Traditional file sharing services like Google Drive, Dropbox, and WeTransfer all share a fundamental flaw: your files pass through their servers. Even with "encryption," these services hold the keys. We built something different—a peer-to-peer file sharing system where files transfer directly between browsers, encrypted end-to-end, with zero server-side storage. Here's exactly how it works.

The Problem with Traditional File Sharing

When you upload a file to a traditional service, it follows this path:

┌──────────────┐      ┌──────────────┐      ┌──────────────┐
│    Your      │      │   Provider   │      │  Recipient   │
│   Browser    │ ───► │   Servers    │ ───► │   Browser    │
└──────────────┘      └──────────────┘      └──────────────┘
                            │
                            ▼
                      Files stored,
                      accessible by
                      the provider

This architecture creates several vulnerabilities:

1. Server Access: The provider can access your files
2. Data Breaches: Stored files are targets for hackers
3. Legal Requests: Governments can compel providers to hand over data
4. Metadata Leakage: Upload times, file names, and access patterns are logged
5. Permanent Storage: Files may persist indefinitely on their servers

Our Architecture: True Peer-to-Peer

Private File Share eliminates the server from the file transfer path entirely:

┌──────────────┐                              ┌──────────────┐
│    Your      │◄────── Direct P2P ──────────►│  Recipient   │
│   Browser    │       (WebRTC Data)          │   Browser    │
└──────────────┘                              └──────────────┘
       │                                             │
       │            ┌──────────────┐                 │
       └───────────►│   Signaling  │◄────────────────┘
                    │    Server    │
                    └──────────────┘
                           │
                    Only coordinates
                    the connection,
                    NEVER sees files

The server's sole purpose is to help two browsers find each other. Once the WebRTC connection is established, files flow directly between browsers—encrypted before they leave your device.

Technical Architecture Overview

The Four Pillars of Our System

┌──────────────────────────────────────────────────────────────────────┐
│                        FILE SHARE                                    │
├─────────────────┬─────────────────┬────────────────┬─────────────────┤
│   ENCRYPTION    │    CHUNKING     │    WEBRTC      │   SIGNALING     │
├─────────────────┼─────────────────┼────────────────┼─────────────────┤
│ • AES-256-CBC   │ • 64KB chunks   │ • P2P connect  │ • Room mgmt     │
│ • PBKDF2 keys   │ • Progress track│ • Data channel │ • Peer discovery│
│ • SHA256 verify │ • Reassembly    │ • Binary xfer  │ • Auto-cleanup  │
└─────────────────┴─────────────────┴────────────────┴─────────────────┘

Encryption: Military-Grade Protection

Why AES-256-CBC with PBKDF2?

We chose this combination for maximum security:

The Encryption Flow

┌─────────────────────────────────────────────────────────────────────┐
│                     ENCRYPTION PROCESS                              │
└─────────────────────────────────────────────────────────────────────┘

Step 1: Key Derivation
┌──────────┐    ┌─────────────┐    ┌──────────────┐
│ Password │ +  │ Random Salt │ ─► │   PBKDF2     │ ─► 256-bit Key
└──────────┘    │  (128-bit)  │    │ (10K rounds) │
                └─────────────┘    └──────────────┘

Step 2: Encryption
┌──────────┐    ┌───────────┐    ┌────────────────┐
│   File   │ +  │ 256-bit   │ +  │  Random IV     │ ─► Encrypted Data
│   Data   │    │    Key    │    │  (128-bit)     │
└──────────┘    └───────────┘    └────────────────┘

Step 3: Package for Transfer
┌────────────────────────────────────────────────────┐
│  Salt (16B)  │  IV (16B)  │  Encrypted Content     │
└────────────────────────────────────────────────────┘
         ▲            ▲                 ▲
         │            │                 │
    For key      For decrypt     Your protected
    derivation   initialization       data

Decryption (Receiver Side)

┌─────────────────────────────────────────────────────────────────────┐
│                     DECRYPTION PROCESS                              │
└─────────────────────────────────────────────────────────────────────┘

┌────────────────────────────────────────────────────┐
│  Salt (16B)  │  IV (16B)  │  Encrypted Content     │
└──────┬───────┴─────┬──────┴──────────┬─────────────┘
       │             │                 │
       ▼             │                 │
┌──────────────┐     │                 │
│  + Password  │     │                 │
│      ▼       │     │                 │
│   PBKDF2     │     │                 │
│      ▼       │     │                 │
│  256-bit Key │─────┼─────────────────┤
└──────────────┘     │                 │
                     ▼                 ▼
              ┌─────────────────────────────┐
              │     AES-256 Decryption      │
              └──────────────┬──────────────┘
                             ▼
                    ┌─────────────────┐
                    │  Original File  │
                    └─────────────────┘

Cryptographic Properties Summary

File Chunking: Reliable Large File Transfer

WebRTC data channels work best with smaller packets. We split files into manageable pieces:

Why 64KB Chunks?

