Show HN: Chitchatter – P2P chat app that is serverless, decentralized, ephemeral (chitchatter.im)
For anyone who is interested to learn more about Chitchatter, please check out the project README: https://github.com/jeremyckahn/chitchatter#readme
Chitchatter is very much an early MVP, so I'd like to get your feedback. Thanks for looking!
89 comments
[ 4.8 ms ] story [ 170 ms ] threadThe Tox website doesn't say anything about the architecture, neither does Wikipedia. Apparently it's a library implemented in C and everyone's expected to use that. The Wikipedia reference links are dead, the only 3rd party implementation says "On hold until Tox gets proper docs."
Briar is distributed but runs over Tor so your IP is hidden. You can't use Briar over Tor because it already uses Tor so it doesn't work in Whonix.
When I sent a message from the second browser, it didn’t get delivered to anyone, and the first room showed a message saying “someone has left the room”.
Looks like your message identity is driven off ip or something unique to the device rather than browser.
Anyone with knowledge of the room UUID can listen to the conversation, even though the presence of the eavesdropper may (or may not) show up in the connected peers' counter. It is of essence to share such UUIDs over a secure channel, or the communication security will be compromised trivially.
It is mentioned in the README the relevance of government level threat actors and email, SMS, Discord, among the possible mediums over which the UUIDs can be shared. Of course this leaves Chitchatter open to be attacked by governments and network operators, who do have access to the phone network(s), email servers, and other platforms involved. It would be best to prefer other out-of-bound channels, or come up with one-time UUIDs generators able to resynchronise and shared among the peers.
In addition, the README says one can audit the full code and the assets used. For example, it suggests to audit the gh-pages branch for the static assets. But when hosting with github, that branch could change at any time and deliver non-audited content. Powerful attackers like government could do it easily, and less powerful ones too.
Or find it inconvenient at some point and think "it doesn't matter that much, does it?"...
As is often the case, the human is the weakest link in the security chain.
That's a great point. There's nothing stopping folks from producing their own builds and self-hosting Chitchatter though, so that seems like a reasonably easy problem to solve.
I started building this out last year to explore web crypto and webrtc but got sidetracked.
Have you looked into webcrypto? Create a new ecdh keypair for each session for each party, keep the private inextricable in memory, trade public keys over webrtc. This (I think) ensures no-one can evesdrop.
Peer auth could occur normally with ecdsa signatures done OUTSIDE of the browser or whatever.
Hopefully this will address the need for secure room access!
> Anyone with knowledge of the room UUID can listen to the conversation, even though the presence of the eavesdropper may (or may not) show up in the connected peers' counter.
Though much of Chitchatter's security model is based on security by obscurity, I don't know that peers would be able to connect without room participants being notified. Is there a scenario you have in mind where a peer would be able to connect and intercept messages without the peer counter incrementing?
> Further, in order to build assurance about the counter integrity, we would need to employ formal verification and code authentication techniques
Can you point me to resources that might help be understand what that might look like? I'm assuming it requires a third party to audit the project in-depth. I would further assume that such a service costs quite a bit of money. Chitchatter is not a revenue-generating project, so that would have to be to be figured out.
FWIW, I don't consider myself a security expert. I'm learning security best practices by developing Chitchatter. More than anything, I'm hoping to form a community of interested subject matter experts around this project to help build towards the vision of simple and secure communication! :)
https://github.com/gfodor/p2pcf
You always need some kind of centralization for discovery with WebRTC.
I'm not sure what the point might be in that case.
Or is it a cloudflare service based websocket service?
I'll check it out when I have a chance at Which point I'll probably have some more dumb questions!
The Cloudflare worker approach offers some unique tradeoffs that make it compelling relative to other options:
- Outage risk is reduced down to Cloudflare workers platform. (vs volunteer-run services like WebTorrent trackers)
- The costs are zero for a moderate level of traffic. (I intentionally designed the protocol for this project to take advantage of the cheapest available approach on Cloudflare, which is free in the best case.)
There are significant downsides to this plan depending on your threat model.
Unfortunately it doesn't include statistics on how successful the strategies are in practice.
[1] https://hal.inria.fr/hal-01597969/document
I'll try to surface this information to the user!
Why does it have the feeling of something being designed by Google?
Make it clear you can use markdown
Have a max size of message (noting that MD can make short messages take a lot of space)
Allow rooms to have names
QR Code to link to room
The short of it is, sending secure messages without anonymity is pretty well solved, and while DHTs/webtorrent will buy you some obscurity, it can't solve any anonymity problems at scale.
Additionally, a core feature of Chitchatter is that all communication is ephemeral and not persisted to disk, ever. Even if peers are identified, there would be no record of what communication took place. Do you think that should sufficiently protect users?
I'll agree those ideas are better.
My concerns are really only around "how to you meet in the middle". If you are running your own relay, what benefits does your software now have over a more general self-hosted chat? Design with "ease of deployment and use" in mind. I actually think this is a good start on that.
"Never stored" is moot. "We don't store it" is better.
You can at best promise the client the user is currently using isn't logging. Nothing stops the relay or the other clients. Any relay that can know the password owns all data going over it, and any other relay knows at least who is saying how much and when.
"I can't afford to spy on you and I don't even want the liability of being able to do so" is the real argument. WebRTC using 3rd party MITM servers provides that in theory. In practice WebRTC degrades into servers acting as proxies a decent chunk of the time. You are basically at the cutting edge of message ephemeralness and security you can get out of a browser app right now.
FWIW, Chitchatter is intended to be a community-driven project that takes no funding and makes no money. I'd like for it to exist as a sort of public good. So, there are no "customers" for this project. I've updated the README to clarify that. :)
> My concerns are really only around "how to you meet in the middle". If you are running your own relay, what benefits does your software now have over a more general self-hosted chat?
That makes sense. Having pairing and relay servers directly associated with Chitchatter is counterproductive because it effectively centralizes the overall solution. However, I'm imagining a variety of public pairing and relay servers that users could individually choose. It's not a great UX, but it seems like that would provide an effective anonymity solution.
> You can at best promise the client the user is currently using isn't logging. Nothing stops the relay or the other clients. Any relay that can know the password owns all data going over it, and any other relay knows at least who is saying how much and when.
Excellent point. There's only so much Chitchatter can do to solve this. I think the best solution is to inform the user of security concerns like this and encourage safer settings (like using non-default servers once the option to do so is implemented).
> You are basically at the cutting edge of message ephemeralness and security you can get out of a browser app right now.
That's what it seems like. It'll be interesting to see if a purely client-side solution for P2P browser networking develops, but as far as I know that is currently an unsolved problem.
And if you trust github/Microsoft to not play games on what is delivered to you (say, because someone backed by the patriot act asked them to).
For an alternative (but sadly barely-used) chat protocol that does use Tor, see Ricochet: https://en.wikipedia.org/wiki/Ricochet_(software)
Anyone can self-host it on free replit instance.