1w ago

P2P WhatsApp Clone

IMPORTANT NOTE - READ FIRST:

NONE of my projects have been audited or reviewed. I provide them for testing and demo purposes only. NOT to replace any other app you use.

BE RESPONSIBLE WHEN USING UNAUDITED SOFTWARE... DO NOT USE FOR SENSITIVE PURPOSES.

Now that I've hit you over the head with caution...

Want to send encrypted WebRTC messages and video calls with no downloads, no sign-ups and no tracking?

This prototype uses WebRTC to establish an encrypted browser-to-browser connection. Everything is stored locally in browser storage and cleared when you clear the site data from your browser - true zerodata privacy!

Demo: https://chat.positive-intentions.com/
Github: https://github.com/positive-intentions/chat
Website: https://positive-intentions.com/
Mastodon: https://infosec.exchange/@xoron

6 comments

This project is aiming to create the most secure and private chat app. It will heavily depend on how you use it. Here are some reccomended security optimizations/advice to keep your data secure and private:
Use a self-hosted instance of the app.
Use a VPN to protect your data from being intercepted.
Only connect to trusted peers.
Validate public key hashes.
You and your peer should use a secure device/os/browser with the latest updates.
use general security practices like not sharing sensitive information, not clicking on suspicious links, etc.
These recommendations are bizarre.
Is it really P2P if you need to a host your own instance?
Use a VPN? So a company can now track you instead of the ISP?
If it's aiming to be safe, then why not share sensitive information?
If you want secure and private, then I would first look at Session.
- For testing and demo purposes only. NOT to replace any other app you use.
  Session, Signal, Simplex and countless more apps are better for privacy and security. I can only hope to get to that level on my project.
  Selhosting and a vpn are optional depending on your use case; the app works with niether to help users try it out and get started. Like all secure messaging apps, its better to selfhost given the option.
  I've put effort into how the app is working, but ultimately i dont think its appropiate for me to suggest this code is ready for your sensitive data when it hasnt been reviewed or audited.
  
  Selhosting and a vpn are optional depending on your use case; the app works with niether to help users try it out and get started. Like all secure messaging apps, its better to selfhost given the option.
  I'd say self-hosting is done for control over your data, not security. A typical end user will not know how to self-host, how to pick a privacy-respecting VPN, let alone secure their system. If your aim is to get to that same level of security, then I feel like the current direction is flawed, at least from what I took away from the readme.
  Or, in other words, "self-hosting is more secure given the option" sounds kind of like "writing your own software is more secure".
I feel like this would pair well with Nostr for discovery.
I want to say "Why not Matrix?" Since the uses are same (e2e chats, calls, video, and VR), but the fact that yours is focused on less server involvement is cool. I wonder if you removed the peer id generation from the page, could you have the connection page be totally static (i.e. I could just open a html file either locally, from a server, or IPFS link, and from there add the peer details myself).
- Thanks.
  It's possible to have it entirely static and broker webrtc connections client-side, but I haven't figured out a user experience that would make it "work".
  https://github.com/positive-intentions/chat/issues/6

6 comments