handmade.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
#webcrypto

xoron :verified:<p>id like to share some details about how my app works so you can discover/give me feedback on my app. id like to have wording in my app to say something like "most secure chat app in the world"... i probably cant do that because it doesnt qualify.</p><p><a href="https://github.com/positive-intentions/chat" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">github.com/positive-intentions</span><span class="invisible">/chat</span></a></p><p><a href="https://positive-intentions.com/blog/introducing-decentralized-chat" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">positive-intentions.com/blog/i</span><span class="invisible">ntroducing-decentralized-chat</span></a></p><p>im not an expert on <a href="https://infosec.exchange/tags/cyberSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cyberSecurity</span></a>. 
im sure there are many gaps in my knowledge in this domain.</p><p>using <a href="https://infosec.exchange/tags/javascript" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>javascript</span></a>, i initially created a fairly basic <a href="https://infosec.exchange/tags/chatApp" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>chatApp</span></a> using <a href="https://infosec.exchange/tags/peerjs" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>peerjs</span></a> to create <a href="https://infosec.exchange/tags/encrypted" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>encrypted</span></a> <a href="https://infosec.exchange/tags/webrtc" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>webrtc</span></a> <a href="https://infosec.exchange/tags/connections" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>connections</span></a>. this was then easily enhanced by exchanging additional <a href="https://infosec.exchange/tags/encryption" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>encryption</span></a> <a href="https://infosec.exchange/tags/keys" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>keys</span></a> from <a href="https://infosec.exchange/tags/cryptography" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cryptography</span></a> functions built into browsers (<a href="https://infosec.exchange/tags/webcrypto" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>webcrypto</span></a> api) to add a redundant layer of encryption. 
a <a href="https://infosec.exchange/tags/diffieHelman" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>diffieHelman</span></a> key <a href="https://infosec.exchange/tags/exchange" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>exchange</span></a> is done over <a href="https://infosec.exchange/tags/webrtc" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>webrtc</span></a> (which can be considered <a href="https://infosec.exchange/tags/secure" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>secure</span></a> when exchanged over public channels) to create <a href="https://infosec.exchange/tags/serverless" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>serverless</span></a> <a href="https://infosec.exchange/tags/p2p" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>p2p</span></a> <a href="https://infosec.exchange/tags/authentication" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>authentication</span></a>.</p><p>- i sometimes receive feedback like "javascript is inherently insecure". i disagree with this and have <a href="https://infosec.exchange/tags/openedSource" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>openedSource</span></a> my <a href="https://infosec.exchange/tags/cryptography" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cryptography</span></a> module. 
its basically a thin wrapper around vanilla cryptography functions of a <a href="https://infosec.exchange/tags/browser" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>browser</span></a> (webcrypto api).</p><p>- another concern for my kind of app (<a href="https://infosec.exchange/tags/PWA" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>PWA</span></a>) is that the developer may introduce malicious code. this is an important point for which i open sourced the project and give instructions for <a href="https://infosec.exchange/tags/selfhosting" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>selfhosting</span></a>. selfhosting this app has some unique features. unlike many other <a href="https://infosec.exchange/tags/selfhosted" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>selfhosted</span></a> <a href="https://infosec.exchange/tags/projects" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>projects</span></a>, this app can be hosted on <a href="https://infosec.exchange/tags/githubPages" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>githubPages</span></a> (instructions are provided in the readme). im also working towards having better support for running the index.html directly without a static server.</p><p>- to prevent things like browser extensions, the app uses strict <a href="https://infosec.exchange/tags/CSP" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CSP</span></a> headers to prevent <a href="https://infosec.exchange/tags/unauthorised" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>unauthorised</span></a> code from running. 
