We've made a service that will save an E2E encrypted text message to a database, and then delete it after it has been read some number of times. The message is E2E encrypted before it gets to our server, so no one ever sees your message unless you give them the link.
This uses an encryption scheme detailed in this blog post. The short version is that we create a secret key in your web browser, and add it to the URI fragment, which is never sent to the server.
Because the server never learns the key, you are able to send the URL directly to the viewer, thus E2E encrypting the message. After you create a message, you will see a link that you can send to the recipient out of band (via email, Signal, etc.).
Where do we have to trust someone?
We do not need to trust that the server operator will not read our messages, because the server has no way to decrypt the message.
In addition, we give you the ability to set a "read limit" on a given message. That means the server will delete your message after it has been read some number of times.
You are trusting that the server will delete the given encrypted message after a specified number of views. You can verify that the server does not serve a message anymore by making a request for it. Other than that, you are taking my word that I really did delete the message.
What can I, the server operator, learn about you?
I can see the time that a message was submitted, I can see the number of reads that are allowed, and I can probably see the IP address that sent the message, if you are not using a VPN. I don't look at your IP address, though, because I have no reason to.
What about the people who read your message?
I can see the IP address that is requesting a given message. So in that way I would be able to link a poster's IP address to a viewer's IP address, if neither of you are using a VPN.
See vanishing.page
Dependencies
The cryptography used by this page can be seen here: bicycle-codes/simple-aes
