23
submitted 3 months ago* (last edited 3 months ago) by positive_intentions@lemmy.ml to c/privacy@lemmy.ml

https://github.com/positive-intentions/chat

probably not... Because I'm comparing it to everything... but id like to share some details about how my app works so you can tell me what im missing. id like to have wording in my app to say something like "most secure chat app in the world"... i probably cant do that because it doesnt qualify... but i want to understand why?

im not an expert on cyber security. im sure there are many gaps in my knowlege in this domain.

using javascript, i created a chat app. it is using peerjs-server to create an encrypted webrtc connection. this is then used to exchange additional encryption keys from cryptography functions built into browsers to add a redundent layer of encryption. the key exchange is done like diffie-helman over webrtc (which can be considered secure when exchanged over public channels)

  • i sometimes recieve feedback like "javascript is inherently insecure". i disagree with this and have opened sourced my cryptography module. its basically a thin wrapper around vanilla crypto functions of a browser. a prev post on the matter.

  • another concern for my kind of app (PWA) is that the developer may introduce malicious code. this is an important point for which i open sourced the project and give instructions for selfhosting. selhosting this app has some unique features. unlike many other selfhosted projects, this app can be hosted on github-pages for free (instructions are provided in the readme). im also working on introducing a way that users can selfhost federated modules. a prev post on the matter.

  • to prevent things like browser extensions, the app uses strict CSP headers to prevent unauthorised code from running. selfhosting users should take note of this when setting up their own instance.

  • i received feedback the Signal/Simplex protocol is great, etc. id like to compare that opinion to the observation in how my todo app demo works. (the work is all experimental work-in-progress and far from finished). the demo shows a simple functionality for a basic decentralized todo list. this should already be reasonably secure. i could add a few extra endpoints for exchanging keys diffie-helman style. which at this point is relatively trivial to implement. I think it's simplicity could be a security feature.

  • the key detail that makes this approach unique, is because as a webapp, unlike other solutions, users have a choice of using any device/os/browser.

i think if i stick to the principle of avoiding using any kind of "required" service provider (myself included) and allowing the frontend and the peerjs-server to be hosted independently, im on track for creating a chat system with the "fewest moving parts". im hope you will agree this is true p2p and i hope i can use this as a step towards true privacy and security. security might be further improved by using a trusted VPN.

i created a threat-model for the app in hopes that i could get a pro-bono security assessment, but understandable the project is too complicated for pro-bono work.

while there are several similar apps out there like mine. i think mine is distinctly a different approach. so its hard to find best practices for the functionalities i want to achieve. in particular security practices to use when using p2p technology.

(note: this app is an unstable, experiment, proof of concept and not ready to replace any other app or service. It's far from finished and provided for testing and demo purposes only. This post is to get feedback on the app to determine if i'm going in the right direction for a secure chat app)

you are viewing a single comment's thread
view the rest of the comments
[-] breadsmasher@lemmy.world 19 points 3 months ago

I opened your repo, and went to the cryptography component

https://github.com/positive-intentions/chat/blob/staging/src/components/cryptography/Cryptography.jsx

Whats with the huge amount of commented out code? Why does the huge comment at the top read like its a prompt to an LLM?

Before even considering whether the implementation is secure, you really should clean up the huge number of commented out lines. That doesn’t make it insecure by itself but holy shit does it make code impossible to review and audit.

I wouldn’t include random keys, even if noted as not being suitable for production. Installing CLI tools to generate them should be the expectation, not using provided certs/keys. Part of the setup of the development environment should include how to generate the required certificates.

[-] positive_intentions@lemmy.ml 2 points 3 months ago

thanks for taking a look.

there is a tonne of garbage code throughout as i have iterated and improved. its terrible practice for collabboration, but at the moment im just trying things out. in the case of the cryptography module, it was previsously part of the main chat app repo before being refactored into a federated module. its commented it out because i was testing out by toggling the functionality. of course it would be cleaner to remove, but i havent quite finished refactoring the crytography module. it needs things like unit testing. as a sideproject im fairly liberal with my coding practices to achieve what i want to test and things that read like LLM promps, likly are. various LLMs have been used to create the app as you see it. that isnt to say i didnt check and test the code being introduced.

the module federated version of the cryptography module that will replace the crypto functions done in the app can be found here

i started work on a p2p framework similarly to the crypto module (as seen here), i would make it into a federated module. it would make sense to get a review and security audit for that first.

i have asked in the cryptography communities to get feedback about the random generation and i think this implementation works. that isnt to dismiss your concerns, but its important to note the purpose of this is to be unpredictable random when connecting to peerjs-server. such a randomization is possible out of the box with a typical browser. these functions are already audited to be secure (otherwise youre on the wrong browser/os for this app). this is then combined with what can be considered as user-generated entropy (which is arguably redundent). this is my answer to what you elude to about a CLI tool to generate a value... in the app there is something you might see called "crypto signature". this is a htm5 canvas you can draw on. this input gets truned into base64 string and passed through a sha256 hashing function. this value is reasonably unpredictable when combined to the browser-provided random value. (if you try to do your own signature again, its unlikly it would be identical pixel-for-pixel).

i hope that answers some concerns. let me know if something is still unclear or i didnt answer clearly enough.

[-] breadsmasher@lemmy.world 10 points 3 months ago* (last edited 3 months ago)

I understand where you are coming from, but if you want any real useful feedback, your repo main/master branch needs to be clean and tidy. It does look like you have some branches?

If you want to try things out and then remove it again, commit it to a different branch. The moment I see a single file like the cryptography one with so much random commented code, its a massive red flag for me.

Source - 15 years in professional software engineering

[-] positive_intentions@lemmy.ml 2 points 3 months ago

it started of as another branch "staging" and then i just stuck that that as the main branch. the whole app at this point can be considered experiemental. i guess the code isnt good enough to collab at the moment.

as a side project, i dont have much time to work on it and so some things have to fall by the wayside such as code-quality, unit tests, documentation. i think the project isnt mature enough to burden myself with some details as i create this POC. the app as you see it is being used to understand how something like this app can tie together. a proper version will be in the form of the various federated modules which i am creating in a way to address issues seen in the main app.

it might not be an approach other will agree with, but code quality issues are to be resolved in what im aiming for with a microfrontend architecture as described here. i think ive reached a point that i can plan how things can be broken up and it makes sense to have code separated in this way where it can also contain its own documentation.

thanks for your input. its certainly good to understand how others feel about my work and process. and hopefully i can make things more clear as i go along.

[-] bamboo@lemmy.blahaj.zone 4 points 3 months ago

To reiterate the other comment about code maintainability, I'd suggest removing all commented out code as your next commit. With git, that information isn't lost and you can always go back to it on commit d4c981a. The easiest time to create a clean codebase is when you start the project, and the second easiest time is now. Also might be a good idea to use a pre-commit hook to check if commented code is being committed, to stop you from introducing mess in the future.

[-] positive_intentions@lemmy.ml 2 points 3 months ago

Thanks for the advice. I'll try set aside some time for this.

this post was submitted on 28 Jul 2024
23 points (72.5% liked)

Privacy

31995 readers
623 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

Chat rooms

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
MODERATORS