[-] positive_intentions@lemmy.ml 4 points 4 weeks ago

I don't think this kind of app could be an alternative to instagram because of it only being P2P with only people you know.

The app is using webRTC which exposes IP addresses, so you wouldn't want something like a global feed on this.

Immich sounds interesting. I'd like to make time to check it out.

[-] positive_intentions@lemmy.ml 5 points 4 weeks ago

P2P allows for a fairly unexplored infrastructure for content moderation. In this app, the feed of images would only be from people you connect to. For people to connect to you, you have to share a crypto random id.

As a webapp you can clear the site data by logging out. Basically, people cannot randomly connect to you and share things you don't like.

I won't be adding anything like a global feed. Only content that you shared or received.

This doesn't remove the risk of people sending you things you don't like so I'm all ears for an approach to that. I didn't make much progress on the following. If there are any hard features you think would help, let me know. I'd like to make some time to create a "block contact" but it'll take time and consideration to do it properly (so I don't expect it soon). Things like logging out and being able to backup your profile might be enough, but not as user-friendly as it could be.

https://www.reddit.com/r/darknetplan/comments/16qw24o/on_my_decentralized_chat_app_i_want_some_kind_of/

40
P2P Social Media (positive-intentions.com)
submitted 1 month ago* (last edited 1 month ago) by positive_intentions@lemmy.ml to c/opensource@lemmy.ml
[-] positive_intentions@lemmy.ml 3 points 2 months ago

Thanks. I've com across it before. You can find the corresponding security audit online.

Ive tried to address those concerns and I try to give details about it here: https://lemmy.ml/post/18497337

6

im aiming to make a chat app secure as theorhetically possible as a webapp. for transparency its open source. id like the user experience to be as close to possible to a regular chat app. its important to note; there are limitation with p2p and webapps such that messages cant be sent if the peer isnt connected.

to keep this post brief, please take a look at the readme. it has all the information and links.

i dont think its ready to replace any app or service, but id love to get feedback on what you think would make it so you would use it more than once.

18

https://github.com/positive-intentions/chat

im working on a decentralized chat app similar to Simplex with the additional detail that it's mainly presented as a webapp. Simplex recently posted on their subreddit about "somone else" having registered and hosted a copy of thier website/app.

this could be for something like phishing and they correctly notified people and reccommend to not download from there.

https://www.reddit.com/r/SimpleXChat/comments/1epuf5w/please_note_we_do_not_own_the_domain/

im now thinking i should point people to my github repository. (the links to the webapp and builds for ios/andoid/ desktop can be found directly there from the readme)... similar to a "domain", im sure its easy enough to create a new github organization and repo that looks similar to the one i already have.

i added a section in the readme about improving the security of the app by using a selfhosted version for those that want/need hightened security/privacy.

Simplex also mention they submitted a complaint to the domain registrar. id like help to learn about what other things i could do if somthing similar happens to my app. this is something that id like to know more about because its seems inevitable to happen (if it becomes popular) given my app is open source and easy to selfhost.

26
submitted 3 months ago* (last edited 3 months ago) by positive_intentions@lemmy.ml to c/opensource@lemmy.ml

https://youtu.be/2gTTu4OqoiM

https://github.com/positive-intentions/chat

the code related to the video is a faily basic implementation using BabylonJS. it can be found here.

id like to see if i can get handpose-estimation to work well enough to be able to add to the BabylonJS render engine.

im working on something i hope will work like the 8thwall demo here. i couldnt find an open-source alternative to this. my progress so far is as described here. i dont have much experience in creating games or graphics, so any guidance/help/advice is appriciated.

disclaimer: its a proof-of-concept app. for testing and demo purposes only. maybe this article helps clarify some details.

[-] positive_intentions@lemmy.ml 3 points 3 months ago

Simplex is good. Mine isn't ready to replace any app or service.

[-] positive_intentions@lemmy.ml 4 points 3 months ago

thanks for your thoughts. im sure others would have similar concerns.

The attacker takes over the server and replaces the JS with a backdoored version

this is a core concern why the app is open source and selfhostable. details are provided in the readme to create a selfhosted fork that runs on github pages. there are several ways around this concern described here.

You are going in the wrong direction

thats unfortunate if you still think so, but id like to hear any other concerns if you have any.

