FAQ


Compare Sonar with other communication methods

Website    Remove own messages   End to end removal   End to end encryption   Self destruction   Plain text disabled   Encrypted db Storage
Sonar      Yes                   Yes                  Yes [2]                 Yes                Yes                   Yes
Dread      Yes                   Yes                  Yes [2]                 x                  x                     x
Forums     Yes                   x                    Yes [2]                 x                  x                     x
Email      Yes                   x                    Yes [2]                 x                  x                     x
XMPP       Yes                   x                    Yes [1]                 x                  x                     x
Telegram   Yes                   Yes                  Yes [3]                 Yes                Yes                   x
Signal     Yes                   Yes [4]              Yes                     Yes                Yes                   x

[1] It is possible using OTR or Omemo
[2] It is possible using your own PGP encryption
[3] It is active in secret chats
[4] Support has been added at the end of 2019 but with several limitations


  1. How does Sonar work ?

    Sonar is a web messenger that allows you to send and receive messages. Sonar supports two types of messages:
    
    1.- Server-side encrypted messages
    2.- Client-side encrypted messages (using PGP)
    
    You can use PGP to encrypt sensitive messages and all messages you send, whether they are encrypted or not, will be stored encrypted by Sonar.
    
    That is the main benefit with Sonar compared to other websites. Most websites like Dread, forums, emails and markets allow you to send plain text messages and they store plain text messages. Sonar does not support plain text and uses server-side encryption instead, which is more secure.
    
    All messages in Sonar are stored encrypted, including the message body and the subject.
    
  2. What is server-side encryption ?

    Sonar creates a PGP key pair (public key and private key) for every user that registers on the service.
    
    When you write a message to another user, this message is encrypted with his public key and only he can decrypt it with his private key.
    
    When somebody writes a message to you, it is encrypted with your public key and only you can decrypt it with your private key.
    
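    It is similar to PGP encryption. The difference is that private keys and public keys are stored in Sonar, so all the messages can be encrypted automatically. Because the keys are held by Sonar rather than by you, this does not replace encrypting sensitive messages with your own PGP key (see question 8).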
    
  3. How do I use Sonar ?

    Using Sonar is very simple. You only need to create an account and share your account name with your peers so they can contact you.
    
    If you want to get the highest privacy, take into consideration the following tips:
    
    - Always encrypt sensitive or private information using 4096-bit PGP keys.
    - If you are extra paranoid, you can also encrypt non-sensitive information.
    - Set up a self destruction time as short as you can.
    - Remove sent and received messages that are highly critical as soon as you no longer need them.
    - Never save a copy of the messages unless it is really necessary and you can store that copy encrypted.
    
  4. Why should I use Sonar ?

    Sonar offers more security features than any other communication method in Tor. You can see that in our comparison tables.
    
    If you care for your privacy, you should consider using Sonar.
    
  5. Sonar vs Private messages

    Private messages in forums like Dread or The Hub are not really private. Anybody with access to the server or the database can read those messages.
    
    There are several benefits in Sonar compared to private messages in forums:
    
    - All the messages are stored encrypted
    - The messages can be removed, for both the receiver and the sender, by one of the parties
    - You can configure a self destruction for all your messages
    - API to check your inbox and to send messages
    
  6. Sonar vs Email

    These are the benefits of Sonar compared to emails:

    - All the messages are stored encrypted
    - When you remove a message, it will be removed for you and the person that received the message
    - It does not use JavaScript (some webmail services do)
    - You can configure a self destruction for all your messages
    - API to check your inbox and to send messages
    
  7. Do you keep any logs ?

    Sonar does not keep any logs with sensitive information.
    
    When a message is sent, a single copy of that message with all its metadata is stored encrypted in the database. When that message is removed, the entire message including all the metadata is removed.
    
    Sonar does not store the subject and message in any logs.
    
    We keep web server logs for 14 days, but those logs do not contain any sensitive information, only URLs. Since we use Tor, the user IP does not appear in the logs.
    
  8. Can I stop using PGP ?

    No. Sonar is not a replacement for PGP.
    
    You need to keep encrypting the messages in the same way you encrypt them now. With Sonar, you get some additional security features, but that does not mean that you can stop using PGP.
    
    PGP encryption is particularly important for sensitive information. If you use Sonar + PGP for your sensitive information, you will get the best security.

  9. Isn't PGP better than Sonar ?

    PGP and Sonar are different tools and provide different features.
    
    PGP provides data encryption and Sonar provides message delivery.
    
    This means that you can use Sonar and PGP together to encrypt and send all your messages.
    
  10. Why should I trust your tool?

    Nobody should ever fully trust an online messaging service. Whether it's Sonar, Telegram, a forum, or an email provider does not matter.
    
    As stated in the previous section, Sonar is not a means of replacing PGP encryption, but it is a tool that seeks to further secure your PGP encrypted communications in a user-friendly environment.
    
    Using Sonar, you can encrypt all your messages with PGP and you will still get better security than with any other communication method in Tor.
    
    If you want to know more about us, we have created three tools that you can check: Sonar, Dark Eye and DarkNet Trust.
    
    We have created these tools because we believe in privacy, in freedom of speech and because we believe people should be free to do whatever they want as long as they don't hurt others (including animals and our planet).
    
  11. What if somebody gets access to Sonar's database ?

    If somebody was able to hack Sonar and get a copy of the database, they would only get encrypted information. All the messages, including the message itself and the subject, are encrypted. The only information they would get is the username that sent the message, the recipient and the time.

    Messages that have been deleted are completely removed, including usernames and times, so there would be no information at all for those messages.
    
    The private keys and other sensitive information are also encrypted. This means that whoever got a copy of the database will not be able to decrypt any message.
    
  12. How should I choose a secure password ?

    The security of your password depends on the characters you use and the length.
    
    It is also important to avoid dictionary words and common patterns. We won't cover that here; we want to explain the role of length and characters when choosing a password. Do your own research on common words and patterns.

    The point we want to make is that a password made of only lowercase letters can be more secure than a password with symbols, depending on the length.

    An 8-character password with symbols is easier to crack than a 9-character alphanumeric password:

    abcdAB9.      = 1.12 minutes to crack
    abcdAB9bc     = 2.29 minutes to crack

    A 10-character password with symbols is also easier to crack than a 12-character alphanumeric password:

    a!cdABa9a.    = 1 week
    abcdAB9aabbb  = 1 year

    Just make sure you use a long password.

    These are our recommendations for minimum length depending on the characters you use:
    
    a-z: Make it at least 17 characters long (3.75 centuries to crack)
    
    a-z, 0-9: At least 15 characters long (72 years to crack)
    
    a-z, A-Z: At least 14 characters long (3.43 centuries to crack)
    
    a-z, A-Z, 0-9: At least 14 characters long (40 centuries to crack)
    
    a-z, A-Z, 0-9, symbol: At least 12 characters long (1.74 centuries to crack)
    
    This information has been created based on this calculator and a cracking power of one hundred trillion guesses per second (Massive Cracking Array Scenario): https://www.grc.com/haystack.htm
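
    The arithmetic behind these figures, as an added example (not part of the original page and not the calculator's own code). It assumes an exhaustive search over every password up to the given length, character classes of 26, 26, 10 and 33 symbols, and the page's rate of one hundred trillion guesses per second; the function names are illustrative.

```python
import string

# Assumption: the page's "Massive Cracking Array" rate of one hundred
# trillion (1e14) guesses per second.
GUESSES_PER_SECOND = 10**14
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Character classes; the symbol class is the 32 ASCII punctuation marks
# plus the space character (33 in total).
CHAR_CLASSES = (
    string.ascii_lowercase,      # 26
    string.ascii_uppercase,      # 26
    string.digits,               # 10
    string.punctuation + " ",    # 33
)


def alphabet_size(password: str) -> int:
    """Sum the sizes of every character class the password draws from."""
    return sum(len(cls) for cls in CHAR_CLASSES
               if any(ch in cls for ch in password))


def search_space(alphabet: int, length: int) -> int:
    """Count all candidates of length 1..length over the alphabet."""
    return sum(alphabet ** k for k in range(1, length + 1))


def seconds_for(alphabet: int, length: int) -> float:
    """Worst-case time to exhaust the search space at the assumed rate."""
    return search_space(alphabet, length) / GUESSES_PER_SECOND


def seconds_to_crack(password: str) -> float:
    """Apply the model to a concrete password (brute force only)."""
    return seconds_for(alphabet_size(password), len(password))


if __name__ == "__main__":
    # The four sample passwords quoted in this section.
    for pw in ("abcdAB9.", "abcdAB9bc", "a!cdABa9a.", "abcdAB9aabbb"):
        print(f"{pw:14} alphabet={alphabet_size(pw):3} "
              f"{seconds_to_crack(pw):,.0f} s")
    # The recommended minimum lengths listed in this section.
    for name, size, length in (("a-z", 26, 17), ("a-z, 0-9", 36, 15),
                               ("a-z, A-Z", 52, 14), ("a-z, A-Z, 0-9", 62, 14),
                               ("a-z, A-Z, 0-9, symbol", 95, 12)):
        years = seconds_for(size, length) / SECONDS_PER_YEAR
        print(f"{name:22} length {length}: {years:,.0f} years")
```

    The model only bounds exhaustive search; it says nothing about dictionary words or common patterns.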
    
  13. Templates

  14. What are Templates?

    A template is a canned response. It is a message that you send often and you just save it in a template so you don't need to write the same message every time.

  15. How to create Templates?

    You can create new templates in your account settings. When you log in to your account, you need to go to Settings and then to Templates. You can create templates there.

  16. How to use Templates?

    When you write a message to somebody or reply to a message, instead of writing the full message, you can load a template. Once the template is loaded, you can modify anything you want from the template and send it.

  17. What do Templates do?

    Templates make it easy to send the same message many times, because you have a copy of that message and you don't need to write the full message every time.

  18. Mailvelope

  19. What is Mailvelope?

    Mailvelope is an open source Firefox/Tor add-on to securely encrypt your messages with PGP. It has been created primarily for email but we have made some changes to our website so you can now also use it in Sonar. If you want to know more, you can check their website:

    https://www.mailvelope.com/en/

  20. How can I use Mailvelope ?

    If you want to use Mailvelope you have to follow these steps:

    1- Install Mailvelope in your browser. You can find it in addons.mozilla.org.

    2- Generate or import your PGP key(s)

    3- Go to the Sonar website and authorize the domain: Click the Mailvelope icon and select "Authorize this domain". Leave the default options and click Ok.

    4- If you use different Sonar mirrors, you will have to authorize all mirrors.

    Now, when you click "Compose" in Sonar, you will have a new Mailvelope icon that allows you to encrypt the message locally.

    In the same way, when you receive a PGP encrypted message, you will see a Mailvelope button that will allow you to decrypt it locally.

    You are now using Sonar with e2e encryption.

  21. Do you recommend Mailvelope ?

    It depends on your threat model. This is why it is important for you to understand how each tool can protect you. Once you know the protection that each tool can provide, you can decide which one is better for you.

    If you want the highest privacy, you should only encrypt messages manually with PGP, you should not use Mailvelope and you should never enable JavaScript in Tor browser.

    We have added support for this feature because we found it in Riseup email and it is never bad to have options available. Different people will have different threat models and we believe some people can benefit from using Mailvelope.

    People using Protonmail already use JavaScript in Tor browser, and they could benefit from using Mailvelope instead.

  22. Security considerations

    In order to use Mailvelope you will have to enable JavaScript in Tor browser and that is a security risk that you need to consider.

    With JavaScript enabled, any website you visit can potentially hack your browser.

  23. Mailvelope vs Protonmail

    Mailvelope can bring an important security feature to those currently using Protonmail.

    Protonmail stores the PGP keys in their servers, which means they could potentially get access to those keys. Mailvelope stores the PGP keys in your computer, which means Sonar can never access your PGP keys.

  24. More questions ?

    If you have a question that has not been answered, don't hesitate to contact us using the contact form at the bottom of this page.
    
    Thank you for your interest.
    


The private PGP key is stored encrypted so even if the server gets hacked the hacker gets no keys.
For higher security, you can manually encrypt the messages with PGP.

