SecureBitChat/securebit-chat
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

v4.3.120 update

Browse Source
This commit is contained in:
lockbitchat
2025-10-15 20:15:41 -04:00
parent b087adfecc
commit 3ed8766fc9
10 changed files with 201 additions and 546 deletions
Download Patch File Download Diff File Expand all files Collapse all files
README.md
+187 -532
View File
@@ -1,185 +1,99 @@
# SecureBit.chat v4.3.120 - UX/UI Redesign + Binary QR System # SecureBit.chat v4.4.18
<div align="center"> <div align="center">
![SecureBit.chat Logo](logo/favicon.ico) ![SecureBit.chat Logo](logo/favicon.ico)
**The world's first P2P messenger with ECDH + DTLS + SAS security and military-grade cryptography** **World's first P2P messenger with ECDH + DTLS + SAS security and military-grade cryptography**
[![Latest Release](https://img.shields.io/github/v/release/SecureBitChat/securebit-chat?style=for-the-badge&logo=github&color=orange)](https://github.com/SecureBitChat/securebit-chat/releases/latest) [![Latest Release](https://img.shields.io/github/v/release/SecureBitChat/securebit-chat?style=for-the-badge&logo=github&color=orange)](https://github.com/SecureBitChat/securebit-chat/releases/latest)
[![Live Demo](https://img.shields.io/badge/🌐_Live_Demo-Try_Now-success?style=for-the-badge)](https://securebitchat.github.io/securebit-chat/) [![Live Demo](https://img.shields.io/badge/🌐_Live_Demo-Try_Now-success?style=for-the-badge)](https://securebitchat.github.io/securebit-chat/)
[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg?style=for-the-badge)](https://opensource.org/licenses/MIT) [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg?style=for-the-badge)](https://opensource.org/licenses/MIT)
[![Security: ECDH+DTLS+SAS](https://img.shields.io/badge/Security-ECDH%2BDTLS%2BSAS-red.svg?style=for-the-badge)]()
[🚀 Try Now](https://securebitchat.github.io/securebit-chat/) • [📖 Documentation](#-quick-start) • [🔒 Security](#-security) • [🤝 Contribute](#-contributing)
</div> </div>
--- ---
## ✨ What's New in v4.3.120 - UX/UI Redesign + Binary QR System ## 🎯 Overview
### 🎨 Complete UX/UI Redesign SecureBit.chat is a revolutionary peer-to-peer messenger that prioritizes your privacy with military-grade encryption. No servers, no registration, no data collection - just pure, secure communication.
- Fully refreshed interface and improved navigation.
- More intuitive design and consistent experience across platforms.
- Enhanced readability and visual clarity.
### 📷 Advanced QR Exchange System ### Key Features
- Rebuilt QR connection system for faster and more secure pairing.
- Optimized scanning and decoding speed.
- Improved compatibility with mobile cameras and desktop screens.
### 🗜️ Compressed Connection Codes - 🔐 **19-Layer Military Security** - ECDH + DTLS + SAS verification
- New **binary compression layer** for all connection data. - 🌐 **Pure P2P Architecture** - No servers, truly decentralized
- Dramatically reduces code length and exchange time. - 📱 **Progressive Web App** - Install like a native app
- Perfect for offline pairing and air-gapped communication. - 📂 **Secure File Transfer** - End-to-end encrypted P2P file sharing
- 🔔 **Smart Notifications** - Browser alerts only when away
### 🔄 Binary Connection Protocol - 🎭 **Complete Anonymity** - Zero data collection, no registration
- Replaced old JSON exchange with a **binary data protocol**.
- Boosts performance and reduces handshake latency.
- Enables seamless cross-platform P2P connection setup.
