first of all, apologies for the repost, a user commented on my original post that I should use "Show HN" so first and last time (or next time in 6 months, according to the guidelines).
preface :
After my cellphone started having camera focus issues & fell in the river(with me), I got very annoyed with the QR code required by signal (I ended up resizing the QR code it in gimp, printing it out on paper, and scanning it with my half-dead phone to be able to re-link my computer to signal). I am still waiting for my Librem5 (yes I drank the cool aid).
going in the deep:
I like to develop my own solutions in general instead of using existing technology (a.k.a i'm re-inventing the wheel)
My solution is not as good as signal and I know it. The two things that annoy me about signal is that [1]it requires a phone number and [2]it relies heavily on the domain whispersystems.org.
The good part about my app/server (I think) is that:
1 - you can host it at home and it does not even require a domain name. (you can deploy with bare ip)
2 - it is user friendly enough (GUI, pictures upload)
3 - encryption in transit is automatic (let's encrypt or self-sign)
4 - you can destroy conversations in one click
5 - you can choose many different modes of deployment
(single room, multi room, per-room certificates, wildcard certificates etc(more to come))
6 - receiving notifications on PING only (more like slack with the @ or irc with the name... something signal lacks)
The bad parts about my app/server (I think) is that:
1 - notifications via rss are not ideal, but it is the best way I found to make that app/server as standalone as possible (no 3rd party api calls required after installation).
2 - I am a jack of all trades, master of none, so I am pretty sure you can point at everything I wrote in any language and find flaws (I don't consider myself a developper)
3 - everything in there is file based, so... speed, scale and inodes :)
4 - api is not complete nor nice at the moment (work in progress)
5 - real end to end encryption is not yet implemented (I will go with good ol' gpg here(not sure how yet, let's add more tuck tape)
6 - deployment process needs improvements. (I am the only one that deployed it so far but i'm sure it does)
Any feedback is welcome, you can also try to hack it and I will gladly provide assistance if you want to deploy your own instance.
I will probably need help to achieve this, but I would love to see this becoming a great product made by the people, for the people with little nodes all over the place.
Just like a phone number, you will know to reach your friend(s) at friends.domainx.com. with more savvy people hosting it for less savvy friends, so the data remains in the hands of people that know each others in real life instead of big corp$.
P.S : you can use the demo for quick file sharing and destroy the room after.
I mean, it is great to see people get into security stuff and build chat stuff. But I have some points on your "philisophy".
You hate big billion dollar Companies? Well, your domain is hosted on AWS so are the servers. To prrof your point, you should've got the domain somewhere else and host the serveres somewhere else. Additionally, how is the weather in Middlesex, GB?
Now to the software side. Man is that repo a mess. I mean, you put a lot of work into the documents which is great, but until you find the damn source code of the actual important shit it takes years. (if anyone interested it is this billion character long mess: https://github.com/ba9f11ecc3497d9993b933fdc2bd61e5/temporar...).
What am I trying to say here? Great to see people starting coding. But split the project up or at least order it. The source of the server should be on click on `src` and done. Maybe extract the client to another repo. Hide the whole deployment stuff in another folder. We people who click the link to github want to see code. Not configuration stuff. First look matters.
And, if you want to be so "security hacker like nobody knows", create fancy profile picture with no face. Get a decent username no hash gabage. Hide your WhoIs Information from the domain. If you care about security and "not being dependent on multi billion dollar companies that collect all our data", don't use AWS. Go to a decent server hosting n your country (or where privacy matters).
Did this wake my interest? Yes.
Got I disapointed? Yeah.
Did I got disappointed way more than I thought? Definitely.
Would I trust this app even if the source code would be readable in any way? No because security is expert stuff. That's why we have Matrix, Signal, Threema (which is open-source now too).
Is this a little harsh? Yes, but this is the Internet.
Do I want you to re-make the project in a more professional way? Yes, because that is the best pratice to become a better developer.
Sorry for the hard comment. I hope you take it as an motivation. Always fall to learn, always come back stronger.