<a href="https://infosec.exchange/tags/selfhosting" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>selfhosting</span></a> users should take note of this when setting up their own instance.</p><p>- i received feedback the <a href="https://infosec.exchange/tags/Signal" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Signal</span></a>/#Simplex protocol is great. completely understandable and agree, but wonder if im reducing the <a href="https://infosec.exchange/tags/complexity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>complexity</span></a> by working with <a href="https://infosec.exchange/tags/webrtc" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>webrtc</span></a>. while it has its many flaws, i think risks can be reasonably mitigated if the <a href="https://infosec.exchange/tags/cryptography" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cryptography</span></a> functions are implemented correctly. (all data out is <a href="https://infosec.exchange/tags/encrypted" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>encrypted</span></a> and all data in is <a href="https://infosec.exchange/tags/decrypted" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>decrypted</span></a> on-the-fly)</p><p>- the key detail that makes this approach unique is that, as a <a href="https://infosec.exchange/tags/webapp" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>webapp</span></a>, unlike other solutions, users have a choice of using any <a href="https://infosec.exchange/tags/device" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>device</span></a>/#os/#browser. 
while a webapp can have nuanced <a href="https://infosec.exchange/tags/vulnerabilities" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>vulnerabilities</span></a>, i think by <a href="https://infosec.exchange/tags/openSourcing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>openSourcing</span></a> and providing instructions for <a href="https://infosec.exchange/tags/selfhosting" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>selfhosting</span></a> and instructions to <a href="https://infosec.exchange/tags/build" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>build</span></a> for various <a href="https://infosec.exchange/tags/platforms" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>platforms</span></a>, it can provide a reasonable level of <a href="https://infosec.exchange/tags/security" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>security</span></a>.</p><p>i think if i stick to the principle of avoiding using any kind of "required" service provider (myself included) and allowing the <a href="https://infosec.exchange/tags/frontend" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>frontend</span></a> and the peerjs-server to be <a href="https://infosec.exchange/tags/hosted" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>hosted</span></a> <a href="https://infosec.exchange/tags/independently" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>independently</span></a>, im on track for creating a <a href="https://infosec.exchange/tags/chatSystem" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>chatSystem</span></a> with the "fewest moving parts". 
i hope you will agree this is true <a href="https://infosec.exchange/tags/p2p" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>p2p</span></a> and i hope i can use this as a step towards true <a href="https://infosec.exchange/tags/privacy" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>privacy</span></a> and <a href="https://infosec.exchange/tags/security" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>security</span></a>. <a href="https://infosec.exchange/tags/security" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>security</span></a> might be further improved by using a trusted <a href="https://infosec.exchange/tags/VPN" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>VPN</span></a>.</p><p>while there are several similar apps out there like mine, i think mine is distinctly a different approach, so its hard to find <a href="https://infosec.exchange/tags/bestPractices" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>bestPractices</span></a> for the functionalities i want to achieve. 
in particular <a href="https://infosec.exchange/tags/security" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>security</span></a> practices to use when using <a href="https://infosec.exchange/tags/p2p" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>p2p</span></a> technology.</p><p>(note: this app is an <a href="https://infosec.exchange/tags/unstable" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>unstable</span></a>, <a href="https://infosec.exchange/tags/experiment" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>experiment</span></a>, <a href="https://infosec.exchange/tags/proofOfConcept" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>proofOfConcept</span></a> and not ready to replace any other app or service. It's far from finished and provided for <a href="https://infosec.exchange/tags/testing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>testing</span></a> and <a href="https://infosec.exchange/tags/demo" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>demo</span></a> purposes only. This post is to get <a href="https://infosec.exchange/tags/feedback" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>feedback</span></a> on the progress to determine if i'm going in the right direction for a secure chat app)</p>
