Fork me on GitHub

Secure email for everyone.


Big brother is here. Mass surveillance with breadth, depth, and immediacy.

With a few keystrokes, bureaucrats can read the emails you got this morning.

You should care, even if you have nothing to hide.


This is a work in progress.

Ideas, bug reports, and code reviews are much appreciated.


Scramble is end-to-end encrypted webmail. For conversations between Scramble addresses, the servers never have access to the plaintext message or body of your mail--only From and To.

It uses public-key encryption. That leads to the tricky problem of key exchange. Our solution is make your email the hash of your public key. For example,

(That's me. Feel free to send me a note!)

The bad news is that you can't memorize it. The good news is that you can look up someone's public key from an untrusted server, and easily verify its correctness. This is the same tradeoff that Tor Hidden Services make.

Address book

Your address book is now very important: since your contacts' email addresses are just a jumble of letters and numbers, you need the address book in order to send mail or know who a received message is from.

To preserve your anonymity, the server stores your address book encrypted with your own public key. When you log in, you download the encrypted address book, and decrypt it in your browser. If you add new entries, the client encrypts the modified address book, again in the browser, and sends it back to the server. Thus, not only are the Subject and Body of each email unknown to the server, but the real names associated with From and To can also be anonymous.


Some users will opt for less security and more convenience.

For compatibility, you can exchange email with addresses outside of Scramble. Those messages are sent in plaintext. Incoming plaintext messages are encrypted with your public key for storage, so nobody can obtain the records from Scramble after the fact.

Be careful about doing this, especially if you want to keep your address anonymous. The security guarantees here are, of course, weaker than for conversations between Scramble users.

The Old Threat Model

The old threat model was simple. Hackers from faraway countries, scammers, or just the troll sharing an open cafe WiFi network with you. Those people shouldn't be able to read your email.

Existing webmail services, such as Gmail, address this threat adequately. They use HTTPS, they use secure SMTP, they support two-factor authentication, and so on.

A Brave New World

The new threat is more complex. Centralized adversaries, such as the Chinese government or the NSA, compromise the privacy of entire populations. Existing services have proven to be insecure.

A few months ago, for example, a Chinese root CA issued a false certificate for This allowed the government to run a MITM attack against certain activists. With the green lock logo still there, the victims had no easy way to know anything was amiss. This is not Google's fault--it's an inherent limitation of HTTPS. Centralized adversaries, unlike typical hackers, control root CAs.

Then, a few weeks ago, we learned that American government takes an even more direct approach. Using a secret judgement, rendered by a secret court and based on secret laws, they go to the places where data already resides--such as Google's servers--and compel the owners to provide secret access. That is, Google is not allowed to tell its users that they're being spied on.

The new threat model is harsh: all data not stored by yourself or your recipient is available to the adversary. Hence, Scramble servers store only ciphertext.

Down the Rabbit Hole

Another possibility goes further than demanding email records: centralized adversaries could simply commandeer our servers. For now, that threat is just theoretical, but given recent events it's never too early to start planning.

Users of webmail are inherently not secure against such an attack. The adversary can simply serve them modifed Javascript, designed to reveal their passpharse, private key, or plaintext emails.

To protect against this, we plan to offer a browser extension soon. Once installed, you'll have the same UI you know and love---but the HTML, CSS, and Javascript will be served from local disk. An adversary cannot serve you tainted code, and they cannot access any of your plaintext, even if they control the server. The server is fully untrusted, and everything you send to or receive from it is already encrypted!

Why Not PGP?

PGP has been around for a very long time, yet almost nobody uses it. This is a shame.

We see three problems with PGP:

Scramble is our attempt to fix these shortcomings.

Opt-In Security

Scramble is for everyone. Hence, we want to accomodate a lot of choices.

Users who care most about convenience can use the webmail client. They can check their email anywhere, even on a library computer. They can exchange mail with regular, unencrypted addresses. Even then, they get better protection than current webmail offers: because the server encrypts all mail with the recipient's public key before storing it, nobody can retroactively ask us for the contents of your inbox. We don't know what's there.

Users who want even stronger security can keep their address secret except from people they trust. To spies, the address is anonymous. They can also use the browser extension intead of webmail.

Here's the full set of options and the threat models they protect against.

Eavesdrop Demand Records SSL Wiretap Full compromise
Scramble Webmail
Scramble Extension


You'll notice that since the server never sees the contents of an email, it knows nothing about its users. So targeted advertising isn't possible... and even if were, we don't like it.

Scramble is free and ad-free. Its our gift to you. We want you to exercise your Fourth Amendent freedoms, to communicate without fear of "unreasonable search and seizure".

If you'd like to help, check out the Github repo

Special thanks to Moxie for inspiration, Feross for a lot of good ideas, and many other friends.