┌─────────────────────────────────────────────────────────────────────┐
│                    CHUNKING STRATEGY                                │
└─────────────────────────────────────────────────────────────────────┘

Original File (e.g., 10 MB)
┌─────────────────────────────────────────────────────────────────────┐
│░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░│
└─────────────────────────────────────────────────────────────────────┘
                              │
                              ▼ Split into 64KB chunks
┌─────┐ ┌─────┐ ┌─────┐ ┌─────┐ ┌─────┐        ┌─────┐
│  1  │ │  2  │ │  3  │ │  4  │ │  5  │  ...   │ 160 │
│64KB │ │64KB │ │64KB │ │64KB │ │64KB │        │64KB │
└─────┘ └─────┘ └─────┘ └─────┘ └─────┘        └─────┘
   │       │       │       │       │              │
   └───────┴───────┴───────┴───────┴──────────────┘
                         │
                         ▼
            Each chunk sent via WebRTC
            with sequence number for
            proper reassembly

Benefits of This Approach

The Complete Transfer Pipeline

SENDER BROWSER                                      RECEIVER BROWSER
┌────────────────┐                                  ┌────────────────┐
│ 1. Select File │                                  │                │
│       ▼        │                                  │                │
│ 2. Encrypt     │                                  │                │
│    (AES-256)   │                                  │                │
│       ▼        │                                  │                │
│ 3. Chunk       │                                  │                │
│    (64KB each) │                                  │                │
│       ▼        │      WebRTC Data Channel         │       ▼        │
│ 4. Send ───────┼─────────────────────────────────►│ 5. Receive     │
│                │         (Direct P2P)             │       ▼        │
│                │                                  │ 6. Reassemble  │
│                │                                  │       ▼        │
│                │                                  │ 7. Verify      │
│                │                                  │    (SHA-256)   │
│                │                                  │       ▼        │
│                │                                  │ 8. Decrypt     │
│                │                                  │       ▼        │
│                │                                  │ 9. Download    │
└────────────────┘                                  └────────────────┘

WebRTC: The P2P Connection Layer

What is WebRTC?

WebRTC (Web Real-Time Communication) enables direct browser-to-browser connections without plugins. Originally designed for video calls, its data channels are perfect for file transfer.

The Connection Dance

┌─────────────────────────────────────────────────────────────────────┐
│                  WEBRTC CONNECTION ESTABLISHMENT                    │
└─────────────────────────────────────────────────────────────────────┘

    SENDER                    SERVER                    RECEIVER
      │                         │                          │
      │ 1. Create Room          │                          │
      │────────────────────────►│                          │
      │                         │                          │
      │   Room code: XY7K2M     │                          │
      │◄────────────────────────│                          │
      │                         │                          │
      │         (User shares code externally)              │
      │                         │                          │
      │                         │        2. Join Room      │
      │                         │◄─────────────────────────│
      │                         │                          │
      │  3. Peer Joined!        │                          │
      │◄────────────────────────│                          │
      │                         │                          │
      │ 4. WebRTC Offer         │                          │
      │────────────────────────►│─────────────────────────►│
      │                         │                          │
      │                         │     5. WebRTC Answer     │
      │◄────────────────────────│◄─────────────────────────│
      │                         │                          │
      │ 6. ICE Candidates       │    6. ICE Candidates     │
      │◄───────────────────────►│◄────────────────────────►│
      │                         │                          │
      ├─────────────────────────┼──────────────────────────┤
      │                         │                          │
      │     DIRECT P2P CONNECTION ESTABLISHED              │
      │◄══════════════════════════════════════════════════►│
      │                         │                          │
      │     Files transfer directly, server not involved   │
      │                         │                          │

ICE Servers: Finding the Path

We use STUN servers to help browsers discover their public addresses and find the best path to connect:

┌─────────────────────────────────────────────────────────────────────┐
│                      NETWORK PATH DISCOVERY                         │
└─────────────────────────────────────────────────────────────────────┘

┌──────────┐         ┌───────────────┐         ┌──────────┐
│  Sender  │────────►│ STUN Servers  │◄────────│ Receiver │
│  Browser │         │ (Google/Twilio)│         │  Browser │
└──────────┘         └───────────────┘         └──────────┘
     │                      │                        │
     │    "What's my        │      "What's my       │
     │    public IP?"       │       public IP?"     │
     │                      │                        │
     ▼                      ▼                        ▼
┌─────────────────────────────────────────────────────────────────┐
│            ICE candidates exchanged via signaling               │
│                                                                 │
│    Browsers find optimal path: direct, STUN-assisted, or TURN   │
└─────────────────────────────────────────────────────────────────┘

The Signaling Server: Minimal by Design

Our signaling server is intentionally simple—it coordinates connections but never touches file data.

What the Server NEVER Sees

┌─────────────────────────────────────────────────────────────────────┐
│               SERVER VISIBILITY COMPARISON                          │
└─────────────────────────────────────────────────────────────────────┘

                    TRADITIONAL              OUR DESIGNED
                    FILE SHARING             FILE SHARING

File Contents       ██████████ YES           ░░░░░░░░░░ NO
File Names          ██████████ YES           ░░░░░░░░░░ NO
File Sizes          ██████████ YES           ░░░░░░░░░░ NO
Encryption Keys     ██████████ YES           ░░░░░░░░░░ NO
User Identity       ██████████ YES           ░░░░░░░░░░ NO
Transfer Metadata   ██████████ YES           ░░░░░░░░░░ NO

Room Code           ░░░░░░░░░░ N/A           ██████████ YES
Password Hash       ░░░░░░░░░░ N/A           ██████████ YES
Expiration Time     ░░░░░░░░░░ N/A           ██████████ YES

Automatic Cleanup

┌─────────────────────────────────────────────────────────────────────┐
│                    AUTO-CLEANUP MECHANISMS                          │
└─────────────────────────────────────────────────────────────────────┘

1. EXPIRATION TIMER (per room)
   ┌─────────────────────────────────────────┐
   │ Room Created ──► Timer Started          │
   │                       │                 │
   │                  15min/30min/1hr/24hr   │
   │                       │                 │
   │                       ▼                 │
   │               Room Auto-Deleted         │
   └─────────────────────────────────────────┘

