
Any thought or feeling you have can now be shared anonymously with the whole world in under a second, starting with just you and your friends.
Secret launched only four days ago, and everything we have seen so far inspires us. The posts are honest, touching, funny and, contrary to expectations, rarely obscene. This confirms our belief that anonymity can be a force for positive change in the world.
We have received a few questions about how Secret protects your personal data. We take this very seriously, and we think it is important to be open and honest about how our system works in order to build trust with the community.
Look under the hood
Let's focus on two questions. Storage: how and where your information is stored. Delivery: how we deliver secrets to the people you know.
Storage
First, your data is stored on Google's servers, in the same data centers that host Gmail. This means your secrets are protected as well as your mail is (in the sense of how reliably data is written to disk; the disks live in the same data centers as Gmail). As a former Google engineer with deep knowledge of the backend, I am confident in this choice.
Some high-level details:
- Secret is hosted on Google App Engine. It is written almost entirely in Go, with some components in Java and Python.
- All data transmitted over the wire is encrypted using TLS.
- We use a non-relational database built on Google BigTable.
- All messages are encrypted before they are written to the database. The encryption keys are held by a third-party key-management service that supports key rotation.
- Images are stored on Google Cloud Storage and transmitted via TLS.
Contacts. When we look for people you know in your Contacts, we do not send plaintext phone numbers or e-mail addresses to our servers. Instead, your device first computes a salted hash locally, and the server uses that hash to find matches against other hashes. For example, the number [+15552786005] becomes [a22d75c92a630725f4], and the original phone number never leaves your device. This is a one-way transformation. In other words, unlike some other services, we never learn your real phone number or e-mail address.
Important note: although we add a salt to the hash, it is still possible to match a hash back to a phone number, because the space of valid phone numbers is small enough to enumerate, and this is especially easy if the attacker has the salt. We are looking for ways to make this more secure (for example, mixing user-specific data into the hash, or using a Diffie-Hellman style protocol). If you have suggestions for improving security, write to security@secret.ly. This area is very interesting to us.
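To make that caveat concrete, here is an added example (not Secret's code) of the scheme as described: the client-side salted hash, the server-side match, and the attacker-side enumeration that the salt does not stop. The hash function (SHA-256), the 18-character truncation, the salt value, the phone numbers and the user ids are all assumptions made for this demo; the post specifies none of them. It also shows why the "user-specific data" idea is not a drop-in fix.

```python
import hashlib
from typing import Dict, List, Optional

# Assumptions for this demo (the post names neither the hash function, the
# truncation, nor the salt): SHA-256 over salt || normalised number, truncated
# to 18 hex characters so the output looks like the post's example.
SALT = b"demo-global-salt"   # hypothetical value; the real salt is not public
DIGEST_HEX_LEN = 18


def normalize(number: str) -> str:
    """Canonicalise formatting so '+1 (555) 278-6005' and '+15552786005' hash alike."""
    return "+" + "".join(ch for ch in number if ch.isdigit())


def contact_hash(number: str, salt: bytes = SALT) -> str:
    """Client side: the one-way transform applied before anything is uploaded."""
    digest = hashlib.sha256(salt + normalize(number).encode()).hexdigest()
    return digest[:DIGEST_HEX_LEN]


def find_matches(uploaded: List[str], registered: Dict[str, str]) -> List[str]:
    """Server side: intersect uploaded hashes with the hashes of registered users.
    The server only ever handles hashes, never the plaintext numbers."""
    return [registered[h] for h in uploaded if h in registered]


def brute_force(target: str, prefix: str, width: int, salt: bytes = SALT) -> Optional[str]:
    """Attacker side, with the salt known: enumerate every number under a prefix.
    The salt defeats precomputed tables but not enumeration, because the space
    of valid phone numbers is tiny (about 10^10 for one country code) compared
    with a password space."""
    for suffix in range(10 ** width):
        candidate = f"{prefix}{suffix:0{width}d}"
        if contact_hash(candidate, salt) == target:
            return candidate
    return None


def per_user_hash(number: str, user_salt: bytes) -> str:
    """One of the mitigations the post floats: mix in user-specific data.
    Hashes of the same number then differ between users, which stops an attacker
    from reversing one table, but also means the server can no longer match
    users against each other by comparing hashes directly."""
    return contact_hash(number, SALT + b"|" + user_salt)


if __name__ == "__main__":
    h = contact_hash("+15552786005")
    print("uploaded:", h)
    # Enumerating only the last four digits (10^4 hashes) recovers the number in
    # milliseconds; the full ten-digit space is 10^10 hashes, hours in Python
    # and seconds on a GPU.
    print("recovered:", brute_force(h, prefix="+1555278", width=4))
```

The demo enumerates a four-digit suffix so it finishes instantly, but nothing in the scheme gets harder for a larger range except the constant factor: the salt only removes the attacker's ability to precompute. The per-user variant shows the trade-off behind "add user-specific data": it breaks exactly the hash equality the server relies on for matching, which is why a protocol such as the Diffie-Hellman style exchange mentioned above is the more promising direction.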
Secrets. A secret's metadata is stored without any link to the user. Instead, when we deliver a secret to a user, we create a unique token for that user and grant access to the secret through it, as a many-to-one relationship. The tokens live in an ACL that belongs to the secret, not to the user. Messages (posts and comments) are encrypted on the server and decrypted only when a unique token is exchanged for the secret. The server never returns personally sensitive data along with the secret.
These data structures (users, posts, ACLs) are logically separated in the database. Although this abstraction does not provide physical isolation, it prevents a casual observer from finding the author of a secret, and it will let us separate the data physically in the future.
Identification. Moderators have no way to find the posts created by a specific user. When we need to access information for debugging or administrative purposes, we use the "two-person rule": two people must present their keys at the same time. In our case, two admins (currently the founders) must log in with a Google account (with two-factor authentication) and request the resource in question within a set time window. The system we use for this, Red October, is described in more detail on the Cloudflare blog.
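As an added illustration of the two-person rule (not Red October's scheme and not Secret's code): the unlock key is split into XOR shares held by different admins, the vault keeps only a hash commitment to the key, and a request succeeds only when every share arrives within the time window. The share format, the window length, the admin names and the sealed resource are assumptions for this demo; authentication of the admins (the Google login with two-factor) is assumed to happen before `request` is called.

```python
import hashlib
import hmac
import os
from functools import reduce
from typing import Dict, Optional, Tuple

# Added illustration of the two-person rule, not Red October's own scheme.
# Assumption: the unlock key is split into n-of-n XOR shares, one per admin;
# the vault keeps only a hash commitment to the key, never the key itself.


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, parties: int = 2) -> Tuple[bytes, ...]:
    """n-of-n XOR split: any subset smaller than all the shares is uniformly random."""
    shares = [os.urandom(len(key)) for _ in range(parties - 1)]
    last = reduce(_xor, shares, key)
    return tuple(shares) + (last,)


def combine(*shares: bytes) -> bytes:
    """Recover the key from all shares."""
    return reduce(_xor, shares)


def seal(key: bytes, data: bytes) -> bytes:
    """One-time-pad the resource with a key of equal length (demo only; a real
    deployment would wrap a data key with a KMS). XOR is its own inverse."""
    assert len(key) == len(data)
    return _xor(key, data)


class TwoPersonVault:
    def __init__(self, key: bytes, sealed: bytes, required: int = 2, window_seconds: float = 300):
        self._commitment = hashlib.sha256(key).digest()   # detects a wrong share
        self._sealed = sealed
        self._required = required
        self._window = window_seconds
        self._pending: Dict[str, Tuple[float, bytes]] = {}   # admin -> (timestamp, share)

    def request(self, admin: str, share: bytes, now: float) -> Optional[bytes]:
        """Record one admin's share. Returns the unsealed resource only once
        `required` distinct admins have presented shares within the window."""
        # Drop requests older than the window, then record this one
        # (a repeat from the same admin replaces their earlier entry).
        self._pending = {a: (t, s) for a, (t, s) in self._pending.items()
                         if now - t <= self._window}
        self._pending[admin] = (now, share)
        if len(self._pending) < self._required:
            return None
        shares = [s for _, s in self._pending.values()]
        self._pending.clear()                       # one attempt per quorum, success or not
        key = combine(*shares)
        if not hmac.compare_digest(hashlib.sha256(key).digest(), self._commitment):
            return None                             # some share was wrong; do not say which
        return seal(key, self._sealed)


if __name__ == "__main__":
    key = os.urandom(16)
    vault = TwoPersonVault(key, seal(key, b"debug-dump-token"))
    s1, s2 = split_key(key)
    print(vault.request("founder1", s1, now=1000.0))   # None: only one admin so far
    print(vault.request("founder2", s2, now=1100.0))   # b'debug-dump-token'
```

Two properties of the design are worth noting. The vault can verify the reconstructed key without storing it, so a compromise of the vault alone yields only the sealed blob and a hash. And a single admin presenting both shares still counts as one party, because pending requests are keyed by authenticated identity rather than by share.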
Delivery
Secret's delivery system was designed to meet these criteria:
- It must be secure.
- It must be fast.
- It must be able to learn.
What happens when you post
- The post is first saved and delivered to its author.
- Next, an asynchronous process decides who else should receive your post (people you are connected to, or people who might find it interesting). The contacts in your address book are only one strong signal for that algorithm.
- Each delivery is unique to the recipient and can be canceled, which is an important tool in the fight against spam (not covered in this article).
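An added example (not Secret's code) of the storage model from the Secrets section together with the posting steps above: posts are stored as ciphertext with no author column, the delivery tokens sit in an ACL keyed by the post, each token can be revoked on its own, and redeeming a token returns the body and nothing about the author. The cipher (an HMAC-SHA256 keystream standing in for a KMS-backed AEAD), the friend graph used for fan-out, the user names and the post text are all assumptions for this demo; the real recipient-selection algorithm is not described in the post.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Set

# Stand-in for the KMS-backed encryption the post mentions: an HMAC-SHA256
# keystream in counter mode, using the post id as the nonce. It is not
# authenticated and exists only so the stored body is not plaintext in this
# demo; a real deployment would use AES-GCM with a key from a KMS.
def _keystream_xor(key: bytes, post_id: str, data: bytes) -> bytes:
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, f"{post_id}:{offset}".encode(), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


class SecretStore:
    """Three logically separate tables: posts, ACLs (keyed by post) and inboxes."""

    def __init__(self, master_key: bytes):
        self._key = master_key
        self.posts: Dict[str, bytes] = {}              # post_id -> ciphertext, no author column
        self.acls: Dict[str, Set[str]] = {}            # post_id -> live delivery tokens
        self.inboxes: Dict[str, Dict[str, str]] = {}   # user_id -> {token: post_id}

    def create_post(self, author: str, body: str) -> str:
        """Step 1: persist the ciphertext, then deliver the post to its author."""
        post_id = secrets.token_hex(8)
        self.posts[post_id] = _keystream_xor(self._key, post_id, body.encode())
        self.acls[post_id] = set()
        self.deliver(post_id, author)
        return post_id

    def deliver(self, post_id: str, user: str) -> str:
        """Mint a per-recipient token and record it in the secret's ACL."""
        token = secrets.token_urlsafe(16)
        self.acls[post_id].add(token)
        self.inboxes.setdefault(user, {})[token] = post_id
        return token

    def fan_out(self, post_id: str, author: str, friends_of: Dict[str, Set[str]]) -> int:
        """Step 2 (asynchronous in production, synchronous here): pick recipients.
        Assumed policy for the demo: the author's direct friends. Returns the
        number of deliveries made."""
        count = 0
        for user in sorted(friends_of.get(author, set())):
            if user != author:
                self.deliver(post_id, user)
                count += 1
        return count

    def revoke(self, post_id: str, token: str) -> None:
        """Cancel one delivery (spam control) without affecting other readers."""
        self.acls[post_id].discard(token)

    def redeem(self, user: str, token: str) -> Optional[str]:
        """Exchange a token for the decrypted body. Nothing returned names the author."""
        post_id = self.inboxes.get(user, {}).get(token)
        if post_id is None or token not in self.acls.get(post_id, set()):
            return None
        return _keystream_xor(self._key, post_id, self.posts[post_id]).decode()

    def observer_view(self, post_id: str) -> dict:
        """What someone who can read the posts and ACL tables, but not the
        inboxes, sees for one secret: ciphertext and opaque tokens, no user ids."""
        return {"ciphertext": self.posts[post_id], "tokens": sorted(self.acls[post_id])}


if __name__ == "__main__":
    store = SecretStore(b"k" * 32)                                   # demo key
    friends = {"alice": {"bob", "carol"}, "bob": {"alice"}}         # constructed graph
    pid = store.create_post("alice", "I still miss the old office")  # constructed post
    store.fan_out(pid, "alice", friends)
    (tok,) = store.inboxes["bob"]
    print(store.redeem("bob", tok))
    print(store.observer_view(pid))
```

The author's own token is indistinguishable from any other reader's, which is the property behind "prevents a casual observer from finding the author": linking a post to its author requires joining the ACL with the inboxes and then knowing which of the matching users posted first, and that ordering is exactly what the separate tables do not record.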
What's not happening
- We do not deliver secrets to everyone in your Contacts. Being in your address book does not by itself mean a person will receive your secret.
Timing. Although our system has high throughput, this does not mean secrets are always delivered instantly. For example, the fewer friends a user has, the less we show them. This defeats the trick of narrowing a secret down to its author by keeping your circle small.
A user with no friends, or very few, will not see many secrets from people they may know. The more friends they add, the more secrets arrive from their "circle" (friends and friends of friends). Once a user has many friends, we also show whether a specific post came from a friend or from a friend of a friend. This is crucial for establishing trust without revealing anyone's identity.
Putting it all together
We strive to make the technology highly secure and, at the same time, flexible enough to let us make the product more humane. Great products are only possible when complex technology can be presented in a simple, beautiful and complete form.
In this day and age, security and privacy matter more than ever. They were important to us at Google and Square, and they will always be a top priority at Secret.
David Byttow
Co-founder, Secret