SecureBitChat/securebit-chat
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

release: prepare v4.8.5 security hardening release
CodeQL Analysis / Analyze CodeQL (push) Has been cancelled
Details
Deploy Application / deploy (push) Has been cancelled
Details
Mirror to Codeberg / mirror (push) Has been cancelled
Details
Mirror to PrivacyGuides / mirror (push) Has been cancelled
Details

Browse Source
This commit is contained in:
lockbitchat
2026-05-17 14:48:52 -04:00
parent 4b8c8829f1
commit 0a42aa13c3
35 changed files with 2975 additions and 11976 deletions
Download Patch File Download Diff File Expand all files Collapse all files
SECURITY_DISCLAIMER.md
+16 -233
View File
@@ -1,244 +1,27 @@
# Security Disclaimer and Terms of Use
## 🔒 SecureBit.chat Enhanced Security Edition v4.02.442
SecureBit.chat is provided as open-source software for lawful private communication, research, and education. It is supplied **as is**, without warranties of any kind.
### Important Legal Notice
## User responsibilities
**READ THIS DISCLAIMER CAREFULLY BEFORE USING SECUREBIT.CHAT SOFTWARE**
By using SecureBit.chat, you are responsible for:
---
- complying with applicable laws and organizational policies
- securing your devices and browser environment
- verifying SAS codes through an out-of-band channel
- understanding that endpoint compromise can defeat application-layer protections
- configuring TURN correctly when relay-only privacy mode is required
## 📋 Overview
## Security limitations
SecureBit.chat is an open-source, peer-to-peer encrypted messaging application designed to support **freedom of speech** and **privacy rights**. This software implements military-grade cryptography with complete ASN.1 validation and is provided as-is for educational, research, and legitimate communication purposes.
No communication system can guarantee absolute security. SecureBit.chat reduces risk through encrypted transport, mandatory peer verification, explicit file-transfer consent, local metadata protection, and lifecycle cleanup, but it cannot protect against compromised devices, malicious users with physical access, or incorrect operational practices.
---
## Intended use
## ⚖️ Legal Disclaimer
SecureBit.chat is intended for legitimate private communication, journalism, research, education, business confidentiality, and personal privacy. It is not intended to facilitate unlawful activity, abuse, harassment, or harm.
### Developer Liability
## Current release
**THE DEVELOPER(S) OF SECUREBIT.CHAT ASSUME NO RESPONSIBILITY OR LIABILITY FOR:**
- Any misuse, illegal use, or criminal activities conducted using this software
- Compliance with local, national, or international laws and regulations
- Any damages, losses, or consequences resulting from the use of this software
- The security or privacy of communications in jurisdictions where encryption is restricted
- Any vulnerability, security flaw, or compromise that may occur despite our security measures
### User Responsibility
**BY USING SECUREBIT.CHAT, YOU ACKNOWLEDGE AND AGREE THAT:**
1. **Full Legal Responsibility**: You bear complete and sole responsibility for how you use this software
2. **Compliance Obligation**: You must ensure your use complies with all applicable laws in your jurisdiction
3. **Risk Acceptance**: You understand and accept all risks associated with using encrypted communication software
4. **No Warranty**: This software is provided "AS IS" without any warranties, express or implied
---
## 🌍 Jurisdictional Considerations
### Encryption Laws Vary Globally
- **Some countries restrict or prohibit** the use of strong encryption
- **Export controls** may apply in certain jurisdictions
- **Corporate/government networks** may have policies against encrypted communications
- **Users must verify** local laws before using this software
### High-Risk Jurisdictions
**Exercise extreme caution** in countries with:
- Restrictions on encrypted communications
- Surveillance laws requiring backdoors
- Penalties for using VPN/encryption software
- Authoritarian internet controls
---
## 🎯 Intended Use Cases
### ✅ Legitimate Uses (Encouraged)
- **Journalism**: Protecting sources and whistleblowers
- **Human Rights**: Organizing and advocacy in oppressive regimes
- **Business**: Corporate communications requiring confidentiality
- **Personal Privacy**: Private communications between individuals
- **Research**: Academic study of cryptographic protocols
- **Education**: Learning about secure communication systems
### ❌ Prohibited Uses (Illegal/Unethical)
- Any illegal activities under applicable law
- Criminal conspiracies or planning illegal acts
- Harassment, threats, or abuse of others
- Circumventing legitimate law enforcement (where legally required)
- Distribution of illegal content
- Financial crimes or fraud
---
## 🔐 Security Limitations
### No Absolute Security
**UNDERSTAND THAT:**
- No cryptographic system is 100% unbreakable
- Implementation bugs may exist despite best efforts
- Social engineering and endpoint security remain vulnerabilities
- Quantum computing may eventually threaten current encryption
- Traffic analysis may reveal communication patterns
### User Security Responsibilities
**YOU MUST:**
- Keep your devices secure and updated
- Use strong, unique passwords
- Verify security codes through out-of-band channels
- Understand the risks of your communication environment
- Follow operational security (OPSEC) best practices
---
## 🏛️ Freedom of Speech Support
### Our Mission
SecureBit.chat is developed to support:
- **Article 19** of the Universal Declaration of Human Rights
- **Freedom of expression** and **right to privacy**
- **Resistance to censorship** and mass surveillance
