This is an end-to-end encrypted chat application with an option
to perform a manual DH key exchange. The DH implementation
follows RFC 7919 and is the plain finite-field (modular arithmetic)
variant. Therefore it is NOT quantum resistant. A future quantum
computer might be able to break it in minutes if your exchange is
observed by an attacker. As of 2023, we're very far away from doing
that. You can still perform an in-person exchange of keys, which,
if not observed by a third party, will be secure (you then only
input the symmetric key before starting the conversation, skipping
the key exchange part). The encryption is carried out using ChaCha20
implemented in JavaScript as in RFC 7539. The authentication is performed
using Poly1305, according to the very same RFC 7539. Argon2 is used for key
derivation. Argon2, ChaCha20 and Poly1305 are all largely unaffected by
quantum computers, so everything after the key exchange should remain
secure for a long time, if it is ever broken at all.
The ChaCha20-Poly1305 implementation was verified against the
https://datatracker.ietf.org/doc/html/rfc7539
test vectors. These tests can be run from the browser console using the
Tester class' static methods. For your own testing and further information,
visit
https://chacha.kotol.cloud
where you can try the encryption and authentication yourself. It also has
much nicer visuals than this one. For the technical users out there, you
can also inspect the WebSocket traffic and plug the messages directly
into the other site; the two are compatible with each other. To view the source code,
use your browser's DevTools; it is neither minified nor obfuscated.
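To illustrate the kind of check the Tester class performs, here is a from-scratch JavaScript ChaCha20 block function (RFC 7539 section 2.3), written for this note rather than taken from the application, together with a helper that feeds it the RFC's section 2.3.2 test vector (key bytes 00..1f, counter 1, nonce 00:00:00:09:00:00:00:4a:00:00:00:00) so the keystream can be compared against the published bytes:

```javascript
// Added example, not the application's own code: ChaCha20 block function per RFC 7539.
function rotl(v, n) {
  return ((v << n) | (v >>> (32 - n))) >>> 0;
}

// One quarter round (RFC 7539 section 2.1), applied in place to words a, b, c, d of s.
// s is a Uint32Array, so every store wraps modulo 2^32 automatically.
function quarterRound(s, a, b, c, d) {
  s[a] += s[b]; s[d] = rotl(s[d] ^ s[a], 16);
  s[c] += s[d]; s[b] = rotl(s[b] ^ s[c], 12);
  s[a] += s[b]; s[d] = rotl(s[d] ^ s[a], 8);
  s[c] += s[d]; s[b] = rotl(s[b] ^ s[c], 7);
}

// Little-endian 32-bit words from a byte array (key and nonce are serialized this way).
function toWords(bytes) {
  const w = [];
  for (let i = 0; i < bytes.length; i += 4) {
    w.push((bytes[i] | (bytes[i + 1] << 8) | (bytes[i + 2] << 16) | (bytes[i + 3] << 24)) >>> 0);
  }
  return w;
}

// Returns the 64-byte keystream block for (32-byte key, 32-bit counter, 12-byte nonce).
function chacha20Block(key, counter, nonce) {
  const state = new Uint32Array(16);
  state.set([0x61707865, 0x3320646e, 0x79622d32, 0x6b206574], 0); // "expand 32-byte k"
  state.set(toWords(key), 4);
  state[12] = counter;
  state.set(toWords(nonce), 13);
  const w = Uint32Array.from(state);
  for (let i = 0; i < 10; i++) {                                  // 10 double rounds = 20 rounds
    quarterRound(w, 0, 4, 8, 12); quarterRound(w, 1, 5, 9, 13);   // column rounds
    quarterRound(w, 2, 6, 10, 14); quarterRound(w, 3, 7, 11, 15);
    quarterRound(w, 0, 5, 10, 15); quarterRound(w, 1, 6, 11, 12); // diagonal rounds
    quarterRound(w, 2, 7, 8, 13); quarterRound(w, 3, 4, 9, 14);
  }
  const out = new Uint8Array(64);
  for (let i = 0; i < 16; i++) {
    const v = (w[i] + state[i]) >>> 0;  // add the original state back in, then serialize LE
    out[4 * i] = v & 0xff; out[4 * i + 1] = (v >>> 8) & 0xff;
    out[4 * i + 2] = (v >>> 16) & 0xff; out[4 * i + 3] = v >>> 24;
  }
  return out;
}

const hex = (b) => Array.from(b, (x) => x.toString(16).padStart(2, "0")).join("");

// RFC 7539 section 2.3.2 inputs; returns the resulting keystream block as a hex string.
function rfcBlockTestVector() {
  const key = Uint8Array.from({ length: 32 }, (_, i) => i);
  const nonce = new Uint8Array([0, 0, 0, 9, 0, 0, 0, 0x4a, 0, 0, 0, 0]);
  return hex(chacha20Block(key, 1, nonce));
}
```

The RFC's expected block begins 10 f1 e7 e4 d1 3b 59 15 50 0f dd 1f a3 20 71 c4; any deviation in the first bytes almost always points at a wrong rotation amount or a swapped diagonal index.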
Logging
What is being logged by the server or the client:
What is NOT being logged by the server or the client:
- Any messages sent or received
- Statistics on message size, type, frequency
- Room names
- Keys (never transmitted over the network)
- Analytics data
- Basically anything the server could log about this
- Additional note: the page itself keeps no information once the browser tab is closed
Understanding the above, go ahead and enjoy the mini project :)