chat.positive-intentions.com

https://github.com/positive-intentions/chat

I’m excited to share with you an instant messaging application I’ve been working on that might interest you. This is a chat app designed to work within your browser, with a focus on browser-based security and decentralization.

What makes this app unique is that it doesn’t rely on messaging servers to function. Instead, it works based on your browser’s javascript capabilities, so even low-end devices should work.

Here are some features of the app:

  • Encrypted messaging: Your messages are encrypted, making them more secure.
  • File sharing: Easily share files using WebRTC technology and QR codes.
  • Voice and video calls: Connect with others through voice and video calls.
  • Shared virtual space: Explore a shared mixed-reality space.
  • Image board: Browse and share images in a scrollable format.

Your security is a top priority. Here’s how the app keeps you safe:

  • Decentralized authentication: No central server is required for login, making it harder for anyone to gain unauthorized access.
  • Unique IDs: Your ID is cryptographically random, adding an extra layer of security.
  • End-to-end encryption: Your messages are encrypted from your device to the recipient’s device, ensuring only you and the recipient can read them.
  • Local data storage: Your data is stored only on your device, not on any external servers.
  • Self-hostable: You have the option to host the app on your own server if you prefer.

The app is still in the early stages and I’m exploring what’s possible with this technology. I’d love to hear your feedback on the idea and the current state of the app. If you have any feature requests or ideas, I’m all ears in the comments below!

Looking forward to hearing your thoughts!

The live app

About the app

Docs

  • wildbus8979@sh.itjust.works
    link
    fedilink
    arrow-up
    10
    ·
    edit-2
    5 months ago

    Where is the crypto documented? I’m immediately dubious of messengers that do not provide LENGTHY documentation about the crypto. Did you roll your own? Are you using libraries? Which ones? Etc… It’s not s good start to see that you have the self signed certs hard-coded in the repo…

    • positive_intentions@lemmy.mlOP
      link
      fedilink
      English
      arrow-up
      3
      ·
      5 months ago

      An understandable view. Not sure what you mean by lengthy, but I can confirm my app is not well documented. If the MDN docs count, its a fairly thin wrapper around the functionality provided by the browser of your choice.

      https://github.com/positive-intentions/cryptography/blob/staging/src/stories/components/Cryptography.tsx

      I’m using webpack 5 module federation to import that file at runtime. Perhaps over-engineered, but it’s so I can keep the crypto functionality maintained separately. That repo is in need of more attention for things like unit tests, but the crypto implementation there is pretty basic.

      • wildbus8979@sh.itjust.works
        link
        fedilink
        arrow-up
        5
        ·
        5 months ago

        This doesn’t really explain how the whole protocol works. Are the keys exchanged for example? Are they rotated? If so when and how? From a quick glance at this bit of code this is just RSA? So no forward secrecy?

        • positive_intentions@lemmy.mlOP
          link
          fedilink
          English
          arrow-up
          3
          ·
          5 months ago

          The app is a active work in progress. I try to make this clear in my post. Any “protocol” being used, is subject to change as I make improvements.

          You raise some good points about rotating keys and forward secrecy. These are things I will be including, but the app is far from finished.

          Maybe this helps a bit (I know it’s not what you want, but it’s the best I got at the moment without diving into the code): https://positive-intentions.com/docs/research/authentication/

  • vort3@lemmy.ml
    link
    fedilink
    arrow-up
    8
    arrow-down
    1
    ·
    5 months ago

    But we already have decentralized encypted chat, it’s XMPP.

    Is yours truly P2P? What about clients behind NAT? Does it use STUN/TURN servers?

  • Murdoc@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    1
    ·
    5 months ago

    It’s an interesting idea. If it can make it easier to share files with friends then I’d be in. Voice and video have always been challenging as I understand it, so I’m expecting that to come later. Very ambitious, but cool if you can pull it off!

    • positive_intentions@lemmy.mlOP
      link
      fedilink
      English
      arrow-up
      2
      ·
      5 months ago

      There is a lot to be fixed throughout but file transfer and video calls should be working if you try out the live app.

      • Murdoc@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        1
        ·
        5 months ago

        All right I tried out the live app, to connect my phone to my desktop. Couldn’t get it to work. Tried the link method both ways, once normal and once animals. Tried the QR code too. All it does is bring me to a “contacts” page, which is essentially the same screen, or to a “new peer” one. Tried looking at the docs but didn’t see what I might be doing wrong there. Do certain plug ins mess it up like ublock origin? Anything else?

        • positive_intentions@lemmy.mlOP
          link
          fedilink
          English
          arrow-up
          1
          ·
          edit-2
          5 months ago

          Sorry. It’s quite buggy.

          • Its best to start off by clearing all site data from the browser settings.
          • Do not have multiple tabs of the app on the same device.
          • It doesnt hurt to refresh to page.

          What you’re describing might be related to there being 2 tabs of the app running. This results in both reacting to the new-connection-event, but ultimately resulting in a data conflict.

          Plugins shouldn’t be an issue. For stronger security, i have CSP headers to try to prevent browser plugins reading data.

          If nothing works then the egg is squarely on my face and my buggy app is too buggy.

    • positive_intentions@lemmy.mlOP
      link
      fedilink
      English
      arrow-up
      5
      ·
      5 months ago

      It’s similar to matrix in many ways. The key difference is with mine it’s is purely browser based. Unlike traditional solutions like matrix where you have a (self)hosted server, mine does not require things like registration or installation.

  • makeasnek@lemmy.ml
    link
    fedilink
    English
    arrow-up
    2
    arrow-down
    1
    ·
    5 months ago

    Interesting project, cool to see that you are passionate about this. Nostr does much of this and can do it entirely in-browser without having to trust any particular relay like AP/Lemmy/Mastodon does. It has encrypted DMs. Might want to check out the protocol.

  • pedroapero@lemmy.ml
    link
    fedilink
    arrow-up
    1
    arrow-down
    1
    ·
    5 months ago

    Sounds to me that it would have been easier to create a web-based client for an existing messaging system with such features (like Briar).

    • positive_intentions@lemmy.mlOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      5 months ago

      perhaps.

      it started of very vanillajs, but i found that users didnt like the appearance. so i added a faily basic implementation of material ui.

      existing frameworks were not compatible with the look, feel and funtionality i was after. i still havent achieved it, but im happy with the progress.