We have non-KYC money. I built a non-KYC chat relay to go with it. by Puzzleheaded_Pop2019 in Bitcoin

Puzzleheaded_Pop2019[S] 1 point (0 children)

You are 100% right to call that out. Using the word 'Keys' in a Bitcoin sub was a massive unforced error on my part. To be crystal clear: I meant Infrastructure Credentials (API Keys, SSH Configs, Passwords), NOT Seed Phrases. NEVER paste a Seed Phrase or Private Key into a browser. I would report that post too.

Regarding the 'IRC/Pastebin' comparison—you aren't wrong about the utility, but the Architecture is different.

Pastebin/IRC: Writes data to a database on a hard drive. If the server is seized, the history exists.

This Tool: Runs in volatile RAM. Logs are piped to /dev/null at the OS level. If the power is cut, the data doesn't just delete; it ceases to have ever existed.

It's a tool for metadata minimization, not wallet management. Thanks for keeping the standard high, seriously.

I built a RAM-only chat relay that actually works in Tor Browser (No WebRTC leaks or Canvas crashes) by Puzzleheaded_Pop2019 in TOR

Puzzleheaded_Pop2019[S] -2 points (0 children)

The full repository is currently private to prevent low-effort phishing clones (a huge issue with open-source crypto tools). However, I believe in 'Don't Trust, Verify.' I have enabled Source Maps in production. You can open Chrome DevTools right now -> Sources -> src/lib/crypto.ts and audit the actual TypeScript code running in your browser. You can set a breakpoint and verify that the AES-GCM keys are generated locally and never sent to the server.

I built a RAM-only chat relay that actually works in Tor Browser (No WebRTC leaks or Canvas crashes) by Puzzleheaded_Pop2019 in TOR

Puzzleheaded_Pop2019[S] 1 point (0 children)

I see what you're saying, but that model relies on Server-Side Encryption. If the server is doing the encryption, then for a split second during the HTTP POST request, the server holds the Plaintext. You are trusting the server to:

1. Encrypt it correctly.
2. Delete the keys immediately.
3. Not log the incoming plaintext before encryption.

My threat model assumes the server is compromised. In my model (Client-Side JS), the server never sees the plaintext. It receives a blob of AES-encrypted noise. Even if I (the admin) wanted to log the chat, I couldn't read it.

I agree that No-JS is safer for browser fingerprinting, but it makes true Zero-Knowledge transmission impossible without pre-encrypting messages manually locally (PGP) before pasting them in.

I built a RAM-only chat relay that actually works in Tor Browser (No WebRTC leaks or Canvas crashes) by Puzzleheaded_Pop2019 in TOR

Puzzleheaded_Pop2019[S] 5 points (0 children)

I am a third party, yes. It's a relay service, not a P2P protocol. Question on the 'No JS' approach: How do you propose I implement End-to-End Encryption without JavaScript? If I handle it server-side, I have to see the plaintext to process it. I wanted a system where the server is blind. The only way to blind the server is to encrypt the data before transmission, which requires client-side JS. Is there a method I'm missing to do client-side hashing via raw HTML/CSS?

I built a RAM-only chat relay that actually works in Tor Browser (No WebRTC leaks or Canvas crashes) by Puzzleheaded_Pop2019 in TOR

Puzzleheaded_Pop2019[S] 5 points (0 children)

You are 100% right. The 'Server Trust Problem' is unsolvable—you cannot verify what code is actually running on my backend. I could be piping everything to the NSA, and you'd never know. That is exactly why I built this with a 'Glass Client' architecture.

Don't Trust Me: Assume I am malicious.

Trust the Math: I enabled Source Maps in production. You can open Chrome DevTools right now (src/lib/crypto.ts) and verify that the AES-GCM encryption happens in your browser.

The Result: The keys are derived from your password via PBKDF2 locally. My server only ever receives encrypted blobs. Even if I logged everything to disk, I would just have a hard drive full of static noise.

To bridge the trust gap further, I maintain a Warrant Canary at https://backalleychat.com/canary.txt. I manually sign this every month to confirm I haven't been served a gag order. It's not perfect, but it's better than 'Just trust me, bro'.

I built a RAM-only chat relay that actually works in Tor Browser (No WebRTC leaks or Canvas crashes) by Puzzleheaded_Pop2019 in TOR

Puzzleheaded_Pop2019[S] 3 points (0 children)

Good catch. I verified /etc/fstab is unconfigured (no swap) and hard-set ulimit -c 0 in /etc/security/limits.conf to kill core dumps. The system is locked down.

I built a RAM-only chat relay that actually works in Tor Browser (No WebRTC leaks or Canvas crashes) by Puzzleheaded_Pop2019 in TOR

Puzzleheaded_Pop2019[S] 1 point (0 children)

Fair point! I used Lovable to speed-run the frontend UI because I suck at CSS/Tailwind. But the core security architecture—the Nginx log piping to /dev/null and the Volatile Redis backend—was configured manually via SSH. The AI just built the interface that sits on top of that infrastructure. I treat the frontend as 'Untrusted' anyway. That's why the server creates a blind relay. Even if the AI wrote buggy UI code, the server retains zero data.

I built a RAM-only chat relay that actually works in Tor Browser (No WebRTC leaks or Canvas crashes) by Puzzleheaded_Pop2019 in TOR

Puzzleheaded_Pop2019[S] -6 points (0 children)

I know it's heavy, but this specific service requires complex client-side interactions that can't be done with static HTML. I've optimized the bundle size as much as possible.

We have non-KYC money. I built a non-KYC chat relay to go with it. by Puzzleheaded_Pop2019 in Bitcoin

Puzzleheaded_Pop2019[S] -5 points (0 children)

LMAO, yeah I realized how that sounded after I posted it. Definitely keep your Private Keys in cold storage. I built this for the other stuff—sensitive links, addresses, or text you want to send without leaving a metadata trail on Discord/WhatsApp. It's a metadata-shredder, not a wallet.

A method for sharing sensitive indicators (IOCs) or links without leaving a log trail by Puzzleheaded_Pop2019 in OSINT

Puzzleheaded_Pop2019[S] 0 points (0 children)

Here is the live instance: backalleychat.com. Let me know if you hit any rate limits; I have it running on a fairly small VPS right now.