[//] CIPHAR

Encrypted Chat for Journalists & Sources

The first contact between a reporter and a potential source is the most fragile moment in any sensitive story. The source has not yet decided whether to trust the reporter; the reporter does not yet know who the source is or what they have. Asking either party to install an app, register a phone number, or even reveal an email address before that first exchange will lose most sources.

The threat model

  • The source must remain unidentifiable to the reporter's organization, the source's employer, and any third party that might subpoena messaging-app records.
  • The reporter must not be tricked into exposing other sources by careless backups, contact-list syncs, or persistent message history.
  • Neither side wants a permanent searchable archive of the conversation living on either device.
  • The encryption must be real, not nominal — content has to be unreadable by the relay.

How Ciphar fits

A reporter publishes a Ciphar channel link (and access key) in their bio, on a tip-line page, or shares it directly with a known intermediary. The source loads the URL in any browser — no install, no account, no phone number. They type the access key, pick a callsign, and they are talking. Sixty minutes later, the channel and every byte of ciphertext is gone.

For ongoing coverage, the reporter can rotate channels daily and post the new link in a known place. The relay never sees plaintext, so even a compelled disclosure produces only opaque blobs that have already been deleted.

Workflow checklist

  • Open the channel from a clean browser session, ideally over Tor or a trusted VPN if your jurisdiction warrants it.
  • Share the URL and the access key over different channels (e.g., URL on a public bio page, access key in a Privnote link). The link alone is useless without the key.
  • Pick a callsign that does not identify either party.
  • Keep sensitive identifiers (real names, locations, dates) out of the channel name itself — the name is visible to the relay.
  • For follow-ups beyond an hour, agree on the next channel name in-channel before the timer expires.

What Ciphar is not for

Ciphar is for the early, anonymous, ephemeral contact. Once a working relationship is established and both parties trust each other with persistent identifiers, a long-lived encrypted messenger like Signal is a better tool for the actual document handoff and the long tail of follow-up.

Read more: Security & threat model · How Ciphar works · Ciphar vs Signal.

Open a tip channel in 5 seconds. No account.
Forge channel →