### 🛡️ Revolutionary ECDH + DTLS + SAS Security System
* **Complete PAKE removal** - Eliminated libsodium dependency and PAKE-based authentication
* **ECDH key exchange** - Elliptic Curve Diffie-Hellman for secure key establishment
* **DTLS fingerprint verification** - Transport layer security validation using WebRTC certificates
* **SAS (Short Authentication String)** - 7-digit verification code for MITM attack prevention
* **Single code generation** - SAS generated once on Offer side and shared with Answer side
* **Mutual verification** - Both users must confirm the same SAS code to establish connection
* **Enhanced MITM protection** - Multi-layer defense against man-in-the-middle attacks
* **Real-time verification** - Immediate feedback on connection security status
### 🔒 ASN.1 Full Structure Validation (BREAKING CHANGE)
* **Complete ASN.1 DER parser** for comprehensive key structure verification
* **OID validation** for algorithms and curves (P-256/P-384 only)
* **EC point format verification** (uncompressed format 0x04)
* **SPKI structure validation** with element count and type checking
* **Key size limits** (50-2000 bytes) to prevent DoS attacks
* **BIT STRING validation** ensuring unused bits are 0
* **Fallback support** from P-384 to P-256 for compatibility
* **High-risk vulnerability fix** where keys with valid headers but modified data could be accepted
### 🔐 Enhanced Key Security
* **Full structural validation** according to PKCS standards
* **Complete rewrite** of `validateKeyStructure()` method
* **Enhanced validation** for all key import/export operations
* **Military-grade key verification** exceeding previous standards
### 🔒 Comprehensive Connection Security Overhaul
* **Advanced mutex framework** with 15-second timeout protection
* **Race condition prevention** through atomic key generation
* **Multi-stage validation pipeline** with automatic rollback
* **Enhanced MITM protection** with unique encryption key fingerprints
* **Session ID anti-hijacking** with mutual authentication challenges
* **Package integrity validation** for all connection operations
### 🔐 Secure Key Storage System
* **WeakMap-based isolation** for all cryptographic keys
* **Private key storage** replacing public key properties
* **Secure access methods** with validation and rotation
* **Emergency key wipe** capabilities for threat response
* **Key security monitoring** with lifetime limits enforcement
* **Backward compatibility** maintained through getters/setters
### 🛡️ Production-Ready Security Logging
* **Environment-aware logging** (production vs development)
* **Data sanitization** preventing sensitive information leaks
* **Rate limiting** and automatic memory cleanup
* **Secure debugging** without exposing encryption keys
* **Privacy protection** while maintaining useful diagnostics
### 📱 Progressive Web App (PWA)
* **Install directly** on mobile and desktop devices
* **Offline mode support** with session persistence
* **Improved performance** through smart caching and service workers
* **Native app experience** without app store requirements
### 📂 Secure File Transfer
* **End-to-end encrypted** file transfers over pure P2P WebRTC channels
* **File chunking** with individual encryption per block
* **Hash validation** for every chunk to prevent tampering or MITM attacks
* **Automatic recovery** for lost packets and interrupted transfers
* **AES-GCM 256-bit + ECDH P-384** encryption for files
* **SHA-384 checksums** for integrity enforcement
### 🔍 Enhanced Security Testing
* **Comprehensive data leakage testing** of chat sessions
* **Verified MITM and replay attack resistance**
* **Enhanced memory cleanup algorithms** for session termination
* **Isolated file streams** separated from chat channels
--- ---
## 🚀 Try It Now ## ✨ What's New in v4.4.18
### 🌐 [Live Demo — SecureBit.chat](https://securebitchat.github.io/securebit-chat/) ### 🔔 Secure Browser Notifications
- Smart delivery when user is away from chat tab
- Cross-browser compatibility (Chrome, Firefox, Safari, Edge)
- Page Visibility API integration with proper tab focus detection
- XSS protection with text sanitization and URL validation
- Rate limiting and spam protection
- Automatic cleanup and memory management
*No installation required — works directly in your browser with military-grade encryption.* ### 🧹 Code Cleanup & Architecture
- Removed session management logic for simplified architecture
- Eliminated experimental Bluetooth module
- Cleaned debug logging from production code
- Removed test functions from production build
- Enhanced error handling for production stability
**New:** Install as PWA for native app experience on mobile and desktop! ### 🛡️ Security Enhancements
- **ECDH + DTLS + SAS System** - Triple-layer security verification
- **ASN.1 Full Structure Validation** - Complete key structure verification
- **Enhanced MITM Protection** - Multi-layer defense system
- **Secure Key Storage** - WeakMap-based isolation
- **Production-Ready Logging** - Data sanitization and privacy protection
--- ---
## What Makes SecureBit.chat Unique ## 🏆 Why SecureBit.chat?
### 🏆 Industry Leader ### Security Comparison
* **Dominates in 11/15 security categories** vs Signal, Threema, Session | Feature | **SecureBit.chat** | Signal | Threema | Session |
* **First messenger** with enhanced ECDH + DTLS + SAS security |---------|-------------------|--------|---------|---------|
* **Military-grade cryptography** exceeding government standards | Architecture | 🏆 Pure P2P WebRTC | ❌ Centralized | ❌ Centralized | ⚠️ Onion network |
* **Zero servers** — truly decentralized P2P architecture | File Transfer | 🏆 P2P encrypted | ✅ Via servers | ✅ Via servers | ✅ Via servers |
* **PWA technology** — install like native apps without app stores | PWA Support | 🏆 Full PWA | ❌ None | ❌ None | ❌ None |
| Registration | 🏆 Anonymous | ❌ Phone required | ✅ ID generated | ✅ Random ID |
| Traffic Obfuscation | 🏆 Advanced | ❌ None | ❌ None | ✅ Onion routing |
| Data Storage | 🏆 Zero storage | ⚠️ Local database | ⚠️ Local + backup | ⚠️ Local database |
