How do self-destructing messages work?

You can assign timers to your messages in the Subrosa Chat & Calls application. After the timer runs out, the message will be deleted without a trace. As an even further security-measure, self-destructing messages can not be saved, copied, or forwarded to ensure perfect communication secrecy.

There’re two options to make your messages self-destruct. Set a Time To Live (TTL) which starts a countdown the moment the message is sent. After the time runs out it is deleted, regardless of whether the recipient has seen it. Set the message For Your Eyes Only (FYEO) in which case the countdown is triggered after the recipient sees the message and after it runs out the message is again deleted.

What server security do you have?

Our gateway servers have multilayered protection. We use logical isolation, firewall filters, ACLs, and DDoS and APT protection. Moreover, we run our BGP network for additional control and security.

Communication between our servers travels via a VPN tunnel, and no unencrypted traffic ever leaves our infrastructure. Furthermore Subrosa has complex technical procedures to ensure no sensitive client-related information is ever stored on our servers.

How safe is PGP encryption for email?

Your PGP encrypted emails are only as safe as the security mechanism of the email client you’re using: how complex the cryptographic keys are, from where they are generated, and where they are stored.

Unlike most competitors, that generate the keys directly on their server and share them with the user, Subrosa Mobile generates the private keys directly on the peers devices. This flow guarantees that no one can access the encrypted information but the users themselves. The only inconvenience is that we store no copies of your keys, and thus we’re not able to assist you in case you forget or lose yours.

The cryptographic keys we use imply 4096-bit encryption, which will take supercomputers 14 million centuries to decrypt.

How safe is ZRTP encryption for voice calls?

The first step of a VolP (voice over IP) call is to exchange compatibility information to establish a connection. Basically, both the recipient and the initiator generates ephemeral key pairs and transmit key-agreement information. The technique uses a short authentication string (SAS) that users share over the phone, verbally for authentication. Each session uses different ephemeral keys and creates a shared secret which the ZRTP mixes with the secret of the next call.

The technical flow of the ZRTP encryption makes every consecutive call more secure than the previous one. The approach allows detection of MiTM (man-in-the-middle) attacks and is practically impossible for eavesdropping as the generation of a new key for each session ensures that even if a key gets leaked, past and future communication is absolutely protected. The complex technique implies multi-layered protection: from the shared secret and the ephemeral keys to the fact that once a connection is established, both devices act as a receiver and transmitter of information.

No sensitive data goes through any server, guaranteeing the complete privacy of communication. If two encrypted phones agree on a key, the users can be sure that their calls are protected from any attack.

How safe is the information shared in an OMEMO group chat?

To deliver messages to every peer in a group chat, we need to use our servers. Yet, sensitive data is stored only for a brief time. Once all users have received the message all trace of it on our servers is gone In the group chat, the user sends a message, and all recipients currently online receive it instantly. Yet, all peers that are offline don't. The message is stored on our servers that constantly check whether the recipients have come online to send it to them.

If we didn't imply this technique, the shared information would be lost and never delivered to the offline users. Once the message is delivered to all group members, it is deleted from the server-side leaving zero-trace. For even further security, we store shared group chat messages for a maximum of 7 days after which they're deleted regardless of whether all users have seen the message or not.

Still have questions?