Thanks. I've com across it before. You can find the corresponding security audit online.

Ive tried to address those concerns and I try to give details about it here: https://lemmy.ml/post/18497337

Thanks for the tip. WebRTC is using aes-128, I see in my code I'm using RSA. It sounds like a good idea like to create a cascading cypher with aes-256 which seems to be regarded as "military grade" (but it seems there is no official spec definition for this).

thanks! i'll make a note of that to add. it looks reletively simple to implement in JS, i'll need to check more about browser compatability. tls 1.3 is already in use. i otherwise have wording throughout that users must trust who they connect to.

as for browser extensions, there are CSP headers set to prevent them from accessing personal details.

impossible to update the software

considering the app amounts to a bunch of statics. they wint update themselves if you dont want it to. the app works in many different forms because all form factors can have nuanced security details. its better for security that if people have the ability to selfhost, then they also have the option to choose the form-factor they use based on their preferences.

Thanks for the advice. I'll try set aside some time for this.

I think my writing is radically improved and maybe even more clear when I use an LLM. In my experience, when I do this, it seems people are more reluctant to reply to a wall of LLM text as it's seen as low-effort.

I think my app has some strange concepts which are hard enough to explain in my own words. Im sure it must look like bs when it's clearly LLM output.

I think just learning to write better can be achieved with more thought and care, but for me it can become a bit obsessive over the use of words and how they might be interpreted. So I usually just go off the cuff.

it started of as another branch "staging" and then i just stuck that that as the main branch. the whole app at this point can be considered experiemental. i guess the code isnt good enough to collab at the moment.

as a side project, i dont have much time to work on it and so some things have to fall by the wayside such as code-quality, unit tests, documentation. i think the project isnt mature enough to burden myself with some details as i create this POC. the app as you see it is being used to understand how something like this app can tie together. a proper version will be in the form of the various federated modules which i am creating in a way to address issues seen in the main app.

it might not be an approach other will agree with, but code quality issues are to be resolved in what im aiming for with a microfrontend architecture as described here. i think ive reached a point that i can plan how things can be broken up and it makes sense to have code separated in this way where it can also contain its own documentation.

thanks for your input. its certainly good to understand how others feel about my work and process. and hopefully i can make things more clear as i go along.

thanks for the advice and insights.

in the post is my learnings of possible attack vectors and how to mitigate them. i try to go into more into exhaustive details in the threat model. do you think something is missing?

unfortunaly i think i may be illiterate in funding and business side of things. i have tried to set up serveral donation platforms as seen on the repo. nobody has ever donated. this isnt a shock, considering its experiemental and unstable. i also dont know how to really ask for donations. is it something like saying "support us on Liberapay" at the end of a post? at best i can only hope to get a spike in donation and not enough for a security audit. ive asked around and it seems a decent assesment would cost a decent amount.

i also tried applying for several grants. this was an exhausing experience and so i stopped. it seems the advice is too keep applying until bingo, but from the onset it isnt something i know anything about so no doubt several more rejections. (one particular rejection mentioned it wasnt as innovative as simplex). the whole process here is not understood, enjoyable or fruitful. i think its sometimes hard to explain concepts about the app on reddit and lemmy... im sure those concepts are further difficult to communicate and understand in an appealing grant application.

i think the jorney to get the app to where it is has been a learning experience. not just about the apps technical details, but how to communicate about it publicly. ive regularly seeked advice on the approach. i dont have any qualifications in the field, which is an important challenge many point to. when can it be said that im a subject matter expert? i can create this app and i can answer questions about it, but im not ready for any cryptography exam.

thanks again for you input.

thanks for taking a look.

there is a tonne of garbage code throughout as i have iterated and improved. its terrible practice for collabboration, but at the moment im just trying things out. in the case of the cryptography module, it was previsously part of the main chat app repo before being refactored into a federated module. its commented it out because i was testing out by toggling the functionality. of course it would be cleaner to remove, but i havent quite finished refactoring the crytography module. it needs things like unit testing. as a sideproject im fairly liberal with my coding practices to achieve what i want to test and things that read like LLM promps, likly are. various LLMs have been used to create the app as you see it. that isnt to say i didnt check and test the code being introduced.

the module federated version of the cryptography module that will replace the crypto functions done in the app can be found here

i started work on a p2p framework similarly to the crypto module (as seen here), i would make it into a federated module. it would make sense to get a review and security audit for that first.

i have asked in the cryptography communities to get feedback about the random generation and i think this implementation works. that isnt to dismiss your concerns, but its important to note the purpose of this is to be unpredictable random when connecting to peerjs-server. such a randomization is possible out of the box with a typical browser. these functions are already audited to be secure (otherwise youre on the wrong browser/os for this app). this is then combined with what can be considered as user-generated entropy (which is arguably redundent). this is my answer to what you elude to about a CLI tool to generate a value... in the app there is something you might see called "crypto signature". this is a htm5 canvas you can draw on. this input gets truned into base64 string and passed through a sha256 hashing function. this value is reasonably unpredictable when combined to the browser-provided random value. (if you try to do your own signature again, its unlikly it would be identical pixel-for-pixel).

i hope that answers some concerns. let me know if something is still unclear or i didnt answer clearly enough.

thanks for the reply! im actively looking for a way to compare it to simplex chat. i hope you can offer some advice.

here is a prev post about it. i think signal is a good app and works similarly to mine in many ways. but mine is distinct in that its provided as a PWA. the goal is specifically to create a secure chat app on a browser. simple provides all other offerings and perhaps came across feedback like i did that javascript is inherently insecure (to which, this app is my disagreement).

my app works similarly to how to derscribe simplex to work. in my app what you see as a "pod" is basically a chat room. the app doesnt have the group-chat functionality working as expected, but its a work in progress. the following is an attempt to explain how it works. it will work in a way that a room has an id to which users can send messages p2p. this is how it works for regular chat. it works with a slight different that the messages are stored on a blockchain structure. it isnt related to cryptocurrencies or anything. just blockchain as a dastructure. this becomes useful for group chat because it could allow for offlike messaging by something like user A, B and C have a group chat. C goes offline while A and B continue to chat. then A goes offline and C comes online to talk to B. when C connects to B for the second time, the messages from A will be shared and resolved via the blockchain functionality. i make an attempt to explain the benefit of the blockchain structure here. it isnt something i can advocate as an approach. its more something i was trying out and it seems to work better than i thought.

id like to hear more about your approach to distributed moderation. i was trying to investigate something like this and couldnt settle on an approach that would be useful. it would be great to hear your ideas if you want to share.

I'm sure various factors affect any projects maturity.

I work on the project because I have a curiosity and the ability to try. Compared to other project, a webapp is pretty easy to get started on as a developer.

yeah. i find its difficult to gain traction from security professionals on this project as an individual. because from the onset it is pointed out that im not a cybersecurity professional (which is true).

when looking a security guidelines from things like OWASP i already notice that there are things like having every PR reviewed and other hoops i have to jump through to make the app secure as defined in those guidelines. i also notice there arent any guidelines for p2p apps and if i proceed with my own interpretation, it would undemine the guide. here is a question on reddit on the matter: https://www.reddit.com/r/CyberSecurityAdvice/comments/1cfywjj/security_guidelines_for_p2p_apps/

Thanks. It's been mentioned before and I'd like to take a look at it when I can make the time.