- Fixed biased cryptographic random with modulo operations
- Corrected biased cryptographic random with addition operations
- Resolved infinite page loading issue
- Rebuilt all distribution files
- Guarded all Notification API usage to avoid ReferenceError on iOS Safari.
- Set default permission to 'denied' when Notification is undefined.
- Added early return in notification flow when Notifications API is unavailable.
- Wrapped Notification.permission, requestPermission(), and new Notification(...) with typeof checks.
- Updated SecureNotificationManager and app.jsx to degrade gracefully.
- Verified build passes and chat loads correctly on iOS without notifications.
- Removed temporary console logs used for debugging
- Disabled DEBUG_MODE flag
- Updated configuration to run in production mode
- Cleaned up leftover debug utilities to reduce noise in console
- Removed session creation and Lightning payment logic
- Refactored security system:
* no more restrictions
* all systems enabled on session creation
- Improved QR code exchange for mobile devices
- Replace unsafe console.error/warn calls with secure logging system
- Implement production-safe logging that masks sensitive data
- Add automatic sanitization for cryptographic keys and sensitive information
- Create secure logging infrastructure for EnhancedSecureWebRTCManager and EnhancedSecureCryptoUtils
- Prevent data leakage of internal logic and error details in production
- Add production/development mode detection for appropriate logging levels
- Implement server-side error logging for production environments
- Replace unsafe console.error/warn calls with secure logging system
- Implement production-safe logging that masks sensitive data
- Add automatic sanitization for cryptographic keys and sensitive information
- Create secure logging infrastructure for EnhancedSecureWebRTCManager and EnhancedSecureCryptoUtils
- Prevent data leakage of internal logic and error details in production
- Add production/development mode detection for appropriate logging levels
- Implement server-side error logging for production environments
BREAKING CHANGE: Enhanced key validation now performs complete ASN.1 parsing
Security improvements:
- Added complete ASN.1 DER parser for full structure validation
- Implemented OID validation for algorithms and curves (P-256/P-384 only)
- Added EC point format verification (uncompressed format 0x04)
- Validate SPKI structure elements count and types
- Check key size limits to prevent DoS attacks (50-2000 bytes)
- Verify unused bits in BIT STRING (must be 0)
- Added fallback support from P-384 to P-256
This fixes high-risk vulnerability where keys with valid headers but
modified data could be accepted. Now all structural elements are validated
according to PKCS standards.
Affected methods:
- validateKeyStructure() - complete rewrite with ASN.1 parsing
- All key import/export methods now use enhanced validation
Security Enhancements:
- Add salt entropy validation (minimum 16 unique bytes for 64-byte salts)
- Expand secure logging patterns to catch more sensitive data types
(fingerprint, mac, hash patterns)
- Implement random timing delays in verifyAuthProof() to mask execution timing
- Revert sanitizeMessage() to working regex-based approach
Validation Improvements:
- validateSalt() now checks both size and entropy quality
- secureLog.sanitizeContext() enhanced with additional sensitive patterns
- Added timing attack protection with 5-25ms random delays
- Added a real verification system for active encryption modules, giving users full control over enabled modules.
- During session purchase or activation, the actual enabled modules are now displayed for both free and paid sessions.
- Refactored session timer initialization for proper functionality and accurate countdown.
- Optimized code structure related to session management and module verification.
BREAKING CHANGE: Project renamed from LockBit.chat to SecureBit.chat
- Changed project name to avoid confusion with LockBit ransomware group
- Updated all documentation, branding, and references
- Maintained all existing functionality and security features
- Domain migration planned to securebit.chat
Reason: The LockBit name became associated with a notorious ransomware
group, causing conflicts on platforms and potential confusion for users.
SecureBit better reflects our mission of providing secure P2P messaging
while avoiding negative associations.
This change affects:
- README.md and all documentation
- Package.json name field
- Brand assets and logos
- Website references
- Social media handles
Core functionality remains unchanged:
✅ 12-layer military-grade security
✅ Lightning Network integration
✅ P2P WebRTC architecture
✅ Open source MIT license