23
submitted 3 months ago* (last edited 3 months ago) by positive_intentions@lemmy.ml to c/privacy@lemmy.ml

https://github.com/positive-intentions/chat

probably not... Because I'm comparing it to everything... but id like to share some details about how my app works so you can tell me what im missing. id like to have wording in my app to say something like "most secure chat app in the world"... i probably cant do that because it doesnt qualify... but i want to understand why?

im not an expert on cyber security. im sure there are many gaps in my knowlege in this domain.

using javascript, i created a chat app. it is using peerjs-server to create an encrypted webrtc connection. this is then used to exchange additional encryption keys from cryptography functions built into browsers to add a redundent layer of encryption. the key exchange is done like diffie-helman over webrtc (which can be considered secure when exchanged over public channels)

  • i sometimes recieve feedback like "javascript is inherently insecure". i disagree with this and have opened sourced my cryptography module. its basically a thin wrapper around vanilla crypto functions of a browser. a prev post on the matter.

  • another concern for my kind of app (PWA) is that the developer may introduce malicious code. this is an important point for which i open sourced the project and give instructions for selfhosting. selhosting this app has some unique features. unlike many other selfhosted projects, this app can be hosted on github-pages for free (instructions are provided in the readme). im also working on introducing a way that users can selfhost federated modules. a prev post on the matter.

  • to prevent things like browser extensions, the app uses strict CSP headers to prevent unauthorised code from running. selfhosting users should take note of this when setting up their own instance.

  • i received feedback the Signal/Simplex protocol is great, etc. id like to compare that opinion to the observation in how my todo app demo works. (the work is all experimental work-in-progress and far from finished). the demo shows a simple functionality for a basic decentralized todo list. this should already be reasonably secure. i could add a few extra endpoints for exchanging keys diffie-helman style. which at this point is relatively trivial to implement. I think it's simplicity could be a security feature.

  • the key detail that makes this approach unique, is because as a webapp, unlike other solutions, users have a choice of using any device/os/browser.

i think if i stick to the principle of avoiding using any kind of "required" service provider (myself included) and allowing the frontend and the peerjs-server to be hosted independently, im on track for creating a chat system with the "fewest moving parts". im hope you will agree this is true p2p and i hope i can use this as a step towards true privacy and security. security might be further improved by using a trusted VPN.

i created a threat-model for the app in hopes that i could get a pro-bono security assessment, but understandable the project is too complicated for pro-bono work.

while there are several similar apps out there like mine. i think mine is distinctly a different approach. so its hard to find best practices for the functionalities i want to achieve. in particular security practices to use when using p2p technology.

(note: this app is an unstable, experiment, proof of concept and not ready to replace any other app or service. It's far from finished and provided for testing and demo purposes only. This post is to get feedback on the app to determine if i'm going in the right direction for a secure chat app)

7

https://github.com/positive-intentions/chat

probably not... but id like to share some details about how my app works so you can tell me what im missing. id like to have wording in my app to say something like "most secure chat app in the world"... i probably cant do that because it doesnt qualify... but i want to understand why?

im not a cyber security expert. im sure there are many gaps in my knowlege of this domain.

using javascript, i created a chat app. it is using peerjs-server to create an encrypted webrtc connection. this is then used to exchange additional encryption keys from cryptography functions built into browsers to add a redundent layer of encryption. the key exchange is done like diffie-helman (which can be considered secure when exchanged over public channels)

  • i sometimes recieve feedback like "javascript is inherently insecure". i disagree with this and have opened sourced my cryptography module. its basically a thin wrapper around vanilla crypto functions of a browser. a prev post on the matter.

  • another concern for my kind of app (PWA) is that the developer may introduce malicious code. this is an important point for which i open sourced the project and give instructions for selfhosting. selhosting this app has some unique features. unlike many other selfhosted projects, this app can be hosted on github-pages and instructions are provided. im also working on introducing a way that users can selfhost federated modules. a prev post on the matter.

  • to prevent things like browser extensions, the app uses strict CSP headers to prevent unauthorised code from running. selfhosting users should take note of this when setting up their own instance.

i think if stick to the principle of avoiding using any kind of "required" service provider (myself included) and allowing the frontend and the peerjs-server to be hosted independently, im on track for creating a chat system with the "fewest moving parts". im hoping this will lead to true p2p and i hope i can use this as a step towards true privacy and security.

i created a threat-model for the app in hopes that i could get a pro-bono security assessment, but understandable the project is too complicated for pro-bono work.

i created a decentralized todo list demo using the p2p framework used in the chat app. this is to demonstrate the bare-minimum functionality of decentralised messaging and state management.

while there are several similar apps out there like mine. i think mine is distinctly a different approach so its hard to find best practices for the functionalities i want to achieve. in particular security practices to use when using p2p technology.

