Security Analysis

Is Privnote Safe?

A thorough, honest assessment of Privnote's security model — what it protects, what it does not, and how to use it safely.

Security Assessment Summary

Good
For everyday use
Passwords, codes, temporary info
Moderate
For sensitive data
Use with password + separate channel
Insufficient
For classified data
Use Signal, Bitwarden Send instead

How Privnote Encrypts Your Notes

Encryption and cybersecurity

Privnote uses a client-side encryption model, which means your note is encrypted in your browser before it is transmitted to Privnote's servers. This is an important distinction from services that encrypt data only during transmission (HTTPS) but store it in readable form on the server.

The Encryption Architecture

When you create a note, Privnote's JavaScript code encrypts the text in your browser using a randomly generated encryption key. The encrypted note is then sent to Privnote's server for temporary storage. The encryption key itself is embedded in the URL as a fragment identifier — the portion of the URL after the # symbol.

URL fragments are a critical part of this security model. When a browser navigates to a URL, the fragment (the part after #) is processed locally by the browser and is never sent to the web server. This means Privnote's servers receive the encrypted note but never receive the key needed to decrypt it. In theory, Privnote's servers cannot read your note even if they wanted to.

HTTPS Protection

All communication between your browser and Privnote's servers is protected by HTTPS (TLS encryption). This prevents network-level interception of your note during transmission. However, HTTPS only protects data in transit — it does not protect data stored on the server. This is why the client-side encryption is important.

Password Encryption

When you add a manual password, it is used as an additional encryption key. The note is encrypted with both the random key (embedded in the URL) and your password. This means that even if someone obtains the URL, they cannot read the note without also knowing the password. This is the strongest security configuration Privnote offers.

Known Security Risks

⚠ Phishing Clone Sites

The most serious documented risk with Privnote is the existence of phishing clones. Sites like privnotes.com (note the extra 's') are designed to look identical to Privnote but intercept your messages before delivering them. These clones have been documented stealing Bitcoin wallet addresses and other sensitive information by replacing the content of notes before delivery. Always verify you are on privnote.com.

⚠ Screenshot and Copy Risk

Privnote cannot prevent the recipient from taking a screenshot, copying the text, or recording the screen. Once the message is displayed, the information is in the recipient's hands. The self-destruction prevents re-access via the link but does not prevent the recipient from preserving the content by other means.

⚠ Link Interception

If someone intercepts the Privnote link before the intended recipient opens it, they can read the note and the intended recipient will find it already destroyed. Links can be intercepted through compromised email accounts, malware, or insecure communication channels. Using password protection mitigates this risk significantly.

ℹ Server Trust

You must trust that Privnote's servers actually delete notes after reading and handle the encrypted data responsibly. Privnote is not open-source, so independent verification of these claims is limited. For most use cases this is an acceptable level of trust, but for highly sensitive data, consider open-source alternatives.

Maximizing Your Security with Privnote

01

Always verify the domain

Before typing any sensitive information, confirm the URL shows exactly "privnote.com" in your browser's address bar. Look for the padlock icon indicating HTTPS. Never use a Privnote link from an untrusted source without verifying it leads to privnote.com.

02

Use passwords for sensitive notes

Always add a password to notes containing credentials, financial data, or personal information. Send the password through a completely separate channel — never in the same email or message as the link.

03

Enable destruction notifications

For important notes, enable email notifications. If you receive a notification before the expected recipient has had time to read it, treat the information as potentially compromised and take appropriate action.

04

Warn recipients in advance

Before sending a Privnote link, let the recipient know it is coming. This prevents them from ignoring the link, accidentally opening it at the wrong time, or missing the window before expiration.