MikroFilm: Simple Secure Obfuscated Offline Image Transfer

Edit bis: New version 0.3-Archspire, see last thread post for changelog

Edit: Version updated to 0.2-No Fluff, thanks to @AstraKitten & @faxe

Greetings Privacy Guides community :slight_smile:

Since this is my first post here, I thought I’d start with a quick introduction first. After being a silent and passionate reader of this great forum for some time, I wanted to take a more proactive turn and start actually participating in a more concrete way to the global counter surveillance effort with simple yet effective tools within the limits of my capacities.

That said, I’d like to introduce you to MikroFilm, a tool to transfer images without uploading any file anywhere that works 100% locally within your browser:

DL LINK:
https://gitlab.com/NoBravado/mikrofilm

How it works:

Encrypt & share image:

  1. You choose the image you want to encrypt/share either by using the choose file button, drag & drop it or paste it
  2. You choose a password and decide if you want to keep or scrap the image metadata
  3. You press the Encrypt button and wait for MikroFilm to encrypt the image
  4. You copy the wordlist MikroFilm gives you

I would of course recommend using secure channels of your choice to share the mikrofilm wordlist, preferably using separate apps if possible to share the wordlist and the password for opsec reasons.

Decrypt Images:

  1. Press the decrypt tab
  2. Paste the mikrofilm wordlist & enter the password
  3. You can either just watch the image thumbnail or if you press it, enlarge it by clicking on it
  4. Press Burn to completely wipe the image from memory

Some technical details:

Encryption Algorithm: AES-256-GCM (Galois/Counter Mode)
Key Derivation: PBKDF2-SHA256, 100,000 iterations
Salt Length: 16 bytes (128-bit)
IV Length: 12 bytes (96-bit, optimal for GCM)
Integrity Hash: SHA-256 (256-bit)
Word Dictionary: 256 unique English words
Maximum File Size: 5MB per image
Browser API: Web Crypto API (native, no libraries)
Memory Model: Volatile RAM-only processing

Advanced Security Features:

Browser-Level Hardening: Anti-Fingerprinting (Canvas poisoning, screen spoofing, WebGL blocking), Memory Protection (Heap spray protection, timing attack mitigation), Developer Tools Detection with real-time monitoring and security warnings, Context Blocking (disabled right-click, text selection, printing, drag operations).

Anti-Forensics System: Secure Memory Wiping with multi-pass overwriting of sensitive data structures, DOM Sanitization with complete clearing of form inputs and cached elements, Inactivity Timer with automatic 5-minute cleanup, Decoy Traffic with randomized network noise generation every 30 seconds, Volatile Storage with RAM-only operation simulation.

Operational Security (OpSec): Burn Function for complete data destruction with page reload and memory reset, Process Timing Randomization to prevent timing-based side-channel attacks, WebRTC Leak Detection that blocks real IP exposure in VPN/Tor environments, Service Worker Cleanup to prevent persistent storage mechanisms.

There are a few downsides to the app though: the mikrofilm wordlists are quite long. I have tried different methods to compress and limit it to around 200 words but unfortunately with no success yet. And another downside is it won’t work on mobile browsers.

MikroFilm being my very first public tool and me not being an experienced developer, I do know it could certainly be better on many aspects and I would love for the experienced members in this community to give it a try and take part in making it better :slight_smile:

Hopefully it will be of use to some of you and all feedback & user experience is welcome. More in-depth information can be found in the repo and in the “About” section of the app.

Big thanks in advance to everyone who will take time to test and use MikroFilm and to this inspiring community for its constant effort to maintain our fundamental privacy rights.


Why not argon?

Absolutely all of this is useless.
It is a huge red flag that you either:

  • know it is useless and are misleading people
  • don’t understand that it is useless, in which case you shouldn’t be trusted to write programs of such context

Translation: “I made some AI slop”

Please everyone, avoid this proprietary trash.

@moderators, how did this get approved?