| ASN.1 Validation | 🏆 Complete | ⚠️ Basic | ⚠️ Basic | ⚠️ Basic |
**Legend:** 🏆 Category Leader • ✅ Excellent • ⚠️ Partial/Limited • ❌ Not Available
### 🔐 15-Layer Military Security ### 19-Layer Military Security
1. **WebRTC DTLS** — Transport encryption 1. WebRTC DTLS transport encryption
2. **ECDH P-384** — Perfect forward secrecy 2. ECDH P-384 perfect forward secrecy
3. **AES-GCM 256** — Authenticated encryption 3. AES-GCM 256 authenticated encryption
4. **ECDSA P-384** — Message integrity 4. ECDSA P-384 message integrity
5. **Replay protection** — Timestamp validation 5. Replay protection with timestamp validation
6. **Key rotation** — Every 5 minutes/100 messages 6. Automatic key rotation (every 5 min/100 messages)
7. **MITM verification** — Out-of-band codes 7. MITM verification with out-of-band codes
8. **Traffic obfuscation** — Pattern masking 8. Traffic obfuscation and pattern masking
9. **Metadata protection** — Zero leakage 9. Complete metadata protection
10. **Memory protection** — No persistent storage 10. Memory protection with no persistent storage
11. **Hardware security** — Non-extractable keys 11. Hardware security with non-extractable keys
12. **Session isolation** — Complete cleanup 12. Session isolation and complete cleanup
13. **Mutex framework** — Race condition protection 13. Mutex framework for race condition protection
14. **Secure key storage** WeakMap isolation 14. Secure key storage with WeakMap isolation
15. **Production logging** — Data sanitization 15. Production logging with data sanitization
16. **ASN.1 validation** — Complete key structure verification 16. ASN.1 complete key structure verification
17. **OID validation** — Algorithm and curve verification 17. OID validation for algorithms and curves
18. **EC point validation** — Format and structure verification 18. EC point format and structure verification
19. Smart notifications with XSS protection
### 🎭 Advanced Privacy
* **Complete anonymity** — no registration required
* **Zero data collection** — messages only in browser memory
* **Traffic analysis resistance** — fake traffic generation
* **Censorship resistance** — no servers to block
* **Instant anonymous channels** — connect in seconds
* **Secure file transfers** — encrypted P2P file sharing
---
## 🛡️ Security Comparison
| Feature | **SecureBit.chat** | Signal | Threema | Session |
| --------------------------- | ----------------------------- | ---------------------------- | --------------------- | ---------------------- |
| **Architecture** | 🏆 Pure P2P WebRTC | ❌ Centralized servers | ❌ Centralized servers | ⚠️ Onion network |
| **File Transfer** | 🏆 P2P encrypted + chunked | ✅ Encrypted via servers | ✅ Encrypted via servers | ✅ Encrypted via servers |
| **PWA Support** | 🏆 Full PWA installation | ❌ None | ❌ None | ❌ None |
| **Registration** | 🏆 Anonymous | ❌ Phone required | ✅ ID generated | ✅ Random ID |
| **Traffic Obfuscation** | 🏆 Advanced fake traffic | ❌ None | ❌ None | ✅ Onion routing |
| **Censorship Resistance** | 🏆 Hard to block | ⚠️ Blocked in some countries | ⚠️ May be blocked | ✅ Onion routing |
| **Data Storage** | 🏆 Zero storage | ⚠️ Local database | ⚠️ Local + backup | ⚠️ Local database |
| **Metadata Protection** | 🏆 Full encryption | ⚠️ Sealed Sender (partial) | ⚠️ Minimal metadata | ✅ Onion routing |
| **Key Security** | 🏆 Nonextractable + hardware | ✅ Secure storage | ✅ Local storage | ✅ Secure storage |
| **Perfect Forward Secrecy** | 🏆 Auto rotation (5 min) | ✅ Double Ratchet | ⚠️ Partial (groups) | ✅ Session Ratchet |
| **Open Source** | 🏆 100% + auditable | ✅ Fully open | ⚠️ Only clients | ✅ Fully open |
| **ASN.1 Validation** | 🏆 Complete structure verification | ⚠️ Basic validation | ⚠️ Basic validation | ⚠️ Basic validation |
**Legend:** 🏆 Category Leader | ✅ Excellent | ⚠️ Partial/Limited | ❌ Not Available
--- ---
@@ -187,21 +101,21 @@
### Option 1: Use Online (Recommended) ### Option 1: Use Online (Recommended)
1. **Visit:** [https://securebitchat.github.io/securebit-chat/](https://securebitchat.github.io/securebit-chat/) 1. Visit [securebitchat.github.io/securebit-chat](https://securebitchat.github.io/securebit-chat/)
2. **Install PWA:** Click "Install" button for native app experience 2. Install PWA by clicking "Install" button for native app experience
3. **Choose:** *Create Channel* or *Join Channel* 3. Choose "Create Channel" or "Join Channel"
4. **Complete:** Secure key exchange with verification 4. Complete secure key exchange with verification
5. **Verify:** Security codes and start a secure chat 5. Verify security codes and start chatting
6. **Communicate:** With militarygrade encryption + secure file transfers 6. Communicate with military-grade encryption
### Option 2: SelfHost ### Option 2: Self-Host
```bash ```bash
# Clone repository # Clone repository
git clone https://github.com/SecureBitChat/securebit-chat.git git clone https://github.com/SecureBitChat/securebit-chat.git
cd securebit-chat cd securebit-chat
# Serve locally (choose one method) # Serve locally
python -m http.server 8000 # Python python -m http.server 8000 # Python
npx serve . # Node.js npx serve . # Node.js
php -S localhost:8000 # PHP php -S localhost:8000 # PHP
@@ -215,32 +129,15 @@ open http://localhost:8000
## 📂 Secure File Transfer ## 📂 Secure File Transfer
### Features ### Features
- **P2P Direct Transfer** - No servers, direct WebRTC channels
- **Military-Grade Encryption** - AES-GCM 256-bit + ECDH P-384
- **Chunk-Level Security** - Individual encryption per file chunk
- **Hash Validation** - SHA-384 checksums prevent tampering
- **Automatic Recovery** - Retry mechanisms for interruptions
- **Stream Isolation** - Separate channels from chat messages
* **P2P Direct Transfer** — No servers involved, direct WebRTC channels ### Supported Files
* **Military-Grade Encryption** — AES-GCM 256-bit + ECDH P-384 Documents (PDF, DOC, TXT), Images (JPG, PNG, GIF), Archives (ZIP, RAR), Media (MP3, MP4), and any file type up to size limits.