2. PERIODIC CLEANUP (every 5 minutes)
   ┌─────────────────────────────────────────┐
   │ Server scans all rooms                  │
   │         │                               │
   │         ▼                               │
   │ Removes any expired rooms               │
   │         │                               │
   │         ▼                               │
   │ Notifies connected peers                │
   └─────────────────────────────────────────┘

3. DISCONNECT CLEANUP
   ┌─────────────────────────────────────────┐
   │ All peers disconnect                    │
   │         │                               │
   │         ▼                               │
   │ Room immediately deleted                │
   │         │                               │
   │         ▼                               │
   │ No trace remains                        │
   └─────────────────────────────────────────┘

Security Features Beyond Encryption

Rate Limiting Protection

┌─────────────────────────────────────────────────────────────────────┐
│                    RATE LIMITING                                    │
└─────────────────────────────────────────────────────────────────────┘

┌────────────────────────────────────────┐
│ Per IP Address, Per Minute:            │
├────────────────────────────────────────┤
│ • Max 30 total requests                │
│ • Max 5 failed password attempts       │
│                                        │
│ Exceeds limit?                         │
│     ▼                                  │
│ Request rejected with error            │
│ Prevents brute force attacks           │
└────────────────────────────────────────┘

Input Validation

┌─────────────────────────────────────────────────────────────────────┐
│                    INPUT VALIDATION                                 │
└─────────────────────────────────────────────────────────────────────┘

Every input is validated before processing:

┌─────────────────┬──────────────────────────┬───────────────────────┐
│ Input           │ Validation Rule          │ Purpose               │
├─────────────────┼──────────────────────────┼───────────────────────┤
│ Room Code       │ Exactly 6 alphanumeric   │ Prevent injection     │
│ Password Hash   │ Valid SHA-256 format     │ Ensure proper hashing │
│ Expiration      │ Max 7 days               │ Limit resource usage  │
│ Max Downloads   │ Predefined values only   │ Prevent abuse         │
└─────────────────┴──────────────────────────┴───────────────────────┘

Download Limits

┌─────────────────────────────────────────────────────────────────────┐
│                    DOWNLOAD LIMIT ENFORCEMENT                       │
└─────────────────────────────────────────────────────────────────────┘

    Receiver attempts to join
              │
              ▼
    ┌─────────────────────┐
    │ Check download count│
    │ vs. max downloads   │
    └─────────────────────┘
              │
     ┌────────┴────────┐
     │                 │
     ▼                 ▼
┌─────────┐      ┌─────────────┐
│ Under   │      │ Limit       │
│ Limit   │      │ Reached     │
└────┬────┘      └──────┬──────┘
     │                  │
     ▼                  ▼
 Allow join        Reject with
 & increment       error message
 counter

How We Compare to Alternatives

┌─────────────────────────────────────────────────────────────────────┐
│                    FEATURE COMPARISON                               │
└─────────────────────────────────────────────────────────────────────┘

                    Our Design   WeTransfer   Google     OnionShare
                                            Drive
┌───────────────────┬──────────┬───────────┬─────────┬────────────┐
│ Server sees files │    NO    │    YES    │   YES   │     NO     │
├───────────────────┼──────────┼───────────┼─────────┼────────────┤
│ True E2E encrypt  │   YES    │    NO*    │   NO*   │    YES     │
├───────────────────┼──────────┼───────────┼─────────┼────────────┤
│ P2P transfer      │   YES    │    NO     │   NO    │    YES     │
├───────────────────┼──────────┼───────────┼─────────┼────────────┤
│ Requires software │    NO    │    NO     │   NO    │    YES     │
├───────────────────┼──────────┼───────────┼─────────┼────────────┤
│ Auto-delete       │   YES    │   YES     │   NO    │    YES     │
├───────────────────┼──────────┼───────────┼─────────┼────────────┤
│ Password protect  │   YES    │   PAID    │   YES   │    YES     │
├───────────────────┼──────────┼───────────┼─────────┼────────────┤
│ Download limits   │   YES    │   PAID    │   NO    │    YES     │
├───────────────────┼──────────┼───────────┼─────────┼────────────┤
│ No account needed │   YES    │   YES     │   NO    │    YES     │
├───────────────────┼──────────┼───────────┼─────────┼────────────┤
│ Max file size     │  500MB   │  2GB free │  15GB   │ Unlimited  │
└───────────────────┴──────────┴───────────┴─────────┴────────────┘

* These services offer encryption but hold the decryption keys themselves

Real-World Transfer Flow

Complete Sender Journey

┌─────────────────────────────────────────────────────────────────────┐
│                    SENDER EXPERIENCE                                │
└─────────────────────────────────────────────────────────────────────┘

