Security Guide

Transport encryption

Realtime app traffic is encrypted after a signed session handshake, while file transfer, meetings, identity, and account pages use HTTPS.

Realtime sessions

Desktop and mobile clients create an encrypted realtime session before messages, presence, calls, or screen-sharing traffic is exchanged. Session keys are established during connection setup and are not reused as permanent workspace keys.

Replay protection

Realtime traffic includes replay protection so old packets cannot simply be resent and accepted as new activity. Media streams tolerate normal network reordering without accepting stale packets.
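
A reorder-tolerant replay check of the kind described above can be built as a sliding-window sequence filter, the approach IPsec ESP and DTLS use. This is an added example, not the product's code: the page does not name its mechanism, and `ReplayWindow`, `classify`, the 64-packet window and the sample sequence numbers are assumptions.

```python
# Added illustration of a sliding-window anti-replay filter (assumed mechanism).
# Call accept() only after the packet's integrity check has passed; otherwise
# forged sequence numbers could push the window forward.

class ReplayWindow:
    def __init__(self, size=64):
        self.size = size      # assumed window: how far behind the newest packet is tolerated
        self.highest = -1     # highest sequence number accepted so far
        self.bitmap = 0       # bit i set => sequence (highest - i) was already accepted

    def accept(self, seq):
        """Record seq and return True if fresh; return False if duplicate or stale."""
        if seq < 0:
            return False
        if seq > self.highest:
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1   # jump past the whole window: forget older history
            else:
                # Slide forward; bits pushed beyond the window are dropped.
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False            # older than the window: stale
        if self.bitmap & (1 << offset):
            return False            # already seen: replay
        self.bitmap |= 1 << offset  # late but new: normal reordering
        return True


def classify(seqs, size=64):
    """Feed sequence numbers in arrival order; return the accept/reject decisions."""
    window = ReplayWindow(size)
    return [window.accept(s) for s in seqs]


# Constructed arrival order: 2 arrives late, 3 is resent, then a jump to 100
# makes 10 fall outside the window.
SAMPLE = [1, 3, 2, 3, 100, 99, 10]

if __name__ == "__main__":
    for seq, ok in zip(SAMPLE, classify(SAMPLE)):
        print(seq, "accepted" if ok else "rejected")
```

The window size is the trade-off: a larger window tolerates more reordering but keeps more history per session.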

Server identity

Server identity is trust-on-first-use. Clients store the server fingerprint and detect later changes that could indicate a replaced server identity or man-in-the-middle attempt.

HTTPS paths

File transfer, history sync, browser meetings, identity-provider provisioning, diagnostics, and account pages are served over HTTPS in production.