exceptional encryption for everyone

exceptional encryption for everyone

Tuesday, July 29, 2014

surespot roadmap

TL;DR we will be ending gingerbread support in approximately 2-3 months. iOS 6 is already required so no worries there.

Here is our roadmap, items listed in the order they will be completed:

Group Chat


  • Will need ice cream sandwich or above.
  • v58 will still work (until the protocol changes outlined below) but without group chat ability.

Round of UI, bug fixing, and improvements


  • Will be making protocol changes that will not be backwards compatible with v58 so after this release only versions above v58 will work, thus surespot will not work on gingerbread phones anymore.

File transfer


  • Encrypted file transfer to allow any file to be sent (in group or 1 on 1 chat).

Desktop clients


  • Haven't decided between browser plugin or native desktop app approach. Leaning towards browser plugin as deployment and upgrading is much easier on top of the cross-platform advantages.


Friday, May 16, 2014

our first birthday


May 16, 2014

Surespot encrypted messenger celebrates one year of encrypting image, text and voice messages

When surespot was released just one year ago, the world was not yet aware of who Edward Snowden was. The co-founders Cherie and Adam didn't need the coming revelations of PRISM and DISHFIRE to understand that there was a need for easy to use, always-on encryption for electronic communications. “Some people claimed they had nothing to hide to which we would reply, then send me your bank pin number over text message.” The negative reaction was telling, we all knew deep down that electronic communications were not secure and now thanks to Snowden we know why we felt that way.

To regain that privacy surespot was created. All image, text and voice messages are encrypted on the users phone or tablet using 256 bit AES-GCM encryption which is exceptionally strong. surespot usernames are not identified with your phone number or email address and you can have multiple identities on a single device to keep matters separated. Identities can also exist on multiple devices simultaneously so you can carry on a conversation on your phone then move to your tablet and in the future- your desktop. Surespot users must invite other users using an invitation link or by scanning a QR code instead of pilfering your contact book and automatically associating you with everyone. This gives you the opportunity to ignore, block and even delete a friendship putting you back in control.

Consumer trust has been tested in this era of security breaches and data mining so the surespot creators made all of the surespot encrypted messenger code open source. This way anyone can examine the inner workings and verify that surespot works exactly the way it claims to and that there are no backdoors.

Surespot is free to use with in-app purchases unlocking extra features like voice messaging and the soon to be released encrypted group chat. Cherie and Adam simply ask you to pay what you like for the service. You can also contribute by providing code, translating (currently available in French, German, Spanish, English and Italian) and telling others about this encrypted replacement for mobile messaging.

“We wanted organic and sustainable growth so we have relied on our loyal fans to spread the word and in turn we implement their suggestions and provide personal customer service. On this anniversary we are happy to announce that 13 million messages have been sent by our 130 000 worldwide users.”

Surespot encrypted messenger is available for Android on Google Play and iOS on the App Store.

You can find out more about how surespot works on the website- www.surespot.me

You can follow us on Twitter- @surespot






Tuesday, April 8, 2014

How heartbleed / OpenSSL bug affects surespot.


TL;DR- change your password & back up your identity, no one was able to read your messages.

Our hosting company is Linode. We use their "NodeBalancer" product for load balancing, which allows for SSL termination, a feature we were taking advantage of. According to Linode, the vulnerability was patched in their NodeBalancers within 4 hours of initial bug reports meaning surespot servers were susceptible to the exploit until then.

Surespot relies upon HTTP sessions secured with SSL, so there was the potential that a session could have been hijacked and allowed the attacker to access the server posing as that user. In this state, the attacker could have performed the attacks described under "Login validation, sessions, and web method access" in the surespot threat analysis found on our website here: https://www.surespot.me/documents/threat.html.

Fortunately, as described in our threat document, these attacks are relatively minor. The encrypted message contents themselves are not vulnerable, as they are end-to-end encrypted and rely on the private key which is stored on your device.

Actions we are taking-

We have deleted all of the current sessions so any sessions that may have been hijacked will no longer be active.  Since Linode has patched the bug any new sessions will no longer be vulnerable.

It may be possible that an attacker could have obtained the information needed to login and create a new session.  In this unlikely event, to prevent the attacker from creating a new session we recommend changing your password (don't forget to back up your identity again).

We have reissued the SSL certificate.

We wish to reiterate that the contents of your surespot messages were not made vulnerable/readable by this OpenSSL bug.

~the surespot project
Exceptional Encryption for Everyone