thanks! will delete.

All nice ideas! I'll take a note. I'd like to make time to make it so on each initial connection it generates new keys too. This should be what I think is forward-secrecy. (Let me know if I'm wrong.)

I don't know the specifics of VPN and it's implication with webrtc, I tried testing and sharing my observations here. I'm open to advice here.

You asked about native builds... Tbh I don't know much about it. I did a short search-engine search and these seem to be well regarded. (Currently?) As a pwa I have a lot of flexibility in the apps form-factor. I was thinking about how easy it would be to make it into a browser extension. (It's not about it being useful, but just providing that extra option.)

I think for my app to be regarded well in security I think it's important for people to use their own instances. The "live app" as I call it is an experimental proof of concept. I wondering about the idea that the app is run on your own forks, but occasionally sync from upstream. As it stands my app is too garbage for anyone to want a copy, but that should eliminate those concerns.

It's also an offline first pwa. Right now it fetches the latest version, but I don't see why I can't create a toggle on the UI to not fetch if there is cache... Again the app is unstable and experimental. I'm working on fixes and improvements as I see it to make a better app. It's a while away from being able to advocate selfhosting to users. But in theory it could address your concerns?

Many attack vectors still indeed exist. With P2P web tech it seems that this allows for an interesting approach and could help reduce the attack-surface. The app is available for iOS, android and desktop. Let me know if you have more concerns.

My bad. I noticed the ego sometimes inflates which seems to stem for naive confidence.

I have observed pitfalls of other apps like mine. In particular one called crypto cat. I'm sure I can't ever be exhaustive enough in learning from other examples.

Reducing metadata is indeed the goal of security and I think I have it reduced to a level where I can exchange webrtc connection data over QR codes or plain text. The IP is exposed at this point but I think this can be further scrubbed with a VPN. Perhaps this is interesting for you. It the minimum example of establishing a webrtc connection with plain text. Not user friendly, but it work without a peer-broker service. In the app I'd like to frame this around exchanging data over QR code.

As for the bitcoin wallet thing, I would think so if it's well tested and ironed out well. As long as I can facilitate the downloading of the data (for backup) and the data syncing between devices then it would be doing that without registering to any backend. There are countless examples of bitcoin exchanges collapsing and taking people's assets. The same could be said with the quality of security provided by chat app providers.

alas, we circle back around to "javascript is inherently insecure".

especially the ones that run inside web browsers like this one does

i dont think this is a valid assersion. it seems wrapped in vagueness about the attack vector. as a webapp it has to be sandboxed in a browser. any vulnerabilities will be related to that. i often hear about browsers having backdoors (which is possible), but theyd be saying that in a world where their operating system is more likely the attack surface. id like to discuss that as a webapp, (and a suitable security stack), this app is secure. take for example any existing secure app (signal/simplex/whatsapp?). they can have all the required bells and whistles for secure/private functionality. but all that encryption can be undermined if a typical low-end phone+os is more than capable of snooping your screen. the same as would apply for my app running in a browser. my arguament is if you dont trust google, you shouldnt use chrome. with a lot of those native offering, your choice is limited to something like apple or android.

this app is also contains builds for iOS, Android and desktop. i dont promote them because im simply not convinced that these native builds are better than what web-technology can provide. a recurring concern is the reliablity of the statics served... it seems thats easy to eliminate if i make it open source and selfhostable. it puts me at a competative disadvantage, but consequently it is unparalelled in the devices it can run on.

APT are a valid concern as any. if this is something youre worried about, i think using this app with a trusted VPN in combination to using disposable profiles, it should be easy to achieve. the mitigation for APT seems simple if that is a concern, but let me know if im overlooking something. webrtc can leak ip addresses and after investigating this, i think you can achieve a reasonable degree of "hiding your personal IP address" based on the information here.

compared with dedicated solutions

the purpose of this project is to create a secure chat app. i want this app to be one of those 'dedicated solutions'. as it stands, its created by a baboon sat in front of chatgpt. but the goal is indeed to create something with unparalelled security. people always seems to avert the idea of this app being secure on the grounds that its JS, but i havent come across any credible way to undermine its security without having compromised the stack above the app (browser/os/peer/network) if any of those are a concern, the app is presented in various distributions from website to native builds.

i hope im not coming across as stubborn here. i really think this app represents a different paradigm in security that nobody is exploring. i dont think ive noticed any lack of interest in decentralized or p2p technology, but nobody seems to be working on this kind of app as a webapp. i find that its not only possible, but i think its relatively trivial to get basic functionality together. i understand that the user-experience isnt great at the moment and will limit the people who want to use it, but on the security grounds alone, i think i could be a real-contender for secure chat.

You conern is well placed. This is why the project has to be open source and I encourage selfhosters.

If this is your concern, I think the offering from other apps is much more shady. While many projects are open source, when provided from an app store you have much less ability to verify the binaries involved match the available source code. It's at this point backdoors can be introduced. (It may be noteworthy that my app serves code unminified for transparency)

As it stands for me app. It's unstable and so I suggest always using the latest version because I will be adding fixes. It is an offline-first pwa. It's possible to make it so it doesn't fetch statics if it already has a cached vopy. At this early stage it doesn't make sense to use this feature because the project is unstable and recieving various fixes and improvements throughout. (There is no audited version of the app.)