* **Chunk-Level Security** — Each file chunk individually encrypted
* **Hash Validation** — SHA-384 checksums prevent tampering
* **Automatic Recovery** — Retry mechanisms for interrupted transfers
* **Stream Isolation** — Separate channels from chat messages
### Supported File Types
* **Documents:** PDF, DOC, TXT, MD
* **Images:** JPG, PNG, GIF, WEBP
* **Archives:** ZIP, RAR, 7Z
* **Media:** MP3, MP4, AVI (size limits apply)
* **General:** Any file type up to size limits
### Security Guarantees
* End-to-end encryption with perfect forward secrecy
* MITM attack prevention through hash validation
* Zero server storage — files transfer directly P2P
* Complete cleanup after transfer completion
---
--- ---
@@ -249,426 +146,182 @@ open http://localhost:8000
### Cryptographic Stack ### Cryptographic Stack
``` ```
📂 File Transfer Layer: AES-GCM 256-bit + SHA-384 + Chunking 📂 File Transfer: AES-GCM 256-bit + SHA-384 + Chunking
🔐 Application Layer: AES-GCM 256-bit + ECDSA P-384 🔐 Application: AES-GCM 256-bit + ECDSA P-384
🔑 Key Exchange: ECDH P-384 (Perfect Forward Secrecy) 🔑 Key Exchange: ECDH P-384 (Perfect Forward Secrecy)
🛡️ Transport Layer: WebRTC DTLS 1.2 🛡️ Transport: WebRTC DTLS 1.2
🌐 Network Layer: P2P WebRTC Data Channels 🌐 Network: P2P WebRTC Data Channels
📱 PWA: Service Workers + Cache API
📱 PWA Layer: Service Workers + Cache API 🔒 Validation: Complete ASN.1 DER parsing
🔒 ASN.1 Layer: Complete DER parsing and validation
``` ```
### Security Standards ### Standards Compliance
- NIST SP 800-56A (ECDH Key Agreement)
* NIST SP 80056A — ECDH Key Agreement - NIST SP 800-186 (Elliptic Curve Cryptography)
* NIST SP 800186 — Elliptic Curve Cryptography - RFC 8446 (TLS 1.3 for WebRTC)
* RFC 6090 — Fundamental ECC Algorithms - RFC 5280 (X.509 Certificate Structure)
* RFC 8446 — TLS 1.3 for WebRTC - RFC 5480 (EC Subject Public Key Information)
* RFC 3874 — SHA-384 Hash Algorithm
* RFC 5280 — X.509 Certificate Structure
* RFC 5480 — Elliptic Curve Subject Public Key Information
### Browser Requirements ### Browser Requirements
Modern browser with WebRTC support (Chrome 60+, Firefox 60+, Safari 12+), HTTPS connection, JavaScript enabled, Service Worker support for PWA.
