The real interface. Simulated.
Type DRIFT commands below — /help lists eleven of them. This is a faithful simulation of the real Textual TUI.
No accounts. No phone numbers. No trust required — the relay publishes cryptographic proof, every 60 seconds, that it cannot read your messages or name who sent them.
protocol spec · crypto core · terminal + desktop clients · federated relay · live proof layer — all open, all MIT
Unsigned builds (Windows & macOS) — install instructions & why →
Not an app. A protocol stack.
DRIFT is seven things that ship together: a written protocol spec (DRIFT-P/1), a crypto core with zero hand-rolled primitives, a terminal client, a desktop app with Tor bundled, a federated relay you can run on a Raspberry Pi, a live proof layer (WITNESS), and an adversarial harness that attacks all of it (the Gauntlet). Twenty-seven thousand lines of Python, built in the open.
~30 CLI commands · 38 test files · MIT license · Python 3.11+ · desktop needs no Python at all
"Every property is enforced by cryptography on the endpoints, never by policy on the server. If a guarantee depends on the relay behaving, it is not a guarantee of this protocol."
— PROTOCOL.md, the design rule everything else follows
The relay cannot comply.
A compelled relay can stop publishing. It cannot silently comply. Most privacy tools ask you to trust a server; DRIFT's relay publishes a live cryptographic proof — a blindness certificate — every 60 seconds. It commits to what the relay structurally cannot know: zero sender identities (sealed sender), zero recipient identities (rotating stealth addresses), zero readable content (end-to-end encryption), zero linked conversations (unlinkable envelopes).
The certificates are hash-chained and signed with the relay's long-term Ed25519 key. Every certificate embeds the SHA-256 of the previous one — a tamper-evident transparency log. A relay cannot rewrite its past without its private key, and cannot silently start logging without breaking a chain anyone can watch.
You can verify this yourself with nothing but openssl and hashlib — no DRIFT code required. And every relay serves /cannot-see: the page a surveillance request lands on, rendering in plain English exactly what that request would find. Nothing.
Self-hosted relays expose /cannot-see — a human-readable certificate page for anyone who asks.
How DRIFT stacks up.
Honest comparison. Green means the claim holds. Red means it doesn't — including our own red marks. The maturity axis is where DRIFT loses, and we plot it anyway.
| Dimension | DRIFT | Signal | Telegram | Wire | |
|---|---|---|---|---|---|
| No phone number | ✓ | ✗ | ✗ | ✗ | ✓ |
| No account required | ✓ | ✗ | ✗ | ✗ | ✗ |
| E2E encrypted (default) | ✓ | ✓ | ~1 | ✓ | ✓ |
| Forward secrecy | ✓ | ✓ | ✗ | ✓ | ✓ |
| Relay blindness proof | ✓ | ✗ | ✗ | ✗ | ✗ |
| Stealth addresses | ✓ | ✗ | ✗ | ✗ | ✗ |
| Cover traffic | ✓5 | ✗ | ✗ | ✗ | ✗ |
| Tor transport | ✓ | ~2 | ✗ | ✗ | ✗ |
| Open source (full) | ✓ | ✓ | ~3 | ✗ | ✓ |
| Independent audit | ✗4 | ✓ | ✗ | ✓ | ✓ |
| No central server | ✓ | ✗ | ✗ | ✗ | ✗ |
| Terminal / headless | ✓ | ✗ | ✗ | ✗ | ✗ |
Precise claims. No snake oil.
Security claims mean nothing without saying against whom. Here is the honest scope.
Being precise here is what separates a serious tool from snake oil.
Built different.
Every message you receive lands at a fresh, random, unlinkable address — Monero-style dual-key stealth addressing, applied to messaging. A scan key to find your mail, a spend key to read it, split so a watch-only device can detect but never decrypt. The relay sees a stream of unrelated blobs — no inbox, no account, nothing that points to you. Your identity is a keypair you generated locally. Nothing more.
A live, hash-chained, Ed25519-signed blindness certificate published every 60 seconds. Not a privacy policy. Not a promise. A cryptographic proof you can verify yourself with openssl and hashlib. The chain is tamper-evident: silence or deviation are both detectable.
Cryptographic chatrooms with no server-side representation. A room is pure math: a shared secret derived from its name. No row in any database, no object the relay owns, nothing to subpoena. Three tiers: open, invite-only, and dark (name is a random secret, not a word). Honest limit: rooms use a shared key — no forward secrecy inside a room. Pairwise chats keep full FS.
Full forward secrecy from the very first message. X3DH bootstraps the handshake; the Double Ratchet turns on every message. Steal today's keys and past messages stay unreadable. The conversation self-heals after a transient compromise.
