independent secure chat
Recently I installed Telegram, an instant messenger with a special focus on security. When starting the app for the first time, I encountered something unexpected: the first thing it did was ask me for my phone number. I did not expect that from an app that is used by the people of Hong Kong to organize their demonstrations.
The messages are end-to-end encrypted, but that does not help much when the provider has perfectly identified who I am. Inside the app I join groups and add contacts, so at the very least the provider knows who I am communicating with. And since they also know exactly who is on the other side, it would be possible to create a very detailed profile.
This thought did not leave me alone. The chat app still knows exactly who I am talking with, so I went looking for a secure, trustworthy alternative. And I cannot lose the thought that it would be possible to develop a truly secure chat app. So let us collect some ideas that are required for a safe chat app.
open platform
I believe an app that is supposed to serve as a secure and reliable chat platform has to stand on an open platform. The software has to be open source and needs a free license. That is why, when I build it, it will be built under the MIT license.
It also needs to run on basically every device. The best software platform, I truly believe, is the web platform with HTML/CSS/JavaScript. The APIs need to be documented in a general specification so that other implementations are possible. Using the web platform and building a progressive web app allows most devices today to use the app.
Everyone should be able not only to download and install a client, but also to set up and run their own server, so that a user's client can connect to servers they trust: servers hosted by independent third parties who have no relation to the user, or servers provided by a trusted friend or other person. It should also be easy for the user to switch to another server as their home server.
secure
I believe security is only possible when it is easy to use. Only by keeping things as easy as possible can people understand them and use them without mistakes.
That is why, a long time ago, I implemented an easy-to-use encryption library. It sits on top of a secure, popular crypto library and provides an API that is easy to understand for every developer. Check it out: trsa is able to generate an RSA key pair in the browser, encrypt and decrypt data, and sign and verify signatures. Five methods are all it takes to build cryptographically excellent applications.
You only use servers that you trust, that you have heard can be trusted, or any other server that is willing to provide a good service. The good thing is that you can choose a server without the server even knowing who you are. It will store and forward messages addressed to your public key without having to know who is behind that public key. In fact, you could have multiple key pairs and identities: the user could use multiple servers, and on every server multiple identities.
The same goes for contacts: for every contact of yours, the app can create a key pair specific to the communication with that one person or group.
Groups. I believe any communication platform that wants to be taken seriously has to support group communication. This can be achieved by sharing a key pair within the group. In today's apps, it can be tightly controlled who is allowed into the group and who is not. Sadly, this is only a feature that feels secure, because any user in that group can forward messages one to one into another channel or group, or make them public. So we can just as well allow everyone to share the private key of the group with others.
implementation
Fact is, I have already started experimenting with building an app. Starting with the Vue.js CLI tool was the best experience I ever had kick-starting an app. In a very short time I had key management working in the browser. Soon I will create contacts and start chatting.
The first server implementation will be built using the de facto standard for Node.js: Express. The server is going to have no more dependencies than a few modules, and it will not be necessary to install any database server or anything else. It should be easy to set up a server; in fact, it should be as easy as setting up the popular REST API mock server, JSON Server.
features
Did I mention the cool features I plan to provide in the web app? Groups are only one of them. I want to share pictures, and on top of this, I also want to share audio messages. How do you like that? Did you ever have a website you spoke into? That is very rare. The new chat app is going to have that.
conclusion
What is your conclusion? How do you like this project? Do you think it will be helpful to have such a chat application available? It can be used within just a small group or team, or to communicate with your grandmother.