* Modern browser with WebRTC support (Chrome 60+, Firefox 60+, Safari 12+)
* HTTPS connection (required for WebRTC and PWA)
* JavaScript enabled
* Service Worker support for PWA features
--- ---
## 🗺️ Development Roadmap ## 🗺️ Roadmap
**Current:** v4.02.442 — ASN.1 Validation & Enhanced Security Edition **Current: v4.4.18** - Browser Notifications & Code Cleanup
* Complete ASN.1 DER parser for key structure validation **Next Releases:**
* Enhanced key security with OID and EC point verification
* Breaking changes for improved security standards
* Full PKCS compliance for all cryptographic operations
**Previous:** v4.01.441 — PWA & File Transfer Edition ✅ - **v4.5 (Q2 2025)** - Mobile & Desktop Apps
- Native mobile applications (iOS/Android)
- Electron desktop application
- Push notifications and cross-device sync
* Progressive Web App installation - **v5.0 (Q4 2025)** - Quantum-Resistant Edition
* Secure P2P file transfer system - CRYSTALS-Kyber post-quantum key exchange
* Enhanced security testing and MITM protection - SPHINCS+ post-quantum signatures
* Improved memory cleanup algorithms - Hybrid classical + post-quantum schemes
**Next Releases** - **v5.5 (Q2 2026)** - Group Communications
- P2P group chats (up to 8 participants)
- Mesh networking topology
- Anonymous group administration
### v4.5 (Q2 2025) — Mobile & Desktop Apps - **v6.0 (2027)** - Decentralized Network
- DHT-based peer discovery
* Native mobile applications (iOS/Android) - Built-in onion routing
* Electron desktop application - Decentralized identity system
* Push notifications
* Crossdevice synchronization
* Enhanced PWA features
### v5.0 (Q4 2025) — QuantumResistant Edition
* CRYSTALSKyber postquantum key exchange
* SPHINCS+ postquantum signatures
* Hybrid classical + postquantum schemes
* Quantumsafe migration path
### v5.5 (Q2 2026) — Group Communications
* P2P group chats (up to 8 participants)
* Mesh networking topology
* Anonymous group administration
* Group file sharing
### v6.0 (2027) — Decentralized Network
* DHTbased peer discovery
* Builtin onion routing
* Decentralized identity system
* Node incentive mechanisms
--- ---
## 🧪 Development ## 💻 Development
### Project Structure ### Project Structure
``` ```
securebit-chat/ securebit-chat/
├── index.html # Main application ├── index.html # Main application
├── manifest.json # PWA manifest ├── manifest.json # PWA manifest
├── sw.js # Service worker ├── sw.js # Service worker
├── browserconfig.xml # Browser configuration for PWA
├── src/ ├── src/
│ ├── components/ui/ # React UI components │ ├── components/ui/ # React UI components
│ ├── DownloadApps.js # PWA download/install component │ ├── crypto/ # Cryptographic utilities
│ │ ── FileTransfer.js # File transfer UI component │ │ ── ASN1Validator.js # ASN.1 DER parser
│ └── ... # Other UI components ├── network/ # WebRTC P2P manager
│ ├── crypto/ # Cryptographic utilities │ ├── notifications/ # Browser notifications
│ └── ASN1Validator.js # Complete ASN.1 DER parser ├── transfer/ # File transfer system
│ ├── network/ # WebRTC P2P manager │ ├── pwa/ # PWA management
── session/ # Payment session manager ── styles/ # CSS styling
│ ├── transfer/ # File transfer system ├── logo/ # Icons and logos
│ │ └── EnhancedSecureFileTransfer.js # Secure P2P file transfer └── docs/ # Documentation
│ ├── pwa/ # PWA management
│ │ ├── install-prompt.js # PWA installation prompts
│ │ ├── offline-manager.js # Offline mode management
│ │ └── pwa-manager.js # PWA lifecycle management
│ └── styles/ # CSS styling
│ ├── pwa.css # PWA-specific styles
│ └── ... # Other stylesheets
├── logo/ # Wallet logos and icons
├── docs/ # Documentation
└── README.md # This file
``` ```
### Technology Stack ### Build Workflow
* **Frontend:** Pure JavaScript + React (via CDN)
* **PWA:** Service Workers + Cache API + Web App Manifest + Install Prompts
* **Cryptography:** Web Crypto API + custom ECDH/ECDSA + ASN.1 DER parser
* **Network:** WebRTC P2P Data Channels
* **File Transfer:** Enhanced secure P2P streaming with chunked encryption
* **Payments:** Lightning Network via WebLN
* **Offline Support:** Smart caching with offline-manager
* **Styling:** TailwindCSS + custom CSS + PWA-specific styles
### Development Setup
```bash ```bash
# Clone repository # CSS changes (Tailwind)
git clone https://github.com/SecureBitChat/securebit-chat.git npm run build:css
cd securebit-chat
# No build process required — pure clientside # JavaScript/JSX changes
# Just serve the files over HTTPS npm run build:js
# For development # Full rebuild (recommended)
python -m http.server 8000 npm run build
# For production # Development with live server
# Deploy to any static hosting (GitHub Pages, Netlify, etc.) npm run dev
``` ```
**Important:** Always rebuild after changes. Source files are in `src/`, generated files in `assets/` and `dist/`. Never edit generated files directly.
### Technology Stack
- **Frontend:** Pure JavaScript + React (via CDN)
- **PWA:** Service Workers + Cache API + Web App Manifest
- **Cryptography:** Web Crypto API + custom ECDH/ECDSA + ASN.1 parser
- **Network:** WebRTC P2P Data Channels
- **Notifications:** Browser Notifications API + Page Visibility API
- **File Transfer:** Enhanced secure P2P streaming with chunked encryption
- **Styling:** TailwindCSS + custom CSS
--- ---
## 🛡️ Security ## 🛡️ Security
### Security Audit Status ### Audit Status
- ✅ Internal cryptographic review completed
* ✅ Internal cryptographic review completed - ✅ P2P protocol security analysis completed
* ✅ P2P protocol security analysis completed - ✅ File transfer security validation completed
* ✅ File transfer security validation completed - ✅ ASN.1 validation and key verification completed
* ✅ MITM and replay attack resistance verified - 🔄 Professional security audit planned Q3 2025
* ✅ ASN.1 validation and key structure verification completed
* 🔄 Professional security audit planned Q3 2025
* 🔄 Postquantum cryptography review for v5.0
### Vulnerability Reporting ### Vulnerability Reporting
Contact: **SecureBitChat@proton.me**
See **SECURITY.md** for detailed security policy and reporting instructions. See **SECURITY.md** for detailed security policy.
