[skip ▸]
// INTERACTIVE DEMO

The real interface. Simulated.

Type DRIFT commands below — /help lists eleven of them. This is a faithful simulation of the real Textual TUI.

sidebar hidden on mobile
DRIFT · v0.20.0 TOR 🔒 E2E 👁 WITNESS
CONTACTS
alice
ROOMS
# general
alice drift:aV9k7Hk2mNpQ3rS5tU8vW1xY4zA6bC9dE2fG7hJ0kL3mN
[14:21:03] alice hey, you there?
[14:21:09] you yeah, running fine on my end
✓ addr:3f9a…c2 ratchet:#001
forward secrecy active · X3DH complete
you ›
DRIFT v0.20.0 · matrix

No accounts. No phone numbers. No trust required — the relay publishes cryptographic proof, every 60 seconds, that it cannot read your messages or name who sent them.

protocol spec · crypto core · terminal + desktop clients · federated relay · live proof layer — all open, all MIT

Unsigned builds (Windows & macOS) — install instructions & why →

Not an app. A protocol stack.

DRIFT is seven things that ship together: a written protocol spec (DRIFT-P/1), a crypto core with zero hand-rolled primitives, a terminal client, a desktop app with Tor bundled, a federated relay you can run on a Raspberry Pi, a live proof layer (WITNESS), and an adversarial harness that attacks all of it (the Gauntlet). Twenty-seven thousand lines of Python, built in the open.

$ drift stack --map 7 components · 1 repo
PROTOCOL.md ──▶ drift/crypto ──▶ TUI · Desktop ──▶ relay/ (federated · Pi-ready) DRIFT-P/1 no hand-rolled Textual · Tauri ├─▶ WITNESS (proof · 60s) wire spec primitives Tor bundled └─▶ Gauntlet (10 probes · 0 mercy)
16,900+ lines of app code
624 tests, all green
10/10 adversarial probes
34 modules

~30 CLI commands · 38 test files · MIT license · Python 3.11+ · desktop needs no Python at all

"Every property is enforced by cryptography on the endpoints, never by policy on the server. If a guarantee depends on the relay behaving, it is not a guarantee of this protocol."

— PROTOCOL.md, the design rule everything else follows

The relay cannot comply.

A compelled relay can stop publishing. It cannot silently comply. Most privacy tools ask you to trust a server; DRIFT's relay publishes a live cryptographic proof — a blindness certificate — every 60 seconds. It commits to what the relay structurally cannot know: zero sender identities (sealed sender), zero recipient identities (rotating stealth addresses), zero readable content (end-to-end encryption), zero linked conversations (unlinkable envelopes).

The certificates are hash-chained and signed with the relay's long-term Ed25519 key. Every certificate embeds the SHA-256 of the previous one — a tamper-evident transparency log. A relay cannot rewrite its past without its private key, and cannot silently start logging without breaking a chain anyone can watch.

You can verify this yourself with nothing but openssl and hashlib — no DRIFT code required. And every relay serves /cannot-see: the page a surveillance request lands on, rendering in plain English exactly what that request would find. Nothing.

# watch a relay's full 24-hour certificate chain # four counters, all provably zero: senders · recipients · contents · linked drift witness verify ws://localhost:8765 # live canary — loud alert the instant the chain breaks drift witness subscribe ws://localhost:8765

Self-hosted relays expose /cannot-see — a human-readable certificate page for anyone who asks.

WITNESS — live certificate stream

How DRIFT stacks up.

Honest comparison. Green means the claim holds. Red means it doesn't — including our own red marks. The maturity axis is where DRIFT loses, and we plot it anyway.

