FAQ:

1. Q: I've forgotten my password, what can I do?

   A: Passwords are never sent to our servers. We only store encrypted text - which is useless data once a password is lost. Also, we don't know who this text belongs to.

2. Q: Please explain 'Trustless Security'.

   A: Your password never leaves your device. We only store encrypted content. You don't have to trust us, or anyone else with your password, since only you know it and only you can decrypt your notes. It's like if you're writing a diary with special characters that only you understand. It doesn't matter where you keep this diary, since only you can understand the text that's inside.

3. Q: How can I make encrypted backup of my notes?

   A: It's simple: Open your site with Google Chrome or Mozilla Firefox and save the site before decrypting it (Ctrl + S should work). Make sure to save the site while 'Password required' dialog is still visible. To open your encrypted backup, open saved .html file and type in your password.

4. Q: Can I make a site public?

   A: You can add the password after the URL of your site, like this: ProtectedText.com/yourSite?yourPassword which will automatically decrypt yourSite with yourPassword.

5. Q:Why do I see the "Verifying you are human..." screen?

   A: Sometimes our servers come under attack by scammers attempting to steal user data to brute-force weak passwords, or they may launch DDoS attacks to bring us offline—hoping users will instead visit their phishing sites.
   When we detect unusually high traffic, we strengthen our security mechanisms to block these attackers. As a result, you may see human verification dialogs. Once completed, these allow us to mark you as a legitimate user (by setting a GDPR-compliant cookie) and grant you full access to the site. Just remember: if the site isn’t working, you may simply need to reload it to trigger the verification. This helps your browser receive a pass that lets you continue using the site as usual.

6. Q: Is the website www.protectedtextPRO.com safe?

   A: NO! That is a fake phishing site designed to steal your password. Scammers use it to gain access to your data on our site, and then scam you. Remember: only protectedtext.com is our official website. Everything else is a scam trying to trick you into giving away your password. The internet is full of scammers, and fake versions of our site appear regularly. If you don't see exactly protectedtext.com in the URL bar of your browser, do not enter your password—no matter what anyone says.

Q:Why do I see "Error: Server Error. The server encountered..."?

A: This usually happens when your IP address has been making too many requests (by you or someone else on your Wi-Fi network), so the server flagged your IP address as a potential attacker and stopped serving it. The easiest way to get around this is to simply change your IP address. This can usually be done by turning your Wi-Fi router off and back on, or by using a different Wi-Fi network if that’s an option.

Q: Why is my URL changed from "Mark's notes" to "mark-s-notes"?

A: Some characters aren't allowed in URL addresses, that's why your URL is redirected to a URL that has some characters replaced with dashes. You can always type in "Mark's notes" and you'll be redirected to the same URL.

Q: What are your long-term plans? How will you react to legal pressure?

A: We'd like to create a file storage and sharing service with a similar security approach.
In case of legal prosecutions, we can't hurt users because we don't know anything about them, and we can't decrypt their notes.

Q: Do I have to use a long password?

A: You don't have to, but it's recommended. The longer the password, the harder it is to guess. Note that your text is protected by both the URL and your password. However, if someone discovers your site, they can try many passwords until they guess yours. This is called a brute-force attack, which we mitigate by using Argon2 hashing. Still, to be more secure, use passwords that are complex and longer than 7 characters.

Q: Can I use a suspicious internet connection (e.g. Starbucks)?

A: Yes. Your password (or password hashes) are never sent over the network, and all data that's sent or received is always encrypted. Your data is decrypted only on your device, and encrypted before it's returned to us.

Q: How can you verify that a password is correct if you don't store it anywhere and don't send it to server? How do you authenticate the user?

A: The server doesn't know anything about authentication; that's all handled in your browser. There are no users on ProtectedText.com, just sites. Passwords are never saved; not even within encrypted text.
Decryption of a page will fail if the password is incorrect, so whoever can decrypt the page must have used the correct password. The idea is that we don't have to know the password; we just have to make sure that the password is correct - and one way to check that is to try decrypting some well-known text using the provided password. The "well-known" text we're using is the URL of the current site (which is different, but known, for each site).
Once a user creates the password, we store the encrypted URL, and each time the password needs to be tested, we just try decrypting the encrypted URL. If we get the expected URL, we try using the same password for decrypting the whole site (it's possible -- but very unlikely -- that two different passwords correctly decrypt the same URL, but using that wrong password for decrypting everything else will result in gibberish).

Q: How does overwrite protection work?

A: Overwrite protection prevents you from saving any changes if text was changed in the meantime. (The server stores the hash of the newest content, and sends the hash to the client together with the content. The client has to return that same hash when trying to save updated content. The server compares both the stored and received hashes to determinate whether client was served with the latest changes.)

Q: How is the title of each tab computed?

A: The title of each tab consists of up to 20 characters from the first non-empty line of text.

Q: What encryption algorithms are used?

A: ProtectedText.com uses standard AES algorithm for encrypting/decrypting the content, together with 'salts' and other known good practices to achieve exceptional security; and Argon2 and SHA512 algorithms for hashing. On top of that, all data is only provided through TLS.

Q: Is the server code available somewhere? I'd like to host the service myself.

A: We haven't opened the server code for now. We'd like to provide perfect security to everyone, not just tech-savvy users. So we've created an approach where the server side is irrelevant — that's the beauty of this service.
No one should be forced to trust anyone in order to be secure; that's why all security is provided on the client side (which users can verify). Even if you had access to the server code, you couldn't confirm whether that exact code was running on the server or if it had been replaced by something else. In other words: whenever a server’s code is responsible for providing security, you have to trust whoever runs it.

Q: How long do you keep sites on your servers? Will they ever expire?

A: Sites aren't deleted automatically. We'll keep them until you delete them yourself.

Q: Is there a length limit?

A: The current maximum length is a bit more then 750 000 chars per page.

Q: Is there some kind of self-destruct mechanism?

A: All that we have are encrypted versions of notes that you store on our servers, so once you delete your notes, that's it.

show more... Hide FAQ