Sorry for the delay in responding. Personal matters required more focus, and to reply to you I wanted to set aside some time to write well for clarity.

> ... Might as well get real-life practice at writing.

I'm not entirely bad at writing (technical or otherwise), having gotten to where I am now in the project. I usually write in my own words, like now. The blog articles you see on the website are from old Reddit posts. Questions like yours are understandably frequent, so it made sense to create the website and blog to address FAQs. I think it's important to note how I'm using AI here. While I could say to an AI "here are some bullet points, now turn it into an article...", I have written the content and details myself and then had AI reword it for clarity. I think the resulting content is better for clarity.
> What is the lifetime of each user's public/private keypair? What is the lifetime of the symmetric key shared between two communicating users?
The implementation sits on top of a WebRTC connection, which mandates its own encryption keys. My app adds an additional public/private keypair and symmetric keys. These are persisted to browser storage (IndexedDB). The keys are cleared if the user performs a logout (it's all client-side, so there is no actual "logout"; it clears the local data).

Key rotation is a work in progress and not testable in the app. While I could have a button that says "rotate keys", I'm planning to frame it as something like "block contact". This is because it makes sense to keep user IDs static, so that in future sessions the app can automatically connect to "known peers". In the case where you want to block someone, it makes sense to abandon that ID so they cannot ping you with it. When you connect to a "known peer" that doesn't know your new ID, it can use the previously established keys to verify each other and update the contact details accordingly.

It's also possible to export the data to a file and then load from that profile. It's currently static and unencrypted. There will be an option to have it all password-encrypted: https://www.reddit.com/r/cryptography/comments/1lhjpxk/veracryptlike_functionality_from_a_browser/
> I take substantial notice whenever a promise of "true privacy" is made
Completely understandable. As mentioned in the post, cybersecurity is full of caveats. Here is a previous attempt to outline some details: https://www.reddit.com/r/cryptography/comments/1evdby4/is_this_a_secure_messaging_app/

I'm also investigating various approaches to exchanging data offline with QR codes.

(written by me): https://www.reddit.com/r/positive_intentions/comments/1b5j424/file_sharing_by_qr_code/ (written by having AI transcribe my wording): https://positive-intentions.com/blog/qr-codes-as-a%20data-channel

I'd also like to investigate other things a browser can do, like exchanging encryption data over NFC.

It isn't user-friendly yet, but I also have some basic functionality around p2p broker connections to avoid needing the peerjs-server (which acts as the broker). Some unclear details, which could do with AI clarification, can be seen here: https://github.com/positive-intentions/chat/issues/6
> If a secure medium existed, then secure key exchange would already be solved
The existing key exchange should already be secure enough... but users would understandably want to be sure my code doesn't have a critical bug, and validating hashes provides that bit extra.
> many others have also tried their hand at secure messaging, with more fails than successes.
I have seen some others myself, and I still believe my approach is unique. There are of course limitations in the webapp form factor, but it also provides a lot of flexibility in just being able to run in a browser. While many try/succeed/fail, this is my attempt. I have been refining my approach with feedback and there is still much to do. At this point I don't consider it insecure, but the UI is pretty ugly and, combined with various UI bugs, is deterring users. With the code being open source, I often try to present some concepts in a more digestible way with code examples, as seen here:
- https://cryptography.positive-intentions.com/?path=%2Fstory%2Fcryptography-introduction--welcome
- https://github.com/positive-intentions/cryptography
There is a lot to learn, but by breaking things into small parts I can better learn how it can all fit together.
> "cryptography engineer" and not a cryptographer
I like that term. It's new to me. I normally just call myself a web developer to clarify my expertise; that is more the case than "cryptography engineer". I open-source my work for transparency, but it's also great for my own learning.

Thanks for the good wishes. Hopefully I get to a stage where it's better presented as a product and not just a proof of concept.

It's a work in progress and I hope to get to a point where it's comparable to Signal and OnionShare.

For now, the purpose is to present open-source code to demonstrate a concept. Like I mentioned in the post, it isn't ready to replace any existing tools.