Inspiration
Most of us treat Discord like a private living room, but it’s actually a glass house. After a close friend had her sensitive credentials scraped and her digital life upended, we realized that "standard" encryption isn't always enough. Sometimes, the mere appearance of encrypted text (that block of random gibberish) is enough to draw unwanted attention. We wanted to build something that didn't just lock the door, but made the door look like a blank wall to anyone but the intended recipient.
What it does
Ghostscript is a Chrome extension that acts as a "cloaking device" for your messages. It provides a secure overlay within the Discord UI where you type your true message. Once you hit send, the extension encrypts that data and weaves it into natural-language "cover text"—turning a private password into a comment about the weather or a video game. For the receiver, the extension automatically "sees through" the cover text, decrypting and displaying the original secret message directly in the chat window. It’s end-to-end encryption that speaks fluent English.
How we built it
We built Ghostscript as a full-stack secure communications prototype with a browser extension frontend, a pairing and cover-text backend, and a product-facing install site.
The extension is built with React, TypeScript, and Vite, and acts as the secure endpoint. It manages local identity generation, session state, Discord DOM integration, encrypted composition, incoming message monitoring, and decrypted overlay rendering. It injects directly into Discord Web and operates as the trusted client boundary.
On the cryptography side, Ghostscript uses modern secure primitives and authenticated encryption workflows to protect message confidentiality and integrity. The current implementation includes local identity bundles, secret derivation, AES-GCM authenticated encryption, message-bound additional authenticated data, and SHA-256-derived fingerprints for contact identity binding.
The backend service supports secure pairing and cover-text generation. Pairing is handled through short-lived 4-digit invite codes backed by session records, rate limiting, and invite invalidation. For language generation, the backend can use OpenAI-powered cover-text synthesis or fall back to local templates for resilient operation. This gives Ghostscript both operational reliability and a stronger demo story.
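A 4-digit code has only 10,000 possible values, so expiry, single use, and a cap on wrong guesses carry the security of the pairing step. The sketch below is an added example, not Ghostscript's backend code: `InviteStore`, `clientId`, and the constants `TTL_MS`, `WINDOW_MS`, and `MAX_FAILED` are hypothetical names with assumed values, and storage is an in-memory map rather than real session records.

```javascript
// Added example (not Ghostscript's code). All constants are assumed values.
const TTL_MS = 2 * 60 * 1000;      // invite lifetime
const WINDOW_MS = 10 * 60 * 1000;  // failure-counting window per client
const MAX_FAILED = 5;              // wrong guesses allowed per window

class InviteStore {
  // randomInt(n): uniform integer in [0, n) from a CSPRNG, e.g. Node's crypto.randomInt.
  constructor(randomInt, now = () => Date.now()) {
    this.randomInt = randomInt;
    this.now = now;
    this.invites = new Map();   // code -> { sessionId, expiresAt }
    this.failures = new Map();  // clientId -> { count, windowEnds }
  }

  // True only for a code that exists and has not expired; expired codes are purged.
  isLive(code) {
    const inv = this.invites.get(code);
    if (inv && inv.expiresAt <= this.now()) {
      this.invites.delete(code);
      return false;
    }
    return Boolean(inv);
  }

  // Issue a fresh code, re-drawing if it collides with a live invite.
  create(sessionId) {
    let code;
    do {
      code = String(this.randomInt(10000)).padStart(4, "0");
    } while (this.isLive(code));
    this.invites.set(code, { sessionId, expiresAt: this.now() + TTL_MS });
    return code;
  }

  // Redeem at most once; the rate limit is checked before the code is looked at.
  redeem(clientId, code) {
    const t = this.now();
    let f = this.failures.get(clientId);
    if (!f || f.windowEnds <= t) f = { count: 0, windowEnds: t + WINDOW_MS };
    if (f.count >= MAX_FAILED) return { ok: false, reason: "rate_limited" };
    if (!this.isLive(code)) {
      f.count += 1;
      this.failures.set(clientId, f);
      return { ok: false, reason: "invalid_or_expired" };
    }
    const { sessionId } = this.invites.get(code);
    this.invites.delete(code);  // invalidate on first successful use
    return { ok: true, sessionId };
  }
}
```

Unknown and expired codes return the same reason, so a response does not reveal whether a guessed code ever existed.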
Challenges we ran into
- Encrypted data is high-entropy, meaning it looks completely random at a byte level. Forcing that randomness into the rigid structure of human grammar without it looking like "word salad" is a massive technical hurdle.
- We struggled to find a balance where the output was varied enough to hide data but mundane enough to avoid suspicion. If the cover text looks too weird or repetitive, it fails the "human test."
- Because human language is much less "dense" than binary data, a short secret message can turn into a very long cover sentence. Navigating Discord’s character limits while trying to maintain a natural conversational tone required constant tweaking of our encoding dictionary.
Built With
- browser
- javascript
- node.js
- openai-api
- react
- sha-256
- supabase
- web-worker