Frequently Asked Questions
What is Blindflare?
Blindflare is a zero-trust encrypted web system. All encryption, authentication, and validation are performed on your device. The server never sees your secrets.
How is Blindflare different from traditional web apps?
Traditional apps trust the server with your data and passwords. Blindflare never sends plaintext passwords or data to the server. All cryptography is client-side, so the server only stores encrypted blobs.
What is ztStorage?
ztStorage (zero-trust storage) is a model where all data is encrypted on your device before being sent to the server. The server cannot decrypt or understand your data.
How does authentication work?
Authentication is key-based. Clients generate ECC keypairs. Passwords are never transmitted. The server only sees your public key and a hash derived from your private key.
What happens if the server is compromised?
Attackers gain nothing useful. All data is encrypted and signed client-side. No passwords, plaintext, or private keys are ever stored or transmitted to the server.
Can Cloudflare or reverse proxies see my data?
No. All sensitive data is encrypted above the transport layer. Even if TLS is terminated at a proxy, the payload remains unreadable.
How do I recover my account?
If you use a password-derived key, you can recover your account with your password and salt. If you use a random key, you must back up your private key or mnemonic.
Is Blindflare open source?
Yes. Visit blindflare.org for source code and documentation.
Which cryptography does Blindflare use?
Blindflare uses secp256k1 for keypairs and signatures, ECDH for key agreement, and an AEAD cipher for symmetric encryption. Hashes are used for key derivation, verifiers, and content addressing.
Does Blindflare require JavaScript?
No. The website you are reading is JavaScript-free. Reference implementations of the protocol run without tracking or analytics.
What about metadata leakage?
Blindflare minimizes metadata by encrypting payloads end-to-end, using content-addressed blobs, and avoiding server-visible identifiers wherever possible.
Can I share data with other users?
Yes. The sender encrypts content to the recipient’s public key or to a shared group key. The server still only sees opaque ciphertext.
How are replays and tampering prevented?
AEAD nonces, counters, and signatures bind requests to contexts. The client rejects modified or replayed messages.
What if I forget my password or lose my key?
There is no server-side recovery. If you used a password-derived key and remember the password and salt, you can recover locally. Otherwise, recovery requires your mnemonic or private key backup.
Is this compatible with reverse proxies and CDNs?
Yes. Proxies can cache and deliver ciphertexts without access to plaintext. Terminating TLS does not reveal application-layer data.
What is the "Room 641A" parallel?
"Room 641A" refers to reports of an AT&T facility used for upstream Internet traffic interception. Large reverse proxies and CDNs have a similar strategic position on today's web. Blindflare mitigates this by encrypting application payloads above transport, so even if TLS terminates at a proxy, the proxy cannot read the content.
Can enterprises adopt Blindflare?
Enterprises can deploy Blindflare to protect sensitive workloads over untrusted infrastructure, including hybrid and multi-cloud environments.
How does registration work without passwords?
The client registers by publishing its public key and a verifier derived from its private or password-derived key. The server never stores passwords.
What are the performance considerations?
Modern devices handle ECC and AEAD efficiently. Caching of derived keys and compact manifests keeps overhead low.
What licenses apply?
Blindflare is presented as an open protocol and reference content. See the repository for licensing details.