- Replaced original JSON with minimized binary format (gzip + base64).
- Adjusted rendering and QR code generation for compatibility.
- Reduced payload size for improved efficiency.
- implemented glowing border effect on cards when cursor is near
- multiple cards can glow simultaneously within proximity
- smooth fade-out without flicker on mouse leave
- improved hover animation for better user experience
- removed all logging of raw IV, JWK, session tokens, verification codes
→ logs now only include error codes, timestamps and short non-reversible SHA-256 hashes (first 4 bytes)
- replaced global master key storage with PBKDF2-derived non-extractable AES key
→ master key lives only in session memory and is cleared on timeout/focus-out
- added password-based derivation (PBKDF2) for master key initialization
- migrated persistent key storage to AES-GCM wrapped ciphertext in IndexedDB
→ JWK export → encrypt with session master key → store ciphertext + IV + metadata
→ unwrap + import as non-extractable on restore
- removed busy-wait loops and direct `window.gc()` calls
→ replaced with async non-blocking cleanup via setTimeout/Promise/WebWorker
- Removed temporary console logs used for debugging
- Disabled DEBUG_MODE flag
- Updated configuration to run in production mode
- Cleaned up leftover debug utilities to reduce noise in console
- Updated connection flow between users via QR codes
- Added manual switching option in QR code generator
- Increased number of QR codes for better readability
- Removed session creation and Lightning payment logic
- Refactored security system:
* no more restrictions
* all systems enabled on session creation
- Improved QR code exchange for mobile devices
Replace CDN React/ReactDOM/Babel with local libs; remove Babel and inline scripts
Build Tailwind locally, add safelist; switch to assets/tailwind.css
Self-host Font Awesome and Inter (CSS + woff2); remove external font CDNs
Implement strict CSP (no unsafe-inline/eval; scripts/styles/fonts from self)
Extract inline handlers; move PWA scripts to external files
Add local QR code generation (qrcode lib) and remove api.qrserver.com
Improve SessionTypeSelector visual selection (highlighted background and ring)
Keep PWA working with service worker and offline assets
Refs: CSP hardening, offline-first, no external dependencies
- Removed reliance on window.DEBUG_MODE and window.DISABLE_* flags.
- Configuration is now passed via constructor instead of global variables.
- Exposed API remains on `window.secureBitChat`, but without backup globals or hidden toggles.
- Consolidated multiple setInterval tasks into a single scheduler to reduce attack surface.
- Added strict limits for IV history and log storage to prevent memory exhaustion.
- Improved XSS hardening: no more global switches to disable security features.
- Removed unsafe exposure of internal objects:
• deleted all references to `window.fileTransferSystem`
• unified global API setup to a single immutable `safeGlobalAPI` via Object.freeze
• removed legacy branch with `delete window[name]`
- Logging improvements:
• eliminated all direct `console.*` calls (use `_secureLog` exclusively)
• fixed string templates with proper interpolation (``${var}``)
• prevented accidental fallback to raw console in production
- Cryptography enforcement:
• updated `_validateCryptographicSecurity()` to require ECDSA and PFS
• added emergency shutdown if critical crypto features are missing
• ensured consistent feature enabling for production
- Metadata of extracted keys is now marked encrypted: true
- Removed decryption bypass via _keyReferences, all keys are returned via decrypt
- Nested encryption uses random 96-bit IV instead of single byte increment
- Fixed _secureLogShim: correct argument destructuring (...args)
- Removed busy-wait in forceInitializeFileTransfer, replaced with async wait
- Replace unsafe console.error/warn calls with secure logging system
- Implement production-safe logging that masks sensitive data
- Add automatic sanitization for cryptographic keys and sensitive information
- Create secure logging infrastructure for EnhancedSecureWebRTCManager and EnhancedSecureCryptoUtils
- Prevent data leakage of internal logic and error details in production
- Add production/development mode detection for appropriate logging levels
- Implement server-side error logging for production environments
- Replace unsafe console.error/warn calls with secure logging system
- Implement production-safe logging that masks sensitive data
- Add automatic sanitization for cryptographic keys and sensitive information
- Create secure logging infrastructure for EnhancedSecureWebRTCManager and EnhancedSecureCryptoUtils
- Prevent data leakage of internal logic and error details in production
- Add production/development mode detection for appropriate logging levels
- Implement server-side error logging for production environments
BREAKING CHANGE: Enhanced key validation now performs complete ASN.1 parsing
Security improvements:
- Added complete ASN.1 DER parser for full structure validation
- Implemented OID validation for algorithms and curves (P-256/P-384 only)
- Added EC point format verification (uncompressed format 0x04)
- Validate SPKI structure elements count and types
- Check key size limits to prevent DoS attacks (50-2000 bytes)
- Verify unused bits in BIT STRING (must be 0)
- Added fallback support from P-384 to P-256
This fixes high-risk vulnerability where keys with valid headers but
modified data could be accepted. Now all structural elements are validated
according to PKCS standards.
Affected methods:
- validateKeyStructure() - complete rewrite with ASN.1 parsing
- All key import/export methods now use enhanced validation
Security Enhancements:
- Add salt entropy validation (minimum 16 unique bytes for 64-byte salts)
- Expand secure logging patterns to catch more sensitive data types
(fingerprint, mac, hash patterns)
- Implement random timing delays in verifyAuthProof() to mask execution timing
- Revert sanitizeMessage() to working regex-based approach
Validation Improvements:
- validateSalt() now checks both size and entropy quality
- secureLog.sanitizeContext() enhanced with additional sensitive patterns
- Added timing attack protection with 5-25ms random delays
- Improve installation status detection logic
- Add proper DOM cleanup when PWA is installed
- Enhance monitoring for installation state changes
- Fix shouldShowPrompt() logic to always check current status
- Add forceInstallationCheck() method for manual status updates
- Improve installation status detection logic
- Add proper DOM cleanup when PWA is installed
- Enhance monitoring for installation state changes
- Fix shouldShowPrompt() logic to always check current status
- Add forceInstallationCheck() method for manual status updates
- Eliminated unsafe global state (window.*)
- Added DoS protection with MessageSizeValidator
- Added race condition prevention with AtomicOperations
- Added rate limiting (10 files/minute)
- Added secure memory management with SecureMemoryManager
- Wrapped handleFileChunk in atomic operations
- Updated all methods with security enhancements
- New users now see install prompt automatically after 10 seconds
- Smart cancellation prevents duplicate prompts
- Added PWAUtils methods for delayed prompt management
- Enhanced user onboarding experience
- Respects installation status and user preferences