From a quick look on Gitlab:

provides military-grade image encryption

… yeah, this ain’t it

edit: Dev changed it, see posts below

First of all, thank you for taking the time to look at it.
You’re absolutely right about the PBKDF2 iteration count. I actually chose to use PBKDF2 specifically to maintain zero external dependencies and rely solely on the native Web Crypto API, which I understand from your feedback is a poor choice in the end and has to be addressed. I really wanted to make it zero dependency but that was a mistake that I’m reconsidering given the security trade-offs.

WebRTC leak detection and some anti-fingerprinting measures do provide value, but I’ll revise the documentation to be more accurate about their limitations. I am defo not trying to mislead anyone here; I may have misled myself with these choices.

Regarding “proprietary trash”: I did not understand in what way you were saying that; the project is fully open-source on GitLab with all code visible. If there are specific features you consider problematic beyond the PBKDF2 issue, I’d appreciate concrete technical feedback so I can address them.

I did use AI to write the readme because I am not great at writing and I wanted a clean readme. I should have been more careful about what was said there and will correct it right away.

As I mentioned, this is my first tool in its first version, and as I also said, I posted it for feedback and community help to make it better.

no, they do not.
this runs entirely client side, they are just useless fluff.
even if it was hosted on a server, it still has no benefit because the server could just choose to not serve that up or record such information.
such types of protections are only valid if they are implemented by the browser itself.
the red flag still stands.

please learn the difference between open source and source available, your “custom license” means your project is the latter.
source available == proprietary.

why do you expect people to contribute for free to your proprietary project?


Ok, thank you for these additional insights. I now understand your point about WebRTC and you are 100% right.
About the licensing being proprietary: this was the opposite of my intention. I was actually willing for it to be FOSS and thought that put this way it would impeach anyone making profit out of it, not for me to be the proprietary owner.
I did edit the readme to reflect that, and took away the WebRTC part, hopefully in the right manner this time. Thank you for your time and feedback :slight_smile:

it is not just about the webrtc bit, but the other bits are also useless.

you’d own it regardless.

that would not be FOSS then.

you may be interested in a toxic license such as AGPL, which most companies avoid like the plague, and then provide custom licenses to businesses who want to integrate it.
but note if you plan to accept outside contributions and dual license it, you must have contributors sign off on some form of CLA or remove their code from the commercial version

Yeah, I only mentioned WebRTC but indeed took these other bits out as well at the same time.

Thanks a lot for the licence info. I do not care so much about ownership of anything; my core value here is to guarantee that it doesn’t get ‘captured’ for profit by some company, so your AGPL advice seems indeed like an option, but it also implies some type of legal complexities for anyone to participate.

That’s a dilemma I’m facing here. I do understand from what you’re telling me that at the end of the day, if I want anyone to freely contribute without having to go through some type of contractual process, I have to sacrifice the idea of the project not being used for profit in some ways. Is that correct?

MikroFilm v0.2.0 - No Fluff Release

Major Cleanup

This release removes ~1500 lines of “fluff” code and focuses on enhanced working cryptography.

What was removed:

  • Browser fingerprinting attempts
  • Developer tools detection
  • misleading or ineffective security features

What was improved:

  • PBKDF2: 600,000 iterations (OWASP 2025 compliant)
  • Fixed steganography word dictionary
  • MIT License (truly open source)

Thanks to @AstraKitten for pointing out these issues.


MikroFilm v0.3 beta - Archspire Release

Changelog:

Added

  • Single HTML file distribution (merged CSS/JS)
  • Image preview with file information display
  • Metadata detection (EXIF/GPS/Camera info indicators)
  • Password strength warnings (<8 chars, <20 chars)
  • File size/dimension validation (5MB/4000×4000)
  • XSS prevention (filename sanitization, SVG blocking)
  • Progress indicators during operations
  • Large text performance optimizations
  • Image viewer overlay
  • Clear image button

Changed

  • Improved memory management
  • Enhanced error messages
  • Better clipboard/drag-drop handling

Security

  • Blocked SVG files (XSS prevention)
  • Input sanitization for filenames
  • Strict MIME type validation