Trust model
Most messengers ask you to trust that they will refuse the wrong request. YGOOW is built so the wrong request finds nothing to take.
The decision everything rests on
The server never negotiates your keys. A secret — or the knowledge of it — is agreed between people offline, outside the system. Our relay is never a party to that agreement.
The consequence is permanent: there is no key material on our side to subpoena, hand over, or backdoor. No one can be compelled to surrender what they never hold. This is the Lavabit lesson built in from the start, not bolted on after a court order — and it removes the operator as a point of pressure.
What it protects — and what it doesn’t
We would rather mark the edge of the protection than let you assume there isn’t one.
| YGOOW protects you from | YGOOW does not protect you from |
|---|---|
| the operator being turned into a point of pressure | a compromised or unlocked phone — spyware, or a device seized while open, reads your screen no matter the cryptography |
| interception of key negotiation — there is none to intercept | coercion aimed directly at you |
| a demand for material the server simply does not have | a weak secret chosen knowingly — that risk is yours, and the app shows it to you |
What each party can see
The whole threat model fits on one screen — who learns what about a message:
┌──────────────────────────────────────────────────────────────────┐
│ YOUR DEVICE    plaintext · your keys · who you talk to           │
│ TOR NETWORK    that *a* connection exists — never both ends      │
│ THE RELAY      one ciphertext block + a timestamp. Nothing more  │
│                no sender · no recipient · no key · no IP         │
│ AN ATTACKER    with the relay seized: indistinguishable noise    │
└──────────────────────────────────────────────────────────────────┘
The one exception sits deliberately at the top of that list: your device. A phone unlocked in the wrong hands, or carrying spyware, reads your screen directly — no cryptography survives that. We put it first, because the projects that bury it are the ones to distrust.
Your key is only as strong as its secrecy
“Your key is anything” is the point — and it has an edge we won’t hide. A key is only as strong as the secrecy of your choice: a public file or a guessable link is not a secret. So the app measures the real strength of whatever you pick, stretches weak secrets with a memory-hard function before they are ever used, and never lets the weakest factor hide behind the strongest. The strength you see is the strength you have.
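What "measure the real strength, stretch with a memory-hard function, and never let the weakest factor hide" looks like in code, as an added example that is not YGOOW's own implementation. The entropy estimator, the small blocklist and the scrypt cost parameters are assumptions made for illustration; scrypt itself is the memory-hard function used here, via the standard library.

```python
"""Added example (not YGOOW's code): measure the secret the user picked,
stretch it with a memory-hard KDF, and report the weakest factor honestly.
The estimator, the blocklist and the cost parameters are assumptions."""
import hashlib
import math
import os
from typing import Optional, Tuple

# Constructed blocklist standing in for a real "commonly chosen secrets" list.
COMMON_SECRETS = {"password", "123456", "letmein", "qwerty"}

# Assumed scrypt parameters: N=2**14, r=8, p=1 needs about 16 MiB per guess,
# which is what makes large-scale guessing on GPUs or ASICs expensive.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
KEY_LEN = 32  # 256-bit symmetric key


def estimate_secret_bits(secret: str) -> float:
    """Rough entropy estimate: size of the character pool actually used,
    raised to the length, with a hard zero for blocklisted values.
    It deliberately estimates low; a real product would also model
    dictionary words and keyboard patterns (zxcvbn-style)."""
    if not secret or secret.lower() in COMMON_SECRETS:
        return 0.0
    pool = 0
    if any(c.islower() for c in secret):
        pool += 26
    if any(c.isupper() for c in secret):
        pool += 26
    if any(c.isdigit() for c in secret):
        pool += 10
    if any(not c.isalnum() for c in secret):
        pool += 33
    return len(secret) * math.log2(pool)


def stretch_secret(secret: str, salt: bytes) -> bytes:
    """Memory-hard stretching with scrypt (hashlib.scrypt is in the stdlib).
    Stretching raises the attacker's cost per guess; it adds no entropy."""
    return hashlib.scrypt(secret.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)


def effective_strength_bits(secret: str) -> float:
    """The number shown to the user: the weakest factor wins. A 256-bit
    derived key does not make a 20-bit passphrase any stronger."""
    return min(estimate_secret_bits(secret), KEY_LEN * 8)


def derive_key(secret: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes, float]:
    """Return (key, salt, strength shown to the user)."""
    salt = salt if salt is not None else os.urandom(16)
    return stretch_secret(secret, salt), salt, effective_strength_bits(secret)


if __name__ == "__main__":
    for s in ["password", "Tr0ub4dor&3", "correct horse battery staple"]:
        key, salt, bits = derive_key(s)
        print(f"{s!r:32} shown strength {bits:6.1f} bits  key {key.hex()[:16]}...")
```

The design choice worth noticing is `effective_strength_bits`: the display is the minimum over every factor, so a strong KDF output never masks a guessable input, which is the property the paragraph above promises.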
Three levels, and you choose
None of this is a single setting you trust. Before each conversation you pick how it is protected — a normal channel, content locked under a separate secret, or a secret that never touches the device at all — and there is no insecure default. The trade-offs, in plain terms, are laid out in choosing your protection.
The risk we can’t design away
One pressure point on us outlives the design: a malicious update pushed through an app store. We don’t pretend it’s gone. We mitigate it with signed, transparent releases, and we are committed to independent audit of our code — and we will never claim an audit we have not completed. Our standing disclosure terms are on the security page.
Verify, don’t trust us
“Trust us” is what every service says. Here is what you can check instead, without taking our word:
- The warrant canary is PGP-signed. Verify the signature against our published key — an unsigned or non-verifying canary means nothing. The steps are on the canary page.
- The security contact is machine-readable at /.well-known/security.txt (RFC 9116), pointing at the same key.
- The cryptography is written out, primitive by primitive, in the whitepaper — and the app re-runs the same known-answer test vectors on your own phone.
- An independent audit is something we have committed to; we will report on it when it is done, never before, and will not claim an audit we have not completed.
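A known-answer self-test of the kind the third point describes, written here as an added example rather than YGOOW's own test harness. The digests are the public FIPS 180 SHA-256 values for the empty string and "abc"; the harness structure, the fail-closed wrapper and the deliberately broken implementation are assumptions for illustration.

```python
"""Added example (not YGOOW's code): run known-answer test vectors against
the local crypto implementation and refuse to hand it out if any fail."""
import hashlib
from typing import Callable, Dict, List, Optional, Tuple

Primitive = Callable[[bytes], bytes]

# Public FIPS 180 SHA-256 known-answer vectors: (name, input, expected hex).
SHA256_VECTORS: List[Tuple[str, bytes, str]] = [
    ("sha256-empty", b"",
     "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),
    ("sha256-abc", b"abc",
     "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"),
]


def sha256(data: bytes) -> bytes:
    """The implementation under test (stdlib here)."""
    return hashlib.sha256(data).digest()


def broken_sha256(data: bytes) -> bytes:
    """Constructed stand-in for a corrupted or tampered build."""
    return hashlib.sha256(data + b"\x00").digest()


def run_kats(primitive: Primitive, vectors) -> Dict[str, bool]:
    """Evaluate every vector; an exception counts as a failure, not a skip."""
    results: Dict[str, bool] = {}
    for name, data, expected_hex in vectors:
        try:
            results[name] = primitive(data) == bytes.fromhex(expected_hex)
        except Exception:
            results[name] = False
    return results


def self_test_passed(results: Dict[str, bool]) -> bool:
    """Fail closed: an empty result set is not a pass."""
    return bool(results) and all(results.values())


def ready_primitive(primitive: Primitive, vectors) -> Optional[Primitive]:
    """Return the primitive only if its known answers match; None otherwise,
    so callers cannot encrypt with an implementation that failed its KATs."""
    return primitive if self_test_passed(run_kats(primitive, vectors)) else None


if __name__ == "__main__":
    for label, impl in (("stdlib", sha256), ("tampered", broken_sha256)):
        status = "ok" if ready_primitive(impl, SHA256_VECTORS) else "REFUSED"
        print(f"{label:9} {status}  {run_kats(impl, SHA256_VECTORS)}")
```

The point of `ready_primitive` is that a failed vector is not merely logged: nothing downstream gets a handle on the implementation, which is what makes re-running vectors on the device a check rather than a ceremony.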
We do not ask you to believe us. We ask you to check.
The cryptography itself
Every primitive, from the key derivation and the forward-secrecy ratchet to identity and quorum unlock, is written out in full in the whitepaper. Nothing on this page is dressed up beyond what is written there.
Your key, your rules — everything else is redacted.