The relay never sees your IP. It also cannot link your messages to each other — the ratchet header that would make them linkable is encrypted inside the payload. What the relay sees per message: one unlinkable address, one opaque blob.
Toggle with Ctrl+K. Every keystroke re-scrambles the on-screen input so keyloggers and screen scrapers see only noise. Scrollback history is wiped from memory. Paste is ignored. Defeats software keyloggers, screen scrapers, shoulder-surfing, and clipboard sniffers. Hardware keyloggers and OS-level memory forensics are out of scope.
A second passphrase that silently wipes your identity or opens a believable decoy instead of your real account. Both passphrases go through the same Argon2id KDF and constant-work unlock path — no timing difference, no error. Honest limit: the wipe variant is single-shot; the decoy variant is better where a second forced unlock is plausible.
Anyone can run a relay. Relays gossip blobs to each other, each holding only opaque ciphertext with a TTL. No single server to compel or kill. For the truly paranoid: serverless P2P mode over a Tor onion service with no relay at all.
Poisson-scheduled dummy envelopes and a uniform wire size make your real messages statistically indistinguishable from noise. An observer can't tell your 2 a.m. message from scheduled static. Three settings: off, low, high.
Pairwise Double Ratchets fan out to up to 10 members — every pair keeps full forward secrecy, and no server-side group object exists anywhere. Honest limit: pairwise fan-out costs O(n) bandwidth by design; sender-keys for larger groups are on the roadmap.
Verify a contact with a human phrase (river-amber-tiger-92) and a deterministic randart block you can compare at a glance. Share your contact code by paste or QR. Need discovery? Short-lived beacons bind a handle to your code for ≤10 minutes, and one-time driftinvite: links self-delete on first resolve (≤24h TTL).
A dial that makes the relay's delivery hints deliberately noisy — decoy matches drown out real ones at a rate you control. Even the pattern of "something arrived for someone" degrades into static.
Best-effort remote erasure and timed disappearance. Burn tokens are single-use — a replayed burn request is rejected. Honest limit: "best-effort" means exactly that. A recipient's client must cooperate; already-read plaintext cannot be recalled.
Your contact knows the message is from you. Nobody else can ever prove it was. The ratchet authenticates the channel, not the transcript — everything is deniable after the fact.
Eight steps. All invisible to the user.
On first run, your identity, scan, and spend keys are created on your machine and never transmitted anywhere.
Your public keys are encoded into a compact drift:... string you share however you like — paste, QR, or voice.
Your client fetches the recipient's prekey bundle, verifies the signature, and derives a shared root secret. Forward secrecy is complete from this moment.
Every message advances the ratchet and is sealed with XChaCha20-Poly1305. Compromise one message key and no others are affected.
relay sees: nothing yet — this all happens on your machine
The ratchet header — the field that would make messages linkable — is encrypted inside the payload. The relay cannot correlate your traffic.
relay sees: one opaque blob, uniform size, no sender field at all
Your real IP never reaches the relay. The relay sees an onion-routed connection and an opaque blob addressed to a one-time stealth address.
relay sees: a Tor exit, never your IP
The recipient's client derives the one-time address from the ephemeral key, recognizes the message, and decrypts. The relay never knew it was theirs.
relay sees: a fetch on the shared channel — could be anyone, for anything
Between real messages, the client emits Poisson-scheduled dummies at uniform size. An observer can't tell your 2 a.m. confession from scheduled noise.
relay sees: a steady hum of identical envelopes, real and fake alike
Built in the open. Shipping in public.
Every green card is merged, tested, shipped code — version numbers are receipts, not promises. Three cards remain.
Phase 7 deferred — multi-device ratchet sync is an unsolved problem. We'll do it right or not at all.
Build on this.
DRIFT is open source and designed to be extended. The architecture is modular by phase — you can contribute to the protocol, the relay, the TUI, the desktop app, the crypto layer, or the test harness without touching the rest.
Run python scripts/gauntlet.py and try to make a probe fail. Write a new probe that tests something we missed. Every broken invariant is a bug report — open an issue with your finding and the probe that exposed it.
Clone the repo, run python -m relay.server, and you're part of the federated network. If you run it publicly, open an issue to get listed as a community relay. Pi Zero nodes especially welcome — see Phase 4 docs.
The entire cryptographic surface is in drift/crypto/ and drift/protocol/. The internal audit found and resolved five findings — the remaining deferred items (L2, L4) are documented openly. Fresh eyes on the stealth address math and the X3DH prekey pool are especially welcome.
