Choosing your protection
Every other messenger picks your security for you and hopes you never ask. YGOOW does the opposite: before a conversation starts, you choose how it is protected — and there is no default. If you don’t choose, you don’t chat. That sounds blunt. It is meant to be.
Why there is no default
A default is a decision made for you, by someone who will not be in the room when it matters. Security you didn’t choose is security you don’t understand — and the moment you need it, “I thought it was on” is not an answer. So YGOOW refuses to guess. You set the level when you open a conversation; the app tells you, in plain words, what each one costs and protects.
If none of it matters to you for a given conversation — that is a real, honest answer too. It just means you don’t need this app for that conversation:
You don’t need anything here protecting your metadata and your words? Send an SMS.
That isn’t an insult. It’s the truth, said once, so you can make a real choice.
The five layers a message passes through
Each layer above the one before it is a deliberate choice, never silent:
- Transport (TLS). The basic encrypted pipe.
- Tor (on by default). The relay never learns your IP or where you are. Turn it off only on purpose — and the app makes you confirm it, because off means you just handed over your address.
- End-to-end channel. A conversation only the two of you can read, bootstrapped from a key you agreed offline.
- Locked content (optional). The words themselves, sealed under a separate secret the channel never holds.
- Lifetime (optional). When a message may be opened, and when it disappears — counted on your device, never by the server.
The three levels you choose from
The choice is per conversation, framed by one question: if your phone were taken, what would it reveal?
1 · Private chat
A normal end-to-end conversation with one person. Fast, frictionless, nothing to manage. Messages you have already sent stay sealed even if your keys are later stolen — the key that wrote each one is used once and erased. For people you trust, about things that need privacy but not armour.
2 · Locked conversation
Everything in Private chat, plus: the content is sealed under a separate secret you choose — a password, a file, a link, or a quorum of people. Take the phone and break the channel, and the words are still locked, because their key was never the channel’s key. The level to reach for when the conversation matters more than convenience.
3 · Locked — nothing stored
The strictest. The content secret lives only in your head; nothing that can open the conversation is written to the device. A seized phone reveals nothing to read, past or future — because there is no key on it to find. The cost is honest: you re-enter the secret each time, and there is no recovery. For the conversation you would protect with your silence.
Inside any locked level you can also seal a single message with its own secret or a quorum — so one line is readable to one person and a sealed block to everyone else, with no error and no hint. That is the property we pull apart in “no oracle”.
Which level for which situation
| If you are… | and you want… | choose |
|---|---|---|
| two colleagues coordinating | privacy without ceremony | Private chat |
| a journalist and a source | content that survives a seized phone | Locked conversation |
| sharing one sensitive file or instruction | a key only a group together can open | Locked, per-message quorum |
| somewhere the device itself may be taken | nothing readable left on the phone | Locked — nothing stored |
None of these is “the secure one” and the rest insecure. They are different answers to different threats — and YGOOW’s job is to make the trade visible, then let you decide.
One secret, measured honestly
The locked levels rest on the secret you pick — so its strength is the whole game. Whatever form it takes, the app measures its real strength, stretches a weak one with a memory-hard function before it is ever used, and never lets the weakest part hide behind the strongest. A public file or a guessable link is not a secret, and the app will say so. More on that in the trust model.
Your key, your rules — everything else is redacted.