$ drift compare --all scanning...
Feature-by-feature comparison of DRIFT against Signal, Telegram, WhatsApp, and Wire across twelve privacy and security dimensions. A check mark means the feature is present, a cross means it is absent, and a tilde means it is partial or conditional.
Dimension DRIFT Signal Telegram WhatsApp Wire
No phone number
No account required
E2E encrypted (default) ~1
Forward secrecy
Relay blindness proof
Stealth addresses
Cover traffic 5
Tor transport ~2
Open source (full) ~3
Independent audit 4
No central server
Terminal / headless
1 Telegram: E2E only in Secret Chats. Groups and standard chats are not E2E.
2 Signal: proxy support only, not Tor-native.
3 Telegram: client open source, server closed.
4 DRIFT: internal audit only. No third-party audit yet. We say this loudly.
5 DRIFT: Poisson-scheduled dummy envelopes + uniform wire size, off/low/high dial. Shipped v0.15.0.
privacy coverageradar
Maturity score reflects audit status and production readiness. DRIFT scores 4/10 — honestly.

Precise claims. No snake oil.

Security claims mean nothing without saying against whom. Here is the honest scope.

[OK] DRIFT defeats
Passive surveillance — ISP or nation-state wire-tapping learns nothing about content or participants.
Subpoenaed relay — the server holds no plaintext, no contact graph, no linkable addresses. There is nothing useful to hand over.
Key theft — forward secrecy means past messages stay safe. Post-compromise security means the conversation self-heals.
Social graph analysis — sealed sender and Tor transport hide who talks to whom.
Infrastructure takedown — no single server to kill. Federated relays, P2P fallback, Tor transport.
Timing and volume analysis — Poisson-scheduled cover traffic and uniform envelope sizes (off/low/high dial, shipped v0.15.0) make your send patterns statistically noisy.
Compelled relay — WITNESS means a relay served with a surveillance order can shut down, but cannot silently comply. The chain breaks in public.
[WARN] DRIFT does not defeat
Compromised endpoint — malware on your machine reads the screen. No messenger fixes this.
Global passive adversary — cover traffic raises the cost sharply; an adversary watching every wire on earth is still out of scope. We do not claim to solve it.
User error — sharing keys carelessly, screenshotting chats, getting phished.
Room forward secrecy — sovereign rooms use a shared key; pairwise chats have full forward secrecy, rooms do not. Burn and single-use invites are best-effort, not guarantees.

Being precise here is what separates a serious tool from snake oil.

Built different.

[addressing]shipped v0.2.0
Rotating Stealth Addresses

Every message you receive lands at a fresh, random, unlinkable address — Monero-style dual-key stealth addressing, applied to messaging. A scan key to find your mail, a spend key to read it, split so a watch-only device can detect but never decrypt. The relay sees a stream of unrelated blobs — no inbox, no account, nothing that points to you. Your identity is a keypair you generated locally. Nothing more.

[witness]shipped v0.13.0
WITNESS — Verifiable Relay Blindness

A live, hash-chained, Ed25519-signed blindness certificate published every 60 seconds. Not a privacy policy. Not a promise. A cryptographic proof you can verify yourself with openssl and hashlib. The chain is tamper-evident: silence or deviation are both detectable.

[rooms]shipped v0.14.0
Sovereign Rooms

Cryptographic chatrooms with no server-side representation. A room is pure math: a shared secret derived from its name. No row in any database, no object the relay owns, nothing to subpoena. Three tiers: open, invite-only, and dark (name is a random secret, not a word). Honest limit: rooms use a shared key — no forward secrecy inside a room. Pairwise chats keep full FS.

[ratchet]shipped v0.4.0
Double Ratchet + X3DH

Full forward secrecy from the very first message. X3DH bootstraps the handshake; the Double Ratchet turns on every message. Steal today's keys and past messages stay unreadable. The conversation self-heals after a transient compromise.

[transport]shipped v0.6.0
Sealed Sender + Tor

The relay never sees your IP. It also cannot link your messages to each other — the ratchet header that would make them linkable is encrypted inside the payload. What the relay sees per message: one unlinkable address, one opaque blob.

