my app is a sideproject. its aiming to be a regular messaging app (like whatsapp, signal, etc). im not breaking any rules by being a webdeveloper developing a webapp (i already asked this question on reddit). im actively trying to turn this into something that can support me.

i dont see myself moving my work away from github. i dont know what benefits it could bring. being anonymous is not something i see as valuable when trying to create a product.

“private and secure chat app”

I don’t think it’s a solved problem. There are countless nuances to it. So it’s good to have various approaches.

https://positive-intentions.com/blog/docker-ios-android-desktop

this a yet another approach to a “private and secure chat app” because its a unique approach to the same problem which id like to investigate.

its a work in progress and hope to get to a point its comparable to Signal and OnionShare.

for now, the purpose is to present open-source code to demonstrate a concept. like mentioned in the post it isnt ready to replace any existing tools.

sorry for the delay in responding. personal matters required more focus and to reply to you i wanted to set aside some time to write well for clarity.

… Might as well get real-life practice at writing.

im not entirely bad at writing (technical or otherwise) to get to where i am now in the project, i usually write with my own words like now. the blog articles you see on the website are from old reddit posts. questions like your are understandably frequent and so it made sense to create the website and blog to address FAQ’s. i think its important to note how im using AI here. while i can say to AI “here are some bullet points, now turn it into an article…”, i have written the content and details myself and then have AI reword it for clarity. i think the resulting content is better for clarity.

What is the lifetime of each user’s public/private keypair? What is the lifetime of the symmetric key shared between two communicating users?

the implementation sits ontop of a webrtc connections which mandates its own encryption keys. my app adds an additional set of public/private keypair and symmetric keys. these are persisted to browser storage (indexedDB). the keys are cleared if the user performs a logout (its all client-side, so there is no actual “logout”, it clears the local data).

key rotation is a work-in-progress and not testable in the app. while i can have a button that says “rotate keys”, im planning to frame it as something like “block contact”. this is because it makese to keep user ID’s static, so that in future sessions, the app can automatically connect to “known peers”. in the case you want to block someone, it makes sense to abandon that ID so they cannot ping you with it. when you connect to a “know peer” that doesnt know your new ID, it can use the previsously establish keys to verify each other and update the contact details accordingly.

its also possible to export the data to a file to then load from that profile. its currently static and unencrypted. there will be an option to have it all password encrypted. https://www.reddit.com/r/cryptography/comments/1lhjpxk/veracryptlike_functionality_from_a_browser/

I take substantial notice whenever a promise of “true privacy” is made

completely understandable. as mentioned in the post cybersecurity is full of caveats. here is a previsous attempt to outline some details: https://www.reddit.com/r/cryptography/comments/1evdby4/is_this_a_secure_messaging_app/

im also investigate various approaches to exchanging data offline with QR codes.

(written by me): https://www.reddit.com/r/positive_intentions/comments/1b5j424/file_sharing_by_qr_code/ (written by having AI transcribe my wording): https://positive-intentions.com/blog/qr-codes-as-a data-channel

id also like to investigate other things a browsers can do like exchange encryption data over NFC.

it isnt use-friendly yet, but i also have some basic functionality around p2p broker connections to avoid needing the peerjs-server (which acts as the broker.). some unclear details which could do with AI clarification can be seen here: https://github.com/positive-intentions/chat/issues/6

If a secure medium existed, then secure key exchange would already be solved

the existing key exchange should be already secure enough… but users would understandably want to be sure my code doesnt have a critical-bug and validating hashes provides that bit extra.

many others have also tried their hand at secure messaging, with more fails than successes.

i have seem some other myself, and i still believe my approach is unique. there are of course limitations in the webapp form-factor, but it also provides a lot of flexibility in just being able to run on a browser. while many try/succeed/fail, this is my attemp. i have been refining my approach with feedback and there is still much to do. at this point i dont consider it insecure, but the UI is pretty ugly and combined with various UI bugs, is deterring users. with the code being course source, i often try to present some concepts in a more digestable way with code examples as seen:

• https://cryptography.positive-intentions.com/?path=%2Fstory%2Fcryptography-introduction--welcome
• https://github.com/positive-intentions/cryptography

there is a lot to learn but by breaking things into small parts, i can better learn how it can all fit together.

