Frequently Asked Questions

Traditional Apps: Require you to install an app, verify a phone number, and create an account. You become a permanent contact in someone's database - even if you only wanted a one-time conversation.

nullroom.io: No app, no sign-up, no phone number, no account. Just click "Create Secure Room", share a URL, and chat. The moment you close the tab, everything vanishes.

Most messaging apps store your history on their servers, even if it's encrypted. nullroom.io is designed to leave no trace:

• No Accounts: We don't ask for your name, email, or phone number.
• No Logs: Our servers are configured to ignore connection details.
• No Persistence: Messages live only in your browser's temporary memory.

1. WebRTC (Peer-to-Peer): Your device talks directly to your peer's device - messages bypass our servers.
2. Post-Quantum Key Exchange: Once the direct connection opens, both peers perform an ML-KEM-768 key exchange to establish a quantum-resistant shared secret.
3. Hybrid Key Derivation: The quantum secret is fused with the classical URL key via HKDF-SHA-256, producing a hybrid session key that is secure against both classical and quantum attacks.
4. Web Crypto API: Every message is encrypted with the hybrid key using AES-GCM 256-bit before leaving your device (E2EE).

Only you and your peer. The initial key is appended to the URL after the # symbol (never sent to the server). Once connected, a second quantum-resistant secret is negotiated directly between your browsers and fused with the URL key to produce the final hybrid session key. Neither secret alone is sufficient - an attacker would need both. Because the URL fragment never leaves your device, it is mathematically impossible for us (or anyone compromising our servers) to decrypt your chat.

nullroom is optimised for private 1-on-1 conversations. Each room is limited to two participants - our backend enforces a "Room Capacity Lock" to prevent third parties from joining.

No. The encryption key is stored in your browser's URL fragment (#) - it never leaves your device. To maintain the Zero-Trace promise, the key is not synced to any cloud service.

Future quantum computers could break today's key-exchange algorithms (like ECDH), allowing adversaries who record encrypted traffic now to decrypt it later. nullroom uses ML-KEM-768 (NIST FIPS 203, Security Level 3) - a lattice-based key encapsulation mechanism designed to resist quantum attacks. By combining it with the classical key, your session is protected even if one layer is eventually compromised.

Yes. We believe privacy tools must be fully transparent. Don't just trust our claims - read the code or audit the cryptography. The entire source code is available on GitHub: https://github.com/nullroomio/nullroom.io

Quick check: Look for the small dot in the bottom-left corner of any page. Click it to see an integrity audit — it shows how many loaded modules match the build manifest and links directly to the GitHub Attestation for the running commit. This check happens entirely in your browser with zero network calls.

Independent verification: nullroom's Docker build is fully deterministic — the same source code always produces the same compiled output, byte for byte. Every push to main is cryptographically signed by GitHub Actions using Artifact Attestations, creating a tamper-proof receipt tied to the exact commit.

Verify it yourself with two commands:

gh run download --repo nullroomio/nullroom.io -n asset-checksums
gh attestation verify asset-checksums/checksums.sha256 --repo nullroomio/nullroom.io

Note: The in-app audit compares data served by the same server. For true independent proof, confirm the commit hash shown in the audit panel matches the attested commit on GitHub, or use the CLI commands above.

For the full technical details, see VERIFICATION.md.