┌──────────────────────────────────────────────────────────────────┐
│ STEP 1: Select Files                                             │
│ ┌────────────────────────────────────────────────────────────┐   │
│ │     document.pdf (10 MB)                                   │   │
│ │     photo.jpg (2 MB)                                       │   │
│ └────────────────────────────────────────────────────────────┘   │
└──────────────────────────────────────────────────────────────────┘
                              │
                              ▼
┌──────────────────────────────────────────────────────────────────┐
│ STEP 2: Configure Options                                        │
│ ┌────────────────────────────────────────────────────────────┐   │
│ │     Expiration: 30 minutes                                 │   │
│ │     Max Downloads: 5                                       │   │
│ │     Password: ••••••••                                     │   │
│ └────────────────────────────────────────────────────────────┘   │
└──────────────────────────────────────────────────────────────────┘
                              │
                              ▼
┌──────────────────────────────────────────────────────────────────┐
│ STEP 3: Create Share Link                                        │
│ ┌────────────────────────────────────────────────────────────┐   │
│ │     Room Created!                                          │   │
│ │     Code: XY7K2M                                           │   │
│ │     Waiting for receiver...                                │   │
│ └────────────────────────────────────────────────────────────┘   │
└──────────────────────────────────────────────────────────────────┘
                              │
                              ▼
┌──────────────────────────────────────────────────────────────────┐
│ STEP 4: Transfer (after receiver joins)                          │
│ ┌────────────────────────────────────────────────────────────┐   │
│ │     P2P Connected!                                         │   │
│ │     Sending: document.pdf                                  │   │
│ │  ████████████████████░░░░░░░░░░ 65%                        │   │
│ └────────────────────────────────────────────────────────────┘   │
└──────────────────────────────────────────────────────────────────┘

Complete Receiver Journey

┌─────────────────────────────────────────────────────────────────────┐
│                    RECEIVER EXPERIENCE                              │
└─────────────────────────────────────────────────────────────────────┘

┌──────────────────────────────────────────────────────────────────┐
│ STEP 1: Enter Room Code                                          │
│ ┌────────────────────────────────────────────────────────────┐   │
│ │     Room Code: [ XY7K2M ]                                  │   │
│ │     Password:  [ •••••• ]                                  │   │
│ │     [Join Room]                                            │   │
│ └────────────────────────────────────────────────────────────┘   │
└──────────────────────────────────────────────────────────────────┘
                              │
                              ▼
┌──────────────────────────────────────────────────────────────────┐
│ STEP 2: View Available Files                                     │
│ ┌────────────────────────────────────────────────────────────┐   │
│ │     document.pdf (10 MB)                                   │   │
│ │     photo.jpg (2 MB)                                       │   │
│ │  [Download Selected]                                       │   │
│ └────────────────────────────────────────────────────────────┘   │
└──────────────────────────────────────────────────────────────────┘
                              │
                              ▼
┌──────────────────────────────────────────────────────────────────┐
│ STEP 3: Download                                                 │
│ ┌────────────────────────────────────────────────────────────┐   │
│ │     Receiving: document.pdf                                │   │
│ │  ████████████████████████████ 100%                         │   │
│ │     Checksum verified                                      │   │
│ │     Decrypted successfully                                 │   │
│ │     Saved to Downloads                                     │   │
│ └────────────────────────────────────────────────────────────┘   │
└──────────────────────────────────────────────────────────────────┘

Performance Considerations

Transfer Speed Expectations

┌─────────────────────────────────────────────────────────────────────┐
│                    TYPICAL TRANSFER SPEEDS                          │
└─────────────────────────────────────────────────────────────────────┘

Network Scenario                    Expected Speed
─────────────────────────────────────────────────────────────────────
Same local network                  Near wire speed (100+ Mbps)
Same ISP                            50-100 Mbps typical
Cross-country                       10-50 Mbps typical
International                       5-20 Mbps typical

Note: Actual speeds depend on both parties' connections and network path

File Size Limits

┌─────────────────────────────────────────────────────────────────────┐
│                    SIZE CONSTRAINTS                                 │
└─────────────────────────────────────────────────────────────────────┘

┌────────────────────────────────────────┐
│ Per File Maximum:        500 MB        │
│ Per Session Maximum:     1 GB total    │
│ Chunk Size:              64 KB         │
└────────────────────────────────────────┘

Why these limits?
• Browser memory constraints
• WebRTC reliability
• User experience (reasonable wait times)

The Security Guarantee

What Makes This Truly Zero-Knowledge

┌─────────────────────────────────────────────────────────────────────┐
│                    ZERO-KNOWLEDGE ARCHITECTURE                      │
└─────────────────────────────────────────────────────────────────────┘

                    SENDER                    RECEIVER
                    BROWSER                   BROWSER
                       │                         │
    ┌──────────────────┴──────────────────┬──────┴────────────────────┐
    │                                     │                           │
    ▼                                     ▼                           ▼
┌───────────┐                        ┌────────┐                 ┌───────────┐
│ Encryption│                        │Signaling│                │ Decryption│
│ happens   │                        │  Only   │                │ happens   │
│ HERE      │                        │         │                │ HERE      │
└───────────┘                        └────────┘                 └───────────┘
                                          │
                                          ▼
                                    ┌───────────┐
                                    │  Server   │
                                    │  CANNOT:  │
                                    │           │
                                    │ • Read    │
                                    │   files   │
                                    │           │
                                    │ • Decrypt │
                                    │   content │
                                    │           │
                                    │ • Access  │
                                    │   keys    │
                                    └───────────┘

Even If Compromised...

┌─────────────────────────────────────────────────────────────────────┐
│            WHAT AN ATTACKER WOULD FIND                              │
└─────────────────────────────────────────────────────────────────────┘

If our server was completely compromised, an attacker would find:

✗ No files (they never touch our server)
✗ No encryption keys (generated and used only in browsers)
✗ No passwords (only hashes, and only for room authentication)
✗ No user identities (no accounts required)
✗ No transfer history (rooms auto-delete)

Only:
✓ Temporary room metadata
✓ WebRTC signaling data (useless without the actual connection)

Conclusion: Privacy Through Architecture

The most secure system is one where even the operator cannot access your data. By using:

• Client-side encryption: Files encrypted before leaving your browser
• P2P transfer: Files never touch our servers
• In-memory signaling: No persistent storage
• Automatic cleanup: Rooms self-destruct

We've built a file sharing system that is private by design, not by policy. Even if our servers were compromised, attackers would find only WebRTC signaling data—no files, no encryption keys, no metadata.

