WH15P3R

User Security Guide · Post-Quantum Edition

PURPOSE This guide explains how to use WH15P3R securely based on your threat level. Not all users face the same risks. Choose the appropriate security measures for your situation.

Quick Navigation

Understanding Your Threat Level
Level 1: Basic Security
Level 2: Enhanced Security
Level 3: High Security
Level 4: Maximum Security
Browser Compatibility
What Is Protected
What Is NOT Protected
Emergency Procedures
Frequently Asked Questions

UNDERSTANDING YOUR THREAT LEVEL

Select the security approach that matches your risk profile:

LOW RISK MEDIUM RISK HIGH RISK EXTREME RISK

LEVEL 1: BASIC SECURITY

LOW RISK

Who This Is For

Privacy-conscious individuals
Casual secure communications
Avoiding corporate surveillance
Basic confidentiality needs

Quick Start

Use a modern browser: Chrome 142+, Edge 142+, or Firefox 120+
Visit: wh15p3r.link
Look for: POST-QUANTUM READY
Confirm VPN/Tor usage: Check the security confirmation box
Click: "Text only" to generate session code
Share code with your contact via separate channel
Verify: Status shows PQ SECURE
Chat safely: Messages are quantum-resistant encrypted
End session: Close browser when finished

✓ PROTECTED AGAINST • Commercial data harvesting
• ISP surveillance
• Network eavesdropping
• Future quantum computers

LEVEL 2: ENHANCED SECURITY

MEDIUM RISK

Who This Is For

Journalists communicating with sources
Business professionals with confidential information
Activists in partially-free countries
Anyone facing moderate surveillance threats

Additional Requirements

Browser & Network Protection

RECOMMENDED: Use Tor Browser for maximum privacy Download: torproject.org
Benefit: Hides your IP address from both server and chat partner

Alternative: Use VPN (ProtonVPN, Mullvad, IVPN)

Connect to VPN before accessing WH15P3R
Choose privacy-focused providers
Avoid free VPN services

Session Code Verification (CRITICAL)

When you generate a session code, you must verify it with your contact:

SECURITY CHECK: Verify session code out-of-band

For maximum security:
• Call your contact on a separate phone
• Verbally confirm the session code matches
• Or exchange codes in person

Why this matters: Prevents man-in-the-middle attacks

Safe verification methods:

Phone call on different device: Read code aloud, confirm it matches
In-person exchange: Show codes on screens, verify they match
Existing secure channel: If you already use Signal securely, that works

⚠ NEVER share session codes via • SMS (not encrypted)
• Email (stored on servers)
• Social media (monitored)
• Insecure messaging apps

Operational Security

Access location: Avoid using from home/work if possible
Device security: Ensure device is clean, updated, trusted
Message discipline: Keep messages brief, avoid unnecessary details
Session hygiene: End sessions immediately when finished
Browser cleanup: Close browser completely after session

✓ ADDITIONALLY PROTECTED AGAINST • Targeted surveillance (moderate)
• Man-in-the-middle attacks (with verification)
• IP address correlation (with Tor/VPN)
• Metadata analysis (reduced)

LEVEL 3: HIGH SECURITY

HIGH RISK

Who This Is For

Individuals in authoritarian countries
Whistleblowers with sensitive information
Human rights activists facing real threats
Anyone under active government surveillance

CRITICAL At this threat level, digital security alone is insufficient. You must combine cryptographic protection with rigorous operational security and physical security measures.

Operating System Requirements

OPTION 1: Tails OS (Recommended for Desktop)

Tails = The Amnesic Incognito Live System

Characteristics:
• Boots from USB drive
• Runs entirely in RAM
• Leaves no traces on computer
• Includes Tor Browser pre-configured
• All data destroyed on shutdown

Download: tails.boum.org
IMPORTANT: Verify cryptographic signature

Usage:

Download Tails and verify signature
Create bootable USB drive
Boot computer from USB (nothing on hard drive)
Access WH15P3R through built-in Tor Browser
Shut down = all traces erased

OPTION 2: GrapheneOS (Mobile)

Hardened Android OS for Pixel phones
Enhanced privacy and security features
Regular security updates
Install from: grapheneos.org
Use with hardened browser or Tor Browser (Android)

Access Location Protocol

NEVER access from • Your home
• Your workplace
• Regular locations
• Anywhere with cameras showing your face
• Same location twice

ALWAYS access from:

Random public WiFi (libraries, cafes, airports)
Different location every time
High-traffic areas with many people
Locations you've never been to before
Vary timing and neighborhood

Session Code Exchange (High Security)

BEST PRACTICE: In-Person Verification

Arrange meeting at random public location
Use counter-surveillance awareness
Exchange codes face-to-face
Verify codes match exactly
Memorize if possible, destroy paper immediately
Leave separately by different routes
Wait 2-6 hours before connecting
Connect from completely different locations

ACCEPTABLE: Burner Phone Voice Call

Use burner phone purchased with cash
Remove battery between uses
Call from public location
Read code using phonetic alphabet
Destroy SIM after single use
Never reuse burner for same contact

LEVEL 4: MAXIMUM SECURITY

EXTREME RISK

Reality Check

IF YOU ARE SPECIFICALLY TARGETED BY A WELL-RESOURCED INTELLIGENCE AGENCY No digital communication system—including WH15P3R—can provide complete protection. Adversaries with unlimited resources can:

• Deploy zero-day exploits against any browser
• Compromise devices via supply chain interdiction
• Install hardware-level implants
• Conduct comprehensive physical surveillance
• Use legal coercion or violence

If You Must Communicate Digitally

Hardware Security

Use air-gapped devices for sensitive work (never connected to internet)
Disposable devices: Burner laptops purchased with cash, used once
Hardware verification: Inspect for tampering
Faraday bags: Store devices in RF-blocking bags when not in use

Communication Strategy

PRIMARY RULE: Use WH15P3R for meeting coordination only.
          Discuss actual sensitive topics in person.