“cryptography engineer” and not a cryptographer

i like that term. its new to me. i normally just call myself a webdeveloper to clarify my expertise. its more so the case than a cryptography engineer. i open sourcemy work for transparency, but also great for my own learning.

thanks for the good wishes. hopefully i get to a stage where its better presented as a product and not just a proof-of-concept.

thanks for taking a look.

firstly i would like to apologise for throwing the following blocks of AI text at you. i often used AI to create documentation for the project. im not much of a writer, im sure its more clear from AI than if i did it myself.

• how the authentication works: https://positive-intentions.com/docs/research/authentication
• how security works: https://positive-intentions.com/blog/security-privacy-authentication

the ID’s are cryptographically random to make it reasonably certain that strangers cannot connect (because its an ungussable ephemental string). this is used with peerjs-server (open source and documented) to connect with a predictable ID. when this ID is shared “through some other trusted channel” (e.g. whatsapp, qrcode), the peers connect and establish encryptions keys (see links above). afer the first connection (expected to be secure!), the previously establish encryption keys can be used to authenticate the user (to prevent MITM).

Was that document crafted for this project specifically?

long story short… this is my sideproject and im trying to get it off the ground. as i post more about the project, i decieded to create a website to “document” the project. there are understandable questions like yours, so made sense to answer them in the website. this includes things like the threat-model… while one-shotting is a thing you can do with AI, the threat model took several days of learning, thinking and consideration. i also posted about it on reddit for feedback and updated it accordingly.

Was it prepared by a cryptographer?

am i a cryptographer yet? having worked on this project i must have picked some stuff up. i still find that i need to learn much more.

And was it generated using an AI/LLM?

i hope admitting i used AI doesnt undermine the effort i put in. i try to communicate details in places like lemmy and the code is open source. AI enables me to demonstrate granular functionality that is easier for me to test as well present to professionals; in contrast to presenting overwhelmingly complicated code on github. for example for my cryptography functionality i created a separate repo to try things out for my learning: https://cryptography.positive-intentions.com/?path=%2Fstory%2Fcryptography-introduction--welcome

there are good and bad ways to using AI and i believe im doing it responsibly. i have been a coder for 15+ years. i can do it myself, i simply cant type as fast as AI making it indespensible when working on a project of this scale. i completely understand your concerns and im all ears for advice on a reddit post i asked: https://www.reddit.com/r/CyberSecurityAdvice/comments/1lekrsx/what_advicebestpractices_are_there_for_creating/

(its why like in all my app, website and posts (like this), i try to strike caution.)

I don’t think it’s possible over a channel that has active interest in breaking your encryption. It’s the recipe for a mitm attack.

It would be possible to use password encrypted keys on the public channel and rotate the keys immediately after establishing a connection.

I try to provide ways to transfer data offline. I don’t have a working example, but it would be possible to exchange keys over a series of QR codes or NFC… But this would require peers to be at the same physical location.

I’m sure there are many approaches for exchanging keys here that balance between convenience and security.

Ultimately it’s worth noting we are talking about encryption on a browser where the operating system could just as easily be taking screenshots.

Im also working on something similar. I was thinking with a browser extension I could “scan” a page for some kind of blob that the extension would have produced. Something like a webcomponent tag (but not that because a good website would have sanitized for that) then inject a webcomponents from the extension to show it decrypted. The idea is pretty difficult to describe without a working example, but I think it would allow for reasonably secure messaging on public channels (because the payload would be encrypted).

As for exchanging keys securely, the app is using crypto-random ID’s to connect peers. On the initial connection, it’ll establish the nessesary keys.

https://positive-intentions.com/docs/research/authentication/

Thanks. Can you tell me more about how a P2P system can get infiltrated. I’m fairly confident in my approach. I hope I’m not being too naive.

Users can always make mistakes/bad-choices and so I’ve tried to create some guidelines to follow.

https://github.com/positive-intentions/chat#security-and-privacy-recommendations

Thanks for your thoughts. I’m sure many others share your opinions.

I’m no expert on that matter, but I assume many people work on open source for various reason. For me, This is something I hope will lead to supporting me.

