SECURITY

How we protect your files

Encryption Standard

AES-256-GCM

Your files are encrypted using AES-256-GCM, the same standard used by governments, banks, and military organisations worldwide. With a 256-bit key space, brute-force attacks are computationally infeasible — it would take billions of years with current technology.

Client-Side Encryption

Encryption happens entirely in your browser before any data leaves your device. The encryption key is generated locally and never transmitted to our servers.

Key in URL Fragment

The decryption key is embedded in the URL fragment (the part after #). URL fragments are never sent to web servers — they exist only in your browser. We literally cannot see your key.

What We Store

Encrypted file blob Encrypted
Original filename Encrypted + Padded
File size (approximate) Visible
Expiry time Visible
Decryption key Never stored
Your IP address Not logged
File contents Impossible to access

What We Protect Against

  • Server breach — attackers get only encrypted blobs
  • Man-in-the-middle attacks — HTTPS + key never transmitted
  • Database leaks — no plaintext, no metadata, no logs
  • Unauthorised access — burn-after-read deletes on first view
  • Filename analysis — padded to fixed length

What We Cannot Protect Against

  • Compromised devices — malware on your computer sees everything
  • Link interception — if someone intercepts the share link, they can access the file
  • Recipient actions — once decrypted, the recipient can save or share the file
  • Malicious browser extensions — these can read page content
  • Coercion — we cannot protect against legal or physical compulsion

For maximum security, share links via encrypted messaging (Signal, WhatsApp) rather than email or SMS.

Technical Details

Algorithm AES-256-GCM
Key derivation Web Crypto API (cryptographically random)
IV (nonce) 96-bit, unique per encryption
Authentication GCM provides built-in authentication tag
Filename padding 256 bytes fixed length
Hash verification SHA-256

Quantum Resistance

AES-256 is considered quantum-resistant. While Grover's algorithm could theoretically reduce the effective key strength to 128 bits against a quantum computer, this still provides strong security. No known quantum attack can break AES-256-GCM in practice.

Contact

Security Disclosures

Found a vulnerability? Report it securely.

security [at] burnbox [dot] au
Abuse Reports

Report illegal content or misuse. Include the drop ID if known.

abuse [at] burnbox [dot] au

PGP Key

For sensitive communications, encrypt your message with our public key.

D18E 42E3 77C8 A5B3 B520 1DD3 2A86 CA1C F21B B6E8
Download Public Key

Responses will be signed with this key. Verify the fingerprint.