Digital = coordination: Times, places (in code)
Physical = sensitive info: Meet in person for details
Time delays: Long gaps between digital contact and physical meeting
Dead drops: Physical information exchange
Compartmentalization: Different devices for different contacts

BROWSER COMPATIBILITY

Post-Quantum Encryption Support

Browser	Version Required	PQ Status	Notes
Chrome	142+	FULL SUPPORT	October 2025
Edge	142+	FULL SUPPORT	October 2025
Firefox	120+	FULL SUPPORT	November 2024
Tor Browser	Latest	RECOMMENDED	Based on Firefox
Brave	Latest	RECOMMENDED	Privacy-focused Chromium

Fallback: Older browsers use strong classical encryption (secure against current threats, not quantum-resistant)

WHAT IS PROTECTED

✓ MESSAGE CONTENT • End-to-end encrypted with post-quantum algorithms
• Protected against future quantum computers
• Cannot be decrypted by anyone (including us)
• Remains secure even if traffic is recorded today

✓ NO DATA STORAGE • No messages stored on any server
• No chat history saved
• No user accounts or registration data
• Server cannot be seized for your data (there is none)

✓ EPHEMERAL SESSIONS • Encryption keys exist only during active session
• Keys destroyed when session ends
• Keys never stored or transmitted to servers
• Cannot be reconstructed after session

WHAT IS NOT PROTECTED

✗ ENDPOINT SECURITY CRITICAL LIMITATION: No encryption can protect compromised devices.

If malware, keyloggers, or screen capture software is on your device:
• Messages are visible before encryption
• Messages are visible after decryption
• Keystrokes can be captured
• Screen content can be recorded

MITIGATION: Use trusted devices, Tails OS, regular security audits

⚠ METADATA LEAKAGE Even with perfect encryption, these are visible:
• IP addresses (unless using Tor)
• Connection times and duration
• Message frequency and sizes
• Communication patterns

MITIGATION: Use Tor Browser, vary patterns, access from different locations

⚠ PHYSICAL ATTACKS No cryptography protects against:
• Physical device seizure
• Coercion or torture
• Legally compelled disclosure
• "Rubber hose cryptanalysis"

MITIGATION: Physical security, legal preparation, secure deletion, plausible deniability

EMERGENCY PROCEDURES

If You Suspect Device Compromise

Immediately: End session, close browser, power off device
Do not turn on again until device can be examined
If high-risk: Destroy device and SIM card
Use different device for future communications
Change all patterns: Timing, locations, contacts

If Arrested or Detained

REMEMBER • Remain silent beyond identifying yourself
• Request lawyer immediately and repeatedly
• Do not consent to device searches
• Do not provide passwords or unlock devices
• Do not explain encryption to authorities
• Do not try to convince them of innocence

FREQUENTLY ASKED QUESTIONS

Q: Is this really quantum-resistant?

A: Yes, when using Chrome 142+, Edge 142+, or Firefox 120+. Uses NIST-standardized ML-KEM (FIPS 203) which is designed to resist attacks from quantum computers.

Q: Can the government read my messages?

A: They cannot decrypt messages in transit, even with quantum computers. However, they CAN read messages if your device is compromised before encryption or after decryption.

Q: Why do I need out-of-band verification?

A: To prevent man-in-the-middle attacks. An attacker could intercept your session code and pose as your contact. Verifying via phone call or in-person ensures you're really talking to who you think you are.

Q: What if I can't use Tor Browser?

A: Use a reputable VPN service. This hides your IP address from the signaling server, though not as effectively as Tor. For high-risk situations, Tor is strongly recommended.

Q: How do I know there's no backdoor?

A: The code is open source and can be audited. We use standard browser cryptography (not custom implementations), which is maintained and audited by browser vendors. Transparency is our security model.

Q: What happens if I lose connection?

A: Session ends and all encryption keys are destroyed. You'll need to start a new session with a new code.

FINAL GUIDANCE

DEFENSE IN DEPTH Layer your security:
1. Secure hardware (Tails, trusted devices)
2. Secure network (Tor, VPN)
3. Secure communication (WH15P3R)
4. Secure behavior (OpSec, tradecraft)
5. Physical security (location, awareness)
6. Legal protection (know rights, have lawyer)

No single layer is sufficient. Use them all.

Trust Your Instincts

If something feels wrong:

STOP
ASSESS
CHANGE APPROACH

Better to be paranoid and safe than trusting and caught.

This is a Tool, Not a Shield

WH15P3R provides strong cryptographic protection. It does NOT make you invincible. Use wisely, understand limitations, combine with other security measures, and always prioritize your physical safety.

STAY SAFE • TRUST CAREFULLY • VERIFY EVERYTHING

Document Version: 2.0 (Post-Quantum Edition)

Last Updated: November 2025

For technical details, see: SECURITY.md in project repository

"The goal is not perfect security—that's impossible. The goal is to make surveillance expensive enough that you're not worth the effort."