Both services use a URL fragment so the key never hits the server. The difference is in the details: Privnote uses an older encryption algorithm with a shorter key in the link, and the interface is cluttered with ads and trackers. ConfiMsg uses AES-256-GCM, a full 256-bit key, and zero third-party tracking.
Try ConfiMsg — no account neededPrivnote pioneered self-destructing notes and the core idea still holds: the key lives in the URL fragment and never reaches the server. But the implementation hasn't kept up. The encryption algorithm is older, the key embedded in the link is short — meaning a weaker cryptographic guarantee — and the page itself loads third-party ad scripts and tracking every time someone opens it.
For sending a one-time note with a password to a friend, that's probably fine. For anything sensitive — credentials, tokens, legal content — the combination of a weaker cipher, shorter key, and external trackers observing every visit is a meaningful step down in security posture.
ConfiMsg was built to fix exactly these three things: stronger cipher (AES-256-GCM), full-length key, no ads or trackers of any kind.
Same zero-knowledge URL fragment approach — but with a modern cipher, a proper key length, and no third-party noise.
GCM mode gives you authenticated encryption: any tampering with the ciphertext is detected before decryption. Privnote's algorithm is not publicly documented.
The key in the URL fragment is a full AES-256 key — not a short passphrase. A shorter key means a smaller brute-force search space. ConfiMsg doesn't cut corners here.
No Google Ads, no analytics scripts, no third-party pixels. Privnote loads external ad networks on every page — including the page where your recipient reads the note.
Attach files alongside your message, encrypted with the same key. Privnote is text-only.
| Feature | ConfiMsg | Privnote |
|---|---|---|
| Encryption algorithm | ✓ AES-256-GCM (authenticated) | Older algorithm, not publicly documented |
| Key length in link | ✓ Full 256-bit AES key | Short passphrase (~9 chars) |
| Key location | ✓ URL fragment (never sent to server) | ✓ URL fragment (never sent to server) |
| Self-destructs on read | ✓ Yes | ✓ Yes |
| No account required | ✓ Yes | ✓ Yes |
| File attachments | ✓ Supported (encrypted) | ✗ Not supported |
| Ads & trackers | ✓ None | ✗ Google Ads + third-party scripts |
Under the hood, ConfiMsg uses the Web Crypto API — the same cryptographic primitives your browser uses for HTTPS — to guarantee confidentiality before a single byte leaves your machine.
Write your secret note and optionally attach a file. A random AES-256 key is generated locally in your browser — it never touches any server.
Your browser encrypts the content with AES-256-GCM. The resulting ciphertext is uploaded. The decryption key is appended to the link as a URL fragment — the server never receives it.
The recipient's browser downloads the ciphertext, extracts the key from the URL fragment, and decrypts locally. The ciphertext is then permanently deleted from storage.
Not marketing claims. Verifiable technical properties baked into how ConfiMsg works:
AES-256 in GCM mode provides both confidentiality and authenticated encryption — any tampering with the ciphertext is detected. The same cipher used to protect classified government communications.
The decryption key exists only in the link's hash fragment. Browsers never include hash fragments in HTTP requests. This is not a policy — it is a structural guarantee enforced by the HTTP protocol itself.
The encrypted payload is purged from storage on first access, server-side. No copy is retained. Even if the server were compromised after the message was read, there is nothing to recover.
No email, no password, no profile. Sender anonymity is preserved by design. The service collects no identifying information that could be subpoenaed or leaked.
No account. No tracking. Your message encrypted in your browser before it ever leaves your device.
Create a secure message →Free to use · AES-256-GCM · Self-destructs on read
Specific to the ConfiMsg vs Privnote comparison: