Open Source

End-to-end encryption for any web messenger

Veil encrypts your messages before they leave your browser. The platform only sees ciphertext. No accounts, no servers storing your messages.

How it works

Three steps to encrypted chat

1. Create an invite

Click "Start Session" in the Veil popup. An invite code is generated using your ephemeral key pair and sent through the chat.

2. Your peer connects

They open Veil, start a session, and the extension automatically detects your invite. A reply code is sent back.

3. Chat encrypted

Both sides derive a shared secret. Every message you type is encrypted with AES-256-GCM before it enters the chat.

Security model

What Veil protects and what it does not

What Veil does

  • Encrypts messages end-to-end with AES-256-GCM
  • Generates fresh ECDH P-256 key pairs per session
  • Derives shared secrets with HKDF
  • Verifies session integrity through fingerprint comparison
  • Detects man-in-the-middle attacks via out-of-band server verification
  • Sends an end signal so both sides wipe keys simultaneously

What Veil cannot protect

  • Device-level compromise (malware, spyware, keyloggers)
  • Physical access to an unlocked device
  • Metadata: who you talk to, when, and how often
  • Screenshots or screen recording by the platform or OS
  • A compromised browser or extension store supply chain

Every session generates a short fingerprint code. Veil checks it through three independent channels so you know no one is intercepting.

🔍

In-band

Automatic check through the messenger itself. Catches bugs and accidental mismatches.

🖥

Server

Independent check through Veil's relay server. Catches active man-in-the-middle attacks.

📞

Out-of-band

Compare the fingerprint through a call or a different app. The strongest guarantee.
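
The three steps and the fingerprint comparison described above, as an added example that is not Veil's own code. It uses Node's built-in crypto module so it runs offline; the HKDF salt and info string, the fingerprint format, the message layout and every function name are assumptions.

```javascript
// Added example: ECDH P-256 -> HKDF -> AES-256-GCM with a session fingerprint.
// HKDF salt/info, fingerprint format and all names are assumptions, not Veil's code.
const nodeCrypto = require("node:crypto");

// Each side generates a fresh (ephemeral) P-256 key pair per session.
function newSession() {
  const ecdh = nodeCrypto.createECDH("prime256v1");
  return { ecdh, publicKey: ecdh.generateKeys() }; // publicKey travels in the invite/reply
}

// Sort the two public keys so both peers hash them in the same order.
function orderedKeys(a, b) {
  return Buffer.compare(a, b) <= 0 ? [a, b] : [b, a];
}

// Shared secret -> 256-bit AES key via HKDF-SHA-256, bound to both public keys.
function deriveKey(session, peerPublicKey) {
  const secret = session.ecdh.computeSecret(peerPublicKey);
  const salt = Buffer.concat(orderedKeys(session.publicKey, peerPublicKey));
  return Buffer.from(nodeCrypto.hkdfSync("sha256", secret, salt, "example-session-v1", 32));
}

// Short code both users compare; it differs if either side saw a substituted key.
function fingerprint(session, peerPublicKey) {
  const h = nodeCrypto.createHash("sha256");
  orderedKeys(session.publicKey, peerPublicKey).forEach((k) => h.update(k));
  return h.digest("hex").slice(0, 12).toUpperCase();
}

// AES-256-GCM with a random 96-bit nonce; output is nonce || tag || ciphertext.
function encrypt(key, plaintext) {
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv("aes-256-gcm", key, iv);
  const body = Buffer.concat([c.update(plaintext, "utf8"), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), body]).toString("base64");
}

// Throws if the key is wrong or the ciphertext was modified in transit.
function decrypt(key, encoded) {
  const raw = Buffer.from(encoded, "base64");
  const d = nodeCrypto.createDecipheriv("aes-256-gcm", key, raw.subarray(0, 12));
  d.setAuthTag(raw.subarray(12, 28));
  return Buffer.concat([d.update(raw.subarray(28)), d.final()]).toString("utf8");
}
```

When both peers hold each other's genuine public keys, `fingerprint()` returns the same code on both sides; if either side received a different key, the codes no longer match, which is what the three comparison channels check.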

Privacy

Designed to know nothing about you

🚫

No accounts

No sign-up, no email, no phone number. Install and use.

💭

Keys in RAM only

Session keys live in chrome.storage.session — memory only, never written to disk. Close the browser and they are gone.

🔓

Open source

Every line of code is public. Audit it, fork it, build on it.