• 25 Posts
  • 19 Comments
Joined 5 months ago
cake
Cake day: June 14th, 2024

help-circle








  • thanks!

    when i started, the attempt was to try to create this functionality without using any dependencies (including Lit). the Lit html function is well done and makes things very convenient for handling things like the lifecycle methods and caching states.

    i would like to revisit that attempt, but i found that Lit does it very well and for me to create something from scratch would take much more consideration and i expect i would overlook some nuanced detail. i’ll see what i can make of it in future changes.

    while im sure Lit users could benefit from this, as for contributing to the Lit ecosystem, im not really sure what steps to take for this. similarly, React 19 also introduces “support” for web components.





















  • “connect to expressvpn and run the test”… is that actually what you were doing?

    i tried with a different VPN provider but yeah. understandable for people to not go to an unknown websites like the demo i posted, so a link to the code on github is provided.

    IMO you simply can’t do anything reasonably useful here

    i agree… im stretching the definition of what is “reasonable”. id settle some something clunky likes a popup for the user to remind them to be on VPN. its important to understand im putting efforts in determining what the safest and securest way is to use my app. i think it has the potential to be a private and secure chat app. the app works with webrtc, the key attack-surface is individuals and their peers not applying good security practices.

    in traditional centralized chat system the central server will typically take responsibility for proxying request and consequently, the personal IP addresses are not needed to be shared. so having something like a toggle for “enforce VPN” might do nothing more than remind the user to turn on their VPN. but sometimes a reminder is what someone needs to use good security practices.








  • id like to make it clear that the app is using webrtc which requires IP addresses to be exchanged which could result in IP address being exposed when using the public peerjs-server (hosting your own is an option). this app is explicitly NOT for anonymous communication. it explicitly shares IP addresses and data sent/recieved from peers cannot be moderated. the app is using cryptographically random ID’s for profiles to make sure they are unguessable. the connection details have to explicitly be shared.

    the app is pretty experimental in how it works so there isnt any useful documentation on it apart from what is mentioned in the post. if you have questions, feel free to ask and i can try to explain the best i can.


  • https://www.reddit.com/r/Rad_Decentralization/comments/1de5ajk/a_decentralized_microfrontend_architecture/

    there may be details you are interested in, but the post is quite large. you can search in that that post about how i plan to deal with syncing between devices. the functionality is not working in the app at the moment.

    the data is persisted to browser storage, and unsent messages will be queued up when peers are not connected. similarly, the functionlity is not working at the moment.

    peer discovery can be a whole separate discussion. the app provides ways to exchange connection data with links and QR codes. it is important that the user shares this with peers they trust, the ID is otherwise cryptographically random. upon first connection asymetric encryption keys are created and used for every future connection (to prevent impersonation).

    Why are only parts opensource?

    the part that isnt open source is the aws-cdk repo im using for deploying to S3. the app is otherwise open source and i give the instructions to deploy on your own github-pages if you want.

    can you explain more about that licence?


  • your concerns are well placed. i am not a security expert and the project is not a mature enough for it to have a security professional take a look, so it shouldnt be considered secure or encrypted until someone reputable can verify it.

    i open sourced it so i could investigate getting security advice without a budget… but of course its pretty complex to do without a budget. so i’ll settle with what feedback i can get.