[lockdown]shipped v0.15.0
Lockdown Mode

Toggle with Ctrl+K. Every keystroke re-scrambles the on-screen input so keyloggers and screen scrapers see only noise. Scrollback history is wiped from memory. Paste is ignored. Defeats software keyloggers, screen scrapers, shoulder-surfing, and clipboard sniffers. Hardware keyloggers and OS-level memory forensics are out of scope.

[panic]shipped v0.8.0
Panic Key + Decoy Vault

A second passphrase that silently wipes your identity or opens a believable decoy instead of your real account. Both passphrases go through the same Argon2id KDF and constant-work unlock path — no timing difference, no error. Honest limit: the wipe variant is single-shot; the decoy variant is better where a second forced unlock is plausible.

[federation]shipped v0.7.0
Federated Relays

Anyone can run a relay. Relays gossip blobs to each other, each holding only opaque ciphertext with a TTL. No single server to compel or kill. For the truly paranoid: serverless P2P mode over a Tor onion service with no relay at all.

[cover]shipped v0.15.0
Cover Traffic Dial

Poisson-scheduled dummy envelopes and a uniform wire size make your real messages statistically indistinguishable from noise. An observer can't tell your 2 a.m. message from scheduled static. Three settings: off, low, high.

[groups]shipped v0.11.0
Group Messaging

Pairwise Double Ratchets fan out to up to 10 members — every pair keeps full forward secrecy, and no server-side group object exists anywhere. Honest limit: pairwise fan-out costs O(n) bandwidth by design; sender-keys for larger groups are on the roadmap.

[identity]shipped
Safety Numbers, Beacons + One-Time Invites

Verify a contact with a human phrase (river-amber-tiger-92) and a deterministic randart block you can compare at a glance. Share your contact code by paste or QR. Need discovery? Short-lived beacons bind a handle to your code for ≤10 minutes, and one-time driftinvite: links self-delete on first resolve (≤24h TTL).

[fmd]shipped v0.9.0
Fuzzy Message Detection

A dial that makes the relay's delivery hints deliberately noisy — decoy matches drown out real ones at a rate you control. Even the pattern of "something arrived for someone" degrades into static.

[burn]shipped
Burn + Disappearing Messages

Best-effort remote erasure and timed disappearance. Burn tokens are single-use — a replayed burn request is rejected. Honest limit: "best-effort" means exactly that. A recipient's client must cooperate; already-read plaintext cannot be recalled.

[deniable]free with the ratchet
Deniable Authentication

Your contact knows the message is from you. Nobody else can ever prove it was. The ratchet authenticates the channel, not the transcript — everything is deniable after the fact.

Eight steps. All invisible to the user.

01 —
Keypair generated locally

On first run, your identity, scan, and spend keys are created on your machine and never transmitted anywhere.

02 —
Contact code shared out of band

Your public keys are encoded into a compact drift:... string you share however you like — paste, QR, or voice.

03 —
X3DH handshake

Your client fetches the recipient's prekey bundle, verifies the signature, and derives a shared root secret. Forward secrecy is complete from this moment.

04 —
Double Ratchet encrypts the message

Every message advances the ratchet and is sealed with XChaCha20-Poly1305. Compromise one message key and no others are affected.

relay sees: nothing yet — this all happens on your machine

05 —
Sealed sender wraps the envelope

The ratchet header — the field that would make messages linkable — is encrypted inside the payload. The relay cannot correlate your traffic.

relay sees: one opaque blob, uniform size, no sender field at all

06 —
Tor routes the packet

Your real IP never reaches the relay. The relay sees an onion-routed connection and an opaque blob addressed to a one-time stealth address.

relay sees: a Tor exit, never your IP

07 —
Recipient scans, derives, decrypts

The recipient's client derives the one-time address from the ephemeral key, recognizes the message, and decrypts. The relay never knew it was theirs.

relay sees: a fetch on the shared channel — could be anyone, for anything

08 —
Cover traffic hides the rhythm

Between real messages, the client emits Poisson-scheduled dummies at uniform size. An observer can't tell your 2 a.m. confession from scheduled noise.

relay sees: a steady hum of identical envelopes, real and fake alike

Built in the open. Shipping in public.

