Make the web private without changing platforms.
Quack is a browser extension that enables end-to-end encrypted messaging on any website. Communicate privately on YouTube, Twitter, Reddit, or anywhere—without requiring anyone to switch platforms.
People want secure communications, but moving friends to new platforms is nearly impossible. Signal is secure, but requires everyone to leave their existing apps.
Quack solves this by encrypting the web itself.
- Encrypt anywhere — YouTube comments, Twitter DMs, Reddit posts, anywhere
- No platform switching — Use existing websites with end-to-end encryption
- Quantum-resistant — Post-quantum cryptography (ML-KEM-768) + AES-256-GCM
- Wallet-grade security — MetaMask-style vault with master password protection
- Stealth mode — Hide who you're messaging from observers
```bash
git clone https://github.com/0xneves/quack.git
cd quack
npm install
npm run build
```
Then load in Chrome:
- Open `chrome://extensions/`
- Enable "Developer mode" (top right)
- Click "Load unpacked"
- Select the `dist/` folder
Chrome, Edge, Brave, and any Chromium-based browser.
- Click the Quack extension icon
- Create a master password (this protects your vault)
- Generate your first encryption key
- Share your public key with trusted contacts (via Signal, in-person, etc.)
- Type `Quack://` in any text field on any website
- A secure compose window opens (isolated from page scripts)
- Write your message and select which group to encrypt with
- Optional: Enable 🥷 Stealth Mode to hide the recipient
- Click "Duck it" — the ciphertext is copied to clipboard
- Paste into the original field and send
Messages are automatically decrypted when you visit a page:
- The extension scans for `Quack://...` patterns
- If you have the matching key, plaintext appears with a lock indicator
- Only you (and others with the key) can read the message
Create groups to share encrypted keys with multiple people:
Creating a group:
- Go to Dashboard → Groups → Create Group
- Name your group — a shared AES-256 key is generated
Inviting members:
- The person must already be in your Contacts (you need their public key)
- Select the contact → an invite is created encrypted specifically for them
- Share the invite link — only the intended recipient can decrypt it
Accepting an invite:
- Receive the invite string (`Quack://INV:...`)
- Your extension detects it automatically (or paste into Dashboard)
- Your private key decrypts the invite → you receive the group key
- Now you can encrypt/decrypt group messages
When enabled, messages are encrypted without revealing the recipient fingerprint. The message format becomes Quack://_:[iv]:[ciphertext] — observers can't tell who it's for.
Recipients with Stealth Decryption enabled will try all their keys to decrypt. Slightly slower, but maximum privacy.
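The trial decryption described above can be sketched as follows. This is an added example, not Quack's own code: it uses Node's `crypto` module in place of the browser's WebCrypto, the function names are hypothetical, and it assumes base64 fields, a 12-byte IV, a 16-byte GCM tag appended to the ciphertext, and a non-stealth layout of `Quack://[fingerprint]:[iv]:[ciphertext]`.

```javascript
// Added example (not Quack's code). Assumed wire format: base64 fields,
// 12-byte IV, 16-byte GCM tag appended to the ciphertext.
const { createCipheriv, createDecipheriv, randomBytes } = require("node:crypto");

const PREFIX = "Quack://";

function encrypt(key, fingerprint, plaintext, stealth) {
  const iv = randomBytes(12); // fresh IV per message; never reuse one under the same key
  const cipher = createCipheriv("aes-256-gcm", key, iv);
  const body = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final(), cipher.getAuthTag()]);
  return `${PREFIX}${stealth ? "_" : fingerprint}:${iv.toString("base64")}:${body.toString("base64")}`;
}

// Returns the plaintext, or null when the GCM tag does not verify under this key.
function tryKey(key, iv, body) {
  try {
    const decipher = createDecipheriv("aes-256-gcm", key, iv);
    decipher.setAuthTag(body.subarray(body.length - 16));
    const pt = Buffer.concat([decipher.update(body.subarray(0, body.length - 16)), decipher.final()]);
    return pt.toString("utf8");
  } catch {
    return null; // tag mismatch: wrong key or tampered message
  }
}

// keyring: Map of fingerprint -> 32-byte key. Returns { plaintext, fingerprint, tried } or null.
function decrypt(message, keyring, stealthDecryption = true) {
  if (!message.startsWith(PREFIX)) return null;
  const parts = message.slice(PREFIX.length).split(":");
  if (parts.length !== 3) return null; // invites and malformed strings are not messages
  const [recipient, ivB64, bodyB64] = parts;
  const iv = Buffer.from(ivB64, "base64");
  const body = Buffer.from(bodyB64, "base64");
  if (iv.length !== 12 || body.length < 16) return null;
  let candidates; // stealth: every key; otherwise only the key named by the fingerprint
  if (recipient === "_") candidates = stealthDecryption ? [...keyring] : [];
  else candidates = keyring.has(recipient) ? [[recipient, keyring.get(recipient)]] : [];
  let tried = 0;
  for (const [fingerprint, key] of candidates) {
    tried++;
    const plaintext = tryKey(key, iv, body);
    if (plaintext !== null) return { plaintext, fingerprint, tried };
  }
  return null;
}
```

The `tried` counter makes the linear cost of stealth decryption visible: each stealth message costs up to one AES-GCM attempt per stored key, while a fingerprinted message costs one.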
Type Quack:// to open an isolated composer — protected from page analytics, keyloggers, and tracking scripts.
Extension automatically detects and decrypts Quack:// messages using your saved keys.
Create shared encryption groups. Invites are encrypted per-recipient using Kyber key exchange — only the intended contact can accept.
Export/import your entire vault with AES-256 encryption. Safe to store in cloud storage.
- Auto-Lock Timer — Configure how long the vault stays unlocked (1-999 minutes, or disable entirely)
- Stealth Decryption — Toggle whether to try decrypting stealth messages (brute-force with all your keys)
| Purpose | Algorithm | Notes |
|---|---|---|
| Key Exchange | ML-KEM-768 | Post-quantum (NIST FIPS 203). Used for secure group invitations. |
| Message Encryption | AES-256-GCM | Symmetric encryption for all messages. |
| Vault Encryption | AES-256-GCM + PBKDF2 | Master password derives key via PBKDF2 (100k iterations). |
- Post-quantum resistant key exchange (ML-KEM-768)
- Keys encrypted at rest with master password
- Session-only storage (keys never written to disk while unlocked)
- Isolated compose window (no page script access)
- Stealth mode hides message recipients
- Spam protection (10 auto-decrypts per viewport)
- No forward secrecy (static keys)
- No sender authentication (no signatures yet)
- Metadata visible to platforms (message length, timing)
```bash
npm run build       # Production build
npm run dev         # Development mode with watch
npm run test        # Run test suite
npm run test:watch  # Run tests in watch mode
npm run type-check  # TypeScript type checking
npm run lint        # ESLint
```
```
src/
├── background/     # Service worker
├── content/        # Content script modules
├── crypto/         # Cryptographic operations
│   ├── aes.ts      # AES-256-GCM
│   ├── kyber.ts    # ML-KEM-768 (post-quantum)
│   ├── pbkdf2.ts   # Key derivation
│   ├── message.ts  # Message format
│   └── group.ts    # Group key management
├── popup/          # React popup UI
├── storage/        # Vault and settings
└── types/          # TypeScript definitions
```
```bash
npm test
```
54 tests covering cryptographic operations, message encoding/decoding, vault operations, export/import flows, and group key management.
- Guilherme Neves (@0xneves)
- Jarvis (@Javis_Third)
MIT — see LICENSE
This is experimental software. Use at your own risk. Always share keys via secure channels.