As organizations become bigger, I think they can get a better marketing team. The main heavyweight in chat-apps is whatsapp. I think we can agree that it isn't transparent.

thanks for the info.

threat agents

in a p2p system the key components seem to be things like the network, peer, device, os, browser. all those things can be compromised either on yourside or on the peer's side. its critically important for security that these components are secured to a reasonable degree. threat agents could mean things like device manufacturer, ISP or even someone looking over your shoulder taking notes. not sure how exhaustively to describe threat agents here but these are the components that make up the system and have understandable nuances to thier vulnerabilities.

HTTPS and an honest server

this is true but it critically depends on your definition of these. there are many decentralised chat apps out there like matrix. unlike matrix, a selfhosted solution on my app is something that is easier to setup that others because its basically a website on a url. this might lead to less technical people using my app with ease. these are the users that may not be able to distinguish on these security relevent information.

verify that the JavaScript they’re executing is the correct JavaScript

the app is a offline-first PWA. its practically works offline. im sure its possible to make it so that fetching new statics can be done explicitly. the app otherwise is already able to do things like startup while offline from the cache (sometime it takes a couple refreshes (a bug for another time)). i prefer for it to take the latest javascript because especially at this early stage, it something im actively working on and fixing. i can imagine if the project isnt abandoned, it would make sense to have certain security assessed version to use.

compel you to serve malicious JavaScript to specific users

i think there isnt a way to implement something like this in this app. firstly im taking a hard stance on external javascript. that isnt to say my due-diligence is perfect... thats to be indentified from it being open source. the app doesnt have anything like tra traditional registration system. data is stored locally in browser storage and user ID's are cryptographically random. if there is concern about seving a different script to certain regions by IP, here is a prev post on the matter. ultimately users have to be responsible with how they use the app. "do not connect to people you dont trust" is the general advice.

thanks!

it’s hard for an app like this to surpass the value that popular apps like signal and WhatsApp

i agree. i dont think my app can compete with these mainstream apps because there are limitations in what a webapp can do. at this stage in the project, the apps general instability is not good for user experience. i am conceding that my app is not as nice-to-use like many other apps. however, i dont think these other offering can be as secure as mine.

i often get touted things like the Signal protocol is amazing and great, etc. id like to compare that opinion to the observation in how my todo app demo works. (the work is all experimental work-in-progress and far from finished)

https://github.com/positive-intentions/p2p/blob/staging/src/stories/TodoDemo.stories.js

at around line 147 you have something like an API with endpoints between peers. the demo shows a simple functionality for a decentralized todo. this should already be reasonable secure. then consider in the main app. i simply add a few extra endpoints for exchanging keys diffie-helman style. which at this point is relatively trivial to implement. some of the concerns ive heard about doing this with the javascript and webrtc, is leaked IP addresses. a prev post on the matter and i think its better to use the app with a trusted VPN. (note: this app is not intended for anonymous chat this is just to mask the IP address. strangers cannot connect with ungussable ID's. IDs are also disposable if needed).

your right about it being my big caveat. i noticed as my app got more complicated, i got further away from being able to describe it as secure/private/encrypted and this seems to be related to the complexity to understand. i would like to make the time to create something like the todo list demo, but a bare minimum chat app. it wont compete with things like whatsapp, signal or simplex, but by virtue of its simplicity it surely must qualify to be something like “the most secure chat app in the world”.

i find that while i can create what i think is a secure app, education is an important factor. by that i mean for it to be secure, it is nessesary for it to be open source. perhaps it can only be considered secure if you fork it instead of using my hosted version?

as for the target audience, im currently limiting my communication of the app on things like reddit specifically on relevent subreddits for things like crytpgraphy. im faily new to lemmy. the lemmy community seems to give "better" advice.

it isnt defined well enough to be documented. it is using a combination of the details found in the following links. the project in general, is lacking documentation because it is low prio for me.

• https://positive-intentions.com/docs/research/authentication
• https://positive-intentions.com/docs/research/blockchain
• https://www.reddit.com/r/Rad_Decentralization/comments/1ddk71b/blockchain_as_a_datastructure/

Sorry. It's quite buggy.

• Its best to start off by clearing all site data from the browser settings.
• Do not have multiple tabs of the app on the same device.
• It doesnt hurt to refresh to page.

What you're describing might be related to there being 2 tabs of the app running. This results in both reacting to the new-connection-event, but ultimately resulting in a data conflict.

Plugins shouldn't be an issue. For stronger security, i have CSP headers to try to prevent browser plugins reading data.

If nothing works then the egg is squarely on my face and my buggy app is too buggy.

Users can selfhost the frontend and backend independently. When creating a profile, you can set it to use your own peerjs-server (set preferences)

The frontend is only run as client-side JavaScript. There isn't a step to "set up clients".