Contact: **[SecureBitChat@proton.me](mailto:SecureBitChat@proton.me)**
### Security Features ### Security Features
- Perfect Forward Secrecy for messages and files
* Perfect Forward Secrecy — Past messages and files secure even if keys compromised - Out-of-band verification prevents MITM attacks
* Outofband verification — Prevents maninthemiddle attacks - Traffic obfuscation defeats network analysis
* Traffic obfuscation — Defeats network analysis - Memory protection with no persistent storage
* Memory protection — No persistent storage of sensitive data - Complete ASN.1 key structure validation
* Session isolation — Complete cleanup between sessions - File integrity with SHA-384 hash validation
* File integrity — SHA-384 hash validation prevents tampering
* Chunked encryption — Individual encryption per file block
* **ASN.1 validation** — Complete key structure verification according to PKCS standards
* **OID validation** — Algorithm and curve verification for cryptographic operations
* **EC point validation** — Format and structure verification for elliptic curve keys
--- ---
## 📊 Performance ## 📊 Performance
### Benchmarks - **Connection setup:** < 3 seconds
- **Message latency:** < 100 ms (P2P direct)
* Connection setup: < 3 seconds - **File transfer speed:** Up to 5 MB/s
* Message latency: < 100 ms (P2P direct) - **Memory usage:** < 50 MB active session
* File transfer speed: Up to 5 MB/s per connection - **PWA install size:** < 2 MB
* Throughput: Up to 1 MB/s per connection - **Key validation:** < 10 ms (ASN.1 parsing)
* Memory usage: < 50 MB for active session
* Battery impact: Minimal (optimized WebRTC)
* PWA install size: < 2 MB
* **Key validation time:** < 10 ms (ASN.1 parsing)
### Scalability
* Concurrent connections: Limited by device capabilities
* Message size: Up to 2000 characters
* File size: Up to 100 MB per file
* File types: All formats supported
* Group size: Up to 8 participants (v5.5)
---
## 📄 License
MIT License — see **LICENSE** file for details.
### Open Source Commitment
* 100% open source — full transparency
* MIT license — maximum freedom
* No telemetry — zero data collection
* Communitydriven — contributions welcome
--- ---
## 🤝 Contributing ## 🤝 Contributing
We welcome contributions from the community! We welcome contributions! Here's how:
### How to Contribute
1. Fork the repository 1. Fork the repository
2. Create a feature branch: `git checkout -b feature/amazing-feature` 2. Create feature branch: `git checkout -b feature/amazing-feature`
3. Commit your changes: `git commit -m "Add amazing feature"` 3. Commit changes: `git commit -m "Add amazing feature"`
4. Push to the branch: `git push origin feature/amazing-feature` 4. Push to branch: `git push origin feature/amazing-feature`
5. Open a Pull Request 5. Open Pull Request
### Contribution Areas ### Contribution Areas
🔐 Cryptography • 🌐 Network • 🔔 Notifications • 📂 File Transfer • 📱 PWA • 🎨 UI/UX • 📚 Documentation • 🔒 ASN.1 Validation
* 🔐 Cryptography — Security improvements and audits
* 🌐 Network — P2P optimization and reliability
* 📂 File Transfer — EnhancedSecureFileTransfer improvements
* 📱 PWA — Install prompts, offline management, and PWA lifecycle
* 🎨 UI/UX — Interface improvements, FileTransfer and DownloadApps components
* 📚 Documentation — Guides, tutorials, translations
* **🔒 ASN.1 Validation** — Enhanced key structure verification and parsing
### Development Guidelines
* Follow existing code style
* Add tests for new features
* Update documentation
* Respect securityfirst principles
* Test PWA functionality across devices
* **Validate all cryptographic operations** with enhanced ASN.1 parsing
--- ---
## 📞 Contact & Support ## 📞 Contact & Support
### Official Channels - **Email:** SecureBitChat@proton.me
- **GitHub:** Issues & Discussions
* Email: **[SecureBitChat@proton.me](mailto:SecureBitChat@proton.me)** - **Security:** SecureBitChat@proton.me
* GitHub: **Issues & Discussions**
* Security: **[SecureBitChat@proton.me](mailto:SecureBitChat@proton.me)**
### Community
* Discussions: GitHub Discussions for feature requests
* Issues: Bug reports and technical support
* Wiki: Documentation and guides
--- ---
## ⚠️ Important Disclaimers ## ⚠️ Important Disclaimers
### Security Notice ### Security Notice
While SecureBit.chat implements military-grade cryptography and follows security best practices, no communication system is 100% secure. Users should: While SecureBit.chat implements military-grade cryptography, no system is 100% secure. Always verify security codes out-of-band and keep devices updated.
* Always verify security codes out-of-band
* Keep devices and browsers updated
* Be aware of endpoint security risks
* **File transfers are protected with the same military-grade cryptography as chat messages**
* **All cryptographic keys now undergo complete ASN.1 structure validation**
### Legal Notice ### Legal Notice
This software is provided "as is" for educational and research purposes. Users are responsible for compliance with local laws and regulations regarding: This software is provided "as is" for educational and research purposes. Users are responsible for compliance with local laws regarding cryptographic software and private communications.
