- 12 Posts
- 11 Comments
group chat is still a work-in-progress, but it’ll work in a way where asymmetric and symmetric encryption keys are generated in javascript using cryptography tools provided by the browser of your choice.
when a connection is established over webrtc (which mandates encryption anyway), the asymmetric keys are exchanged using the diffie-helman technique.
the keys are persisted into browser storage (indexedDB) so in a future reconnection, new keys dont need to be rgenerated. if you connect to a “known-peer”, the keys can be used for a kind-of p2p authentication.
all the security here depends on the security of the connected devices involved. this approach is in contast to connecting to an api to authenticate and proxy encrypted messages.
for more info there may be related information/links here: https://positive-intentions.com/blog/security-privacy-authentication
That’s right. It’s using peerjs-server as the connection broker.
1·1 month agoThanks! That’s great to hear.
There’s sometimes a bug where you have to have to exchange that ID both ways.
There a lot of docs to read through so just in case you overlooked it, I hope the video on this page helps: https://positive-intentions.com/docs/basics/peers
If that doesn’t help, then it’s something I need to fix. I am aware of a few issues with connecting to people when not on the same network. Webrtc should still work, so I chalk it up to some bug I should prioritize.
Id be interested to hear about the experience of trying to connect with the file app. I added some changes to make things work better, if that works I may have an idea of how to fix it for the chat app.
the google stuff is only for the website. the apps have their own subdomains and CSP headers that block foreign scripts.
(the direct links are found on the website footer under “links”)
the chat app is flexible in the ways it can be run as further described here: https://positive-intentions.com/blog/docker-ios-android-desktop. im trying things out with tauri and maybe some version hits the f-droid store at some point?
31·1 month agothanks for your reply.
can i do both? the chat app is completely open source. thats the thing i wanted to get traction on, but it doesnt seem to be working. which is understandable with things like bugs and audits missing.
so for a new approach with “file” i’m creating an app that is simplified to being purely for file transfer. i hope this simplication can also lead to more stable functionality to hopefully get to a level where it can send 300gb over webrtc. id like to this approach to remain close source so that i can create something competative in the market for file-transfer.
if youre asking for an audit, i expect you have an idea that they arent cheap. its simply beyond my means. the project is too complicated for pro-bono work.
the chat app (which contains file-transfer capabilities) is open source. id like to develop the p2p capabilities into a SaaS and so its logical to lean towards close-source for the “file” app.
thanks! im playing around with the website to make the landing page experience more appealing. the apps themselves, are running inside an iframe.
the google stuff is only for the website. the apps have their own subdomains and CSP headers that block foreign scripts.
(the direct links are found on the website footer under “links”)
1·8 months agoThanks. I’ve com across it before. You can find the corresponding security audit online.
Ive tried to address those concerns and I try to give details about it here: https://lemmy.ml/post/18497337
Thanks for the tip. WebRTC is using aes-128, I see in my code I’m using RSA. It sounds like a good idea like to create a cascading cypher with aes-256 which seems to be regarded as “military grade” (but it seems there is no official spec definition for this).
since the original post, i tried “military grade” in the wording and while i hope it triggered alerts for attention, i generally recieved feedback like yours where it isnt standardized and basically marketing words.
following the feedback ive now rephrased it some something like “industry grade”.