This is the future of file sharing: zero knowledge, zero trust, zero compromise.

Why “Stateless by Design” Is the Missing Principle in Browser Security

Modern browser security has improved significantly over the last decade. Sandboxing, site isolation, HTTPS by default, and improved permission models have all reduced the impact of entire classes of attacks. Yet, despite these advances, browsers remain a high-value target for tracking, session abuse, and credential compromise.

A key reason is that most browser security improvements operate within fundamentally stateful execution models. This article argues that statelessness by design-rather than incremental state cleanup-represents a missing architectural principle in browser security.

The Hidden Cost of Persistent Browser State

Browsers accumulate state continuously:

• Cookies and authentication tokens
• Cached resources and service workers
• IndexedDB, local storage, and session storage
• Rendering and fingerprinting artifacts

While much of this state is necessary for usability, it also becomes a long-lived attack surface. Once created, state often persists far beyond the context in which it was required.

Private browsing modes attempt to reduce this exposure by limiting what is written to disk, but they do not fundamentally change the execution model. Browser processes, profiles, and underlying operating system resources remain long-lived, and cleanup depends on correct behavior across multiple layers.

Security mechanisms that rely on selective deletion tend to fail at scale.

Cleanup Is Not the Same as Statelessness

Most browser privacy controls focus on what to delete:

• Clear cookies
• Disable cache
• Block trackers
• Reset profiles

This approach assumes that:

1. All sensitive state can be identified
2. Cleanup logic is complete and correct
3. No residual artifacts remain elsewhere in the system

In practice, these assumptions rarely hold. Residual state is difficult to reason about, and incomplete cleanup is common.

Stateless systems take a different approach:

Instead of deciding what to remove, they eliminate the environment entirely.

Statelessness as a Security Primitive

In distributed systems, statelessness is widely used to:

• Improve scalability
• Reduce failure modes
• Simplify recovery

The same principle applies to browser security.

A stateless-by-design browser execution model enforces:

• A fixed session lifecycle
• No shared persistent execution context
• Deterministic teardown after use

Rather than trusting cleanup logic, the system guarantees that nothing survives the session boundary.

This shifts security reasoning from best-effort hygiene to structural enforcement.

Ephemeral Execution as an Enabler

Statelessness at the browser level is difficult to achieve on traditional desktop environments. However, ephemeral execution environments-such as disposable containers or isolated runtime sandboxes-make this model feasible.

In an ephemeral browser system:

1. A clean execution environment is created per session
2. All state is scoped to that environment
3. The environment is destroyed when the session ends

The browser does not “forget” state - the system ceases to exist.

This model aligns naturally with privacy goals without making claims of anonymity or invulnerability.

What Statelessness Does Not Solve

Statelessness is not a silver bullet.

It does not:

• Prevent phishing during an active session
• Eliminate network-level tracking
• Protect against user-initiated disclosure

However, it significantly limits post-session exposure, credential reuse, and long-term tracking based on accumulated artifacts.

Security improvements that are honest about their scope tend to age better than those that promise total protection.

Rethinking Browser Security Priorities

Browser security discussions often revolve around:

• Better detection
• Smarter blocking
• More permissions

Stateless-by-design reframes the question:

“What if persistence itself is the vulnerability?”

By treating state as a liability rather than an asset, browser security architectures can reduce entire classes of failure without increasing complexity.

Conclusion

Browser security has largely focused on managing persistent environments more carefully. Stateless-by-design systems propose a different direction: eliminating persistence altogether where possible.

Ephemeral browser execution environments demonstrate that statelessness is not merely theoretical-it is an achievable architectural property. While not a complete security solution, statelessness provides a powerful foundation for reducing long-term exposure in web-based workflows.

As threats continue to evolve, architectural simplicity may prove more resilient than increasingly complex cleanup mechanisms.

Author Note

This article reflects ongoing exploration of privacy-preserving execution environments and lifecycle-based security models in modern computing systems.

Introduction

Remote and ephemeral execution environments are increasingly used to isolate sensitive workloads from untrusted endpoints. Examples include remote browsers, disposable development environments, ephemeral CI runners, and short-lived compute sessions for administrative access.

While these architectures offer strong security properties, they also introduce non-trivial trade-offs in performance, cost, usability, and operational complexity.

This article examines the security trade-offs inherent in remote and ephemeral execution environments, focusing on:

• What risks are meaningfully reduced
• What new risks are introduced
• Why certain design compromises are unavoidable
• How to reason about these systems realistically

The goal is not to advocate for a single approach, but to provide a framework for informed architectural decisions.

Defining the execution model

At a high level, remote and ephemeral execution environments share three core properties:

1. Execution occurs outside the user’s local device
2. Each session has a defined lifecycle
3. State is intentionally discarded

Instead of treating the endpoint as a trusted execution surface, these systems shift trust to:

• A controlled runtime
• A centralized control plane
• Enforced lifecycle management

This fundamentally changes where security boundaries exist.

