Frequently Asked Questions
Why did you make Orbit?
Orbit was built in response to a problem that affects every popular "encrypted" messenger you've heard of, including Signal, WhatsApp, Telegram, and Threema. The problem isn't with their encryption — it's underneath the apps, at the level of the phone itself.
Here's the short version. When someone sends you a message, your phone has to show you a notification. To do that, the message has to be decrypted briefly, and the decrypted preview gets handed to a system on your phone called the push notification service — Apple's on iPhone, Google's on Android. That system caches the notification on disk so it can show it on your lock screen, on your watch, and to other parts of the operating system.
That cache lives outside the messenger app. The app can't see it, the app can't clear it, and "deleting" a message inside the app doesn't touch it. If someone gets physical access to your phone with the right forensic tools, they can pull messages out of that cache that you thought were long gone — including messages you specifically deleted. This was reported in detail in this writeup on theytelluslies.com: federal agents recovering deleted Signal messages from a seized iPhone, not by breaking Signal's encryption, but by reading Apple's notification cache.
Every major messenger has the same exposure because every major messenger has to use either Apple's push service or Google's push service to deliver notifications. There's no third option. The fix has to come from the messenger choosing to handle notifications differently — most don't.
Orbit is built differently from the start:
- Notifications never contain your messages. When someone messages you, the push notification you receive only says "New encrypted message from <username>". That's all that hits Apple's or Google's notification cache. Your actual message content is never decrypted at the OS level — only when you open the app and the page in your browser does the decryption, in memory, where it stays only until you close the tab. File notifications don't even include the filename.
- The server holds nothing it could turn over. Messages and files are encrypted in your browser before they're uploaded. The server stores only the ciphertext — random-looking bytes — plus an initialization vector. There is no plaintext on the server to subpoena.
- The encryption keys are yours alone. Your browser generates a private key that never leaves your device. Conversations are encrypted with keys derived from a Diffie-Hellman exchange between your private key and your contact's public key. The server only ever sees the public halves — it cannot derive the conversation key, and cannot decrypt anything even if compelled to try.
- The optional Key Vault is encrypted with a passphrase only you know. If law enforcement asked us for "your keys," we genuinely don't have them. We have an encrypted blob and no way to open it.
To be honest about the limits: Orbit can't fix the OS-level cache for other apps on your phone, and it doesn't make your phone immune to forensic tools in general. Anyone who has your unlocked device while Orbit is open can read what's on screen — that's true of any messenger. What Orbit does do is make sure no Orbit message lands in that notification cache in the first place, and no Orbit content sits decrypted on a server somewhere.
What is Orbit?
An end-to-end encrypted Progressive Web App messenger inspired by ICQ. Text, files, images, voice, and video — all encrypted in your browser before they reach the server. You get a unique Orbit number, just like the old days.
Do I need to install anything?
No. It runs in any modern browser at 3133t.net. On Android Chrome and iOS Safari you can also install it as a Progressive Web App from the address bar / Share menu — that gets you a home-screen icon, push notifications for messages and calls, and a smoother launch. On iPhone, installing it is required for notifications to work at all (an Apple rule, not ours).
How is encryption set up between me and a contact?
Automatically — there's nothing to configure. When you create your account, your browser generates a P-256 elliptic-curve keypair. The private key stays on your device; the public key is published to the server. When you message a contact, your browser combines your private key with their public key (an ECDH key agreement) to derive a conversation key that only the two of you can compute. Every message and file is encrypted with AES-GCM under that key, with a fresh random nonce each time. The server only ever relays ciphertext.
To rule out tampering, open a contact's menu and tap Verify safety number. You'll both see the same 6 emoji and 12 number groups — compare them over a channel you trust (in person, a phone call you recognize). If they match, no one is sitting in the middle of your conversation.
What is the Key Vault?
Optional, but strongly recommended. The vault encrypts your private key with a vault passphrase you choose, then backs up the encrypted blob to the server. New device, new browser, or wiped storage? Sign in, enter the vault passphrase, and your key — and with it your entire message history — comes right back. The server can't read the vault: the passphrase is run through 250,000 rounds of PBKDF2 in your browser and never transmitted.
What happens if I forget my vault passphrase (or never set one up)?
If you still have a signed-in device with the key on it: open My Account there and set up a new vault. If you don't, the old key is gone — there is no recovery, by design. You can generate a new key and keep your account and contacts, but messages encrypted to the old key become permanently unreadable, and your contacts will see a "key changed" warning until they verify the new safety number with you. A recovery backdoor would defeat the point.
What happens if I forget my account password?
An admin can reset your account password. That gets you back into your account, but it does not — and cannot — touch your encryption key or vault. Whoever resets your password still can't read your messages.
Why does my contact show as offline even though they're using the app?
"Online" specifically means "their app has a live connection open right now." Mobile browsers drop that connection when the app is backgrounded or the screen is locked, even though the user is still logged in. Your messages and files still arrive — they're stored as ciphertext and a (content-free) push notification fires through the OS. They may also simply have set themselves Invisible.
How big a file can I send?
Up to 100 MB per file. Each recipient's pending storage caps at 5 GB. Files persist until either party deletes them.
Can I use it on iPhone?
Yes. Open the site in Safari, tap the Share icon, then Add to Home Screen. The installed app gets real push notifications for messages and incoming calls. One caveat: iOS purges browser-stored data — including your encryption key — after 7 days of not using an uninstalled web app. Installing Orbit avoids the purge in practice, and setting up the Key Vault makes you immune to it either way.
Are voice and video calls encrypted?
Yes. WebRTC uses DTLS-SRTP between peers natively. The server only relays signaling (offer/answer/ICE); the audio and video stream peer-to-peer when your networks allow it. When a direct path isn't possible (strict NATs, cellular carriers), the call relays through our TURN server — which forwards the already-encrypted stream and cannot decrypt it.
Does the server keep logs of who I message?
The server stores message ciphertext, sender/recipient user IDs, and timestamps so messages survive until pickup. It does not store IP addresses in app logs. Front-end web servers (Caddy) keep standard access logs that include IP and request line, retained briefly for operational debugging.
Can I delete my data?
Yes. The Delete my account button in My Account wipes your account, contacts, messages, files, vault, call history, and push subscriptions immediately and permanently. Removing a contact wipes the conversation on both sides.
Is it open source?
Not at this time. The source is auditable to the extent that the JavaScript runs in your browser — you can read every line of the crypto via the Sources panel of your browser's DevTools.