
Posts: 101 · Comments: 128 · Joined: 2 yr. ago

  • Yes. I'm investigating introducing Clerk. I hope to use that to create a subscription model. I would like to charge $1 per month, as per the minimum allowed by Clerk.

    I started off thinking I could avoid charging users entirely, given it seems a norm for secure messaging apps to be free. But given the grant rejections and the lack of donations on GitHub Sponsors (completely understandable), it's clear that it won't be able to sustain the project.

    I also tried Google AdSense on the website/blog, but it was making practically nothing. So I disabled it because it wasn't a good look when it goes against the whole "degoogling" angle.

  • That's right. The key distinction between this project and others like it, like SimpleX, is that it's presented as a PWA. A key cybersecurity feature of this form factor is that it can avoid installation and registration.

  • It's important for things like the cryptography module to remain open source for transparency and clarity (Kerckhoffs's principle). Open sourcing things like the p2p framework would only put me at a competitive disadvantage.

    The open-source version of the project is fully functional and has always been open source. I keep it open because the project demonstrates a unique concept, which is useful to demonstrate with transparency. After seeking support for that version of the project, it is clear that there is no support for a one-man band, and so I deprecated it (and now call it an MVP). I am proceeding in a closed-source direction as I improve various details like UX and features.

    There are several modules involved in the project. Some key parts are listed below.

    Open source:

    • Cryptography module
    • Signal protocol
    • MVP version
    • Various experiments / blog / website

    Closed source:

    • P2P framework
    • PWA boilerplate
    • UI components
    • Storage manager
  • Progressive Web Apps @programming.dev

    P2P WhatsApp Clone

  • Thanks for the tip.

    It would be ideal if I could find a way to interface with the Tor network with client-side JavaScript. I've come across something interesting here which I'd like to investigate further. https://github.com/Ayms/node-Tor

  • Threat model

    It's client-side JavaScript. I think a WebRTC connection is reasonably audited and encrypted. When using WebRTC, IP addresses have to be shared. If the IP address could be hidden, it would improve "privacy" on my app.

    It would be ideal if I could find a way to interface with the Tor network with client-side JavaScript. I've come across something interesting here which I'd like to investigate further. https://github.com/Ayms/node-Tor

  • Cybersecurity @sh.itjust.works

    WebRTC and Onion Routing Question

  • cybersecurity @infosec.pub

    WebRTC and Onion Routing Question

  • /c/cybersecurity - Cybersecurity News & Discussion @lemmy.ml

    WebRTC and Onion Routing Question

  • Do you perhaps have something running on localhost at those ports? I was trying something out, but I will disable it so it doesn't have this issue when users try to self-host themselves.

    It isn't well explained or demonstrated, but I was trying to do something as described in the link below, where I could connect a self-hosted federated module and have it work as a drop-in replacement.

    https://positive-intentions.com/blog/statics-as-a-chat-app-infrastructure

    The purpose was to see if there is any benefit to allowing users to host their own federated modules. I think there isn't a distinct advantage, so it looks like I will remove that feature entirely.

  • I'm still thinking of a better name for the project before I promote it properly as stable and secure. "positive-intentions" is understandably not well received.

    I call it a "WhatsApp clone" to better describe what it can be used for. This is in contrast to calling it a "p2p instant messaging app"... that just sounds too verbose.

  • Thanks for letting me know, I'll take a look.

    Edit: perhaps this could be your issue... consider that your user ID is the same one used when you reload the page or open it in another tab. If you open a new browser tab, it will try to connect to the PeerJS server with an ID that's already in use... instead, try with one incognito browser window (or a separate device).

  • Privacy @programming.dev

    P2P WhatsApp Clone

  • Hi. Yeah I'm the creator.

    I think I need to do a bit of rebranding so that it's easier to find. "positive-intentions" isn't the easiest to type/remember.

  • Secure Coms @programming.dev

    P2P Whatsapp Clone

  • Thanks. This implementation is intended for a p2p messaging app. It works as a webapp and only stores data locally.

    The Signal architecture requires prekeys to be stored on a server; in a p2p approach you don't need presigned keys and the double ratchet starts immediately (the tradeoff is there is no offline messaging).

    I'm investigating making it so that the service worker caches the initial static files... so page refreshes don't update the loaded statics. There would be an explicit button to update the statics for the service worker. I have a basic concept working but it isn't finished enough for me to roll out.

    When open source, there are additional capabilities that can be unlocked, like being able to run the app from index.html without a static server. This would be stronger against anyone making changes at the network level.

