Thursday, 3 October 2013

This is interesting information. I have to check with the person who built the site whether this is true or not.
The only thing I can say is that the information I got from the secrets is the secret itself. I have no possibility to connect a secret with a person. 
Anyway this information makes my statement even more clear: "They" are able to check everything from us.
I'm convinced that even if there would be a genius encryption system on the site "they" would be able to hack it.
The fact our virtual information is possibly hacked must be a challenge for all of us to think about new ways of using internet, mail, facebook etc.


A friend of mine sent me a link to a recent project of yours (http://www.atelierblanchefosse.nl/SCRTS-CNFSSNS/index.php), and while I like the idea I have a couple issues with the implementation...
First, all data submitted to the form is transmitted to the server as plain-text, which directly contradicts your statement that "all revelations will be encrypted before sending." Sending the data in plain-text form allows anyone spying on your users to see exactly what they wrote. And since this data is received and processed by the server, anyone with access to the server will also have access to the plain-text data.
Second, the returned string appears to simply be a base64-encoded copy of the submitted text. This is not encryption, and does not make the original text difficult to recover. The base64 version of the text is the exact same content, simply represented in a different manner. It's equivalent to rewriting the decimal number 2 in binary as 10.
These combined ensure that nothing about this is either secure or anonymous, which seems to go against the motivation for your project. If you actually receive confessions which could be of interest to an organization like the NSA, you have done nothing to safeguard the privacy of your contributors and may be doing them a disservice by giving them a false sense of security. And if none of the confessions you receive could be of interest to such an organization, then why have the "encryption" step at all?
It's also not clear to what extent you have access to the server at atelierblanchefosse.nl, and you do not publish the code you're running or discuss its implementation. To me, this raises the question of whether the submissions are even anonymous from your perspective, and to what extent the server retains logs of these sessions.
I would suggest at a minimum to at least serve the page over HTTPS. It would also be nice if you encrypted the data on the client-side (in JavaScript, perhaps), so the server never sees the unencrypted content. Ideally this could be done with a public key you create for yourself, then you could decrypt the data with your private key and have some degree of confidence that you are the only one with the decrypted data (you could use something like GnuPG to generate the keys: http://en.wikipedia.org/wiki/GNU_Privacy_Guard ). Doing this will ensure that even if someone was being monitored by NSA or another organization, all the org would know is that they visited your page, not what they wrote.
It would also be nice (just as a generally-reassuring gesture) if you shared on your project page some more detail about how the server is handling the data you receive, perhaps by publishing the source code you're running and discussing the extent to which user data is logged by the system.
I apologize if my tone is a little harsh, and I hope that this is more informative than anything. I would love to see people become more aware of cryptography in general, and to think more about how their data moves through the 'net.
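
The two technical points of the e-mail above, as an added example that is not part of the original post or of the site's code: base64 output is recovered without any key, while text sealed to a public key can be read only with the matching private key. It uses Node.js's built-in crypto, with RSA-OAEP wrapping a per-message AES-256-GCM key as a stand-in for the GnuPG key pair the e-mail suggests; the function names and the sample message are assumptions.

```javascript
// Added example: Node.js built-in crypto stands in for browser-side code.
const nodeCrypto = require('node:crypto');

// What the e-mail says the page returns: base64 of the submitted text. No key is involved.
function base64Encode(text) {
  return Buffer.from(text, 'utf8').toString('base64');
}
function base64Decode(encoded) {
  return Buffer.from(encoded, 'base64').toString('utf8');
}

// Hybrid encryption: a fresh AES-256-GCM key per message, wrapped with RSA-OAEP
// so that only the holder of the private key can unwrap it.
function encryptForRecipient(publicKey, text) {
  const key = nodeCrypto.randomBytes(32);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([cipher.update(text, 'utf8'), cipher.final()]);
  const wrappedKey = nodeCrypto.publicEncrypt(
    { key: publicKey, padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' },
    key
  );
  return { wrappedKey, iv, body, tag: cipher.getAuthTag() };
}

function decryptAsRecipient(privateKey, msg) {
  const key = nodeCrypto.privateDecrypt(
    { key: privateKey, padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' },
    msg.wrappedKey
  );
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, msg.iv);
  decipher.setAuthTag(msg.tag); // final() throws if the ciphertext was altered
  return Buffer.concat([decipher.update(msg.body), decipher.final()]).toString('utf8');
}

// Constructed sample data: a throwaway key pair and message.
const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const confession = 'constructed sample secret';
const sealed = encryptForRecipient(publicKey, confession);

console.log(base64Decode(base64Encode(confession))); // readable by anyone who sees it
console.log(sealed.body.toString('base64'));         // what a server or eavesdropper would see
console.log(decryptAsRecipient(privateKey, sealed)); // readable only with the private key
```

In a deployment along the lines the e-mail describes, only the public key would be shipped with the page and the private key would stay off the server.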