"I dont like your dns, registrar etc : took amazon for the ease of use and because I am familiar with it, but it is not my final choice, my goal is to make this as portable as possible so it can be deployed in virtual machines, on personal computers etc. I will not start using amazon services even if they are dirt cheap and I know how to leverage them. I do not want this project to be locked on a specific cloud platform. "
Middlesex, GB??? - > i'm in montreal canada
about the source code: ansible playbooks have a structure, src folder is not gonna fly here. "split the client" -> there is no client
but I can probably improve the repository structure, yes.
And, if you want to be so "security hacker like nobody knows" > I have no such ambitions.
create fancy profile picture with no face > I don't see how if I choose to put my face online or not is relevant here.
Get a decent username no hash gabage > the hash garbage is a md5sum for the word "git", I don't have imagination.
Got I disapointed? Yeah > It is okay, I know the project is not quite secure it it's actual form (even if a put a bit of effort on the security side) it is a work in progress.
Would I trust this app even if the source code would be readable in any way > if you cannot read my source code, I highly doubt you'll be able to read the signal source code (which I looked at)
"I dont like your dns, registrar etc : took amazon for the ease of use and because I am familiar with it, but it is not my final choice, my goal is to make this as portable as possible so it can be deployed in virtual machines, on personal computers etc. I will not start using amazon services even if they are dirt cheap and I know how to leverage them. I do not want this project to be locked on a specific cloud platform. "
Middlesex, GB??? - > i'm in montreal canada
about the source code:
ansible playbooks have a structure, src folder is not gonna fly here.
"split the client" -> there is no client
but I can probably improve the repository structure, yes.
And, if you want to be so "security hacker like nobody knows" > I have no such ambitions.
Got I disapointed? Yeah > It is okay, I know the project is not quite secure it it's actual form (even if a put a bit of effort on the security side) it is a work in progress.
9 comments
[ 2.8 ms ] story [ 33.6 ms ] threadpreface : After my cellphone started having camera focus issues & fell in the river(with me), I got very annoyed with the QR code required by signal (I ended up resizing the QR code it in gimp, printing it out on paper, and scanning it with my half-dead phone to be able to re-link my computer to signal). I am still waiting for my Librem5 (yes I drank the cool aid).
going in the deep: I like to develop my own solutions in general instead of using existing technology (a.k.a i'm re-inventing the wheel)
My solution is not as good as signal and I know it. The two things that annoy me about signal is that [1]it requires a phone number and [2]it relies heavily on the domain whispersystems.org.
The good part about my app/server (I think) is that:
1 - you can host it at home and it does not even require a domain name. (you can deploy with bare ip)
2 - it is user friendly enough (GUI, pictures upload)
3 - encryption in transit is automatic (let's encrypt or self-sign)
4 - you can destroy conversations in one click
5 - you can choose many different modes of deployment (single room, multi room, per-room certificates, wildcard certificates etc(more to come))
6 - receiving notifications on PING only (more like slack with the @ or irc with the name... something signal lacks)
The bad parts about my app/server (I think) is that:
1 - notifications via rss are not ideal, but it is the best way I found to make that app/server as standalone as possible (no 3rd party api calls required after installation).
2 - I am a jack of all trades, master of none, so I am pretty sure you can point at everything I wrote in any language and find flaws (I don't consider myself a developper)
3 - everything in there is file based, so... speed, scale and inodes :)
4 - api is not complete nor nice at the moment (work in progress)
5 - real end to end encryption is not yet implemented (I will go with good ol' gpg here(not sure how yet, let's add more tuck tape)
6 - deployment process needs improvements. (I am the only one that deployed it so far but i'm sure it does)
Any feedback is welcome, you can also try to hack it and I will gladly provide assistance if you want to deploy your own instance.
I will probably need help to achieve this, but I would love to see this becoming a great product made by the people, for the people with little nodes all over the place.
Just like a phone number, you will know to reach your friend(s) at friends.domainx.com. with more savvy people hosting it for less savvy friends, so the data remains in the hands of people that know each others in real life instead of big corp$.
