I don't think this kind of app could be an alternative to instagram because of it only being P2P with only people you know.
The app is using webRTC which exposes IP addresses, so you wouldn't want something like a global feed on this.
Immich sounds interesting. I'd like to make time to check it out.
Thanks!
P2P allows for a fairly unexplored infrastructure for content moderation. In this app, the feed of images would only be from people you connect to. For people to connect to you, you have to share a crypto random id.
As a webapp you can clear the site data by logging out. Basically, people cannot randomly connect to you and share things you don't like.
I won't be adding anything like a global feed. Only content that you shared or received.
This doesn't remove the risk of people sending you things you don't like so I'm all ears for an approach to that. I didn't make much progress on the following. If there are any hard features you think would help, let me know. I'd like to make some time to create a "block contact" but it'll take time and consideration to do it properly (so I don't expect it soon). Things like logging out and being able to backup your profile might be enough, but not as user-friendly as it could be.
Yes.
Thanks. I've com across it before. You can find the corresponding security audit online.
Ive tried to address those concerns and I try to give details about it here: https://lemmy.ml/post/18497337
Thanks for the tip. WebRTC is using aes-128, I see in my code I'm using RSA. It sounds like a good idea like to create a cascading cypher with aes-256 which seems to be regarded as "military grade" (but it seems there is no official spec definition for this).
thanks! i'll make a note of that to add. it looks reletively simple to implement in JS, i'll need to check more about browser compatability. tls 1.3 is already in use. i otherwise have wording throughout that users must trust who they connect to.
as for browser extensions, there are CSP headers set to prevent them from accessing personal details.
impossible to update the software
considering the app amounts to a bunch of statics. they wint update themselves if you dont want it to. the app works in many different forms because all form factors can have nuanced security details. its better for security that if people have the ability to selfhost, then they also have the option to choose the form-factor they use based on their preferences.
All nice ideas! I'll take a note. I'd like to make time to make it so on each initial connection it generates new keys too. This should be what I think is forward-secrecy. (Let me know if I'm wrong.)
I don't know the specifics of VPN and it's implication with webrtc, I tried testing and sharing my observations here. I'm open to advice here.
You asked about native builds... Tbh I don't know much about it. I did a short search-engine search and these seem to be well regarded. (Currently?) As a pwa I have a lot of flexibility in the apps form-factor. I was thinking about how easy it would be to make it into a browser extension. (It's not about it being useful, but just providing that extra option.)
I think for my app to be regarded well in security I think it's important for people to use their own instances. The "live app" as I call it is an experimental proof of concept. I wondering about the idea that the app is run on your own forks, but occasionally sync from upstream. As it stands my app is too garbage for anyone to want a copy, but that should eliminate those concerns.
It's also an offline first pwa. Right now it fetches the latest version, but I don't see why I can't create a toggle on the UI to not fetch if there is cache... Again the app is unstable and experimental. I'm working on fixes and improvements as I see it to make a better app. It's a while away from being able to advocate selfhosting to users. But in theory it could address your concerns?
Many attack vectors still indeed exist. With P2P web tech it seems that this allows for an interesting approach and could help reduce the attack-surface. The app is available for iOS, android and desktop. Let me know if you have more concerns.
My bad. I noticed the ego sometimes inflates which seems to stem for naive confidence.
I have observed pitfalls of other apps like mine. In particular one called crypto cat. I'm sure I can't ever be exhaustive enough in learning from other examples.
Reducing metadata is indeed the goal of security and I think I have it reduced to a level where I can exchange webrtc connection data over QR codes or plain text. The IP is exposed at this point but I think this can be further scrubbed with a VPN. Perhaps this is interesting for you. It the minimum example of establishing a webrtc connection with plain text. Not user friendly, but it work without a peer-broker service. In the app I'd like to frame this around exchanging data over QR code.
As for the bitcoin wallet thing, I would think so if it's well tested and ironed out well. As long as I can facilitate the downloading of the data (for backup) and the data syncing between devices then it would be doing that without registering to any backend. There are countless examples of bitcoin exchanges collapsing and taking people's assets. The same could be said with the quality of security provided by chat app providers.
My app is different because the auth is handled between peers. So it could only every be people you shared your ID with. Security is important for me on this project. Its more important than the app being popular. https://www.reddit.com/r/CyberSecurityAdvice/comments/1ev5kqn/is_this_a_secure_messaging_app/
People should not connect to strangers on this app because of the potential risks of IP exposure... But between people you trust or between your own devices, it should work as expected for testing.
As for allowing links with expiration, you basically have that already with what looks like the login/logout functionality. There is no actual registration, it's just a UI for creating and deleting crypto random ID profiles.
Lemmy and the fediverse is a good idea. The federation makes it so I can see Lemmy posts on mastodon. Etc... id like to draw a parallel in my app with the chat-view and the inteagram-view