Updated PBKDF2 key derivation parameters to align with OWASP 2025 recommendations. PBKDF2-HMAC-SHA256 now uses 310,000 iterations instead of 100,000 to improve resistance against modern GPU and ASIC brute-force attacks.
- Updated both encryptData() and decryptData() derivation routines.
- Ensures ~100ms derivation time on modern CPUs (meets OWASP 2025 standard).
- No changes required for backward compatibility of existing ciphertexts.
SecureBit.chat v4.4.99
World's first P2P messenger with ECDH + DTLS + SAS security and military-grade cryptography
🎯 Overview
SecureBit.chat is a revolutionary peer-to-peer messenger that prioritizes your privacy with military-grade encryption. No servers, no registration, no data collection - just pure, secure communication.
Key Features
- 🔐 19-Layer Military Security - ECDH + DTLS + SAS verification
 - 🌐 Pure P2P Architecture - No servers, truly decentralized
 - 📱 Progressive Web App - Install like a native app
 - 📂 Secure File Transfer - End-to-end encrypted P2P file sharing
 - 🔔 Smart Notifications - Browser alerts only when away
 - 🎭 Complete Anonymity - Zero data collection, no registration
 
✨ What's New in v4.4.99
🔔 Secure Browser Notifications
- Smart delivery when user is away from chat tab
 - Cross-browser compatibility (Chrome, Firefox, Safari, Edge)
 - Page Visibility API integration with proper tab focus detection
 - XSS protection with text sanitization and URL validation
 - Rate limiting and spam protection
 - Automatic cleanup and memory management
 
🧹 Code Cleanup & Architecture
- Removed session management logic for simplified architecture
 - Eliminated experimental Bluetooth module
 - Cleaned debug logging from production code
 - Removed test functions from production build
 - Enhanced error handling for production stability
 
🛡️ Security Enhancements
- ECDH + DTLS + SAS System - Triple-layer security verification
 - ASN.1 Full Structure Validation - Complete key structure verification
 - Enhanced MITM Protection - Multi-layer defense system
 - Secure Key Storage - WeakMap-based isolation
 - Production-Ready Logging - Data sanitization and privacy protection
 - HKDF Key Derivation - RFC 5869 compliant key separation and derivation
 
🏆 Why SecureBit.chat?
Security Comparison
| Feature | SecureBit.chat | Signal | Threema | Session | 
|---|---|---|---|---|
| Architecture | 🏆 Pure P2P WebRTC | ❌ Centralized | ❌ Centralized | ⚠️ Onion network | 
| File Transfer | 🏆 P2P encrypted | ✅ Via servers | ✅ Via servers | ✅ Via servers | 
| PWA Support | 🏆 Full PWA | ❌ None | ❌ None | ❌ None | 
| Registration | 🏆 Anonymous | ❌ Phone required | ✅ ID generated | ✅ Random ID | 
| Traffic Obfuscation | 🏆 Advanced | ❌ None | ❌ None | ✅ Onion routing | 
| Data Storage | 🏆 Zero storage | ⚠️ Local database | ⚠️ Local + backup | ⚠️ Local database | 
| ASN.1 Validation | 🏆 Complete | ⚠️ Basic | ⚠️ Basic | ⚠️ Basic | 
Legend: 🏆 Category Leader • ✅ Excellent • ⚠️ Partial/Limited • ❌ Not Available
19-Layer Military Security
- WebRTC DTLS transport encryption
 - ECDH P-384 perfect forward secrecy
 - AES-GCM 256 authenticated encryption
 - ECDSA P-384 message integrity
 - Replay protection with timestamp validation
 - Automatic key rotation (every 5 min/100 messages)
 - MITM verification with out-of-band codes
 - Traffic obfuscation and pattern masking
 - Complete metadata protection
 - Memory protection with no persistent storage
 - Hardware security with non-extractable keys
 - Session isolation and complete cleanup
 - Mutex framework for race condition protection
 - Secure key storage with WeakMap isolation
 - Production logging with data sanitization
 - ASN.1 complete key structure verification
 - OID validation for algorithms and curves
 - EC point format and structure verification
 - HKDF key derivation with proper key separation
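
The last layers in this list (ASN.1 structure, OID and EC point format checks) amount to a strict DER walk over the peer's SubjectPublicKeyInfo before it reaches importKey(). The following is an added example of such a check for P-384, not the project's ASN1Validator.js; the function names and the sample key are constructed for illustration.

```javascript
// Added example (not SecureBit.chat's ASN1Validator.js): structural check of a
// DER-encoded P-384 SubjectPublicKeyInfo (RFC 5480). Function names are assumptions.
const OID_EC_PUBLIC_KEY = '2a8648ce3d0201'; // 1.2.840.10045.2.1 (id-ecPublicKey)
const OID_SECP384R1 = '2b81040022';         // 1.3.132.0.34 (secp384r1)
const hex = (b, s, e) => Array.from(b.subarray(s, e), (x) => x.toString(16).padStart(2, '0')).join('');

// Read one DER TLV at `pos`; rejects indefinite, oversized and non-minimal lengths.
function readTlv(buf, pos, expectedTag) {
  if (pos + 2 > buf.length) throw new Error('truncated TLV header');
  if (buf[pos] !== expectedTag) throw new Error('unexpected tag');
  let len = buf[pos + 1];
  let start = pos + 2;
  if (len & 0x80) {
    const n = len & 0x7f;
    if (n === 0 || n > 2) throw new Error('unsupported length form');
    if (start + n > buf.length) throw new Error('truncated length');
    len = 0;
    for (let i = 0; i < n; i++) len = (len << 8) | buf[start + i];
    if (len < 0x80 || (n === 2 && len < 0x100)) throw new Error('non-minimal length');
    start += n;
  }
  if (start + len > buf.length) throw new Error('length exceeds buffer');
  return { start, end: start + len };
}

function validateP384Spki(der) {
  const spki = readTlv(der, 0, 0x30);                 // SubjectPublicKeyInfo SEQUENCE
  if (spki.end !== der.length) throw new Error('trailing bytes after SPKI');
  const alg = readTlv(der, spki.start, 0x30);         // AlgorithmIdentifier SEQUENCE
  const algOid = readTlv(der, alg.start, 0x06);
  const curveOid = readTlv(der, algOid.end, 0x06);
  if (curveOid.end !== alg.end) throw new Error('extra data in AlgorithmIdentifier');
  if (hex(der, algOid.start, algOid.end) !== OID_EC_PUBLIC_KEY) throw new Error('not id-ecPublicKey');
  if (hex(der, curveOid.start, curveOid.end) !== OID_SECP384R1) throw new Error('curve is not secp384r1');
  const bits = readTlv(der, alg.end, 0x03);           // subjectPublicKey BIT STRING
  if (bits.end !== spki.end) throw new Error('extra data after key');
  if (der[bits.start] !== 0x00) throw new Error('unused bits must be 0');
  const point = der.subarray(bits.start + 1, bits.end);
  if (point.length !== 97 || point[0] !== 0x04) throw new Error('expected 97-byte uncompressed point');
  return point; // structure only: the on-curve check is left to crypto.subtle.importKey
}

// Constructed sample: correct RFC 5480 header plus 96 filler bytes (not a real curve point).
function sampleSpki() {
  const header = [0x30, 0x76, 0x30, 0x10, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01,
    0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22, 0x03, 0x62, 0x00, 0x04];
  return Uint8Array.from([...header, ...new Array(96).fill(0xab)]);
}
```
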
 
🚀 Quick Start
Option 1: Use Online (Recommended)
- Visit securebitchat.github.io/securebit-chat
 - Install PWA by clicking "Install" button for native app experience
 - Choose "Create Channel" or "Join Channel"
 - Complete secure key exchange with verification
 - Verify security codes and start chatting
 - Communicate with military-grade encryption
 
Option 2: Self-Host
```bash
# Clone repository
git clone https://github.com/SecureBitChat/securebit-chat.git
cd securebit-chat
# Serve locally on port 8000 (pick one)
python -m http.server 8000        # Python
npx serve -l 8000 .               # Node.js
php -S localhost:8000             # PHP
# Open browser
open http://localhost:8000
```
📂 Secure File Transfer
Features
- P2P Direct Transfer - No servers, direct WebRTC channels
 - Military-Grade Encryption - AES-GCM 256-bit + ECDH P-384
 - Chunk-Level Security - Individual encryption per file chunk
 - Hash Validation - SHA-384 checksums prevent tampering
 - Automatic Recovery - Retry mechanisms for interruptions
 - Stream Isolation - Separate channels from chat messages
 
Supported Files
Documents (PDF, DOC, TXT), Images (JPG, PNG, GIF), Archives (ZIP, RAR), Media (MP3, MP4), and any file type up to size limits.
🔧 Technical Architecture
Cryptographic Stack
📂 File Transfer:     AES-GCM 256-bit + SHA-384 + Chunking
🔐 Application:       AES-GCM 256-bit + ECDSA P-384
🔑 Key Exchange:      ECDH P-384 (Perfect Forward Secrecy)
🛡️ Transport:         WebRTC DTLS 1.2
🌐 Network:           P2P WebRTC Data Channels
📱 PWA:               Service Workers + Cache API
🔒 Validation:        Complete ASN.1 DER parsing
Standards Compliance
- NIST SP 800-56A (ECDH Key Agreement)
 - NIST SP 800-186 (Elliptic Curve Cryptography)
 - RFC 8446 (TLS 1.3 for WebRTC)
 - RFC 5280 (X.509 Certificate Structure)
 - RFC 5480 (EC Subject Public Key Information)
 
Browser Requirements
Modern browser with WebRTC support (Chrome 60+, Firefox 60+, Safari 12+), HTTPS connection, JavaScript enabled, Service Worker support for PWA.
🗺️ Roadmap
Current: v4.4.99 - Browser Notifications & Code Cleanup ✅
Next Releases:
- v4.5 (Q2 2025) - Mobile & Desktop Apps
  - Native mobile applications (iOS/Android)
  - Electron desktop application
  - Push notifications and cross-device sync
- v5.0 (Q4 2025) - Quantum-Resistant Edition
  - CRYSTALS-Kyber post-quantum key exchange
  - SPHINCS+ post-quantum signatures
  - Hybrid classical + post-quantum schemes
- v5.5 (Q2 2026) - Group Communications
  - P2P group chats (up to 8 participants)
  - Mesh networking topology
  - Anonymous group administration
- v6.0 (2027) - Decentralized Network
  - DHT-based peer discovery
  - Built-in onion routing
  - Decentralized identity system

💻 Development
Project Structure
```
securebit-chat/
├── index.html                    # Main application
├── manifest.json                 # PWA manifest
├── sw.js                         # Service worker
├── src/
│   ├── components/ui/            # React UI components
│   ├── crypto/                   # Cryptographic utilities
│   │   └── ASN1Validator.js      # ASN.1 DER parser
│   ├── network/                  # WebRTC P2P manager
│   ├── notifications/            # Browser notifications
│   ├── transfer/                 # File transfer system
│   ├── pwa/                      # PWA management
│   └── styles/                   # CSS styling
├── logo/                         # Icons and logos
└── docs/                         # Documentation
```
Build Workflow
```bash
# CSS changes (Tailwind)
npm run build:css
# JavaScript/JSX changes
npm run build:js
# Full rebuild (recommended)
npm run build
# Development with live server
npm run dev
```
Important: Always rebuild after changes. Source files are in src/, generated files in assets/ and dist/. Never edit generated files directly.
Technology Stack
- Frontend: Pure JavaScript + React (via CDN)
 - PWA: Service Workers + Cache API + Web App Manifest
 - Cryptography: Web Crypto API + custom ECDH/ECDSA + ASN.1 parser
 - Network: WebRTC P2P Data Channels
 - Notifications: Browser Notifications API + Page Visibility API
 - File Transfer: Enhanced secure P2P streaming with chunked encryption
 - Styling: TailwindCSS + custom CSS
 
🛡️ Security
Audit Status
- ✅ Internal cryptographic review completed
 - ✅ P2P protocol security analysis completed
 - ✅ File transfer security validation completed
 - ✅ ASN.1 validation and key verification completed
 - 🔄 Professional security audit planned Q3 2025
 
Vulnerability Reporting
Contact: SecureBitChat@proton.me
See SECURITY.md for detailed security policy.
Security Features
- Perfect Forward Secrecy for messages and files
 - Out-of-band verification prevents MITM attacks
 - Traffic obfuscation defeats network analysis
 - Memory protection with no persistent storage
 - Complete ASN.1 key structure validation
 - File integrity with SHA-384 hash validation
 
📊 Performance
- Connection setup: < 3 seconds
 - Message latency: < 100 ms (P2P direct)
 - File transfer speed: Up to 5 MB/s
 - Memory usage: < 50 MB active session
 - PWA install size: < 2 MB
 - Key validation: < 10 ms (ASN.1 parsing)
 
🤝 Contributing
We welcome contributions! Here's how:
- Fork the repository
- Create feature branch: `git checkout -b feature/amazing-feature`
- Commit changes: `git commit -m "Add amazing feature"`
- Push to branch: `git push origin feature/amazing-feature`
- Open Pull Request
 
Contribution Areas
🔐 Cryptography • 🌐 Network • 🔔 Notifications • 📂 File Transfer • 📱 PWA • 🎨 UI/UX • 📚 Documentation • 🔒 ASN.1 Validation
📞 Contact & Support
- Email: SecureBitChat@proton.me
 - GitHub: Issues & Discussions
 - Security: SecureBitChat@proton.me
 
⚠️ Important Disclaimers
Security Notice
While SecureBit.chat implements military-grade cryptography, no system is 100% secure. Always verify security codes out-of-band and keep devices updated.
Legal Notice
This software is provided "as is" for educational and research purposes. Users are responsible for compliance with local laws regarding cryptographic software and private communications.
Privacy Statement
SecureBit.chat collects zero data, stores nothing, requires no registration, and uses no servers. All data exists only in browser memory with direct P2P connections.
📄 License
MIT License - see LICENSE file for details.
100% open source with full transparency, no telemetry, and zero data collection.
SecureBit.chat Security Team
Committed to protecting your privacy with military-grade security
Report vulnerabilities: SecureBitChat@proton.me
Latest Release: v4.4.99 - Browser Notifications & Code Cleanup