I find myself recently unemployed (it happens). And so I have to figure out my next steps in life. I’d like to work on this project full-time, yet without funding, I can only continue part-time. I’m motivated to work on the project because I see its still fairly unique, but without any way for it to support me, it’s future on shaky grounds… Especially when faced with issues I can’t ignore like unemployment.

It’s also why I’m reluctant to invite collaborators at this unstable stage because then going close-source becomes immoral.

The app is only using (local-only) browser storage (specifically indexedDB).

So in a P2P interaction, the traditional concept of “the cloud” is just the physical devices connected over a direct webrtc

Thanks for the tip. The future of the encryption is still under consideration. I’m not against the tox protocol… The signal protocol seems better regarded.

thanks for your thoughts. npm is popular for a reason and vanillajs doesnt scale very well. so any deps used could be an issue.

i was also considering if with the webcomponent approach it could be “furture-proof” as it seems to be the rhetoric i hear around. im sure i wont have a great implementation any time soon, but id like to try out a few ideas to see if it holds-up. hopefully to lead to a “secure javascript ui framework” (which itself could be a whole discussion).

but based on all the feedback ive recieved, it seem for the messaging app refactor, i’ll be fine to use react on it. which is great because i already have a working-ish demo.

thanks for your thoughts.

thats not quite what im asking. im wondering if there are nuanced benefits to using webcomponents over something like react. with the key difference being the native support.

i hope with the webcomponent approach it could be “furture-proof” as it seems to be the rhetoric i hear around. im sure i wont have a great implementation any time soon, but id like to try out a few ideas to see if it holds-up. hopefully to lead to a “secure javascript ui framework” (which itself could be a whole discussion). i hope that by having it open source, i can point to an example to discuss and improve it.

it seem for the messaging app refactor, i’ll be fine to use react on it. which is great because i already have a working-ish demo.

https://positive-intentions.com/blog/async-state-management/ https://positive-intentions.com/blog/bottom-up-storage/

the state management with the useStore hook seem tricky to explain and can be a whole separate dicussion. i try to explain a bit in those posts. im still working on it more and while it isnt document anywhere, but im also investigating having it store data encrypted-at-rest.

thanks. thats what id like to aim for and i dont think its far off. the build script there is mainly for the storybook statics (as seen in the link provided for “website”).

couple things i hope to do soon, remove lit as a dependency - i use this right now because its useful for template rendering and lifecycle methods. webcomponents have a an ugly approach to this which Lit makes easier, and so i pushed it back, but its still on the todo.

after that i should be able to have a more vanilla web dx.

Thanks!

https://www.reddit.com/r/cryptography/comments/1cint8h/what_are_your_thoughts_on_subtlecrypto_vs_wasm/

Tldr; I had that question before myself. It doesn’t seem to introduce any improvement over WebCrypto API which itself should have gone through peer-review and auditing. (“Choose your browser wisely” could be considered the advice here.)

I’d like to still look into wasm for several other details of the project, but it seems the built-in browser cryptography functions are performant and generally pretty good if used correctly.

no-installation. easy to get started without registration. can share with any device with a browser.

as a PWA, there is no need for you or your peer to already be part of the ecosystem.

the difference with my approach is that there is no registration or installation. as a webapp its easier for users to get started.

localsend is a good approach and my project isnt anywhere near the quality seen there (or several other examples). i hope to be able to create something competative in the space.

(i am investigating providing the app natively for various platforms for better reach, but the core requirement for my app is to have a modern browser)

the implementation is based on WebRTC which mandates encryption as part of the spec browsers have to confirm to.

in the app i have a concept of “contacts” in the app. when establishing a new contact, i use that webrtc channel to do a diffie-helman key-exchange (with RSA asymmetric keys used to exchange to AES symmetric keys). (im using vanilla os/browser cryptography tools as seen here: https://github.com/positive-intentions/cryptography/blob/staging/src/stories/components/Cryptography.tsx)

https://positive-intentions.com/docs/research/authentication

in my setup, all data that is being sent over webrtc, is already encrypted specific to a recipient. that encryption is a redundency over the WebRTC offering.

there is a performance hit with this redundency, but then allows me to have things like a way to verify public keys with a peer to prevent MITM vulnerbilities.

https://positive-intentions.com/blog/security-privacy-authentication