Want to send E2E encrypted messages and video calls with no downloads, no sign-ups and no tracking?
This prototype uses PeerJS to establish a secure browser-to-browser connection. Using browser-only storage—true zerodata privacy!
Check out the pre-release demo here.
NOTE: This is still a work-in-progress and partially a close-source project. To view the open source version see here. It has NOT been audited or reviewed. For testing purposes only, not a replacement for your current messaging app.
- Docs: https://positive-intentions.com/docs/category/sparcle
- Reddit: https://www.reddit.com/r/positive/_intentions
- Mastodon: https://infosec.exchange/@xoron
- More: https://positive-intentions.com/
How it works:
PeerJS allows users to connect with a unique string. A crypto-random ID is generated automatically on the frontend and used for the connection.
To connect, you can share your unique ID. Strangers are not able to guess your ID. Upon the initial connection, new encryption keys are exchanged and persisted to browser storage. These are used to encrypt message payloads to be sent over the WebRTC connection as created with PeerJS.
After a page reload (or future session), the app automatically pings the “known peers”. If connecting to to a peer ID that is already registered, the previsously establish encryption keys are used to authenticate the user. This helps prevent MITM.
Does it have a github repository?
the org can be found here: https://github.com/positive-intentions
the prerelease demo linked in the post is not open source.
Excellent. Thanks.
Won’t work in Edge.
thanks for letting me know, i’ll take a look.
edit: perhaps this could be your issue… consider that your user-ID is the same one used when you reload the page or open it on another tab. if you open a new browser tab, it will try to connect to the peerjs server with an ID thats already in use… instead try with one incognito browser window (or a separate device).
The error is actually in the HTTP headers:
do you perhaps have something running on localhost at those ports? i was trying something out, but i will disable it so it doesnt have this issue when users try to selfhost themselves.
it isnt well explained or demonstrated, but i was trying to do something as described in the link below, where i could connect a selfhosted federated module and have it work as a drop-in replacement.
https://positive-intentions.com/blog/statics-as-a-chat-app-infrastructure
the purpose was to see if there is any benefit to allowing users to host their own federated modules. i think there isnt a distinct advantage so it looks like i will remove that feature entirely.
The error is stating that the code is trying to run in an iframe and the content security policy of the frame source (your code?) doesn’t allow the parent site to embed the iframe
Why call it whatsapp clone? Messaging existed before whatsapp and will exist after.
im still think of a better name for the project before i promote it properly as stable and secure. “positive-intentions” is understandably not well recieved.
i call it a “whatsapp clone” to better describe what it can be used for. this is in contrast to calling it a “p2p instant messaging app”… that just sounds too verbose.