- **Protection of journalists, activists, and dissidents**
### Ethical Use Commitment
We believe privacy and free speech are fundamental human rights, but:
- These rights come with responsibilities
- Freedom of speech does not include freedom from consequences
- Users must respect the rights and safety of others
- Illegal activity is never justified, regardless of privacy tools used
---
## 📊 Technical Security Information
### Current Implementation (v4.02.442)
- **ECDH P-384** key exchange with complete ASN.1 validation
- **AES-GCM 256-bit** encryption
- **ECDSA P-384** digital signatures with enhanced key verification
- **RSA-2048** digital signatures for file metadata
- **Perfect Forward Secrecy** with key rotation
- **MITM protection** via out-of-band verification
- **Zero server architecture** (pure P2P)
- **DTLS Race Condition Protection** against October 2024 WebRTC vulnerabilities
- **ICE Endpoint Verification** for secure WebRTC connections
- **Message Size Validation** with 1MB DoS protection
- **Atomic Operations** for race condition prevention
- **Secure Memory Management** with advanced wiping techniques
- **Symbol-Based Context Isolation** for private instance management
- **Rate Limiting System** (10 files/minute) with client identification
### 🔒 ASN.1 Complete Structure Validation (NEW)
- **Complete ASN.1 DER Parser**: Full structural validation of all cryptographic keys
- **OID Validation**: Algorithm and curve verification (P-256/P-384 only)
- **EC Point Format Verification**: Uncompressed format 0x04 validation
- **SPKI Structure Validation**: Element count and type checking
- **Key Size Limits**: 50-2000 bytes to prevent DoS attacks
- **BIT STRING Validation**: Ensuring unused bits are 0
- **Fallback Support**: P-384 to P-256 compatibility
- **High-Risk Vulnerability Fix**: Prevents keys with valid headers but modified data
### Known Limitations
- WebRTC fingerprinting possibilities (mitigated by anti-fingerprinting techniques)
- Browser-based implementation constraints
- Dependency on Web Crypto API security
- No protection against compromised endpoints
- Traffic analysis potential despite encryption (mitigated by packet padding and noise)
- Memory safety depends on JavaScript engine implementation
- DTLS protection effectiveness depends on WebRTC implementation
---
## 🔄 Future Development
### Post-Quantum Roadmap
- **v5.0**: CRYSTALS-Kyber/Dilithium implementation
- **Long-term**: Resistance to quantum cryptanalysis
- **Ongoing**: Security audits and improvements
### Advanced Security Technologies (v4.02.442)
- **ASN.1 Validation Framework**: Complete DER parsing and key structure verification
- **Enhanced Key Security**: OID and EC point validation for all cryptographic operations
- **PKCS Compliance**: Full adherence to cryptographic standards
- **Structural Security**: Complete validation of all key components
- **Vulnerability Prevention**: High-risk key manipulation attack prevention
### Previous Advanced Security Technologies (v4.01.441)
- **DTLS Protection Framework**: Comprehensive WebRTC security enhancement
- **Memory Safety Mechanisms**: Advanced protection against use-after-free vulnerabilities
- **Race Condition Prevention**: Atomic operations for critical security sections
- **Error Sanitization System**: Secure error handling without information leakage
- **Context Isolation**: Symbol-based private instance management
- **File Transfer Security**: Cryptographic signatures and metadata validation
- **Advanced DoS Protection**: Message size validation and rate limiting
---
## 📞 Contact and Reporting
### Security Issues
- **Responsible disclosure**: Email security issues to the development team
- **CVE reporting**: We participate in responsible vulnerability disclosure
- **Bug bounty**: Consider implementing for critical security findings
### Legal Concerns
- **Law enforcement**: Contact appropriate legal authorities in your jurisdiction
- **Abuse reports**: Report illegal use to relevant authorities
- **Compliance questions**: Consult with legal counsel
---
## 📜 License and Terms
### Open Source License
SecureBit.chat is released under the **MIT License**, providing:
- Freedom to use, modify, and distribute
- No warranty or liability guarantees
- Full source code transparency
- Right to audit security implementation
### Terms Acceptance
**By downloading, installing, or using SecureBit.chat, you acknowledge:**
1. You have read and understood this disclaimer
2. You accept full responsibility for your use of the software
3. You agree to comply with all applicable laws
4. You understand the security limitations and risks
5. You will not hold the developers liable for any consequences
---
## ⚠️ Final Warning
**SECUREBIT.CHAT IS A POWERFUL TOOL FOR PRIVACY AND FREE SPEECH**
With great power comes great responsibility. Use this software ethically, legally, and with full understanding of the risks and responsibilities involved.
**Remember**: The strongest encryption cannot protect against poor operational security, compromised endpoints, or illegal activities that attract law enforcement attention.
---
## 🛡️ Declaration of Intent
This software is created to:
- **Protect human rights** and fundamental freedoms
- **Support legitimate privacy** needs in an increasingly surveilled world
- **Advance the field** of secure communications
- **Educate users** about cryptography and privacy
**It is NOT intended to facilitate illegal activities or harm others.**
---
*Last Updated: January 15, 2025*
*Version: Enhanced Security Edition v4.02.442 - ASN.1 Validated*
**USE AT YOUR OWN RISK AND RESPONSIBILITY**
- Product release: `v4.8.5`
- Protocol version: `4.1`
- Last updated: May 17, 2026