Difuzzion

Safety & Privacy

Encryption and digital identity. Learn how Difuzzion protects your data, your identity, and your communications — and what tools you have to control your experience on the platform.

Your Cryptographic Identity

On Difuzzion your identity is not an account held by a corporation — it is a cryptographic key pair generated entirely in your browser. The private key is encrypted with your password before it leaves your device; the server only ever stores the encrypted version (enc_private) and the public key.

Your 12-word recovery phrase is the sole backup of your identity. Difuzzion has no access to it and cannot reset it on your behalf. If you lose the phrase, your account is irrecoverable.

Pro Tip

Write your 12-word recovery phrase on paper and store it in a safe place. Never share it with anyone — not even Difuzzion support staff.

Connection Security

All communication with Difuzzion servers uses HTTPS/TLS (certificates provided by Let's Encrypt). WebSocket connections for the signaling server also go through WSS (WebSocket Secure) via the Nginx reverse proxy.

Your session is maintained through a token cookie with the following security flags:

  • HttpOnly — The cookie is not accessible to JavaScript, preventing XSS-based theft.
  • SameSite=Lax — Protects against cross-site request forgery (CSRF).
  • Secure — The cookie is only transmitted over HTTPS.

Attack Protections

Difuzzion implements multiple layers of defense:

  • CSRF — Anti-CSRF tokens are embedded in login and registration forms.
  • Brute-force — A progressive Proof of Work (PoW) challenge activates after 5 failed login attempts, making automated attacks computationally expensive.
  • XSS — All user inputs are sanitized with htmlspecialchars before rendering.
  • SQL Injection — Every database query uses prepared statements with parameterized bindings.
  • Timing attacks (creator IP) — A 10-minute server relay hides the IP of the original uploader when new content is published.

Privacy Controls

You have several tools to control who can interact with you:

  • Channel visibility — Set your channel to Public, Private, or Hidden from Profile → Settings.
  • Message policy — Choose who can send you messages: Everyone, Only followers, or Nobody.
  • Blacklist — Block specific usernames, keywords, hashtags, or title/description words. Blocked content is completely hidden from your feed.
  • Content visibility — Each piece of content can be set as Public (everyone), Private (followers only), or Hidden (only you).

Reporting & Blocking

If you encounter inappropriate content, tap the ⋮ menu on the content card and select "Report". Choose a reason (Spam, Harassment, Impersonation, Sexual, Violent/Repulsive, or Other) and provide additional details.

To block a user, tap ⋮ → Block on their profile or content. Blocked users cannot interact with you and their content disappears from your feed entirely.

Anonymous Usage

You can browse Difuzzion without an account as a guest, with limited functionality. To publish content you need to create an account — but registration requires only a username and password. No email address or personal information is required.

As with any P2P/WebRTC connection, your IP address is visible to peers you connect with. However, the 10-minute relay protection at publish time ensures no one can correlate the first seeder with the content creator.

Pro Tip

If you want an extra layer of anonymity, consider using a VPN or Tor browser when connecting to Difuzzion. The platform does not block these tools.