[-] positive_intentions@lemmy.ml 4 points 4 months ago

Thanks! As a webapp I generally have no choice but advise that users select a device/os/browser combo they trust.

It's important to note "disabling webRTC" is not a goal here. My app critically relies on it.

The webapp form factor is important for accesability. While things likes Qubes are secure by design, that isn't something I can suggest to potential users. VPN however is a lot more commonly used in today's digital scene, so I think that's a step that easier to advocate to users.

20

i want to understand more about WebRTC security when using vpn. id like to know if it is more secure with VPN than without… or even if its recommended to use WebRTC with VPN.

i created a webrtc demo: https://chat.positive-intentions.com/#/webrtc (the corresponding code its created with: https://github.com/positive-intentions/chat/blob/staging/src/components/pages/webrtc/WebRTC.jsx)

if i generate a “WebRTC offer” then i see a bunch of information including my IP address.

if i do the same with VPN, i see that my ip address isnt in that payload.

following the information here: https://thehackernews.com/2015/02/webrtc-leaks-vpn-ip-address.html?m=1

and using the demo here: https://ipleak.net/

it seems even with vpn, the local ISP ip seems detected.

a recurring concern ive had on reddit about the security of my app is that webrtc exposes ip addresses. im investigating using the app with vpn. it seems to work like normal.

in the example details given above, i see while the local ISP IP is exposed, the personal ip address is still hidden. im sure what is exposed there is not worthless, but it could help users with privacy and security.

on the back of this investigation id like to see if i can add something like a toggle in my app called “enforce VPN” which will first check to see if you are on a vpn, and if you are, open the rest of the app.

my app is using peerjs-server as the connection broker. this is a third party i have no contractual agreement to provide me with a service. it could help to hide your IP from this service.

22
submitted 4 months ago* (last edited 4 months ago) by positive_intentions@lemmy.ml to c/opensource@lemmy.ml

a decentralized P2P todo list app to to demo the P2P framework used in the chat app.

https://github.com/positive-intentions/chat

a wrapper around peerjs. peerjs is good, but it can become complicated to use on complicated projects. This implementation is an attempt to create something like a framework/guideline for decentralized messaging and state management.

https://positive-intentions.github.io/p2p/?path=/story/demo-todo-list--basic

how it works:

  1. crypto-random ids are generated and used to connect to peerjs-server (to broker a webrtc connection)
  2. peer1 shares this ID to another browser/tab/person (use the storybook props)
  3. peers are then automatically connected.
  4. add todo item
  5. edit todo item

There are several things here to improve like:

  • general cleanup throughout (its early stage for this project and missing all the nice things like good-code and unit-tests)
  • adding extra encryption keys for messages comming in and going out (webrtc mandates encryption already)
  • handling message callbacks
  • key rotation
14
P2P Framework (lemmy.ml)

p2p.positive-intentions.com

github.com/positive-intentions/p2p

a thin wrapper around peerjs with some functionalities for "intuitive" p2p communication.

this is a lighweight version of what is being used in our chat app. it will be developed with the aim to replace what is being used.

this is early development on this and it's missing all the bells-and-whistles seen in the chat app. It's an unstable experimental work-in-progress. it may contain bugs and/or incomplete features. provided for demo and educational purposes only.

[-] positive_intentions@lemmy.ml 3 points 5 months ago* (last edited 5 months ago)

your caution is well placed. this app is not ready to replace any existing app or service. it is only provided for demo and testing.

the feedback ive recieved from security professionals is that the project is too complicated to review without a budget (which is understandable). so i think updating the docs is something i will do when i have the protocol and algorithm better defined. (note: i am already planning on breaking changes, but havent found the time to do them.)

[-] positive_intentions@lemmy.ml 3 points 5 months ago

if "trust" in the static files from a url is a concern, (which is very reasonable), you can easily host your own instance.

i think it fits squarely as a "P2P app". over a hotspot, you can practically send messages offline. im not sure what other qualifiers are needed.

i dont think its ready to be compared to other tools yet. but i would be aiming to make it comparable to something like signal... but it'll take a while to get there.

6
Decentralized Encrypted P2P Chat (chat.positive-intentions.com)

Id like to introduce you to a decentralized chat app that works purely in the browser. Breaking away from traditional solutions that require registration and installation.

A decentralized infrastructure has many unique challenges and this is a unique approach. Ive taken previsous feedback and made updates. Its important to note, it is still a work-in-progress and provided for testing/review/feedback purposes. it would be great if you can tell me what you think.