* Cryptographic software usage
* Private communications
* File sharing and transfer
### Privacy Statement ### Privacy Statement
SecureBit.chat: SecureBit.chat collects zero data, stores nothing, requires no registration, and uses no servers. All data exists only in browser memory with direct P2P connections.
* Collects zero data - no analytics, tracking, or telemetry
* Stores nothing - all data exists only in browser memory
* Requires no registration - completely anonymous usage
* Uses no servers - direct P2P connections only
* **Files are transferred directly P2P with zero server storage**
--- ---
## 🎯 Why Choose SecureBit.chat? ## 📄 License
### For Privacy Advocates MIT License - see **LICENSE** file for details.
* True zero-knowledge architecture 100% open source with full transparency, no telemetry, and zero data collection.
* Military-grade encryption standards
* Complete anonymity and untraceability
* Resistance to censorship and surveillance
* **Secure P2P file sharing without servers**
* **Complete ASN.1 validation for cryptographic keys**
### For Mobile Users
* **Progressive Web App installation**
* **Offline mode support**
* **Native app experience without app stores**
* **Works on all modern mobile devices**
### For Developers
* 100% open source transparency
* Modern cryptographic standards
* Clean, auditable codebase
* Extensible modular architecture
* **PWA best practices implementation**
* **Complete ASN.1 DER parser for key validation**
### For Everyone
* **Install like native apps**
* **Works offline with session persistence**
* Works on all modern devices
* Intuitive user interface
* Professional security standards
* **Secure file transfers included**
* **Enhanced key security with ASN.1 validation**
---
## 🔧 Development Workflow
### Making Changes and Recompiling
When you make changes to the source code, you need to recompile the assets. Here's the proper workflow:
#### 1. **CSS Changes** (Tailwind classes, styles)
```bash
# Rebuild only CSS
npm run build:css
# Or watch for changes during development
npm run watch
```
#### 2. **JavaScript/JSX Changes** (React components, logic)
```bash
# Rebuild only JavaScript
npm run build:js
# Or rebuild everything
npm run build
```
#### 3. **Full Rebuild** (recommended after major changes)
```bash
# Complete rebuild of all assets
npm run build
```
#### 4. **Development with Live Server**
```bash
# Build and start development server
npm run dev
# Or use custom server
npm run serve
```
### File Structure After Build
```
├── assets/
│ ├── tailwind.css # ← Generated from src/styles/tw-input.css
│ ├── fontawesome/ # ← Local Font Awesome assets
│ └── fonts/ # ← Local Google Fonts
├── dist/
│ ├── app.js # ← Generated from src/app.jsx
│ ├── app-boot.js # ← Generated from src/scripts/app-boot.js
│ └── qr-local.js # ← Generated from src/scripts/qr-local.js
└── src/ # ← Source files (edit these)
├── app.jsx
├── scripts/
├── styles/
└── components/
```
### Important Notes
- **Always rebuild after changes** to see them in the browser
- **CSS changes** require `npm run build:css`
- **JS/JSX changes** require `npm run build:js`
- **Source files** are in `src/` directory
- **Generated files** are in `assets/` and `dist/` directories
- **Never edit** files in `assets/` or `dist/` directly
### Troubleshooting Build Issues
#### CSS not updating?
```bash
# Clear cache and rebuild
rm assets/tailwind.css
npm run build:css
```
#### JavaScript errors?
```bash
# Check for syntax errors in source files
npm run build:js
```
#### All changes not showing?
```bash
# Hard refresh browser (Ctrl+F5) or clear browser cache
# Then rebuild everything
npm run build
```
--- ---
@@ -682,6 +335,8 @@ npm run build
--- ---
**Latest Release: v4.02.442** — ASN.1 Validation & Enhanced Security **Latest Release: v4.4.18** - Browser Notifications & Code Cleanup
</div> [🚀 Try Now](https://securebitchat.github.io/securebit-chat/) • [⭐ Star on GitHub](https://github.com/SecureBitChat/securebit-chat)
</div>
dist/app-boot.js
Vendored
+2 -2
View File
@@ -15294,7 +15294,7 @@ Right-click or Ctrl+click to disconnect`,
React.createElement("p", { React.createElement("p", {
key: "subtitle", key: "subtitle",
className: "text-xs sm:text-sm text-muted hidden sm:block" className: "text-xs sm:text-sm text-muted hidden sm:block"
}, "End-to-end freedom v4.3.120") }, "End-to-end freedom v4.4.18")
]) ])
]), ]),
// Status and Controls - Responsive // Status and Controls - Responsive
@@ -16049,7 +16049,7 @@ function Roadmap() {
}, },
// current and future phases // current and future phases
{ {
version: "v4.3.120", version: "v4.4.18",
title: "Enhanced Security Edition", title: "Enhanced Security Edition",