Every green card is merged, tested, shipped code — version numbers are receipts, not promises. Three cards remain.

▓▓▓▓▓▓▓▓▓▓▓▓▓▓░░░░ 14/18 shipped · 1 deferred · 3 open
[✓] PHASE 0 E2E Transport v0.1.0
[✓] PHASE 1 Stealth Addresses + TUI v0.2.0
[✓] PHASE 2 Double Ratchet v0.4.0
[✓] PHASE 3 Tor + Sealed Sender v0.6.0
[✓] PHASE 4 Federated Relays + Pi Zero v0.7.0
[✓] PHASE 5 Panic Key + Duress Vault v0.8.0
[✓] PHASE 6 FMD Dial v0.9.0
[✓] PHASE 8 Group Messaging v0.11.0
[✓] PHASE 9 Codespaces Launch v0.12.0
[✓] PHASE 10 WITNESS System v0.13.0
[✓] PHASE 11 Sovereign Rooms v0.14.0
[✓] PHASE 12 Lockdown + Cover Traffic v0.15.0
[✓] PHASE 13 Tauri Desktop App v0.17.0
[✓] DRIFT-P/1 Protocol Spec · Security Score · Bundled Tor · Lockdown v0.20.0

Phase 7 deferred — multi-device ratchet sync is an unsolved problem. We'll do it right or not at all.

Build on this.

DRIFT is open source and designed to be extended. The architecture is modular by phase — you can contribute to the protocol, the relay, the TUI, the desktop app, the crypto layer, or the test harness without touching the rest.

[protocol]
Break the Gauntlet

Run python scripts/gauntlet.py and try to make a probe fail. Write a new probe that tests something we missed. Every broken invariant is a bug report — open an issue with your finding and the probe that exposed it.

view the gauntlet →
[relay]
Run a Relay

Clone the repo, run python -m relay.server, and you're part of the federated network. If you run it publicly, open an issue to get listed as a community relay. Pi Zero nodes especially welcome — see Phase 4 docs.

relay setup guide →
[crypto]
Audit the Code

The entire cryptographic surface is in drift/crypto/ and drift/protocol/. The internal audit found and resolved five findings — the remaining deferred items (L2, L4) are documented openly. Fresh eyes on the stealth address math and the X3DH prekey pool are especially welcome.

read the audit →
[build]
Ship a Phase

Phases 14–16 are unbuilt and open. Mobile companion, Drift Names resolution, Pi Zero relay image. Each phase has a design doc stub. Pick one, read the architecture, open a discussion issue before writing code.

open issues →
# get started in 60 seconds git clone https://github.com/chickenswaffle/Drift.git cd Drift && pip install -e ".[dev]" python -m pytest tests/ -q # 624 tests, all green python scripts/gauntlet.py # 10 probes, all pass
624 tests passing 10/10 gauntlet probes mypy + ruff clean ~16,900 lines of app code 34 modules DRIFT-P/1 spec published

One iron rule: no hand-rolled primitives. PRs that roll their own crypto will be closed.

Up in under two minutes.

▶  browser — no install

Launch a fully configured DRIFT environment in GitHub Codespaces. Nothing installs on your machine. Relay and client both start automatically. Or grab the desktop app — it bundles everything, including Tor. End users never touch Python.

⌨  local install — watch it run

Local needs Python 3.11+. Codespaces needs only a browser — relay and client auto-start.

// Unsigned by design — verify, don't trust

Why these builds aren't signed. A code-signing certificate doesn't prove software is safe — it proves a certificate authority checked the developer's legal identity and took an annual fee. DRIFT exists so you never have to surrender an identity to communicate; stapling a government-verified name onto every release would contradict the entire premise. A signature tells you who built it, not what it does.

