https://github.com/positive-intentions/chat
I’m excited to share with you an instant messaging application I’ve been working on that might interest you. This is a chat app designed to work within your browser, with a focus on browser-based security and decentralization.
What makes this app unique is that it doesn’t rely on messaging servers to function. Instead, it works based on your browser’s javascript capabilities, so even low-end devices should work.
Here are some features of the app:
- Encrypted messaging: Your messages are encrypted, making them more secure.
- File sharing: Easily share files using WebRTC technology and QR codes.
- Voice and video calls: Connect with others through voice and video calls.
- Shared virtual space: Explore a shared mixed-reality space.
- Image board: Browse and share images in a scrollable format.
Your security is a top priority. Here’s how the app keeps you safe:
- Decentralized authentication: No central server is required for login, making it harder for anyone to gain unauthorized access.
- Unique IDs: Your ID is cryptographically random, adding an extra layer of security.
- End-to-end encryption: Your messages are encrypted from your device to the recipient’s device, ensuring only you and the recipient can read them.
- Local data storage: Your data is stored only on your device, not on any external servers.
- Self-hostable: You have the option to host the app on your own server if you prefer.
The app is still in the early stages and I’m exploring what’s possible with this technology. I’d love to hear your feedback on the idea and the current state of the app. If you have any feature requests or ideas, I’m all ears in the comments below!
Looking forward to hearing your thoughts!
Where is the crypto documented? I’m immediately dubious of messengers that do not provide LENGTHY documentation about the crypto. Did you roll your own? Are you using libraries? Which ones? Etc… It’s not s good start to see that you have the self signed certs hard-coded in the repo…
An understandable view. Not sure what you mean by lengthy, but I can confirm my app is not well documented. If the MDN docs count, its a fairly thin wrapper around the functionality provided by the browser of your choice.
I’m using webpack 5 module federation to import that file at runtime. Perhaps over-engineered, but it’s so I can keep the crypto functionality maintained separately. That repo is in need of more attention for things like unit tests, but the crypto implementation there is pretty basic.
This doesn’t really explain how the whole protocol works. Are the keys exchanged for example? Are they rotated? If so when and how? From a quick glance at this bit of code this is just RSA? So no forward secrecy?
The app is a active work in progress. I try to make this clear in my post. Any “protocol” being used, is subject to change as I make improvements.
You raise some good points about rotating keys and forward secrecy. These are things I will be including, but the app is far from finished.
Maybe this helps a bit (I know it’s not what you want, but it’s the best I got at the moment without diving into the code): https://positive-intentions.com/docs/research/authentication/
You’ll probably want to layer in a quantum resistant crypto too. E.g. encrypt the plaintext with old school encryption like you are, then encrypt the cyphertext with quantum resistant encryption. This is essentially one part of what signal does
https://www.reddit.com/r/cryptography/comments/1bs7slv/help_me_understand_postquantum_cryptography/
Sorry to redirect to Reddit. I’m new to Lemmy.
Tldr; there are several approaches to this issue. In the case of webapps, relying on the offering from the browser should be enough.
I’m also investigating if wasm could also be a way to introduce real-world-entropy to key generation (because I noticed it isn’t possible to seed the browser key generation)
But we already have decentralized encypted chat, it’s XMPP.
Is yours truly P2P? What about clients behind NAT? Does it use STUN/TURN servers?
I’m using peerjs-server. I’m also investigating other ways to achieve peer discovery which itself could be quite a discussion.
Maybe look at how syncthing works
Thanks. I want to also investigate if YJS could also fit into the app.
Can users self host that and set up clients to use their own servers?
Users can selfhost the frontend and backend independently. When creating a profile, you can set it to use your own peerjs-server (set preferences)
The frontend is only run as client-side JavaScript. There isn’t a step to “set up clients”.
Yeah a lot of ISPs are putting people behind CG-NAT these days. Good luck getting around that with out some kind of relay.
Dude, I can’t wait to have IPv6 everywhere and have our own IP addresses for everyone.
Nothing against this, but isn’t this basically Matrix?
It’s similar to matrix in many ways. The key difference is with mine it’s is purely browser based. Unlike traditional solutions like matrix where you have a (self)hosted server, mine does not require things like registration or installation.
It’s an interesting idea. If it can make it easier to share files with friends then I’d be in. Voice and video have always been challenging as I understand it, so I’m expecting that to come later. Very ambitious, but cool if you can pull it off!
There is a lot to be fixed throughout but file transfer and video calls should be working if you try out the live app.
All right I tried out the live app, to connect my phone to my desktop. Couldn’t get it to work. Tried the link method both ways, once normal and once animals. Tried the QR code too. All it does is bring me to a “contacts” page, which is essentially the same screen, or to a “new peer” one. Tried looking at the docs but didn’t see what I might be doing wrong there. Do certain plug ins mess it up like ublock origin? Anything else?
Sorry. It’s quite buggy.
- Its best to start off by clearing all site data from the browser settings.
- Do not have multiple tabs of the app on the same device.
- It doesnt hurt to refresh to page.
What you’re describing might be related to there being 2 tabs of the app running. This results in both reacting to the new-connection-event, but ultimately resulting in a data conflict.
Plugins shouldn’t be an issue. For stronger security, i have CSP headers to try to prevent browser plugins reading data.
If nothing works then the egg is squarely on my face and my buggy app is too buggy.
Interesting project, cool to see that you are passionate about this. Nostr does much of this and can do it entirely in-browser without having to trust any particular relay like AP/Lemmy/Mastodon does. It has encrypted DMs. Might want to check out the protocol.
Thanks. It’s been mentioned before and I’d like to take a look at it when I can make the time.
What encryption protocol u using? I wpuld strongly recommend using signal protocol but i dont exactly know how the implementation of that in js would work
The project it’s in its early stages. There isn’t anything as formal as a protocol yet. That is also why there isn’t good documentation about it… The best I have for your question is:
https://positive-intentions.com/docs/research/authentication
Sounds to me that it would have been easier to create a web-based client for an existing messaging system with such features (like Briar).
perhaps.
it started of very vanillajs, but i found that users didnt like the appearance. so i added a faily basic implementation of material ui.
existing frameworks were not compatible with the look, feel and funtionality i was after. i still havent achieved it, but im happy with the progress.