Security benefits: What improves meaningfully

Reduced Endpoint Risk

By executing workloads remotely:

• Sensitive data never touches the local disk
• Malware on the endpoint has limited visibility
• Shared or unmanaged devices become viable

This is particularly valuable in:

• Contractor workflows
• Public or semi-trusted networks
• Bring-your-own-device environments

Trade-off accepted: Reduced offline capability.

Session-level containment

Ephemeral execution environments are designed around forced session termination.

Security improvements include:

• No long-lived credentials
• No cross-session contamination
• Automatic cleanup of artifacts

Unlike traditional systems that rely on user behavior (“log out”, “clear cache”), ephemerality is enforced, not optional.

Trade-off accepted: No session continuity or recovery.

Smaller blast radius

When compromise occurs:

• Impact is limited to a single session
• Persistence mechanisms are ineffective
• Attacks must succeed within a constrained time window

This shifts the attacker’s economics, increasing cost and reducing payoff.

Trade-off accepted: Higher infrastructure complexity.

New risks introduced by remote execution

Security is never free. Moving execution off-device introduces new concerns.

Control plane as a high-value target

Centralized orchestration systems become critical infrastructure.

Risks include:

• Unauthorized session creation
• Policy bypass
• Abuse of provisioning APIs

Mitigations require:

• Strong authentication
• Fine-grained authorization
• Audit logging
• Rate limiting

This creates a single point of control, which must be secured accordingly.

Expanded network attack surface

Remote execution relies on:

• Session streaming
• Control channels
• Network connectivity

These layers introduce:

• Man-in-the-middle risks
• Latency-based attacks
• Availability concerns

While data exposure is reduced, availability and integrity become more prominent risks.

Browser and runtime vulnerabilities still matter

Isolation reduces persistence, but does not eliminate:

• Zero-day exploits
• Sandbox escapes
• Browser engine flaws

Ephemerality limits long-term damage, but does not replace patching, monitoring, or defense-in-depth.

Performance vs Security: A deliberate tension

Cold start latency

Ephemeral environments often incur:

• Container startup delay
• Browser initialization cost

Mitigations include:

• Pre-warmed pools
• Lightweight base images
• Optimized startup paths

However, eliminating cold starts entirely often undermines isolation guarantees.

Security-first systems accept some latency.

Resource overhead

Isolated sessions consume:

• Dedicated CPU
• Dedicated memory
• Network resources

Shared execution models are cheaper but weaken security boundaries.

This trade-off is architectural, not accidental.

Usability vs Determinism

No “Resume Session”

Ephemeral systems typically do not support:

• Session restoration
• Long-lived personalization
• Persistent local state

From a security perspective, this is a feature, not a bug.

From a user perspective, it introduces friction.

Well-designed systems:

• Make lifecycle expectations explicit
• Optimize workflows around short-lived usage
• Avoid pretending persistence exists when it does not

Explicit Security Boundaries

Users must adapt to:

• Intentional session endings
• Clear separation between trusted and untrusted workflows
• Purpose-driven usage

This encourages security-aware behavior, but requires education.

Cost vs Predictability

Ephemeral execution environments trade:

• Lower long-term risk
  for
• Higher per-session cost

However, they also offer:

• Predictable cleanup
• Bounded resource usage
• Clear accounting

For many organizations, predictability is worth more than raw efficiency.

When this model makes sense

Remote and ephemeral execution environments are well-suited for:

• Administrative access
• Financial and compliance workflows
• Client demos
• Research on untrusted content
• Short-lived, high-risk activities

They are less suitable for:

• Long-running creative work
• Offline-first workflows
• Highly personalized environments

Understanding this boundary is critical to correct adoption.

Conclusion

Remote and ephemeral execution environments do not eliminate security risk — they reshape it.

By accepting:

• Higher infrastructure complexity
• Intentional user friction
• Increased per-session cost

These systems gain:

• Strong containment guarantees
• Reduced persistence risk
• Clear, enforceable security boundaries

Security architecture is ultimately about choosing which problems to solve decisively, and which trade-offs are acceptable. Ephemeral execution environments represent a deliberate shift toward determinism, containment, and recoverability.

This analysis reflects design decisions applied in the development of a privacy-first, ephemeral browser platform focused on secure professional workflows.

Introduction

Web browsers have evolved into powerful execution environments, routinely handling authentication tokens, privileged credentials, internal dashboards, and sensitive user data. Yet, most security controls still treat browsers as long-lived, trusted endpoints.

Disposable or ephemeral browser environments challenge this assumption by introducing session-scoped isolation and automatic destruction as first-class security controls.

This article presents a structured threat model for disposable browser environments, analyzing:

• Key threat categories
• Attack surfaces
• Mitigation strategies
• Residual risks and trade-offs

Security assumptions and scope

In scope

• Browser-level threats
• Session persistence risks
• Web-based attacks
• Untrusted networks and endpoints
• Data remanence across sessions

Out of scope

• Host kernel compromise
• Physical attacks
• Hardware-level exploits
• Insider threats with infrastructure access

The goal is risk containment, not absolute security.

Threat model overview

Disposable browser environments shift the security boundary from the endpoint to the session runtime.

Key Principle

A compromised session must never compromise another session.