P.S : you can use the demo for quick file sharing and destroy the room after.
thank you for your time and (hopefully) interest!
You hate big billion dollar Companies? Well, your domain is hosted on AWS so are the servers. To prrof your point, you should've got the domain somewhere else and host the serveres somewhere else. Additionally, how is the weather in Middlesex, GB?
Now to the software side. Man is that repo a mess. I mean, you put a lot of work into the documents which is great, but until you find the damn source code of the actual important shit it takes years. (if anyone interested it is this billion character long mess: https://github.com/ba9f11ecc3497d9993b933fdc2bd61e5/temporar...).
What am I trying to say here? Great to see people starting coding. But split the project up or at least order it. The source of the server should be on click on `src` and done. Maybe extract the client to another repo. Hide the whole deployment stuff in another folder. We people who click the link to github want to see code. Not configuration stuff. First look matters.
And, if you want to be so "security hacker like nobody knows", create fancy profile picture with no face. Get a decent username no hash gabage. Hide your WhoIs Information from the domain. If you care about security and "not being dependent on multi billion dollar companies that collect all our data", don't use AWS. Go to a decent server hosting n your country (or where privacy matters).
Did this wake my interest? Yes. Got I disapointed? Yeah. Did I got disappointed way more than I thought? Definitely. Would I trust this app even if the source code would be readable in any way? No because security is expert stuff. That's why we have Matrix, Signal, Threema (which is open-source now too). Is this a little harsh? Yes, but this is the Internet. Do I want you to re-make the project in a more professional way? Yes, because that is the best pratice to become a better developer.
Sorry for the hard comment. I hope you take it as an motivation. Always fall to learn, always come back stronger.
about my temporary choice for aws:
the reason is explained here : https://temporary.chat/qa.html
"I dont like your dns, registrar etc : took amazon for the ease of use and because I am familiar with it, but it is not my final choice, my goal is to make this as portable as possible so it can be deployed in virtual machines, on personal computers etc. I will not start using amazon services even if they are dirt cheap and I know how to leverage them. I do not want this project to be locked on a specific cloud platform. "
Middlesex, GB??? - > i'm in montreal canada
about the source code: ansible playbooks have a structure, src folder is not gonna fly here. "split the client" -> there is no client
but I can probably improve the repository structure, yes.
And, if you want to be so "security hacker like nobody knows" > I have no such ambitions.
create fancy profile picture with no face > I don't see how if I choose to put my face online or not is relevant here.
Get a decent username no hash gabage > the hash garbage is a md5sum for the word "git", I don't have imagination.
Hide your WhoIs Information from the domain > On 17 May 2018 the ICANN Board adopted a Temporary Specification for gTLD Registration Data. https://www.icann.org/resources/board-material/resolutions-2...
Got I disapointed? Yeah > It is okay, I know the project is not quite secure it it's actual form (even if a put a bit of effort on the security side) it is a work in progress.
Would I trust this app even if the source code would be readable in any way > if you cannot read my source code, I highly doubt you'll be able to read the signal source code (which I looked at)
thanks for your comment.
thanks for your comment,
about my temporary choice for aws:
the reason is explained here : https://temporary.chat/qa.html
"I dont like your dns, registrar etc : took amazon for the ease of use and because I am familiar with it, but it is not my final choice, my goal is to make this as portable as possible so it can be deployed in virtual machines, on personal computers etc. I will not start using amazon services even if they are dirt cheap and I know how to leverage them. I do not want this project to be locked on a specific cloud platform. "
Middlesex, GB??? - > i'm in montreal canada
about the source code: ansible playbooks have a structure, src folder is not gonna fly here. "split the client" -> there is no client
but I can probably improve the repository structure, yes.
And, if you want to be so "security hacker like nobody knows" > I have no such ambitions.
Got I disapointed? Yeah > It is okay, I know the project is not quite secure it it's actual form (even if a put a bit of effort on the security side) it is a work in progress.
thanks for your comment.
HN loved it too much, running this on a 5$ machine with 1G ram :)
it's back now