github.com/positive-intentions/chat
I’m excited to share with you an instant messaging application I’ve been working on that might interest you. This is a chat app designed to work within your browser, with a focus on browser-based security and decentralization.
What makes this app unique is that it doesn’t rely on messaging servers to function. Instead, it works based on your browser’s javascript capabilities.
Here are some features of the app:
- Encrypted messaging: Your messages are encrypted, making them more secure.
- File sharing: Easily share files using WebRTC technology and QR codes.
- Voice and video calls: Connect with others through voice and video calls.
- Shared virtual space: Explore a shared mixed-reality space.
- Image board: Browse and share images in a scrollable format.
Your security is a top priority. Here’s how the app keeps you safe:
- Decentralized authentication: No central server is required for login, making it harder for anyone to gain unauthorized access.
- Unique IDs: Your ID is cryptographically random, adding an extra layer of security.
- End-to-end encryption: Your messages are encrypted from your device to the recipient’s device, ensuring only you and the recipient can read them.
- Local data storage: Your data is stored only on your device, not on any external servers.
- Self-hostable: You have the option to host the app on your own server if you prefer.
A decentralized infrastructure has many unique challenges and this is a unique approach. Ive taken previous feedback and made updates. Its important to note, it is still a work-in-progress and provided for testing/review/feedback purposes.
Looking forward to hearing your thoughts!
This screams honeypot. MS-Paint logo, some broad “encryption” claim without mentioning any cyphers at all, the nice “positive-intentions” website… Why are your ‘intentions’ front and center but not the information on what you are doing to keep your clients safe?
The logo is literally a fish, giving me the indication that something fishy is afoot… I don’t trust it.
its open souce but understandably complex to understand.
im using a thin wrapper around browser-based cryptography functions. im using webpack 5 module federation to import that file at runtime.
those functions are used to create a kind-of decentralised authentication as described here: https://positive-intentions.com/docs/research/authentication
the app uses peerjs to send encrypted messages. i have the checkbox only for the user to confirm this is for testing purposes only. it is also worded throughout the docs that users should be responsible for what data they share. the app doesnt need any personal detail to work (ip address - as per requirement of webrtc). im all ears for ideas on a previous post: https://www.reddit.com/r/darknetplan/comments/16qw24o/on_my_decentralized_chat_app_i_want_some_kind_of/
pardon my art skills. i drew it on my phone. i was going for a “whale”. a simple logo was enough. i dont expect version 2 to be any better. as for the domain, it was cheap. i would like to do rebranding at some point but i dont know enough to make any time for it.
I still don’t trust it, but I’ll keep an eye on it - I’ll try to use it as a non-secure communication method until I can wireshark it and verify the claims.
your concerns are well placed. i am not a security expert and the project is not a mature enough for it to have a security professional take a look, so it shouldnt be considered secure or encrypted until someone reputable can verify it.
i open sourced it so i could investigate getting security advice without a budget… but of course its pretty complex to do without a budget. so i’ll settle with what feedback i can get.
- Only in the browser? Doesn’t that mean that chat history doesn’t sync across devices?
- And what happens when the browser is closed? How are messages delivered? Do both participants have to be online?
- How do you find friends?
While the app isn’t fully open-source yet, parts of it are, and we’re keen on opening more in the future.
Why are only parts opensource?
there may be details you are interested in, but the post is quite large. you can search in that that post about how i plan to deal with syncing between devices. the functionality is not working in the app at the moment.
the data is persisted to browser storage, and unsent messages will be queued up when peers are not connected. similarly, the functionlity is not working at the moment.
peer discovery can be a whole separate discussion. the app provides ways to exchange connection data with links and QR codes. it is important that the user shares this with peers they trust, the ID is otherwise cryptographically random. upon first connection asymetric encryption keys are created and used for every future connection (to prevent impersonation).
Why are only parts opensource?
the part that isnt open source is the aws-cdk repo im using for deploying to S3. the app is otherwise open source and i give the instructions to deploy on your own github-pages if you want.
can you explain more about that licence?