Thanks.

It’s possible to have it entirely static and broker webrtc connections client-side, but I haven’t figured out a user experience that would make it “work”.

https://github.com/positive-intentions/chat/issues/6

it certainly gives more control over your own data, but (if you know what youre doing) from a cybersec perspective, it can help to reduce the “attack surface”. the current direction is to allow users the flexibility from a version provided from me hosted on aws s3 or host it yourself from open source code. additionally, you can host your own peerjs-server as used for brokering connections… by default it connects to the public instance of peerjs-server (so its easier for users to get startedt).

im aiming for flexibility in “getting started” from ready-to-go to selfhosting. it all depends on if a user knows what theyre doing.

For testing and demo purposes only. NOT to replace any other app you use.

Session, Signal, Simplex and countless more apps are better for privacy and security. I can only hope to get to that level on my project.

Selhosting and a vpn are optional depending on your use case; the app works with niether to help users try it out and get started. Like all secure messaging apps, its better to selfhost given the option.

I’ve put effort into how the app is working, but ultimately i dont think its appropiate for me to suggest this code is ready for your sensitive data when it hasnt been reviewed or audited.

im pretty sure its zero-installation. its a webapp. you go to a url, then thats it.

with WebRTC, the p2p connections is established between browsers. so i think it has a strong case for being p2p. You would be using your own device to run the javascript in the browser and storage provided by the browser is also from your device.

it will do all the encryption, data storage, etc on your browser using only the resources the browser will provide. I believe the functionality as a result is substancially independent selfhosted and p2p.

Can you compare mine to Destiny?

I tried to make mine straightforward. Id like to know what kind of user flow I could aim for.

thanks for the advice. perhaps you have some tips of where i might have done something incorrectly in a previous attempt at open source and libre software. this could be a whole discussion, but i will try to be brief.

https://github.com/positive-intentions/chat

i optimistically started with the aim to get grant funding for a novel approach to secure and private communication using p2p tech. after countless rejections im dont think i should presue that direction.

so then i thought to create something competative in the space of file-transfer. the app would be is a simplified version of the chat app and with less complexity in exchange increased stability. thats that app mentioned in the parent post. mi might not work as privacy solution, but it could still be competative in the tools for file-transfer if i can get it to nice stable polish that can work with massive file-sizes.

i briefly looked at how to get it on the f-droid store and there were details like moving things to gitlab. i then decided to push back indefinately in favor of focusing on the the file-transfer project.

if anyone want to help me with getting the chat app to the f-droid store, some initial changes can be found here: https://www.reddit.com/r/tauri/comments/1j6g71h/is_there_any_examples_out_there_of_a_tauri_app_in

im not entirely sure i have a service to sell. my efforts are on the PWA. the service i can sell is to provide the native build because people wont want to compile thier own. its a shot in the dark with the Play store, but im curious to see what happens.

Thanks for the links. I’ll need to learn more about this. My high-level thoughts are that I’d like control over my work so it may not be libre software.

https://www.reddit.com/r/cryptography/comments/1evdby4/is_this_a_secure_messaging_app/

This app is based on a similar technology. Maybe you can help me understand the concerns if it does all the things described in that post.

Thanks for the clarity.

To prevent things like the risk of infection, is why the app is primarily a webapp. Sanboxed by the browser of you choice.

I don’t think I’m fully understanding. It’s purely a webapp. No database. Client-side computation only.

Can you help me understand how I could reshape my project so it aligns to what you mean.

Im putting a hard-block on open-sourcing it after my previous project. But I’m generally communicative about how it works and happy to answer questions about it.

In the subject of licences, I don’t really know much there.

Given that I’m trying to sell it on the play store I guess you don’t control it?

What would be the concerns around this? Loads of things are close source. I expect it helps to create something competitive.

An entirely valid and understandable view to have. I’m sure you’re not suggesting different approaches shouldn’t be explored. My approach is fairly unique and im personally interested in what can be done with this.

This project is a PWA running on a S3 bucket. The app is free to use entirely. (Disclaimer: I’m in the process of putting something on the play store where I would like to charge for it.)

While syncthing seems appealing. There should always be options for approaching privacy. Mine stands out as a unique approach and so nessesary at least to demonstrate the concept.

I created an open source version first which demonstrates different concepts like instant messaging and video calls.

https://github.com/positive-intentions/chat

if i do a good job, it would have comparable features.

the key distinction between mine and other apps like syncthing, is that its provided as a zero-installation, zero-registration webapp.

so its basically ready-to-use at any point on any device that has a browser.

there isnt any UI for this yet, but id like to make it so users can input their own TURN/STUN servers as described in the peerjs docs: https://peerjs.com/docs/#peer-options-config

id like to work towards making it so that the frontend and backend are independently selfhostable to suit thier networking config.

hey. im working on something similar with more features and more robust cryptography.

its still a work-in-progress, but its available for testing if youd like to try it out.

https://github.com/positive-intentions/chat

group chat is still a work-in-progress, but it’ll work in a way where asymmetric and symmetric encryption keys are generated in javascript using cryptography tools provided by the browser of your choice.

when a connection is established over webrtc (which mandates encryption anyway), the asymmetric keys are exchanged using the diffie-helman technique.

the keys are persisted into browser storage (indexedDB) so in a future reconnection, new keys dont need to be rgenerated. if you connect to a “known-peer”, the keys can be used for a kind-of p2p authentication.

all the security here depends on the security of the connected devices involved. this approach is in contast to connecting to an api to authenticate and proxy encrypted messages.

for more info there may be related information/links here: https://positive-intentions.com/blog/security-privacy-authentication

That’s right. It’s using peerjs-server as the connection broker.

the web version is intended to work on all platforms without compilation.

a html file-input is simple to add on a webpage. when selecting a file, its loaded into memory. at that point you can encrypt that file and sent it over webrtc… voila; p2p encrypted file transfer.

my approach to a mobile (ios/android) version is using capacitorjs/tauri… its basically a native wrapper with a webview.

P2p encrypted file sharing is sadly still an unsolved problem

thanks for your input, but can you explain what you mean by “unsolved problem”?.. p2p encrypted file transfer is demonstrated in the app.

its browser based. it uses webrtc to create p2p connections between browsers. concepts like authentication takes the form of using cryptography capabilities of a typical browser. the storage of data from messages to encryption keys are stored in indexedDB as provided by the browser of your choice. there is an emphesis on client-side browser-based capabilities in all parts of the app.

matrix is a good peer reviewed and generally reccommended solution. this project isnt intended to replace any existing solution. there are many other similar projects out there, but i notice there arent many presented as webapps. this is my attempt.