status: "current", status: "current",
date: "Now", date: "Now",
dist/app-boot.js.map
Vendored
+2 -2
View File
File diff suppressed because one or more lines are too long
index.html
+1 -1
View File
@@ -116,7 +116,7 @@
<!-- GitHub Pages SEO --> <!-- GitHub Pages SEO -->
<meta name="description" content="SecureBit.chat v4.3.120 — P2P messenger with ECDH + DTLS + SAS security and 18-layer military-grade cryptography"> <meta name="description" content="SecureBit.chat v4.4.18 — P2P messenger with ECDH + DTLS + SAS security and 18-layer military-grade cryptography">
<meta name="keywords" content="P2P messenger, ECDH, DTLS, SAS, encryption, WebRTC, privacy, ASN.1 validation, military-grade security, 18-layer defense, MITM protection, PFS"> <meta name="keywords" content="P2P messenger, ECDH, DTLS, SAS, encryption, WebRTC, privacy, ASN.1 validation, military-grade security, 18-layer defense, MITM protection, PFS">
<meta name="author" content="Volodymyr"> <meta name="author" content="Volodymyr">
<link rel="canonical" href="https://github.com/SecureBitChat/securebit-chat/"> <link rel="canonical" href="https://github.com/SecureBitChat/securebit-chat/">
manifest.json
+1 -1
View File
@@ -1,5 +1,5 @@
{ {
"name": "SecureBit.chat v4.3.120 - ECDH + DTLS + SAS", "name": "SecureBit.chat v4.4.18 - ECDH + DTLS + SAS",
"short_name": "SecureBit", "short_name": "SecureBit",
"description": "P2P messenger with ECDH + DTLS + SAS security, military-grade cryptography and Lightning Network payments", "description": "P2P messenger with ECDH + DTLS + SAS security, military-grade cryptography and Lightning Network payments",
"start_url": "./", "start_url": "./",
src/app.jsx
+1 -1
View File
@@ -1913,7 +1913,7 @@
} }
} }
handleMessage(' SecureBit.chat Enhanced Security Edition v4.3.120 - ECDH + DTLS + SAS initialized. Ready to establish a secure connection with ECDH key exchange, DTLS fingerprint verification, and SAS authentication to prevent MITM attacks.', 'system'); handleMessage(' SecureBit.chat Enhanced Security Edition v4.4.18 - ECDH + DTLS + SAS initialized. Ready to establish a secure connection with ECDH key exchange, DTLS fingerprint verification, and SAS authentication to prevent MITM attacks.', 'system');
const handleBeforeUnload = (event) => { const handleBeforeUnload = (event) => {
if (event.type === 'beforeunload' && !isTabSwitching) { if (event.type === 'beforeunload' && !isTabSwitching) {
src/components/ui/Header.jsx
+1 -1
View File
@@ -557,7 +557,7 @@ const EnhancedMinimalHeader = ({
React.createElement('p', { React.createElement('p', {
key: 'subtitle', key: 'subtitle',
className: 'text-xs sm:text-sm text-muted hidden sm:block' className: 'text-xs sm:text-sm text-muted hidden sm:block'
}, 'End-to-end freedom v4.3.120') }, 'End-to-end freedom v4.4.18')
]) ])
]), ]),
src/components/ui/Roadmap.jsx
+1 -1
View File
@@ -75,7 +75,7 @@ function Roadmap() {
// current and future phases // current and future phases
{ {
version: "v4.3.120", version: "v4.4.18",
title: "Enhanced Security Edition", title: "Enhanced Security Edition",
status: "current", status: "current",
date: "Now", date: "Now",
src/scripts/pwa-globals.js
+1 -1
View File
@@ -48,7 +48,7 @@ window.showUpdateNotification = function showUpdateNotification() {
<i class="fas fa-download text-lg"></i> <i class="fas fa-download text-lg"></i>
<div class="flex-1"> <div class="flex-1">
<div class="font-medium">Update Available</div> <div class="font-medium">Update Available</div>
<div class="text-sm opacity-90">SecureBit.chat v4.3.120 - ECDH + DTLS + SAS is ready</div> <div class="text-sm opacity-90">SecureBit.chat v4.4.18 - ECDH + DTLS + SAS is ready</div>
</div> </div>
<button data-action="reload" class="bg-white/20 hover:bg-white/30 px-3 py-1 rounded text-sm font-medium transition-colors"> <button data-action="reload" class="bg-white/20 hover:bg-white/30 px-3 py-1 rounded text-sm font-medium transition-colors">
Update Update
sw.js
+4 -4
View File
@@ -1,9 +1,9 @@
// SecureBit.chat Service Worker // SecureBit.chat Service Worker
// Conservative PWA Edition v4.3.120 - Minimal Caching Strategy // Conservative PWA Edition v4.4.18 - Minimal Caching Strategy
const CACHE_NAME = 'securebit-pwa-v4.3.120'; const CACHE_NAME = 'securebit-pwa-v4.4.18';
const STATIC_CACHE = 'securebit-pwa-static-v4.3.120'; const STATIC_CACHE = 'securebit-pwa-static-v4.4.18';
const DYNAMIC_CACHE = 'securebit-pwa-dynamic-v4.3.120'; const DYNAMIC_CACHE = 'securebit-pwa-dynamic-v4.4.18';
// Essential files for PWA offline functionality // Essential files for PWA offline functionality
const STATIC_ASSETS = [ const STATIC_ASSETS = [