So this app will most likely never be signed — there's no real reason it should be. Instead of "trust the badge," the whole project is open source and every installer is built in public CI you can read line by line. Reproducibility is the roadmap's answer to signing — the CI workflow that builds these installers is a few hundred lines you can audit yourself. Don't trust us. Verify it.

Cautious? Good. Do this first.

› Scan the file on VirusTotal — drop the .exe or .dmg in and let 70+ engines weigh in. Heads up: unsigned installers and Python-bundled apps routinely trip 1–3 heuristic engines — a couple of generic flags on an otherwise-clean report is the false-positive pattern, not malware.

› Run it isolated until you trust it: Windows Sandbox, a throwaway VM (VirtualBox / VMware / UTM), or a disposable machine over RDP.

› Read the source and the build workflow on GitHub before you run anything.

Install instructions — Windows
  1. Download DRIFT-Setup-Windows-x64.exe.
  2. Windows SmartScreen may say "Windows protected your PC." Click More info → Run anyway. This prompt appears for any unsigned app — clean or not.
  3. Run the installer, then launch DRIFT from the Start menu.
Install instructions — macOS (Intel & Apple Silicon)
  1. Pick your chip — Apple menu → About This Mac. "Apple M-series" → the Apple Silicon dmg; "Intel" → the Intel dmg.
  2. Open the .dmg and drag DRIFT into Applications.
  3. On first launch, Gatekeeper blocks it ("unidentified developer"). Right-click DRIFT → Open → Open.
  4. Still blocked? Clear the quarantine flag in Terminal:
    xattr -dr com.apple.quarantine /Applications/DRIFT.app
Install instructions — Linux
  1. Grab the AppImage from the latest release — it's self-contained, nothing else to install.
  2. Make it executable: chmod +x DRIFT-*.AppImage
  3. Run it: ./DRIFT-*.AppImage. Tor is bundled; the core is frozen — no Python required.
  4. Prefer source? git clone + pip install -e ".[dev]" works on any distro with Python 3.11+.

We show our work.

Serious tools invite scrutiny. Every design decision, audit finding, and known limitation is documented and public. Read it, challenge it, improve it.

[spec]
DESIGN.md

The full protocol specification. Threat model, cryptographic rationale, stealth address math, ratchet design, WITNESS architecture, and every honest tradeoff — all in one document.

read the spec →
[proof]
docs/witness.md

The WITNESS specification in full. Includes the certificate format, the hash-chain verification algorithm, the threat model for the proof layer, and step-by-step instructions for verifying a relay's chain using only openssl and hashlib.

read the proof →
[audit]
docs/audit-2026-06.md

Internal audit: 4 high, 5 medium, 4 low findings — and the resolution log showing each one fixed, commit by commit. All high and medium findings resolved by v0.14.1. Deferred low items documented openly, not papered over.

read the audit →
[protocol]
PROTOCOL.md — DRIFT-P/1

The wire-format spec. Envelope layout, handshake transcript, stealth derivation, WITNESS certificate schema. Written so a second, independent implementation can interoperate — that's the point of a protocol.

read the spec →
[!] DRIFT has not been independently audited. Do not use it for anything where your physical safety depends on it until a formal third-party audit has been completed and published. We will announce results in the repository.
// PRIVACY

No data to collect. No policy needed.

This website collects no personal data. There are no cookies, no analytics, no tracking scripts, no third-party embeds, and no server-side logging of any kind. The interactive demo runs entirely in your browser — no keystrokes, messages, or session data are transmitted anywhere. The only external request this page makes is loading the JetBrains Mono font from Google Fonts.

Under the California Consumer Privacy Act (CCPA) and similar laws: we do not sell, share, or broker personal information because we do not collect it. There is nothing to request, delete, or opt out of.

If you self-host a DRIFT relay, you are responsible for your own relay's privacy posture. Consult the DESIGN.md for the full threat model.

Last reviewed: June 2026 · Open source · MIT License