SecureBitChat/securebit-chat
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
218 Commits 2 Branches 6 Tags
main
T
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
lockbitchat 2468cb495e
CodeQL Analysis / Analyze CodeQL (push) Has been cancelled
Details
Deploy Application / deploy (push) Has been cancelled
Details
Mirror to Codeberg / mirror (push) Has been cancelled
Details
Mirror to PrivacyGuides / mirror (push) Has been cancelled
Details
release: v4.8.7 WebRTC join reliability patch
2026-05-19 09:49:22 -04:00
.github/workflows
feat: implement comprehensive PWA force update system
2025-12-29 10:51:07 -04:00
assets
release: prepare v4.8.5 security hardening release
2026-05-17 14:48:52 -04:00
config
release: v4.8.7 WebRTC join reliability patch
2026-05-19 09:49:22 -04:00
dist
release: v4.8.7 WebRTC join reliability patch
2026-05-19 09:49:22 -04:00
doc
release: prepare v4.8.5 security hardening release
2026-05-17 14:48:52 -04:00
libs
chore: remove debug logging and disable debug mode for production
2025-10-02 01:43:32 -04:00
logo
New component with partner logos
2025-12-30 04:16:41 -04:00
public
feat: implement comprehensive PWA force update system
2025-12-29 10:51:07 -04:00
scripts
feat: implement comprehensive PWA force update system
2025-12-29 10:51:07 -04:00
src
release: v4.8.7 WebRTC join reliability patch
2026-05-19 09:49:22 -04:00
tests
release: v4.8.7 WebRTC join reliability patch
2026-05-19 09:49:22 -04:00
tools
feat(security,ui): self-host React deps, Tailwind, fonts; strict CSP; local QR; better selection state
2025-09-08 16:04:58 -04:00
.gitignore
chore: stop tracking node_modules
2026-05-17 18:03:10 -04:00
.htaccess
Fix CSP errors, MIME types, and Service Worker issues
2026-01-06 23:01:32 -04:00
browserconfig.xml
feat: Add comprehensive PWA support with offline functionality
2025-08-17 16:04:45 -04:00
build.ps1
feat: implement build system and development workflow
2025-09-08 19:22:50 -04:00
CHANGELOG.md
release: v4.8.7 WebRTC join reliability patch
2026-05-19 09:49:22 -04:00
favicon.ico
add icon
2025-08-13 22:57:38 -04:00
ico.svg
First commit - all files added
2025-08-11 20:52:14 -04:00
index.html
release: v4.8.7 WebRTC join reliability patch
2026-05-19 09:49:22 -04:00
LICENSE
update name
2025-08-16 19:17:32 -04:00
manifest.json
release: v4.8.7 WebRTC join reliability patch
2026-05-19 09:49:22 -04:00
meta.json
release: v4.8.7 WebRTC join reliability patch
2026-05-19 09:49:22 -04:00
package-lock.json
release: v4.8.7 WebRTC join reliability patch
2026-05-19 09:49:22 -04:00
package.json
release: v4.8.7 WebRTC join reliability patch
2026-05-19 09:49:22 -04:00
README.md
release: v4.8.7 WebRTC join reliability patch
2026-05-19 09:49:22 -04:00
RESPONSIBLE_USE.md
- SECURITY_DISCLAIMER.md: Developer liability protection
2025-08-17 16:31:22 -04:00
SECURITY_DISCLAIMER.md
release: prepare v4.8.5 security hardening release
2026-05-17 14:48:52 -04:00
SECURITY.md
release: prepare v4.8.5 security hardening release
2026-05-17 14:48:52 -04:00
sw.js
fix: enforce service worker cache allowlist
2026-05-17 23:22:46 -04:00
tailwind.config.json
feat(security,ui): self-host React deps, Tailwind, fonts; strict CSP; local QR; better selection state
2025-09-08 16:04:58 -04:00

README.md

SecureBit.chat v4.8.7

SecureBit.chat is a browser-based peer-to-peer chat application built on WebRTC and Web Crypto APIs. It is designed for direct encrypted communication, explicit peer verification, and a small operational footprint without account registration or server-side message storage.

