chat.positive-intentions.com

https://github.com/positive-intentions/chat

I’m excited to share with you an instant messaging application I’ve been working on that might interest you. This is a chat app designed to work within your browser, with a focus on browser-based security and decentralization.

What makes this app unique is that it doesn’t rely on messaging servers to function. Instead, it works based on your browser’s JavaScript capabilities, so even low-end devices should work.

Here are some features of the app:

  • Encrypted messaging: Your messages are encrypted, making them more secure.
  • File sharing: Easily share files using WebRTC technology and QR codes.
  • Voice and video calls: Connect with others through voice and video calls.
  • Shared virtual space: Explore a shared mixed-reality space.
  • Image board: Browse and share images in a scrollable format.

Your security is a top priority. Here’s how the app keeps you safe:

  • Decentralized authentication: No central server is required for login, making it harder for anyone to gain unauthorized access.
  • Unique IDs: Your ID is cryptographically random, adding an extra layer of security.
  • End-to-end encryption: Your messages are encrypted from your device to the recipient’s device, ensuring only you and the recipient can read them.
  • Local data storage: Your data is stored only on your device, not on any external servers.
  • Self-hostable: You have the option to host the app on your own server if you prefer.

The app is still in the early stages and I’m exploring what’s possible with this technology. I’d love to hear your feedback on the idea and the current state of the app. If you have any feature requests or ideas, I’m all ears in the comments below!

Looking forward to hearing your thoughts!

The live app

About the app

Docs

  • @wildbus8979
    10
    12 days ago

    Where is the crypto documented? I’m immediately dubious of messengers that do not provide LENGTHY documentation about the crypto. Did you roll your own? Are you using libraries? Which ones? Etc… It’s not a good start to see that you have the self-signed certs hard-coded in the repo…

    • @[email protected] OP
      3
      12 days ago

      An understandable view. Not sure what you mean by lengthy, but I can confirm my app is not well documented. If the MDN docs count, it’s a fairly thin wrapper around the functionality provided by the browser of your choice.

      https://github.com/positive-intentions/cryptography/blob/staging/src/stories/components/Cryptography.tsx

      I’m using webpack 5 module federation to import that file at runtime. Perhaps over-engineered, but it’s so I can keep the crypto functionality maintained separately. That repo is in need of more attention for things like unit tests, but the crypto implementation there is pretty basic.

      • @wildbus8979
        5
        12 days ago

        This doesn’t really explain how the whole protocol works. Are the keys exchanged for example? Are they rotated? If so when and how? From a quick glance at this bit of code this is just RSA? So no forward secrecy?

        • @[email protected] OP
          3
          12 days ago

          The app is an active work in progress. I try to make this clear in my post. Any “protocol” being used is subject to change as I make improvements.

          You raise some good points about rotating keys and forward secrecy. These are things I will be including, but the app is far from finished.

          Maybe this helps a bit (I know it’s not what you want, but it’s the best I got at the moment without diving into the code): https://positive-intentions.com/docs/research/authentication/

          • @[email protected]
            1
            12 days ago

            You’ll probably want to layer in a quantum-resistant crypto too. E.g. encrypt the plaintext with old-school encryption like you are, then encrypt the ciphertext with quantum-resistant encryption. This is essentially one part of what Signal does.
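
The forward-secrecy question raised in the thread, as an added example that is not code from the app or its cryptography repo: it contrasts RSA key transport with a per-session X25519 exchange, using Node.js's built-in crypto module. All function names and the info string are hypothetical, and authentication of the ephemeral keys is left out.

```javascript
// Added example. Uses Node.js's built-in crypto; all names are hypothetical.
const nodeCrypto = require("crypto");

function seal(key, text) {                       // AES-256-GCM encrypt
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv("aes-256-gcm", key, iv);
  const ct = Buffer.concat([c.update(text, "utf8"), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

function open(key, box) {                        // null when the key is wrong
  try {
    const d = nodeCrypto.createDecipheriv("aes-256-gcm", key, box.iv);
    d.setAuthTag(box.tag);
    return Buffer.concat([d.update(box.ct), d.final()]).toString("utf8");
  } catch {
    return null;
  }
}

// Design A: RSA key transport. Each message key is wrapped to the long-term key,
// so recorded traffic stays readable for as long as that private key exists.
function sendRsaTransport(recipientPublicKey, text) {
  const messageKey = nodeCrypto.randomBytes(32);
  const wrapped = nodeCrypto.publicEncrypt(
    { key: recipientPublicKey, oaepHash: "sha256" }, messageKey);
  return { wrapped, box: seal(messageKey, text) }; // what an eavesdropper records
}

function openRsaTransport(longTermPrivateKey, recorded) {
  const messageKey = nodeCrypto.privateDecrypt(
    { key: longTermPrivateKey, oaepHash: "sha256" }, recorded.wrapped);
  return open(messageKey, recorded.box);
}

// Design B: both peers make one-time X25519 keys for each session. A real protocol
// must also sign the public halves with identity keys; that step is omitted here.
function ephemeralSession(text) {
  const a = nodeCrypto.generateKeyPairSync("x25519");
  const b = nodeCrypto.generateKeyPairSync("x25519");
  const derive = (priv, pub) => Buffer.from(nodeCrypto.hkdfSync("sha256",
    nodeCrypto.diffieHellman({ privateKey: priv, publicKey: pub }),
    Buffer.alloc(32), "constructed-demo-session", 32));
  const keyA = derive(a.privateKey, b.publicKey); // peer A's view of the session key
  const keyB = derive(b.privateKey, a.publicKey); // peer B derives the same key
  const recorded = { pubA: a.publicKey, pubB: b.publicKey, box: seal(keyA, text) };
  return { recorded, keyA, keyB };               // private halves are dropped here
}
```

In design A the long-term private key opens every recorded message; in design B the recorded transcript holds only public values, and a key from any other session fails the GCM tag check.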