Description:

• Users interact through a thin client
• Sessions are provisioned by a control plane
• Browsers run inside fully isolated, short-lived containers
• All state is destroyed at session termination

Threat categories

Persistent tracking & fingerprinting

Threat

• Cookies, IndexedDB, local storage
• Browser fingerprint correlation
• Cross-session tracking

Impact

• Identity correlation
• Behavioral profiling
• Privacy violations

Mitigation

• Per-session container runtime
• No shared filesystem
• Fresh browser instance per session

Credential & token leakage

Threat

• OAuth tokens cached in browser storage
• Saved credentials
• Session hijacking

Impact

• Unauthorized account access
• Privilege escalation

Mitigation

• No persistent storage
• Forced session TTL
• Container destruction guarantees cleanup

Malicious web content

Threat

• Drive-by malware
• Cryptomining scripts
• Persistent XSS payloads

Impact

• Long-term compromise
• Data exfiltration

Mitigation

• Process isolation
• Network sandboxing
• Non-persistent execution environment

Shared endpoint risk

Threat

• Public Wi-Fi
• Shared workstations
• Contractor devices

Impact

• Session reuse
• Local data leakage

Mitigation

• Browser runs remotely
• Endpoint receives only rendered output
• No sensitive data stored locally

Attack surface analysis

Reduced Surfaces

• Local disk persistence
• Cross-session contamination
• Credential reuse

Remaining Surfaces

• Browser engine vulnerabilities
• Control plane misconfiguration
• Session streaming layer

Disposable environments reduce blast radius, not eliminate all risk.

Control plane threats

The control plane becomes a high-value asset.

Threats

• Unauthorized session creation
• TTL bypass
• Policy misconfiguration

Controls

• Strong authentication
• Session lifecycle enforcement
• Audit logging
• Rate limiting

Security shifts from endpoint sprawl to centralized enforcement.

Trade-offs and residual risks

Performance

• Cold start latency
• Resource overhead

UX

• No session resume
• No personalization persistence

Cost

• Compute per session

These are intentional trade-offs made to achieve deterministic security behavior.

Conclusion

Disposable browser environments introduce a fundamentally different security model — one that assumes compromise is possible and designs for containment and automatic recovery.

By enforcing:

• Isolation by default
• Short-lived execution
• Mandatory destruction

This architecture significantly reduces the risk of data leakage, session hijacking, and long-term compromise.

The threat model outlined here informed the design of a browser platform I am currently building, focused on privacy-first, ephemeral browsing for professional use cases.

Why browser isolation is still hard

Modern browsers have become the primary interface to sensitive systems — cloud consoles, financial dashboards, internal admin tools, customer data platforms, and third-party SaaS applications.

Despite this, browsers remain fundamentally stateful:

• Cookies persist across sessions
• Local storage and IndexedDB accumulate data
• Browser fingerprints remain stable
• Cached credentials and artifacts survive far longer than intended

Common mitigations such as incognito mode, VPNs, or endpoint hardening solve only parts of the problem. They do not address session-level contamination, especially when the same machine is used for:

• Client demos
• Administrative access
• Research on untrusted sites
• Work from public or semi-trusted networks

The core issue is simple:

Browsers were never designed to be disposable.

This article explores a practical architecture for ephemeral browser sessions, where each browsing session is isolated, short-lived, and destroyed by design.

What are we actually protecting against?

Before discussing architecture, it’s important to define a realistic threat model.

In-Scope threats

• Cross-session data leakage
  Cookies, tokens, or cached credentials leaking between workflows
• Browser fingerprint persistence
  Trackers correlating activity across sessions
• Residual artifacts
  Files, cache entries, clipboard data, and local storage remnants
• Compromised websites
  Malicious scripts persisting state beyond intended scope
• Shared or semi-trusted endpoints
  Public Wi-Fi, shared laptops, contractor machines

Out-of-Scope (for this design)

• Kernel-level host compromise
• Hardware-based attacks
• Malicious insiders with host access

The goal is risk reduction through isolation, not absolute security.

Architectural overview: Disposable by design

At a high level, the system treats each browser session as a short-lived compute workload, not as an application running on a long-lived device.

Core principle

One session = one isolated runtime = zero persistence

High-level flow

1. User requests a new browser session
2. Backend provisions an isolated container
3. Browser runs inside the container
4. User interacts via a remote stream
5. Session expires or is terminated
6. Container and all state are destroyed

High-level architecture

Isolation mechanisms: How containment is enforced

Process & namespace isolation

Each browser session runs inside its own container with:

• PID namespace isolation
• User namespace isolation
• Dedicated filesystem mount

This ensures:

• No visibility into other sessions
• No shared process state

Filesystem isolation

• Read-only base image
• Ephemeral writable layer
• No persistent volumes

Network sandboxing

Each container receives:

• Isolated network namespace
• Controlled outbound access
• Optional egress filtering

This prevents:

• Lateral movement
• Session-to-session network correlation

Resource constraints

Containers enforce:

• CPU limits
• Memory caps
• Hard session TTL

This guarantees:

• Predictable cost
• Forced termination of stale sessions

Session lifecycle management

Ephemerality must be enforced at the platform level, not left to user behavior.

Lifecycle states

1. Provisioning
2. Active
3. Idle (TTL countdown)
4. Termination
5. Destruction

Design trade-offs and decisions

Cold start latency

• Container startup adds delay
• Mitigations:
  • Warm pools
  • Lightweight images
  • Optimized browser builds

Performance vs isolation

• Full isolation costs more than shared processes
• Chosen deliberately for:
  • Predictability
  • Security clarity
  • Easier reasoning about risk

UX vs Security

• No “resume session”
• No saved state
• Intentional friction to prevent unsafe reuse

These are conscious decisions, not limitations.

Practical applications

This approach is especially useful for:

• Accessing financial or admin dashboards
• Client demonstrations
• Researching untrusted content
• Working from public or semi-trusted networks
• Contractors handling sensitive systems

In all cases, the goal is to limit blast radius.

