if i do a good job, it would have comparable features.
the key distinction between mine and other apps like syncthing, is that its provided as a zero-installation, zero-registration webapp.
so its basically ready to use at any point on any device that has a browser.
if youre asking for an audit, i expect you have an idea that they arent cheap. its simply beyond my means. the project is too complicated for pro-bono work.
the chat app (which contains file-transfer capabilities) is open source. id like to develop the p2p capabilities into a SaaS and so its logical to lean towards close-source for the "file" app.
thanks! im playing around with the website to make the landing page experience more appealing. the apps themselves, are running inside an iframe.
the google stuff is only for the website. the apps have their own subdomains and CSP headers that block foreign scripts.
(the direct links are found on the website footer under "links")
its browser based. it uses webrtc to create p2p connections between browsers. concepts like authentication takes the form of using cryptography capabilities of a typical browser. the storage of data from messages to encryption keys are stored in indexedDB as provided by the browser of your choice. there is an emphesis on client-side browser-based capabilities in all parts of the app.
matrix is a good peer reviewed and generally reccommended solution. this project isnt intended to replace any existing solution. there are many other similar projects out there, but i notice there arent many presented as webapps. this is my attempt.
I don't think this kind of app could be an alternative to instagram because of it only being P2P with only people you know.
The app is using webRTC which exposes IP addresses, so you wouldn't want something like a global feed on this.
Immich sounds interesting. I'd like to make time to check it out.
P2P allows for a fairly unexplored infrastructure for content moderation. In this app, the feed of images would only be from people you connect to. For people to connect to you, you have to share a crypto random id.
As a webapp you can clear the site data by logging out. Basically, people cannot randomly connect to you and share things you don't like.
I won't be adding anything like a global feed. Only content that you shared or received.
This doesn't remove the risk of people sending you things you don't like so I'm all ears for an approach to that. I didn't make much progress on the following. If there are any hard features you think would help, let me know. I'd like to make some time to create a "block contact" but it'll take time and consideration to do it properly (so I don't expect it soon). Things like logging out and being able to backup your profile might be enough, but not as user-friendly as it could be.
thanks for your thoughts. im sure others would have similar concerns.
The attacker takes over the server and replaces the JS with a backdoored version
this is a core concern why the app is open source and selfhostable. details are provided in the readme to create a selfhosted fork that runs on github pages. there are several ways around this concern described here.
You are going in the wrong direction
thats unfortunate if you still think so, but id like to hear any other concerns if you have any.
Thanks! As a webapp I generally have no choice but advise that users select a device/os/browser combo they trust.
It's important to note "disabling webRTC" is not a goal here. My app critically relies on it.
The webapp form factor is important for accesability. While things likes Qubes are secure by design, that isn't something I can suggest to potential users. VPN however is a lot more commonly used in today's digital scene, so I think that's a step that easier to advocate to users.
The app is a active work in progress. I try to make this clear in my post. Any "protocol" being used, is subject to change as I make improvements.
You raise some good points about rotating keys and forward secrecy. These are things I will be including, but the app is far from finished.
Maybe this helps a bit (I know it's not what you want, but it's the best I got at the moment without diving into the code): https://positive-intentions.com/docs/research/authentication/
It's similar to matrix in many ways. The key difference is with mine it's is purely browser based. Unlike traditional solutions like matrix where you have a (self)hosted server, mine does not require things like registration or installation.
An understandable view. Not sure what you mean by lengthy, but I can confirm my app is not well documented. If the MDN docs count, its a fairly thin wrapper around the functionality provided by the browser of your choice.
I'm using webpack 5 module federation to import that file at runtime. Perhaps over-engineered, but it's so I can keep the crypto functionality maintained separately. That repo is in need of more attention for things like unit tests, but the crypto implementation there is pretty basic.
if i do a good job, it would have comparable features.
the key distinction between mine and other apps like syncthing, is that its provided as a zero-installation, zero-registration webapp.
so its basically ready-to-use at any point on any device that has a browser.