Phases 14–16 are unbuilt and open. Mobile companion, Drift Names resolution, Pi Zero relay image. Each phase has a design doc stub. Pick one, read the architecture, open a discussion issue before writing code.
open issues →One iron rule: no hand-rolled primitives. PRs that roll their own crypto will be closed.
Up in under two minutes.
Launch a fully configured DRIFT environment in GitHub Codespaces. Nothing installs on your machine. Relay and client both start automatically. Or grab the desktop app — it bundles everything, including Tor. End users never touch Python.
Requires a free GitHub account.
Download for Windows Download for macOS · Apple Silicon Download for macOS · Intel Linux · GitHub releasesPick your chip (Apple menu → About This Mac). Unsigned: install instructions & why →
Local needs Python 3.11+. Codespaces needs only a browser — relay and client auto-start.
// Unsigned by design — verify, don't trust
Why these builds aren't signed. A code-signing certificate doesn't prove software is safe — it proves a certificate authority checked the developer's legal identity and took an annual fee. DRIFT exists so you never have to surrender an identity to communicate; stapling a government-verified name onto every release would contradict the entire premise. A signature tells you who built it, not what it does.
So this app will most likely never be signed — there's no real reason it should be. Instead of "trust the badge," the whole project is open source and every installer is built in public CI you can read line by line. Reproducibility is the roadmap's answer to signing — the CI workflow that builds these installers is a few hundred lines you can audit yourself. Don't trust us. Verify it.
Cautious? Good. Do this first.
› Scan the file on VirusTotal — drop the .exe or .dmg in and let 70+ engines weigh in. Heads up: unsigned installers and Python-bundled apps routinely trip 1–3 heuristic engines — a couple of generic flags on an otherwise-clean report is the false-positive pattern, not malware.
› Run it isolated until you trust it: Windows Sandbox, a throwaway VM (VirtualBox / VMware / UTM), or a disposable machine over RDP.
› Read the source and the build workflow on GitHub before you run anything.
Install instructions — Windows
- Download
DRIFT-Setup-Windows-x64.exe. - Windows SmartScreen may say "Windows protected your PC." Click More info → Run anyway. This prompt appears for any unsigned app — clean or not.
- Run the installer, then launch DRIFT from the Start menu.
Install instructions — macOS (Intel & Apple Silicon)
- Pick your chip — Apple menu → About This Mac. "Apple M-series" → the Apple Silicon dmg; "Intel" → the Intel dmg.
- Open the
.dmgand drag DRIFT into Applications. - On first launch, Gatekeeper blocks it ("unidentified developer"). Right-click DRIFT → Open → Open.
- Still blocked? Clear the quarantine flag in Terminal:
xattr -dr com.apple.quarantine /Applications/DRIFT.app
Install instructions — Linux
- Grab the AppImage from the latest release — it's self-contained, nothing else to install.
- Make it executable:
chmod +x DRIFT-*.AppImage - Run it:
./DRIFT-*.AppImage. Tor is bundled; the core is frozen — no Python required. - Prefer source?
git clone+pip install -e ".[dev]"works on any distro with Python 3.11+.
We show our work.
Serious tools invite scrutiny. Every design decision, audit finding, and known limitation is documented and public. Read it, challenge it, improve it.
The full protocol specification. Threat model, cryptographic rationale, stealth address math, ratchet design, WITNESS architecture, and every honest tradeoff — all in one document.
read the spec →The WITNESS specification in full. Includes the certificate format, the hash-chain verification algorithm, the threat model for the proof layer, and step-by-step instructions for verifying a relay's chain using only openssl and hashlib.
read the proof →Internal audit: 4 high, 5 medium, 4 low findings — and the resolution log showing each one fixed, commit by commit. All high and medium findings resolved by v0.14.1. Deferred low items documented openly, not papered over.
read the audit →The wire-format spec. Envelope layout, handshake transcript, stealth derivation, WITNESS certificate schema. Written so a second, independent implementation can interoperate — that's the point of a protocol.
read the spec →No data to collect. No policy needed.
This website collects no personal data. There are no cookies, no analytics, no tracking scripts, no third-party embeds, and no server-side logging of any kind. The interactive demo runs entirely in your browser — no keystrokes, messages, or session data are transmitted anywhere. The only external request this page makes is loading the JetBrains Mono font from Google Fonts.
Under the California Consumer Privacy Act (CCPA) and similar laws: we do not sell, share, or broker personal information because we do not collect it. There is nothing to request, delete, or opt out of.
If you self-host a DRIFT relay, you are responsible for your own relay's privacy posture. Consult the DESIGN.md for the full threat model.