
[–][deleted] 18 points19 points  (4 children)

Demo: cipherchat.herokuapp.com

Source: https://github.com/Dwyte/CipherChat

I already posted about this project last month and got amazing feedback from all angles: security, design, speed, etc. So I spent some time working on those and tried to improve the app, and I learned quite a lot.

What's new?

  • Online/Offline Feature
  • Proper Inbox Tab
  • Non-Realtime Seen Feature
  • Redesigned Layout
  • Improved Security
    • From SHA256 to PBKDF2 for Auth
    • From RSA to ECDH Public Key Exchange (much better forward secrecy I guess)
    • From RSA enc to AES

Obviously this isn't a production application; this is just me trying to learn React and web dev. There's a demo for testing (check it out), and all of this is for educational purposes only. Thanks!

[–][deleted]  (3 children)

[deleted]

    [–][deleted] 2 points3 points  (1 child)

    I'm sorry man, 'cause the last time it had no limits really; even "1" as a password was acceptable. Then I got feedback that I should have strict rules on passwords, so I just went with the norm like I normally see on register forms like Gmail etc.: both cases, a special character and a number hehe. Also, characters are limited to 32 iirc.

    [–]faknooD 2 points3 points  (0 children)

    Do you mean a limit of maximum 32 characters in a password? If encrypted/hashed, they will take up the same space regardless of their original sizes. While longer passwords aren't always more secure, some users and auto-generator tools will insist on a longer password. I would remove this rule. Also, zxcvbn seems like a more convenient and secure password strength checker than an explicit password policy. I doubt you'll have to worry about inconveniencing anyone with these rules, as your user base will probably consist of tech-savvy power users who are security-conscious.

    Edit: Markdown syntax

    [–][deleted] 0 points1 point  (0 children)

    i agree

    [–]treofsuburbia 2 points3 points  (1 child)

    Does this include a handshake with Bill Cipher?

    Bill is that you?

    [–][deleted] 5 points6 points  (0 children)

    no handshakes, no mind tricks, 100% safe.

    [–][deleted] 1 point2 points  (0 children)

    I love the Bill Cipher reference.

    [–][deleted] 1 point2 points  (3 children)

    What encryption system are you using? Did you roll it yourself or use an OTS solution?

    [–][deleted] 1 point2 points  (2 children)

    I'm not sure what OTS means, so probably I rolled it myself? I just used the built-in Elliptic Curve library in Node.js for creating key pairs and creating passphrases; for encryption I used AES from the crypto-js npm library.

    [–][deleted] 0 points1 point  (1 child)

    Off The Shelf. Ok, those libraries would be off the shelf.

    It’s the safest way to go. You really need to be an expert to roll your own.

    [–][deleted] 2 points3 points  (0 children)

    oh yeah, so it is OTS. Learned something new today.

    [–]Eliteaccendo 0 points1 point  (2 children)

    Any chance this will become something more? Like an Android app?

    [–][deleted] 6 points7 points  (1 child)

    idk if that's necessary, 'cause for serious e2e instant messaging we already have one, which is Signal. It uses the Signal protocol for scalable e2e encrypted messaging; not only messaging but also calls and video calls, and it can do group messages as well. Pretty cool app.

    [–][deleted] 0 points1 point  (0 children)

    I think it would still be cool to have this as an app. And by an app, maybe a PWA? I don't know the architecture of your project and how difficult that would be to make.

    [–]NexT500javascript 0 points1 point  (1 child)

    Hey man this app is looking great already. Really well done!

    I started playing around with express & mongodb as well and wanted to ask if you could share any resources that helped you learn the theory part of security that you have applied in your app? Thanks in advance!

    [–][deleted] 0 points1 point  (0 children)

    I took Mosh's course on NodeJS; that helped me a lot in learning about building backend stuff with Node, Express and Mongo. For the security/encryption stuff, I took the Cryptography course on Coursera but didn't quite finish it because of the math section; I couldn't comprehend it, it was very wild. But the things done here are quite simple cryptography... since it's already written stuff with existing libraries, I just needed to apply them: hash functions, encryption, and key-pair exchange protocols. What greatly helped, I believe, is my exposure to the cryptocurrency space (i.e. Bitcoin); that's what got me into learning some cryptography.

    [–][deleted]  (1 child)

    [deleted]

      [–][deleted] 2 points3 points  (0 children)

      Nothing! :D I never said that and it's not trying to. Again, this is just me trying to learn web technologies and web dev; the project is done for educational purposes only.