2026-05-17 14:48:52 -04:00
# SecureBit.chat v4.8.5
SecureBit.chat is a browser-based peer-to-peer chat application built on WebRTC and Web Crypto APIs. It is designed for direct encrypted communication, explicit peer verification, and a small operational footprint without account registration or server-side message storage.
## Security model
SecureBit.chat uses:
- ECDH key agreement with derived session keys
- DTLS-protected WebRTC transport
- deterministic Short Authentication String (SAS) verification
- end-to-end encrypted chat payloads
- replay protection and session-state cleanup
- encrypted local key metadata in IndexedDB

A session is not treated as verified until both peers complete the interactive SAS flow. Each user must compare the displayed code with the peer through an out-of-band channel (a voice call or an in-person read-out, not the chat itself) and enter the matching code manually. Because the code is derived from the shared session material, an attacker who substitutes their own key exchange toward each peer produces two different codes, which the comparison exposes. Three failed SAS attempts terminate the session.
## Highlights in v4.8.5
This release consolidates several months of security hardening work by the project team:
- mandatory interactive SAS verification instead of passive click-through confirmation
- deterministic SAS computation from shared session material
- protocol version `4.1` negotiation with mismatch rejection
- optional TURN relay-only privacy mode with clear warnings when TURN is unavailable
- encrypted IndexedDB metadata with lazy migration from legacy plaintext records
- explicit file-transfer consent before any receive buffers are allocated
- strict file-type allowlist using both MIME type and extension checks
- incoming decrypted message sanitization before UI delivery
- improved disconnect, timer, file-transfer, and React UI cleanup behavior
- pinned dependency versions and a clean `npm audit` baseline
## Quick start
### Run locally
```bash
npm install
npm run build
npm run serve
```
Then open the local server URL in two browser windows or profiles.
### Establish a session
1. Create an offer in the first browser.
2. Transfer the offer to the peer and create an answer.
3. Return the answer to the first browser.
4. Compare the SAS code out of band.
5. Enter the matching SAS code on both sides.
6. Begin chatting only after both peers are verified.
## Configuration
### TURN / privacy mode
Direct WebRTC connections reveal each peer's IP address to the other through the ICE candidates exchanged during setup. SecureBit.chat supports a relay-only privacy mode:
- default mode keeps normal WebRTC behavior and existing STUN support
- relay-only mode sets `iceTransportPolicy: "relay"`
- relay-only mode requires a configured TURN server
- STUN alone does not hide IP addresses: it only discovers your public address so that it can be offered to the peer
- public TURN credentials are not bundled or hardcoded

Configure ICE servers at deployment time and enable relay-only mode only when a TURN service is available; with a relay-only policy and no TURN server, ICE gathers no candidates and the connection cannot be established. See [`doc/CONFIGURATION.md`](doc/CONFIGURATION.md).
### File transfer policy
Incoming file transfers require explicit user consent, and no receive buffer is allocated until the user accepts. Before the consent prompt appears, the offered metadata is validated and dangerous names are rejected. Accepted categories are:
- common raster images
- PDF
- plain text
- ZIP archives

Executable, scriptable, and high-risk formats are rejected, including `.exe`, `.bat`, `.cmd`, `.sh`, `.js`, `.msi`, `.dmg`, `.app`, `.jar`, `.scr`, `.ps1`, `.vbs`, `.html`, and `.svg` (the last two because both can carry script). The declared MIME type and the filename extension must each be on the allowlist and must agree with each other; a mismatch is rejected rather than resolved in favour of either value.
## Development
### Requirements
- Node.js 18+
- npm
### Commands
```bash
npm install
npm test
npm audit
npm run build
npm run dev
```
### Project layout
```text
src/network/     WebRTC connection and session lifecycle
src/transfer/    secure file-transfer implementation
src/crypto/      cryptographic utilities
src/components/  React UI components
doc/             technical documentation
```
## Documentation
- [`SECURITY.md`](SECURITY.md)
- [`doc/CONFIGURATION.md`](doc/CONFIGURATION.md)
- [`doc/CRYPTOGRAPHY.md`](doc/CRYPTOGRAPHY.md)
- [`doc/SECURITY-ARCHITECTURE.md`](doc/SECURITY-ARCHITECTURE.md)
- [`doc/API.md`](doc/API.md)
- [`CHANGELOG.md`](CHANGELOG.md)
## Responsible use
SecureBit.chat is intended for lawful, ethical use. See [`RESPONSIBLE_USE.md`](RESPONSIBLE_USE.md) and [`SECURITY_DISCLAIMER.md`](SECURITY_DISCLAIMER.md).
## License
MIT License. See [`LICENSE`](LICENSE).