What is Gone?
Go + One = Gone
Gone is a tool for sharing secrets privately, readable only one time. The server component is written in Golang, a language designed for simplicity and efficiency by Google. The client-side application is built with vanilla JavaScript and modern WebCrypto APIs to perform encryption and decryption directly in your browser.
Gone is open source software. The source code is available on GitHub under the GNU Affero GPL v3.
What encryption does Gone use?
Gone uses AES-256-GCM provided by WebCrypto APIs for client-side encryption, which is the same encryption trusted by banks, governments, and security-conscious organizations worldwide.
How Gone Keeps Secrets Secret
Gone is designed so the server never learns your secret. The critical cryptography happens entirely in your browser before anything is sent over the network.
High Level Flow
- You type a secret into the form. Before it leaves your device, the browser generates a fresh, random encryption key.
- Client-side encryption (using modern WebCrypto primitives) transforms the plaintext into an opaque blob.
- Only the encrypted blob is sent to the Gone server. The key never leaves the browser.
- The server stores just that blob plus minimal metadata (TTL & one-time marker).
- A shareable URL is produced. The secret key is embedded in the URL fragment (the part after #) or query component so the server still never sees it during retrieval.
- The recipient loads the URL; their browser extracts the key locally and fetches the encrypted blob.
- Decryption happens client-side; the server remains blind to the plaintext the entire time.
- One-time consumption: after first successful retrieval the stored blob is deleted, preventing reuse.
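The flow above as a runnable sketch. This is an added example, not Gone's source code: the in-memory Map standing in for the server, the gone.example origin, the /s/ path, the hex key encoding and the IV-plus-ciphertext blob layout are all assumptions made for illustration, and it uses the fragment form of the link.

```javascript
// Added illustration, not Gone's source. Storage, URL layout and blob format
// (12-byte IV followed by ciphertext) are assumptions.
const wc = globalThis.crypto ?? require('node:crypto').webcrypto; // browser or Node
const store = new Map(); // hypothetical server storage: id -> encrypted blob only

const toHex = (bytes) => Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
const fromHex = (hex) => Uint8Array.from(hex.match(/.{2}/g), (h) => parseInt(h, 16));

async function createShare(plaintext, origin = 'https://gone.example') {
  const key = await wc.subtle.generateKey({ name: 'AES-GCM', length: 256 }, true, ['encrypt']);
  const iv = wc.getRandomValues(new Uint8Array(12)); // fresh 96-bit nonce per secret
  const ct = new Uint8Array(await wc.subtle.encrypt(
    { name: 'AES-GCM', iv }, key, new TextEncoder().encode(plaintext)));
  const blob = new Uint8Array(iv.length + ct.length);
  blob.set(iv);
  blob.set(ct, iv.length);
  const id = toHex(wc.getRandomValues(new Uint8Array(8)));
  store.set(id, blob); // the only data "uploaded": no key, no plaintext
  const rawKey = new Uint8Array(await wc.subtle.exportKey('raw', key));
  return `${origin}/s/${id}#${toHex(rawKey)}`; // key travels only in the fragment
}

async function openShare(shareUrl) {
  const url = new URL(shareUrl);
  const id = url.pathname.split('/').pop();
  const blob = store.get(id);
  if (!blob) throw new Error('gone: already read or expired');
  store.delete(id); // one-time consumption: removed on first retrieval
  const key = await wc.subtle.importKey('raw', fromHex(url.hash.slice(1)),
    { name: 'AES-GCM' }, false, ['decrypt']);
  // GCM is authenticated: a wrong key or altered blob rejects, it never yields garbage.
  const pt = await wc.subtle.decrypt(
    { name: 'AES-GCM', iv: blob.slice(0, 12) }, key, blob.slice(12));
  return new TextDecoder().decode(pt);
}

// What an HTTP request for the link carries: fragments are not sent to the server.
function requestTarget(shareUrl) {
  const u = new URL(shareUrl);
  return u.pathname + u.search;
}
```

Comparing requestTarget(link) with the full link shows which part of a share URL reaches server logs and which part stays in the browser.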
Why This Matters
- Zero server knowledge: Compromise of the storage tier yields only ciphertext.
- Ephemeral access: One-time retrieval shrinks the attack window.
- Short TTLs: Automatic expiry further limits exposure if a link lingers.
- No password reuse risk: You never transmit existing credentials in the clear.
Threat Model Notes
- Always verify you are on HTTPS (the app warns if not).
- The secrecy guarantee assumes the sender's and recipient's browsers are not compromised.
- Anyone who obtains the full share URL (including its key component) can decrypt the secret until first read or expiry.
What is the GNU Affero GPL v3, and what does it mean for users?
- If you simply use Gone and aren't hosting your own instance, you have no obligations.
- If you modify Gone and host your own instance, you must share your changes.
- The GNU Affero General Public License version 3 (AGPLv3) is a free, copyleft license for software and other kinds of works, specifically designed to ensure cooperation with the community in the case of network server software.
- It is similar to the GNU General Public License (GPL), but with an additional requirement that if you run a modified program on a server and let other users interact with it there, your server must also allow them to download the source code corresponding to the modified version running there.
- This ensures that users who interact with the software over a network have access to its source code, promoting transparency and collaboration.
- It also ensures that for-profit companies that use the software must share their modifications with the community, improving the software for everyone, not just shareholders.
- For more information, or to view the full text of the license, visit the GNU website.