Conclusion

As browser usage increasingly overlaps with sensitive workflows, traditional endpoint-based security models show their limits.

Ephemeral, isolated browser sessions provide a practical middle ground:

• Strong isolation
• Clear lifecycle boundaries
• Predictable security properties

This architectural approach informed the design of a browser platform I am currently building, focused on privacy-first, disposable browsing for professional use cases.

Theory :

After we sleep, we wake up in a new alternative universe. It looks and feels similar but somethings have changed.

written by - Akshat Joshi

Sometime back, I set myself a crazy constraint:

Load only one thing at boot - A Pong game that fits in one floppy disk sector — 512 bytes.

Why would I build this?

I have played with Operating Systems and their workings by customizing them and tweaking their behavior. But this was about pushing constraints to the extreme. Can I have an OS which just loads one PONG GAME ?

The challenge

• No operating system.
• No drivers.
• No libraries.
• Just raw x86 assembly, BIOS interrupts, and the video memory at 0xB800.

The boot sector is the first 512 bytes a computer loads from disk. It has to end with the magic bytes 0x55 0xAA — leaving only 510 bytes for actual code.
I wanted to see if I could fit:

• Player paddle (W/S keys)
• CPU opponent
• Ball with velocity
• Scoring
• Color toggle (C key)
• Full reset (R key)

After learning about Operating systems and the bootup flow, I finally managed to get a pong game running 😄

How it works!

The game runs in 80x25 text mode (VGA mode 03h) using BIOS interrupt 10h.
Everything is drawn directly into video memory (0xB800) with stosw — of course no graphics libraries here.

Controls

W / S — Move your paddle
C — Cycle paddle and midline colors
R — Reset game (reboots the sector)

It’s a deterministic ball-tracking logic. It checks the ball’s Y position every frame:

• If ball is above paddle → move up
• If below → move down
• Never goes off-screen

Simple. Fast. Fits in 510 bytes.

Key Technical Highlights

• Video Memory Direct Access Used ES:DI = 0xB800:0000 and rep stosw to clear screen in one instruction.
• Efficient Positioning - imul di, [playerY], 160 → converts row to video offset (80 cols × 2 bytes per char).
• Real-Time Input - BIOS int 0x16 with ah=1 (peek) → non-blocking keyboard check.
• Physics & Collision - Ball velocity stored in single bytes (ballVeloX, ballVeloY). Reversed on wall/paddle hit using neg byte.
• Delay Loop - Used BIOS timer at 0x46C for frame pacing — no hlt, no busy-wait burn.
• Color Cycling - C key increments drawColour by 0x10 → rotates through 16 background colors.

The Full Code

The entire game is in one file: pong.asm
Publicly available on GitHub:
https://github.com/akshat666/-bootponggame

Run It Yourself

1. Clone the repo
2. Assemble with NASM
3. Run in QEMU (or burn to USB and boot on old hardware)

Not long ago, most developers could get away with saying “hardware will catch up.” If code wasn’t perfectly optimized, faster processors, more memory, and better infrastructure usually masked inefficiencies. But today, things have changed.

With AI becoming part of nearly every product and workflow, performance is no longer optional—it’s mission critical.

AI Brings Power… and Latency

AI is amazing. It can generate text, analyze images, predict outcomes, and automate tasks at a level we couldn’t imagine even a few years ago. But let’s be honest—AI isn’t cheap or instant.

Running large models takes serious compute. Inference can add seconds where users expect milliseconds. Add in the steps around AI—preprocessing data, calling APIs, moving results back and forth—and suddenly even a simple action feels heavy.

Users don’t care about why it’s slow. They just feel the lag. And in today’s world of instant apps and real-time responses, even small delays break trust.

Security Adds Another Layer of Delay

Here’s the other piece: security. As companies integrate AI, they can’t afford to ignore risks like prompt injection, adversarial attacks, or data leaks.

The fixes? Extra validation, monitoring, encryption, anomaly detection—all absolutely necessary. But all of them add friction.

So now you’ve got AI latency plus security latency. If your underlying software is bloated or inefficient, that lag multiplies fast.

Why Performance Is a Business Advantage

This is why performant software matters more than ever. It’s not just about cleaner code or faster benchmarks—it’s about business survival.

• Users stay when apps feel snappy. A fast, smooth experience beats fancy features that take too long to load.
• Costs drop when systems run efficiently. AI workloads are expensive. Optimized code means fewer wasted cycles and lower bills.
• Scaling gets easier. Good performance makes it possible to serve more users without throwing endless hardware at the problem.
• Security feels invisible. If your systems are efficient, you can add safety checks without the user noticing the overhead.

Building with Performance in Mind

So what can teams do? It doesn’t mean going back to hand-optimizing assembly code, but it does mean treating performance as a core design principle, not an afterthought.

• Architect simply—don’t add unnecessary layers just for the sake of “modern design.”
• Use model optimization tricks like quantization or distillation to speed up AI inference.
• Profile your systems regularly to catch bottlenecks early.
• Think about parallelization and smart batching where it makes sense.
• Design with both security and performance in mind from the start, not bolted on later.

The Bottom Line

Every company wants AI in their stack. But the ones that succeed won’t just be the ones who have AI—they’ll be the ones who deliver it fast, securely, and seamlessly.

That means writing performant software is no longer just good practice. It’s the foundation of great AI products.

Because in the end, users won’t thank you for the smartest model in the world if it feels slow.

Just throwing in objects on my table onto my book.