What sTELgano Protects Against.
And what it doesn't.
Honest Security
Most security products oversell. They use words like "military-grade" and "impenetrable" and imply they protect against everything. They don't. Nothing does.
We think honesty is better security practice. If you understand exactly what sTELgano protects against and what it doesn't, you can make an informed decision about whether it's the right tool for your situation. Overselling creates a false sense of security, and false security is worse than no security.
What We Protect Against
Casual Device Snooping
There's no app to find on your home screen. No chat history to scroll through. If someone picks up your phone, they see contacts—normal. If they somehow find the sTELgano URL, they see a blank form with two fields. Nothing to explain.
Shoulder Surfing
The UI is minimal by design. No message previews outside the active chat session. No notification badges. No typing indicators visible on the home screen. Someone looking over your shoulder sees nothing useful.
ISP and Network Inspection
All data is encrypted in transit via TLS and at rest via AES-256-GCM. Your ISP can see you connected to a server. They cannot see what you sent, who you're talking to, or the content of any message.
Database Breaches
The server stores only SHA-256 hashes and AES-256-GCM ciphertext. A complete database dump reveals room hashes, access hashes, and encrypted blobs. Without the client-side key, none of this data can be reversed or decrypted.
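As an added illustration (not sTELgano's own code), this sketch uses the Web Crypto API to build the kind of record described above, where only a SHA-256 hash and AES-256-GCM ciphertext leave the browser, and shows that the record does not decrypt under a different key. The PBKDF2 key derivation, the function and field names, and every sample value are assumptions constructed for the example.

```javascript
// Added illustration, not sTELgano's code. The PBKDF2 derivation, field names
// and all sample values are assumptions constructed for this example.
const wc = globalThis.crypto ?? require('node:crypto').webcrypto;
const enc = new TextEncoder();
const toHex = (buf) => Array.from(new Uint8Array(buf), (b) => b.toString(16).padStart(2, '0')).join('');
const fromHex = (hex) => Uint8Array.from(hex.match(/../g), (x) => parseInt(x, 16));

// One-way identifier: the server can compare it but never sees the input.
async function sha256Hex(text) {
  return toHex(await wc.subtle.digest('SHA-256', enc.encode(text)));
}

// Assumed KDF: stretch a client-held secret into a non-extractable AES-256-GCM key.
async function deriveKey(secret, salt) {
  const material = await wc.subtle.importKey('raw', enc.encode(secret), 'PBKDF2', false, ['deriveKey']);
  return wc.subtle.deriveKey(
    { name: 'PBKDF2', hash: 'SHA-256', salt: enc.encode(salt), iterations: 600000 },
    material, { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
}

// Everything the server would store for one message: a hash, an IV, ciphertext.
async function sealForServer(key, roomId, plaintext) {
  const iv = wc.getRandomValues(new Uint8Array(12)); // fresh 96-bit nonce per message
  const ct = await wc.subtle.encrypt({ name: 'AES-GCM', iv }, key, enc.encode(plaintext));
  return { room_hash: await sha256Hex(roomId), iv: toHex(iv), ciphertext: toHex(ct) };
}

// Returns the plaintext, or null when the GCM tag check fails
// (wrong key or modified ciphertext).
async function unseal(key, record) {
  try {
    const pt = await wc.subtle.decrypt({ name: 'AES-GCM', iv: fromHex(record.iv) }, key, fromHex(record.ciphertext));
    return new TextDecoder().decode(pt);
  } catch {
    return null;
  }
}

// Constructed scenario: one stored record, opened with the right and a wrong key.
async function demo() {
  const key = await deriveKey('constructed client secret', 'constructed-salt');
  const wrongKey = await deriveKey('a different secret', 'constructed-salt');
  const record = await sealForServer(key, 'constructed-room-id', 'meet at noon');
  return { record, withKey: await unseal(key, record), withoutKey: await unseal(wrongKey, record) };
}

demo().then((result) => console.log(result));
```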
Browser Forensics
sTELgano uses sessionStorage exclusively—no localStorage, no IndexedDB, no cookies for session data. Close the browser tab and the session is gone. There's no cache to inspect, no persistent storage to recover.
Device Seizure
There's no app installed on the device. No application data directory. No SQLite database with chat logs. The steg number is saved as a normal phone contact, indistinguishable from any other number in your contact list.
What We Don't Protect Against
Nation-State Surveillance
If a government targets you specifically with dedicated surveillance infrastructure, sTELgano is not your tool. Nation-states can compromise devices, install rootkits, perform traffic analysis at scale, and compel service providers. This is an adversary class beyond our threat model.
Law Enforcement Subpoenas
We can be compelled to hand over what we store: hashes and ciphertext. The data is cryptographically useless without the client-side key, but we're transparent about the fact that we can be compelled to produce it. We cannot produce what we don't have (plaintext, keys, phone numbers).
Targeted Malware and Keyloggers
A keylogger on your device captures everything you type regardless of encryption. If your device is compromised with targeted malware, all bets are off. sTELgano encrypts data in your browser, but it can't protect against an attacker who has already compromised the browser's environment.
Physical Coercion
If someone physically forces you to reveal your PIN, no amount of encryption can help. Cryptography protects data at rest and in transit. It does not protect against a human being compelled to divulge a secret. This is a fundamental limitation of all encryption systems.
Compromised Browser
If your browser itself is backdoored—through a malicious extension, a compromised update, or a supply chain attack on the browser vendor—the Web Crypto API cannot be trusted. The encryption happens in the browser; if the browser is hostile, the encryption is theatre.
The Threat Model
sTELgano protects against intimate-access attackers—a partner, family member, or colleague with physical access to your device.
This is the scenario we optimise for. The person who picks up your phone while you're in the shower. The colleague who glances at your screen. The family member who "borrows" your device. Against this threat class, sTELgano provides strong, layered protection.
When to Use Something Else
We'd rather you use the right tool than use ours in the wrong situation:
- Government surveillance: Use Tor, Tails, or a hardened operating system designed for high-threat environments.
- Legal pressure or subpoena risk: Consult a lawyer. Technology alone cannot protect you from legal compulsion.
- Compromised device: Re-image the device from a trusted source before using any secure communication tool.
- Life-or-death stakes: Use multiple layers of protection. No single tool is sufficient. Seek expert operational security guidance.
sTELgano is for everyday discretion, not extraordinary threat environments. We're honest about that because your safety depends on choosing the right tool for the right threat.