostly dissolves. Different architecture, different threats.
5. Lifetime (optional)
Finally, a message can carry a lifetime: when it may be opened, and when it disappears. The clock runs on your device — the server never learns when, or whether, you read. It is real protection against a phone seized later; it is not a spell that forces a determined recipient to forget, and we don’t sell it as one.
Why separate, and why optional
The layers are independent on purpose. You shouldn’t have to accept the cost of the strictest one to get the benefit of a weaker one, and you shouldn’t get a strong-sounding label that quietly leans on a layer you never turned on. So each is yours to raise, with the cost stated plainly — and the protection levels bundle them into three honest choices, framed by a single question: if your phone were taken, what would it reveal?
That is the whole point of counting the locks out loud. A messenger that shows you one lock is asking for your trust. One that shows you five, and tells you which are open, is offering you something better: the ability to check.
Your key, your rules — everything else is redacted.