Some of the features of the app include:

  • Free
  • Decentralised
  • No cookies
  • P2P encrypted
  • No registration
  • No installing
  • Group messaging
  • Text messaging
  • Multimedia messaging
  • Offline messaging (LAN/hotspot)
  • File transfer
  • Video calls
  • Data-ownership
  • Selfhosted (optional)
  • Screensharing (on desktop browsers)
  • OS notifications (where supported)

With no registration or installation required, its easy to get started.

20
Decentralized Encrypted P2P Chat (chat.positive-intentions.com)
submitted 5 months ago* (last edited 5 months ago) by positive_intentions@lemmy.ml to c/privacy@lemmy.ml

Id like to introduce you to a decentralized chat app that works purely in the browser. Breaking away from traditional solutions that require registration and installation.

A decentralized infrastructure has many unique challenges and this is a unique approach. Ive taken previsous feedback and made updates. Its important to note, it is still a work-in-progress and provided for testing/review/feedback purposes. it would be great if you can tell me what you think.

Some of the features of the app include:

  • Free
  • Decentralised
  • No cookies
  • P2P encrypted
  • No registration
  • No installing
  • Group messaging
  • Text messaging
  • Multimedia messaging
  • Offline messaging (LAN/hotspot)
  • File transfer
  • Video calls
  • Data-ownership
  • Selfhosted (optional)
  • Screensharing (on desktop browsers)
  • OS notifications (where supported)

With no registration or installation required, its easy to get started.

[-] positive_intentions@lemmy.ml 2 points 5 months ago

Thanks. It's been mentioned before and I'd like to take a look at it when I can make the time.

[-] positive_intentions@lemmy.ml 3 points 5 months ago

The app is a active work in progress. I try to make this clear in my post. Any "protocol" being used, is subject to change as I make improvements.

You raise some good points about rotating keys and forward secrecy. These are things I will be including, but the app is far from finished.

Maybe this helps a bit (I know it's not what you want, but it's the best I got at the moment without diving into the code): https://positive-intentions.com/docs/research/authentication/

[-] positive_intentions@lemmy.ml 5 points 5 months ago

It's similar to matrix in many ways. The key difference is with mine it's is purely browser based. Unlike traditional solutions like matrix where you have a (self)hosted server, mine does not require things like registration or installation.

[-] positive_intentions@lemmy.ml 3 points 5 months ago

An understandable view. Not sure what you mean by lengthy, but I can confirm my app is not well documented. If the MDN docs count, its a fairly thin wrapper around the functionality provided by the browser of your choice.

https://github.com/positive-intentions/cryptography/blob/staging/src/stories/components/Cryptography.tsx

I'm using webpack 5 module federation to import that file at runtime. Perhaps over-engineered, but it's so I can keep the crypto functionality maintained separately. That repo is in need of more attention for things like unit tests, but the crypto implementation there is pretty basic.

51
Decentralized Encrypted P2P Chat (chat.positive-intentions.com)
submitted 5 months ago* (last edited 5 months ago) by positive_intentions@lemmy.ml to c/opensource@lemmy.ml

chat.positive-intentions.com

https://github.com/positive-intentions/chat

I'm excited to share with you an instant messaging application I've been working on that might interest you. This is a chat app designed to work within your browser, with a focus on browser-based security and decentralization.

What makes this app unique is that it doesn't rely on messaging servers to function. Instead, it works based on your browser's javascript capabilities, so even low-end devices should work.

Here are some features of the app:

  • Encrypted messaging: Your messages are encrypted, making them more secure.
  • File sharing: Easily share files using WebRTC technology and QR codes.
  • Voice and video calls: Connect with others through voice and video calls.
  • Shared virtual space: Explore a shared mixed-reality space.
  • Image board: Browse and share images in a scrollable format.

Your security is a top priority. Here's how the app keeps you safe:

  • Decentralized authentication: No central server is required for login, making it harder for anyone to gain unauthorized access.
  • Unique IDs: Your ID is cryptographically random, adding an extra layer of security.
  • End-to-end encryption: Your messages are encrypted from your device to the recipient's device, ensuring only you and the recipient can read them.
  • Local data storage: Your data is stored only on your device, not on any external servers.
  • Self-hostable: You have the option to host the app on your own server if you prefer.

The app is still in the early stages and I'm exploring what's possible with this technology. I'd love to hear your feedback on the idea and the current state of the app. If you have any feature requests or ideas, I'm all ears in the comments below!

Looking forward to hearing your thoughts!

The live app

About the app

Docs

view more: next ›

positive_intentions

joined 5 months ago