xoron :verified:<p><span class="h-card" translate="no"><a href="https://infosec.space/@kkarhan" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>kkarhan</span></a></span> </p><p>thanks for the reply! far from being discouraged, i appreciate your engagement. i will try to be reasonably brief in my response to your points and give a general update on progress and objective.</p><p>&gt; scout out existing solutions</p><p>i have seen similar <a href="https://infosec.exchange/tags/webapp" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>webapp</span></a> implementations, i think so far for "that kind" of chat app, the chat app is able to demonstrate similar basic functionality. for a wider adoption, the user interface needs to be more appealing, but i think its important to have a working proof-of-concept first. the project is specifically aiming to be a <a href="https://infosec.exchange/tags/javascript" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>javascript</span></a> <a href="https://infosec.exchange/tags/localFirst" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>localFirst</span></a> <a href="https://infosec.exchange/tags/webapp" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>webapp</span></a>.</p><p>a couple of notable similar implementations to mine are:<br>- <a href="https://github.com/cryptocat/cryptocat" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="">github.com/cryptocat/cryptocat</span><span class="invisible"></span></a><br>- <a href="https://github.com/jeremyckahn/chitchatter" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">github.com/jeremyckahn/chitcha</span><span class="invisible">tter</span></a><br>(im sure there are many more, but i think my 
approach is yet different and unique to the ones i've come across.)</p><p>&gt; DO NOT DIY ENCRYPTION!</p><p>this is indeed a recommended practice i have seen several times. here is a previous reddit post on the matter: <a href="https://www.reddit.com/r/cryptography/comments/1cint8h/what_are_your_thoughts_on_subtlecrypto_vs_wasm" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">reddit.com/r/cryptography/comm</span><span class="invisible">ents/1cint8h/what_are_your_thoughts_on_subtlecrypto_vs_wasm</span></a> ... tldr; the underlying implementation provided by the browser is the best way to go. i have implemented the <a href="https://infosec.exchange/tags/encryption" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>encryption</span></a> using the <a href="https://infosec.exchange/tags/webcrypto" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>webcrypto</span></a> <a href="https://infosec.exchange/tags/api" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>api</span></a>. i aim to not use a library for this. </p><p>i generally try to word things in a way that users can provide feedback on features. the app is still in a very early stage, but has a reasonable amount of features. im generally open to requests and questions.</p><p>&gt; minimum viable product</p><p>what you see as the chat app is also the <a href="https://infosec.exchange/tags/minimum" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>minimum</span></a> <a href="https://infosec.exchange/tags/viable" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>viable</span></a> <a href="https://infosec.exchange/tags/product" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>product</span></a>. 
i think it sufficiently demonstrates the basic functionality of a chat app. i think the next step is to make the app more stable and user friendly.</p><p>those other apps youve mentioned ive come across before. what sets my approach apart is that mine is purely a webapp. with what id like to describe as <a href="https://infosec.exchange/tags/p2p" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>p2p</span></a> <a href="https://infosec.exchange/tags/authentication" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>authentication</span></a> over <a href="https://infosec.exchange/tags/webrtc" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>webrtc</span></a>, im able to remove reliance on a backend for <a href="https://infosec.exchange/tags/authenticate" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>authenticate</span></a> <a href="https://infosec.exchange/tags/data" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>data</span></a> <a href="https://infosec.exchange/tags/connections" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>connections</span></a>, and in some cases bypass the internet (wifi/hotspot). 
while there are several ways to <a href="https://infosec.exchange/tags/selfhost" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>selfhost</span></a>, in this approach of a <a href="https://infosec.exchange/tags/javascript" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>javascript</span></a> implementation, im able to store large amounts of data in the browser so things like images and <a href="https://infosec.exchange/tags/encryptionKeys" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>encryptionKeys</span></a> can be <a href="https://infosec.exchange/tags/selfhosted" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>selfhosted</span></a> in the browser. while this form has nuanced limitations, it also has interesting implications for security and privacy.</p><p>there are many nice features from the different apps you mentioned and i think i have some unique features too. the bottleneck in this project is that i dont put in enough time to the app.</p><p>&gt; feel free to slowly integrate them.</p><p>this is basically already my approach to get the app to where it is now.</p><p>thanks for the luck, take care and i hope you stay tuned for updates.</p>