THREAT MODEL

what tyst protects against · and what it does not
// ASYMMETRIC DEFENSE MODEL
MASS SURVEILLANCE
Impossible. E2E encryption. Zero logs. Ephemeral data. No identity stored.
TARGETED ATTACK
Expensive. Blast radius = 1 message. Stand-alone design. No session keys.
LEGAL COERCION
Exhausting. Finland jurisdiction. Data gone before process ends. Nothing to produce.
TYST does not claim to be unbreakable. Breaking TYST costs more than the information is worth. This is asymmetric defense — the same principle that makes smaller forces survive against larger adversaries.
// honest disclaimer
How is TYST different from WhatsApp disappearing messages? WhatsApp knows your phone number, who you message, and when. Their servers hold your messages before delivery. Disappearing messages hide content from your screen — not from Meta's servers or legal requests. TYST holds only ciphertext it cannot decrypt, collects no identity, and operates under Finnish law outside US jurisdiction. There is nothing to produce to any authority.

What the server technically cannot know: message content (E2E encrypted on your device), sender identity (optional and unverified), or recipient's private key. Even under legal compulsion, we cannot produce what we do not hold. Finnish law requires bilateral process of 6–18 months minimum — by which time all data is long destroyed.

No system is perfect. This document exists because we believe you deserve to know exactly what TYST can and cannot protect you from before you use it. If our limitations don't match your threat model, don't use TYST. Use something better suited to your needs.

We will update this document when our threat model changes. Last updated: 2026-05-23
                          WHATSAPP                 TYST                       TYST + TOR
knows your identity       phone number required    no phone · no email        no phone · no email
knows your IP             always visible           visible to Hetzner         hidden via Tor
knows who you message     contact graph stored     server cannot see          server cannot see
can read message content  server holds plaintext   E2E · ciphertext only      E2E · ciphertext only
jurisdiction              US · CLOUD Act           Finland · EU GDPR          Finland · EU GDPR
can comply with subpoena  yes                      nothing to produce         nothing to produce
message retention         server + cloud backup    destroyed 5s after read    destroyed 5s after read
server compromise
An attacker who gains full access to our server gets only ciphertext. Messages are encrypted on your device before leaving. Our server never holds plaintext, ever.
sender identity linkage
The server does not log your IP. Messages are forwarded via relay. A random 2–47 second delay breaks timing correlation. We cannot tell you who sent a message — and we mean that technically, not just as policy.
message size analysis
All messages are padded to a multiple of 256 bytes before encryption. An observer watching traffic cannot determine message length from ciphertext size.
message retention
Messages are destroyed from the server 5 seconds after the recipient opens them. There is no backup. No log. Once destroyed, not even we can retrieve them.
identity collection
We collect no phone number, email address, or government ID. A username is the only identifier. It is not linked to any real-world identity by us.
legal compulsion — content
If legally compelled to hand over message content, we cannot. We hold only ciphertext. The recipient's private key — which we never have — is required for decryption. Legal coercion is exhausting by design: under Finnish jurisdiction any legal request requires a bilateral process of 6–18 months minimum, while messages are destroyed 5 seconds after reading and a server-side cleanup job runs every 15 minutes. By the time a request is processed there is nothing to produce. Finnish law governs.
device compromise
Your private key is stored in localStorage. Anyone with physical or remote access to your device can extract it. TYST protects against server-side attacks, not device-side attacks. If your device is compromised, assume all messages are compromised.
recipient betrayal
The recipient can screenshot, photograph, or copy any message before it self-destructs. We cannot prevent this. Trust your recipient, not just the technology.
network-level surveillance
TYST does not use onion routing by default. Your ISP and Hetzner can see that you connected to tyst.site — but not what you sent or to whom.

For transport anonymity, use our Tor hidden service: jd34xoogv4b2qawdrxj665zhzvrvf3t2echid5zb4wksas3qsgf3void.onion via Tor Browser. With Tor, no party knows your IP, who you message, or that you use TYST at all. The 2–47 second relay delay further breaks timing correlation. Attack cost increases significantly.
quantum attacks
ECDH P-256 is not post-quantum secure. A sufficiently advanced quantum computer could break the key exchange. This is a theoretical risk today, not a practical one. We will implement post-quantum hybrid cryptography in a future version.
relay trust
TYST's relay is centralized and operated by us. Unlike Session (decentralized nodes) or SimpleX (self-hostable), you must trust that our relay is not logging your IP. Our warrant canary (updated monthly), Caddy access logs discarded, and Finnish jurisdiction partially mitigate this. We plan to open-source the relay configuration. For full transport anonymity, use our Tor onion address.
infrastructure transparency
Hetzner Helsinki, Finland. PocketBase self-hosted. Zero access logs (Caddy access logs discarded). Finnish jurisdiction. EU GDPR. Outside Five Eyes. Outside CLOUD Act. Zero external dependencies; all assets self-hosted. Tor hidden service available. Ciphertext only, ephemeral.
formal security audit
TYST has not yet undergone a formal third-party security audit. Our crypto layer is open source and we invite community review. A formal audit (Trail of Bits, Cure53, or similar) is planned once we have the resources. For highest-assurance use cases, combine TYST with Tor Browser via our onion address and verify pubkey fingerprints out-of-band.
threat                    protection   notes
curious friend            strong       message self-destructs, no record
corporate surveillance    strong       no identity collected, ciphertext only
data broker               strong       nothing to sell — we have no PII
server seizure            strong       ciphertext + usernames only, no plaintext
Finnish law enforcement   partial      ciphertext handover possible, content unreadable
ISP traffic analysis      partial      knows you connected to tyst.site — use Tor
device seizure            weak         private key in localStorage — device controls access
nation-state adversary    weak         not designed for this threat level — use Tor Browser via our onion address for maximum anonymity
cryptographic primitives
key exchange         · ECDH P-256 (ephemeral keypair per message)
encryption           · AES-GCM 256-bit (random 12-byte IV)
key derivation       · HKDF-SHA256 (salt: 32 zero bytes, info: "whisper-v2")
padding              · PKCS-style to 256-byte block boundary
private key storage  · Web Crypto API localStorage (device-side only)

open source
crypto engine   · open source · community review welcome
audit scope     · key exchange · encryption · padding · IV generation
infrastructure
hosting         · Hetzner Helsinki HEL1 · AS24940 · Finland
jurisdiction    · Finnish law · EU GDPR · not Five Eyes
relay           · centralized · header-stripped · 2–47s random delay
database        · Pocketbase self-hosted · SQLite · no external service
tls             · Caddy · auto-renewed Let's Encrypt
suited for
Lawyers communicating with clients — no server-side record, nothing to produce under subpoena, no identity collected
Journalists communicating with sources — sender identity unknown to server, message destroyed before legal process completes
Business decisions requiring confidentiality — no phone number, no email, no contact graph stored
Anyone who needs messages that technically cannot be retrieved, forwarded to authorities, or linked to their identity
not suited for
Journalists facing nation-state adversaries (NSA, FSB, MSS level) — use SecureDrop for document transfer. TYST + Tor onion serves as a secondary coordination channel.
Anyone whose device is already compromised — TYST secures the server side, not the device. A compromised device defeats all messaging tools equally.
Communications requiring formally audited cryptography — community audit completed, third-party audit (Cure53 / Trail of Bits) planned but not yet complete.