Id like to introduce you to a decentralized chat app that works purely in the browser. Breaking away from traditional solutions that require registration and installation.
A decentralized infrastructure has many unique challenges and this is a unique approach. Ive taken previsous feedback and made updates. Its important to note, it is still a work-in-progress and provided for testing/review/feedback purposes. it would be great if you can tell me what you think.
Some of the features of the app include:
- Free
- Decentralised
- No cookies
- P2P encrypted
- No registration
- No installing
- Group messaging
- Text messaging
- Multimedia messaging
- Offline messaging (LAN/hotspot)
- File transfer
- Video calls
- Data-ownership
- Selfhosted (optional)
- Screensharing (on desktop browsers)
- OS notifications (where supported)
With no registration or installation required, its easy to get started.
your caution is well placed. this app is not ready to replace any existing app or service. it is only provided for demo and testing.
the feedback ive recieved from security professionals is that the project is too complicated to review without a budget (which is understandable). so i think updating the docs is something i will do when i have the protocol and algorithm better defined. (note: i am already planning on breaking changes, but havent found the time to do them.)
Right that makes sense.
But yeah, after glancing through the links you provided, I’d agree that you’ll definitely need to pay someone for an audit / review, there are so many pitfalls and gotchas when it comes to encryption alone, and depending on the guarantees you want to be able to make you’ll find even more pitfalls and gotchas – especially if you want to make even relatively light guarantees about anonymity. The classic problem is that even with encrypted payloads the metadata / protocol itself leaks information, which might or might not be a problem depending on what your guarantees are.
yeah. i find its difficult to gain traction from security professionals on this project as an individual. because from the onset it is pointed out that im not a cybersecurity professional (which is true).
when looking a security guidelines from things like OWASP i already notice that there are things like having every PR reviewed and other hoops i have to jump through to make the app secure as defined in those guidelines. i also notice there arent any guidelines for p2p apps and if i proceed with my own interpretation, it would undemine the guide. here is a question on reddit on the matter: https://www.reddit.com/r/CyberSecurityAdvice/comments/1cfywjj/security_guidelines_for_p2p_apps/
I have a background in distributed systems and some background in security (I’m by no means a cryptography expert but I do know more about the subject than average developers), and I’d say that at this stage you shouldn’t worry too much about meeting all parts of some guideline or another; they’re often geared more towards bigger teams and slightly more established projects. What I think could benefit you would be first of all to have a clear idea of what exactly you want to accomplish (from a security standpoint, not necessarily so much from a functionality standpoint) if you don’t already have have one, ie. what sort of guarantees do you want to be able to make. Doesn’t have to even be a public document at first, just some notes and sketches for yourself. Then you’d want to find other projects with similar guarantees and aims and see how they did things, find research papers on the subjects and so on. Security guidelines can be useful, but generally it’s more useful to understand why something is in a guideline in the first place. For a project such as yourst I would personally really emphasize design documents and research over code at an early stage, because you need to have a clear goal in mind before you start cranking out code which might turn out to be worthless (at least to some degree) after you run into problems with your approach. Not saying that the documentation has to be public, just that you / the team know exactly what the goal is.
“Encrypted P2P chat” can mean vastly different kinds of projects, with very different aims. For example, do you want perfect forward secrecy? If so, you’d want to find out the challenges associated with it, especially in relation to interactivity since you’re building a P2P architecture, etc. etc. Same with anonymity / user “traceability” like I mentioned earlier; you need to have a clear picture of what kinds of guarantees do you want the users to have to be even able to say what kinds of best practices you’d have to follow.
Sorry, that turned into a bit of a ramble and might be completely obvious to you already, since I have no idea about your background and the level of research you’ve already done.