    I understand why Signal doesn't do a webapp like many other services like WhatsApp... the p2p messaging architecture is fundamentally different.

  • cybersecurity @infosec.pub

    I wanted the Signal protocol implementation in JavaScript, but couldn't find one suitable... so I tried to create it myself.

  • Not ideal, but a professional audit is not an option.

    To be clear, my prompt was not "create me a security audit". it took time and effort with several stages of refinement. I suspect more effort than writing that article.

    It's open source for you to critique in a more involved way. The AI audit is intended to get to there faster. If you see any details that are wrong, I'll be happy to take a look and update appropriately.

  • Web Development @programming.dev

    I wanted the Signal protocol implementation in JavaScript, but couldn't find one suitable... so I tried to create it myself.

  • Opensource @programming.dev

    Signal Protocol in Javascript

  • That sounds like a good idea to explore. I didn't consider Nostr, but I think I can fit it in. My implementation is fairly unique because I'm trying out an application-level cascading cipher. The following article isn't finished, but might show some insights.

    https://positive-intentions.com/blog/cascading-cipher-encryption

    Like with the Signal protocol, it should be possible to adapt the Nostr protocol to be able to daisy-chain into the cascade. I'm already using the MLS protocol in the cascade to help manage group messages. After taking a quick look at the Nostr protocol, I think it's a good idea how it handles relaying messages. It could be useful for group messaging.

  • JavaScript @programming.dev

    Signal Protocol in Javascript

  • Thanks for the vibe check.

    It's a bit over the top for encryption. I see that WebRTC alone should already be providing sufficient encryption. It's audited and it works really well... I hope the redundancy could be reassuring to users. If one layer fails it all fails... this is the expected behaviour. Having too much encryption is better than not having enough.

    It is a bit security theatre... in a messaging app, security is paramount, so I want to have an answer when users (inevitably) compare my approach to Signal.

    In cybersec, there are countless nuances. So I'd like to try this approach with a cascading cipher. A protocol for all protocols.

    I'll keep an eye out for any side effects.

  • /c/cybersecurity - Cybersecurity News & Discussion @lemmy.ml

    Multi-Protocol Cascading Round-Robin Cipher

  • Cybersecurity @sh.itjust.works

    Multi-Protocol Cascading Round-Robin Cipher

  • cybersecurity @infosec.pub

    Multi-Protocol Cascading Round-Robin Cipher

  • Opensource @programming.dev

    P2P E2EE WhatsApp Clone

  • Removed

    P2P WhatsApp Clone

  • Just to be clear, my app is not better than Jami (or any other app)... because it's unreviewed closed-source code.

    The key distinction in my approach is that it's a webapp-first approach. You can avoid registration and installation, which is a feature other apps don't provide.

  • Removed

    P2P WhatsApp Clone

  • There are ways around using a central server to establish a p2p connection. It isn't well explained or demonstrated, but the concept seems to work here: https://github.com/positive-intentions/chat/issues/6 .... I'd like to explore this more with exchanging the required data over QR codes or NFC.

    SimpleX is a great approach for p2p communication. I can easily recommend it over what I have done so far. At the very least, it's gone through things like a professional security audit and seems to keep a high standard in its practices.

  • Removed

    P2P WhatsApp Clone

  • It's a webapp hosted on AWS S3. That can be shut down along with the domain. I'd like to improve the functionality I have for the caching, so that it doesn't need to fetch the statics from online if it already previously fetched them.

    The open source version has a mirror hosted on GitHub pages. You can fork it and run it yourself there for free: https://positive-intentions.com/blog/docker-ios-android-desktop#github-pages

  • You're right that embarrassment is no reason not to open source it. I simply am investigating a closed-source direction to create a competitive product.

    If you're interested in how these mechanics work, a very complicated version of it can be seen in: https://github.com/positive-intentions/chat (maybe you can get some AI on it.) ... the p2p call demo is a module I'm creating to be a refinement of the old p2p functionality.

    I'm aware that security and privacy don't easily fit with closed source, so I'd like to eventually open source it when I can figure out funding. Open source from the onset didn't work out how I naively thought it would in the old version.

  • Privacy @programming.dev

    No-setup P2P Calls in a Browser

  • Web Development @programming.dev

    React-Based Messaging App UI Component Library

  • Privacy @programming.dev

    Help me understand if ChatControl could affect my P2P messaging app.

  • Privacy @programming.dev

    Send Messages Privately. No Cloud. No Trace.

    chat.positive-intentions.com