Security model

SecureBit.chat uses:

  • ECDH key agreement with derived session keys
  • DTLS-protected WebRTC transport
  • deterministic Short Authentication String (SAS) verification
  • end-to-end encrypted chat payloads
  • replay protection and session-state cleanup
  • encrypted local key metadata in IndexedDB

A session is not treated as verified until both peers complete the interactive SAS flow. Each user must compare the displayed code with the peer through an out-of-band channel and enter the matching code manually. Three failed SAS attempts terminate the session.

Highlights in v4.8.7

  • Manual WebRTC setup now preserves pending offer/answer state during slow out-of-band exchange.
  • TURN relay fallback can be configured through config/ice-servers.js for restrictive networks.
  • ICE diagnostics now identify mDNS-only candidate failures without exposing full peer IPs.

This patch release strengthens the existing security model with a focused hardening pass:

  • SAS verification is bound to the actual DTLS fingerprint strings of both peers
  • chat sanitization uses DOMPurify-backed text-only output
  • WebRTC privacy mode is explicit and relay-only state stays synchronized at runtime
  • production debug window hooks are gated behind an explicit debug flag
  • receiver-side throttling covers inbound messages and file chunks
  • service-worker caching is restricted to an explicit safe-asset allowlist
  • disconnect cleanup leaves no orphaned delayed timer behind
  • node_modules is no longer tracked in Git

Quick start

Run locally

npm install
npm run build
npm run serve

Then open the local server URL in two browser windows or profiles.

Establish a session

  1. Create an offer in the first browser.
  2. Transfer the offer to the peer and create an answer.
  3. Return the answer to the first browser.
  4. Compare the SAS code out of band.
  5. Enter the matching SAS code on both sides.
  6. Begin chatting only after both peers are verified.

Configuration

TURN / privacy mode

Direct WebRTC connections may expose IP addresses to peers. SecureBit.chat supports a relay-only privacy mode:

  • default mode keeps normal WebRTC behavior and existing STUN support
  • relay-only mode sets iceTransportPolicy: "relay"
  • relay-only mode requires a configured TURN server
  • STUN alone does not hide IP addresses
  • public TURN credentials are not bundled or hardcoded

Configure ICE servers at deployment time and enable relay-only mode only when a TURN service is available. See doc/CONFIGURATION.md.

File transfer policy

Incoming file transfers require explicit user consent. Before the consent prompt appears, metadata is validated and dangerous names are rejected. Safe accepted categories are:

  • common raster images
  • PDF
  • plain text
  • ZIP archives

Executable, scriptable, and high-risk formats are rejected, including .exe, .bat, .cmd, .sh, .js, .msi, .dmg, .app, .jar, .scr, .ps1, .vbs, .html, and .svg. MIME type and filename extension must agree.

Development

Requirements

  • Node.js 18+
  • npm

Commands

npm install
npm test
npm audit
npm run build
npm run dev

Project layout

src/network/   WebRTC connection and session lifecycle
src/transfer/  secure file-transfer implementation
src/crypto/    cryptographic utilities
src/components React UI components
doc/           technical documentation

Documentation

Responsible use

SecureBit.chat is intended for lawful, ethical use. See RESPONSIBLE_USE.md and SECURITY_DISCLAIMER.md.

License

MIT License. See LICENSE.

Reference in New Issue View Git Blame Copy Permalink
S
Description
🔒 World's most secure P2P messenger. End-to-end encrypted, zero-server architecture, quantum-resistant roadmap. WebRTC direct connections, advanced ECDH + DTLS + SAS verification, full ASN.1 validation. Privacy-first communication for the post-surveillance age
anonymous-chatanti-abusebitcoindecentralizedend-to-end-encryptionp2p-chatreal-time-chatwebrtc
Readme MIT 223 MiB
Languages
JavaScript 96%
CSS 2.6%
HTML 1.2%
PowerShell 0.2%