Posts: 8 · Comments: 16 · Joined: 4 mo. ago

  • I needed an open beta over the weekend to finalize a solid version. I've been working on this project since November, and at some point you can't look at your own code with fresh eyes anymore. Anyone who codes will know exactly what I mean. A new version is now online. Everything you mentioned isn't relevant anymore. On the "is this vibecoded?" question, honestly, I find it disrespectful. I've put in hundreds of hours since November, plus another 15+ hours this past weekend, and the implicit suggestion that GPT wrote the thing isn't a fair take. Disagree with design choices, sure, that's a real conversation. But that framing isn't it. Also, on an open source project, opening an issue on Codeberg is way more constructive than chatting on a forum. That's where actual fixes happen.

  • Why not just run Postfix+Dovecot? If everyone runs a single-user server, it becomes a P2P network. Also, it wouldn't depend on Tor, which is an external dependency.

    Also, what role is Tor playing in privacy? If the chatting parties are cryptographically verified, only message content remains private…

    Postfix+Dovecot: technically doable, but "everyone self-hosts email" has been the theoretical answer for 25 years and never happened. You need a static IP, domain, reverse DNS, SPF, DKIM, DMARC, and even then Gmail drops half your mails in spam because small senders have no reputation. Full sysadmin job just to message your aunt. PeerBox is built for non-technical users to install in 5 minutes and have it just work. No domain, no DNS, no reputation game. Role of Tor: it's not there to encrypt content (HMAC and the encrypted vault handle that). Tor hides the metadata. Without it, your ISP sees machine A talking to machine B, when, how often, how much data. Content is the easy part to encrypt. Who-talks-to-whom is the hard part, and hidden services solve it cleanly. No IPs exposed, no direct connection, no social graph for a passive observer to build. And Tor being an "external dependency" is a feature. Better to lean on a mature, audited network than roll our own obfuscation layer :)

  • Thanks for the detailed review, really appreciate it — this is exactly the kind of feedback the project needed before a public release.

    You were right on two of the three points, and I've just pushed fixes to Codeberg (commit 93b8985):

    GPG: you nailed it. config.py was silently reusing the user's personal ~/.gnupg keyring if a key was present, which is obviously wrong for an identity-isolated app. Fixed: PeerBox now uses a dedicated keyring at system/gpg/ with --homedir enforced on every gpg call. Existing users get their key auto-migrated on next config.py run so contacts don't break.

    Dependencies: install_pysocks() was calling pip install --break-system-packages at runtime, which is indefensible. Removed entirely — it was actually dead code (never called) but still a trap. Documented PySocks in the README as a required pip dep alongside cryptography and pywebview. The broader venv/lockfile refactor is a bigger chantier, planned for phase 6.

    SSH keys: here I have to push back a bit — ssh_setup.py does generate a dedicated id_rsa_peerbox key, never reuses id_rsa or id_ed25519. BUT you indirectly uncovered a real bug: request_creator.py had a silent fallback reading id_rsa.pub / id_ed25519.pub if id_rsa_peerbox.pub was missing. That's gone now too.

    Quill 1.3.7 → 2.0.3: fair point, on the roadmap for this weekend. Non-minified too for auditability.

    Seriously, thanks for taking the time to read the code and call out what needed calling out. This is what keeps small projects honest.
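As an added illustration of the two fixes described in this comment (not PeerBox's own code, and not its config.py, ssh_setup.py or request_creator.py), a hypothetical Python wrapper that pins gpg's --homedir to a dedicated keyring on every call and turns the silent personal-SSH-key fallback into a hard error. The system/gpg path and the id_rsa_peerbox name come from the comment; every other name, and the temporary directory the self-check builds, is constructed here.

```python
import os
import subprocess
import tempfile
from pathlib import Path

# Constructed layout mirroring the comment (dedicated keyring dir, dedicated SSH key
# name). Hypothetical helpers, not PeerBox's actual config.py / ssh_setup.py code.
PEERBOX_GPG_HOME = Path("system/gpg")
PEERBOX_SSH_KEY = "id_rsa_peerbox"


def gpg_argv(*args: str, homedir: Path = PEERBOX_GPG_HOME) -> list:
    """gpg command line with --homedir pinned to the app keyring, so no call site
    can fall back to the caller's personal ~/.gnupg (the keyring-reuse bug)."""
    return ["gpg", "--batch", "--homedir", str(homedir), *args]


def run_gpg(*args: str, homedir: Path = PEERBOX_GPG_HOME):
    """Run gpg against the isolated keyring (gpg expects the dir to be mode 0700)."""
    homedir.mkdir(parents=True, exist_ok=True)
    os.chmod(homedir, 0o700)
    return subprocess.run(gpg_argv(*args, homedir=homedir),
                          capture_output=True, text=True, check=True)


def load_peerbox_pubkey(ssh_dir: Path) -> str:
    """Read only the dedicated key; never fall back to id_rsa.pub / id_ed25519.pub.
    The old silent fallback tied the user's real SSH identity to invitations."""
    dedicated = ssh_dir / f"{PEERBOX_SSH_KEY}.pub"
    if not dedicated.is_file():
        personal = [p for p in ("id_rsa.pub", "id_ed25519.pub") if (ssh_dir / p).is_file()]
        hint = f" (personal keys present but NOT used: {personal})" if personal else ""
        raise FileNotFoundError(f"{dedicated} missing; run ssh_setup first{hint}")
    return dedicated.read_text().strip()


def demo() -> dict:
    """Self-check on a constructed temporary ~/.ssh that holds only a personal key."""
    ssh_dir = Path(tempfile.mkdtemp())
    (ssh_dir / "id_rsa.pub").write_text("ssh-rsa AAAA constructed-personal-key\n")
    try:
        load_peerbox_pubkey(ssh_dir)
        fallback_refused = False
    except FileNotFoundError:
        fallback_refused = True
    (ssh_dir / f"{PEERBOX_SSH_KEY}.pub").write_text("ssh-rsa AAAA constructed-peerbox-key\n")
    return {"argv": gpg_argv("--list-keys"), "fallback_refused": fallback_refused,
            "pubkey": load_peerbox_pubkey(ssh_dir)}
```

demo() only builds argv and touches a throwaway directory; run_gpg is what an app would actually call, and it needs a gpg binary on PATH.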

  • Ha, fair point! You're not wrong. PeerBox uses the email paradigm because that's how most people think about asynchronous messaging, but under the hood it's fully P2P with no email protocol involved. And yes, deferred messages wait locally until your contact comes online, then get delivered automatically. Your Delta Chat comparison is pretty spot on actually, it's the mirror image.

  • PeerBox doesn't send emails to the clearnet and that's by design. The whole point is to stay fully P2P with no server involved at any point. Sending to clearnet email would mean going through external infrastructure, which defeats the purpose. As for I2P, Tor was chosen because it has a much larger network of relays, which means stronger anonymity and better reliability.

  • You're right, it's a trade-off. PeerBox was designed with maximum privacy as the priority, and that does mean giving up some of the convenience of traditional email. But that convenience is exactly what makes email so vulnerable to spam, phishing and surveillance in the first place. PeerBox isn't trying to replace email for everything, it's built for people who need communications that no one else can access or intercept.

  • Thanks for sharing that! ZeroNet was a really interesting project, it's a shame it attracted the wrong crowd because the concept was solid. We share the same vision, P2P is the way forward. Thanks for the kind words and the support!

  • Your message seems to be cut off, but I think I get the point. To be clear, PeerBox doesn't require you to set up any server. You just install it and use it. Everything configures itself automatically.

  • How does the connection actually happen? Like for two home users with dynamic IPs, NAT, firewall, and/or CGNAT?

    It doesn't use IPs at all, otherwise there would be no privacy. Everything goes through Tor. Each PeerBox instance gets its own .onion address, and all connections are made through that. Your contacts never see your IP, you never see theirs. SSH handles the authentication and encryption on top of that. So NAT, dynamic IPs, firewalls, CGNAT, none of that matters. You don't even need a VPN, Tor already maxes out the security.

  • I have often thought about why many server things are just not server-like client software. Like, why the third party? Especially given many folks don't turn their machines off all the time.

    Exactly! That's the whole point behind PeerBox. Most people already have a machine running most of the time, so why trust a third party to handle your messages? The only reason centralized servers became the norm is to monetize your data or charge you a subscription, all at the expense of your privacy. PeerBox just flips that logic back to where it should be.

  • PeerBox was designed to offer the highest level of privacy possible by cutting out every middleman. That does come with a little less flexibility than regular email, but you have several options. You can install it on a Raspberry Pi or any small machine that stays on, which gives you near-permanent availability. You can also simply agree on a time window with your contacts for message exchange. And actually, we're considering releasing a VPS-compatible version soon, which would do exactly what you're describing. Stay tuned!

  • Not exactly! With SMS your message goes through your carrier's servers, so it gets stored there until your contact receives it. With PeerBox there's no server at all, your own machine handles everything. So it does need both sides to be online at the same time for the message to go through, but in deferred mode that happens automatically whenever the overlap occurs.

  • Great question! Think of it this way: your own machine acts as the server. So yes, in your scenario, the message waits on your machine until both sides are online at the same time. Once that happens, it gets delivered automatically. It works exactly like regular email, except your PC does the job instead of an external server. No middleman needed. In practice, if you leave PeerBox running, the overlap happens naturally, even for a few seconds. And if you really need guaranteed async delivery across very different time zones, you could just keep PeerBox running on a machine that stays on, like a small home server or a Raspberry Pi.

  • Thank you, this looks very interesting and useful! I’m going to set this up and test it out with a couple friends.

    Awesome, thanks! Let us know how it goes, we'd love to get your feedback.

  • Good question! The core difference is that Delta Chat still relies on email infrastructure (SMTP/IMAP), so your messages go through centralized servers you don't control. PeerBox is fully P2P. Your messages go straight from your machine to your contact's machine. No server in between, no account to create, no middleman. It combines SSH for encrypted transport and Tor for anonymity, so not even your ISP can see who you're talking to. It also works in deferred mode (like regular email, your contact gets the message when they come back online), strict P2P mode, or local network only. Contact management uses a dual-channel encrypted invitation system, so spam is simply impossible. And all local data is encrypted on disk with a self-destruct mechanism after 5 failed password attempts. It's a lightweight Python app for Linux, fully open source (AGPL).

  • Privacy @lemmy.world

    PeerBox, the first fully P2P secure email system

    novafuture.org/peerbox/
  • NovaFuture @lemmy.world

    Shocking images on alcohol bottles: it's about time!

    novafuture.org/opinion-piece/graphic-warning-labels-on-alcohol-bottles-what-if-this-idea-became-reality/
  • NovaFuture @lemmy.world

    Zorin OS: complete review and honest opinion

    novafuture.org/open-source/no-nonsense-full-review-of-zorin-os-the-linux-distribution-targeting-beginners/
  • NovaFuture @lemmy.world

    Convergence of Struggles: Marcos's Lesson for Progressives

    novafuture.org/opinion-piece/when-subcomandante-marcos-reminds-us-of-the-urgent-need-for-convergence-of-struggles/
  • NovaFuture @lemmy.world

    Philogynism: Definition and Hijacking by Masculinists

    novafuture.org/opinion-piece/philogyny-definition-origin-and-how-fake-masculinists-are-hijacking-this-word/
  • NovaFuture @lemmy.world

    What is NovaFuture? An Open Collective for Progressive Alternatives

  • NovaFuture @lemmy.world

    Hello from NovaFuture – Ecology, FOSS & Alternative Living