
Encrypted P2P Chat

https://chat.positive-intentions.com/

https://github.com/positive-intentions/chat

Is this a secure messaging app? probably not... but id like to share some details about how my app works so you can tell me what im missing. id like to have wording in my app to say something like "most secure chat app in the world"... i probably cant do that because it doesnt qualify... but i want to understand why?

im not an expert on cyber security or cryptography. im sure there are many gaps in my knowledge in this domain.

using javascript, i created a chat app. it is using peerjs-server to create an encrypted webrtc connection. this is then used to exchange additional encryption keys from cryptography functions built into browsers to add a redundant layer of encryption. the key exchange is done like Diffie-Hellman over webrtc (which can be considered secure when exchanged over public channels). the algorithms are fairly easy to use and interchangeable as described here.

  • i sometimes receive feedback like "javascript is inherently insecure". i disagree with this and have open sourced my cryptography module. its basically a thin wrapper around vanilla crypto functions of a browser. a prev post on the matter.
  • another concern for my kind of app (PWA) is that the developer may introduce malicious code. this is an important point for which i open sourced the project and give instructions for selfhosting. selfhosting this app has some unique features. unlike many other selfhosted projects, this app can be hosted on github-pages for free (instructions are provided in the readme). im also working on introducing a way that users can selfhost federated modules. a prev post on the matter.
  • to prevent things like browser extensions, the app uses strict CSP headers to prevent unauthorised code from running. selfhosting users should take note of this when setting up their own instance.
  • i received feedback the Signal/Simplex protocol is great, etc. id like to compare that opinion to the observation in how my todo app demo works. (the work is all experimental work-in-progress and far from finished). the demo shows a simple functionality for a basic decentralized todo list. this should already be reasonably secure. i could add handlers for exchanging keys Diffie-Hellman style. which at this point is relatively trivial to implement. I think its simplicity could be a security feature.
  • the key detail that makes this approach unique, is because as a webapp, unlike other solutions, users have a choice of using any device/os/browser.

i think if i stick to the principle of avoiding using any kind of "required" service provider (myself included) and allowing the frontend and the backend to be hosted independently, im on track for creating a chat system with the "fewest moving parts". i hope you will agree this is true p2p and i hope i can use this as a step towards true privacy and security. security might be further improved by using a trusted VPN.

i created a threat-model for the app in hopes that i could get a pro-bono security assessment, but understandably the project is too complicated for pro-bono work. i contacted "Trail of bits" because of their work on SimpleX and they have quoted me $50,000. the best i can offer is "open-source and communicating on reddit". (note: i asked them if i can share those details... summarized response: the SOW is confidential, but i can share the quote.)

while there are several similar apps out there like mine. i think mine is distinctly a different approach. so its hard to find best practices for the functionalities i want to achieve. in particular security practices to use when using p2p technology.

(note: this app is an unstable, experiment, proof of concept and not ready to replace any other app or service. It's far from finished and provided for testing and demo purposes only.)

17
17 comments
  • Personally I'd say unless you plan to have an audit done and/or until you have then there's no real data backing up whether your chat app is secure.

    So likely it is not, or should at least be considered insecure until that point.

    2
    • your view is understandable. security audits can provide confirmation on implementation, especially in sensitive cases relating to security and privacy. this would enable security professionals experts in the field that the implementation is sound.

      > considered insecure until that point

      caution is something i try to encourage in my wording throughout the app, docs, posts. (including this post)

      i cant help but think that you might be putting more weight on a security audit than appropriate considering it seems to be prohibitively expensive ($50k). this is simply not something a normal person has expenses for on their sideproject especially for a project that doesnt make money. i have tried to raise funds through things like donations. i think its optimistic for me to see $5 in donation. $50k is simply not happening.

      1
      • Thank you for understanding.

        That's fair and, yeah I think 50K is ridiculous, really it would be nice if there were groups or individuals that received funding from elsewhere that did security audits for free for smaller or not well funded (yet still vital) projects.

        I apologise if I hurt you and hope this goes well for you.

        1
  • as the mod of this community i feel inclined to mention here that I posted a comment about this last month in another community, in reply to a previous post OP made about it: https://lemmy.ml/comment/12562836

    1
  • I am not an expert either (anyone claiming to be so is knee-deep in Dunning-Kruger), but here are some thoughts:

    Why are you adding an additional layer of complexity to webrtc? It has e2ee already?

    How does a user validate that they are actually e2ee? Could a malicious server pretend to support your protocol and decrypt everything?

    -1
    • > Why are you adding an additional layer of complexity to webrtc? It has e2ee already?

      the app is more "research + development" than "a product". i started off with a webrtc chat app without the additional encryption and it worked like it does now. i wanted to explore some of the browser based functionalities for encryption and to my surprise, it seems fairly performant so i kept it in. it is a redundant layer of encryption and as long as it doesnt compromise the security or privacy, i dont see why not. similarly, im also investigating the cryptography capabilities from WASM.

      > How does a user validate that they are actually e2ee?

      this is where the redundant layer of encryption shines. while webrtc has e2ee, using the browser cryptography functions i can generate and exchange keys using the Diffie-Hellman method and ensuring that the message can only be decrypted with the corresponding public-key. something i cant easily verify with webrtc, im just told that its there and it works.

      > Could a malicious server pretend to support your protocol and decrypt everything?

      messages can only be decrypted using the public key exchanged after the initial connection (where those keys are generated and stored for future use). malicious actors will exist in any case and so while i think the app is secure for the majority of cases, here is a section where i have suggestions on enhancing your security. (hint: it relies on you being sensible with how you use the app and not connecting to people you dont trust.)

      2
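
The key exchange described in the post and the validation question raised in the last comment thread, as an added example that is not code from the thread or from the positive-intentions project: two peers agree on a message key with the browser's WebCrypto API, and a fingerprint over both public keys lets users confirm out of band that the keys were not swapped in transit. The curve (P-256), HKDF, AES-GCM, the `demo-chat-v1` label and all function names are assumptions chosen for illustration.

```javascript
// Added example: not code from the positive-intentions project.
const wc = globalThis.crypto ?? require("node:crypto").webcrypto;
const { subtle } = wc;
const ECDH = { name: "ECDH", namedCurve: "P-256" }; // assumed curve
const enc = new TextEncoder();

// Each peer makes an ECDH key pair; only the raw public key leaves the device.
async function makePeer() {
  const pair = await subtle.generateKey(ECDH, false, ["deriveBits"]);
  const raw = await subtle.exportKey("raw", pair.publicKey);
  return { priv: pair.privateKey, pub: new Uint8Array(raw) };
}

// ECDH shared secret -> HKDF-SHA-256 -> non-extractable AES-256-GCM key.
async function sessionKey(myPriv, theirPubRaw) {
  const theirPub = await subtle.importKey("raw", theirPubRaw, ECDH, false, []);
  const bits = await subtle.deriveBits({ name: "ECDH", public: theirPub }, myPriv, 256);
  const ikm = await subtle.importKey("raw", bits, "HKDF", false, ["deriveKey"]);
  const hkdf = { name: "HKDF", hash: "SHA-256", salt: new Uint8Array(32),
                 info: enc.encode("demo-chat-v1") }; // constructed label
  return subtle.deriveKey(hkdf, ikm, { name: "AES-GCM", length: 256 }, false, ["encrypt", "decrypt"]);
}

// Short string both users compare out of band. Keys are sorted first, so
// each side computes the same value regardless of who is "local".
async function fingerprint(pubA, pubB) {
  const hex = (u8) => Array.from(u8, (b) => b.toString(16).padStart(2, "0")).join("");
  const [lo, hi] = [hex(pubA), hex(pubB)].sort();
  const digest = await subtle.digest("SHA-256", enc.encode(lo + hi));
  return hex(new Uint8Array(digest)).slice(0, 32);
}

async function demo() {
  const [alice, bob, relay] = await Promise.all([makePeer(), makePeer(), makePeer()]);
  // Honest signalling: keys arrive unmodified and the message decrypts.
  const kA = await sessionKey(alice.priv, bob.pub);
  const kB = await sessionKey(bob.priv, alice.pub);
  const iv = wc.getRandomValues(new Uint8Array(12)); // fresh per message
  const ct = await subtle.encrypt({ name: "AES-GCM", iv }, kA, enc.encode("hello"));
  const pt = await subtle.decrypt({ name: "AES-GCM", iv }, kB, ct);
  const honestMatch =
    (await fingerprint(alice.pub, bob.pub)) === (await fingerprint(bob.pub, alice.pub));
  // Substituted keys: both legs still encrypt fine, but the fingerprints differ.
  const aliceSees = await fingerprint(alice.pub, relay.pub);
  const bobSees = await fingerprint(relay.pub, bob.pub);
  return { plaintext: new TextDecoder().decode(pt), honestMatch,
           substitutionDetected: aliceSees !== bobSees };
}

demo().then(console.log);
```

The fingerprint only helps if the two users compare it over a channel the signalling server does not control, such as in person or by voice.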