Transit

Encrypt a snippet in your browser, share a link, decrypt on the other end. The plaintext never reaches our servers, and the recipient doesn't need an account.

Transit (transit.thepeoples.io) is a tiny single-purpose app: paste or drop a file, set a passphrase and an expiry, get back a short share URL. The recipient opens the URL and enters the passphrase to decrypt.

The encryption happens in your browser using AES-GCM with a key derived from your passphrase via PBKDF2 (600,000 iterations). The encrypted bytes live in s3://thepeoples-io-transit-prod and expire automatically after 7 days. Transit is anonymous — there is no account and no tracking. Identity Pool credentials give each session its own prefix so sessions cannot read each other's data.

How it works

  1. Open transit.thepeoples.io in any modern browser.
  2. Drop or paste the bytes you want to share. Choose a passphrase (you'll share this out-of-band) and an expiry (default 7 days, max 7 days).
  3. The browser generates a per-session Cognito Identity, derives a per-session key from the passphrase via PBKDF2, encrypts the bytes with AES-GCM, and uploads the ciphertext to uploads/<identity-id>/<base32-id>.
  4. Copy the share URL. It contains the share ID in the path and the key material for decryption in the URL fragment (the part after #); browsers never send the fragment to the server.
  5. The recipient opens the URL and enters the passphrase; the browser derives the AES key from the passphrase together with the URL fragment, decrypts, and downloads the decrypted bytes.

The server only ever sees the ciphertext and the share metadata. Without both the URL and the passphrase, the data is unrecoverable.

Threat model summary

  • Server compromise: only ciphertext is stored. PBKDF2 (600,000 iterations) keeps offline brute-force of a non-trivial passphrase outside practical bounds, and the AES-GCM ciphertext is unreadable without the derived key.
  • Network observer: HTTPS in transit; URL fragment (key) is never sent to the server.
  • Recipient device: the recipient's browser performs the decrypt. A compromised recipient endpoint can read the plaintext at decryption time — that is the threat model of any share-by-link tool.

Out of scope for v1: virus scanning, resumable uploads, server-side content moderation, signed manifests, AV integration, persistent ("vault") mode, file preview, social login.