Privacy

1382 readers

4 users here now

Icon base by Lorc under CC BY 3.0 with modifications to add a gradient

founded 2 years ago

MODERATORS

Ategon

danielintempesta

Selfhosted P2P File Transfer & Messaging PWA (self.privacy)

submitted 1 week ago by xoron to c/privacy

2 comments fedilink hide all child comments

App: https://chat.positive-intentions.com

A p2p encrypted file transfer and messaging app. Here are some features below:

Open Source
Cross platform
- PWA
- iOS, Android, Desktop (self compile)
- App store, Play store (coming soon)
- Desktop
  - Windows, Macos, Linux (self compile)
  - run index.html on any modern browser
- Decentralized
Secure
- No cookies
- P2P encrypted
- No registration
- No installing
Messaging
- Group Messaging (coming soon)
- Text Messaging
- Multimedia Messaging
- Screensharing (on desktop browsers)
- Offline Messaging (in research phase)
- File Transfer
- Video Calls
Data Ownership
- Self Hosting
- GitHub pages Hosting
- Local-Only storage

Check it out!

App: https://chat.positive-intentions.com/
More info: https://positive-intentions.com/blog/introducing-decentralized-chat
GitHub: https://github.com/positive-intentions/chat

you are viewing a single comment's thread
view the rest of the comments

[–] Corbin 1 points 1 week ago (1 children)

Here are some questions that I want to answer when evaluating a new chat app:

How is it hosted? What is the network topology? Which Trent must be trusted?
Has the cryptography been audited? What are the primitives and protocols used? What kinds of guarantees, aside from basic privacy, are actually established?
What happens during a disaster? Am I easy to dox, track, etc.? What bad things happen if somebody takes my phone from me?

This looks like it took a lot of work, and I'm not dismissing it, but it's important to know that most of us are going to look at new chat apps by comparing them to what they already have. "P2P encrypted" doesn't sound like actual security.

[–] xoron 1 points 1 week ago* (last edited 1 week ago)

thanks for your questions. i have a few links to share i hope will help answer your questions. but i will also try to answer them here. i think there is much to say, but i will try to keep it brief.

How is it hosted? What is the network topology? Which Trent must be trusted?
- https://positive-intentions.com/blog/statics-as-a-chat-app-infrastructure/
- https://positive-intentions.com/blog/decentralised-architecture/
- the app is hosted from me on AWS S3. the app is predominantly emphesising on browser-based client-side functionality for things like data storage, webrtc and cryptography.
- same app is also hosted on github pages to show how users can take more control over their version of the chat app.
- id like to make more time into investigating resiliancy by having federated modules hosted on multiple cloud providers. (currently its only on s3 and gh-pages)
Has the cryptography been audited? What are the primitives and protocols used? What kinds of guarantees, aside from basic privacy, are actually established?
- https://positive-intentions.com/docs/research/threat-model/
- https://github.com/positive-intentions/cryptography
- the cryptography is a federated modules as seen above. its intended to be a thin wrapper over the cryptography offering from a typical browsers as described here: https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto
- im actively looking for feedback on the cryptography and would like to have it audited by a professionals. im currently in the process for asking for support from https://www.opentech.fund/labs/security-lab
- as a sideproject, i dont want to undermine the efforts ive put into it, but i dont know what i can say for what i can guarantee. making the project open source is a big step towards clarity in how it works. at this early stage in development. i expect there will be breaking changes as i make changes and improvements. its important to note this project is a work in progress.
What happens during a disaster? Am I easy to dox, track, etc.? What bad things happen if somebody takes my phone from me?
- https://github.com/positive-intentions/chat?tab=readme-ov-file#security-and-privacy-recommendations
- maybe the threat model i linked previously can help answer that.
- there is not registration database to hack so nothing traditionally centralized to be hacked. on the website im using google analytics. on the app itself is using nlevel-analytics.
- a user profile in the context of the app is entirely browser-based and can be removed as simply as clearing site-data on any modern browser.
- the user profiles can also be exported an imported. this functionality in the app is a bit flaky at the moment but it is intended to be a feature. ive tested it out enough to know its works. i would like to make it more robust.
- im separately investigating having data encrypted at rest in the browser: https://programming.dev/post/21417459 (this investigation is far from finished, but is something i would like to introduce to this app)

“P2P encrypted” doesn’t sound like actual security

here is a previous post i made on the matter: https://www.reddit.com/r/crypto/comments/1fmoykr/secure_and_private_encrypted_p2p_chat_in

i hope this answers your questions. please feel free to ask more questions for clarity. i will do my best to answer them.