Inspiration

The inspiration for Secret Ripple came from recognizing the critical need for truly private communication in today's digital landscape. While many messaging platforms claim to offer privacy, they often require personal information, store metadata, or have complex setup processes that deter users. We were inspired to create a messaging platform that prioritizes anonymity and security from the ground up—one where users can communicate without creating accounts, sharing personal details, or worrying about their conversations being compromised. The vision was to build a tool as easy to use as sharing a simple link, yet as secure as military-grade encryption.

What it does

Secret Ripple is a web-based anonymous messaging platform that enables completely private conversations through end-to-end encryption. Users can instantly create secure chat links without any registration—simply generate a link and share it with anyone you want to communicate with. The platform features:

  • Zero-account messaging: No usernames, emails, or personal information required
  • Cryptographic anonymity: Each user is identified only by their cryptographic keys, stored locally
  • Real-time communication: Messages are delivered instantly with live typing indicators
  • Ephemeral conversations: Messages can be set to automatically expire
  • Cross-device compatibility: Works seamlessly on any device with a web browser
  • Offline-first architecture: Messages are stored locally and sync when online

How we built it

Secret Ripple's architecture showcases several innovative technical approaches:

Unique Supabase Event Queue Architecture: Unlike traditional real-time messaging that directly stores messages in the database, Secret Ripple uses Supabase as an intelligent event queue system. Messages are temporarily stored as encrypted events in the event_queue table, processed by recipients, then automatically cleaned up by PostgreSQL cron jobs. This approach provides real-time delivery while maintaining privacy and preventing data accumulation.

Dual-Key E2EE Implementation: We implemented a sophisticated cryptographic system using both X25519 (for ECDH key exchange) and Ed25519 (for digital signatures) keys. Messages are encrypted with shared secrets derived from X25519 keys, while Ed25519 keys ensure message authenticity through digital signatures that are verified before decryption.

Local-First Data Architecture: Built with Dexie.js (IndexedDB), the application stores all user data locally. User profiles, chat history, and cryptographic keys never leave the device, ensuring true privacy. The local database automatically syncs with the encrypted event queue for message delivery.

Scalable Infrastructure:

  • Auto-cleanup: PostgreSQL cron jobs automatically delete processed events and stale data every hour
  • Row-level security: Supabase RLS policies ensure users can only access their own messages
  • Real-time subscriptions: Supabase's real-time engine delivers messages instantly across devices

Modern Tech Stack: Built with React, TypeScript, and Vite for the frontend, with shadcn/ui components providing a beautiful, responsive interface. The cryptographic operations use the Noble crypto library for maximum security and performance.

Challenges we ran into

Complex Cryptographic Integration: Implementing dual-key E2EE while maintaining usability was challenging. We had to carefully design the key management system to handle both X25519 and Ed25519 keys appropriately, ensuring signatures are verified before decryption while keeping the process transparent to users.

Event Queue vs Direct Messaging: Designing the Supabase event queue architecture required rethinking traditional messaging patterns. We had to solve challenges around message ordering, duplicate prevention, and ensuring reliable delivery while maintaining the ephemeral nature of the queue.
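The ordering and duplicate-prevention problems named here, together with the self-cleaning queue described under "How we built it", are what a recipient-side event processor has to solve. The following is an added example, not the project's code: events from a queue may arrive out of order, more than once, or as a replay under a fresh id, and the recipient delivers each message exactly once in sender order, then acknowledges every row it has looked at so the cleanup job can delete them. The event shape `{ id, seq, payload }` and the per-conversation cursor are assumptions made for this example, not the project's schema.

```javascript
// Added example, not Secret Ripple's own code. Recipient-side processing of an event
// queue: exactly-once, in-order delivery over a feed that can reorder, redeliver or
// replay rows. Event shape { id, seq, payload } and the cursor are assumptions.

// Per-conversation state: ids already seen, next expected sequence number, and events
// that arrived early and wait for their predecessors.
function newCursor() {
  return { seen: new Set(), nextSeq: 1, pending: new Map() };
}

// Process one batch fetched from the queue. Returns what was delivered (in order) and
// which queue rows can be acknowledged/deleted, duplicates and stale replays included.
function processBatch(cursor, events) {
  const delivered = [];
  const ack = [];
  for (const ev of events) {
    ack.push(ev.id);                               // every row we have looked at can leave the queue
    if (cursor.seen.has(ev.id)) continue;          // exact duplicate (same row redelivered)
    cursor.seen.add(ev.id);
    if (ev.seq < cursor.nextSeq) continue;         // stale: this slot was already delivered
    if (cursor.pending.has(ev.seq)) continue;      // two ids claiming one slot: keep the first
    cursor.pending.set(ev.seq, ev);
  }
  // Release the contiguous run starting at nextSeq; a gap holds back everything after it.
  while (cursor.pending.has(cursor.nextSeq)) {
    delivered.push(cursor.pending.get(cursor.nextSeq).payload);
    cursor.pending.delete(cursor.nextSeq);
    cursor.nextSeq += 1;
  }
  return { delivered, ack, waiting: cursor.pending.size };
}

// Constructed batches: out-of-order arrival, a redelivered row, an early message that
// has to wait, and a replay of an old sequence number under a new id.
function demoQueue() {
  const cursor = newCursor();
  const first = processBatch(cursor, [
    { id: 'e2', seq: 2, payload: 'second' },
    { id: 'e1', seq: 1, payload: 'first' },
    { id: 'e1', seq: 1, payload: 'first' },      // same row delivered twice
    { id: 'e4', seq: 4, payload: 'fourth' },     // must wait for seq 3
  ]);
  const second = processBatch(cursor, [
    { id: 'e9', seq: 1, payload: 'first' },      // replay of seq 1 under a fresh id
    { id: 'e3', seq: 3, payload: 'third' },
  ]);
  return { first, second };
}
```

In the real system `payload` would be the encrypted, signed envelope, and the sequence number belongs inside that authenticated envelope rather than in a column the server can read: that keeps ordering tamper-evident and keeps per-message ordering metadata off the server. The `ack` list is what feeds the cleanup, so rows that were rejected as duplicates or replays still get removed instead of accumulating.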

Local Storage Synchronization: Building a robust offline-first system that gracefully handles network interruptions, prevents data loss, and maintains consistency between local storage and the remote event queue required careful state management.

Cross-Browser Cryptography: Ensuring consistent cryptographic operations across different browsers and devices was difficult, especially given Web Crypto API limitations and IndexedDB compatibility issues.

Real-time Performance: We had to optimize the real-time subscription system to handle multiple chat rooms and users while preventing memory leaks and keeping performance smooth across different network conditions.

Accomplishments that we're proud of

True Zero-Knowledge Architecture: We achieved genuine privacy where the server never sees unencrypted data, user identities, or message metadata. Even we, as developers, cannot read user messages or identify users.

Innovative Event Queue Pattern: Our use of Supabase as a self-cleaning event queue rather than a traditional message store represents a novel approach to privacy-focused real-time communication that could inspire other applications.

Seamless User Experience: Despite the complex cryptography underneath, users experience messaging that's as simple as sharing a link—no accounts, no setup, just instant secure communication.

Signature Verification UI: We implemented clear visual feedback for message authenticity with green checkmarks for verified messages and red warnings for potential tampering, making cryptographic security transparent to users.

Scalable Privacy: The architecture scales efficiently through automatic cleanup, indexing strategies, and edge computing while maintaining strong privacy guarantees.

Production-Ready Security: Implemented industry-standard cryptographic protocols with proper key management, forward secrecy principles, and defense against common attack vectors.

What we learned

Privacy by Design Principles: We deepened our understanding of how to build applications where privacy isn't just a feature—it's the foundation. Every architectural decision was evaluated through the lens of user privacy and data minimization.

Cryptographic Implementation Complexity: Working with real-world cryptography taught us the importance of using established libraries, proper key management, and the subtle but critical differences between signing and encryption operations.

Event-Driven Architecture Benefits: Using an event queue pattern provided unexpected benefits for scalability, debugging, and system reliability while enabling the privacy features we needed.

Real-time System Design: Building responsive real-time features while maintaining end-to-end encryption requires careful consideration of user experience, network efficiency, and state management.

Local-First Development: Creating applications that work offline first and sync when needed changes how you think about data flow, error handling, and user experience design.

What's next for Secret Ripple

Enhanced Privacy Features:

  • Implementing forward secrecy with automatic key rotation
  • Adding support for disappearing messages with configurable timers
  • Creating decoy traffic to obscure communication patterns

Advanced Communication Tools:

  • File sharing with client-side encryption
  • Voice messages with real-time encryption
  • Group chat support with efficient key distribution
  • Screen sharing capabilities for secure collaboration

Deployment & Accessibility:

  • Mobile app development for iOS and Android
  • Self-hosting options for organizations requiring complete control
  • Integration APIs for embedding secure messaging in other applications
  • Accessibility improvements for users with disabilities

Scalability Enhancements:

  • Distributed architecture support for global deployment
  • Optimized cryptographic operations for better performance
  • Advanced caching strategies for improved response times
  • Analytics dashboard (privacy-preserving) for system monitoring

Security Auditing:

  • Third-party security audit and penetration testing
  • Bug bounty program to identify and fix vulnerabilities
  • Formal cryptographic verification of our implementation
  • Open-source release for community review and contributions

Secret Ripple represents the future of private communication—where security doesn't come at the cost of usability, and privacy is the default, not an afterthought.
