Complete the mandatory receiver-consent gate that was wired in the
backend but never connected to the UI callback chain:
- Add the missing onIncomingFileRequest (4th) callback to
setFileTransferCallbacks in app.jsx — its absence caused
handleFileTransferStart to auto-reject every incoming file.
- Remove independent callback registration from FileTransferComponent;
the component was overwriting app-level callbacks on mount and
nulling all four on unmount, silently breaking progress/received/
error handlers whenever the panel was hidden.
- Lift pendingIncomingFiles state to the root component so consent
prompts are shown regardless of panel visibility; auto-open the
panel on incoming request.
- Add getReceivedFileObjectURL / revokeReceivedFileObjectURL on
EnhancedSecureWebRTCManager for download buttons in the panel.
- Update file-transfer-ui-cleanup regression test to match the new
single-owner callback architecture.
- All 14 tests pass; clean production build.
- Update version to v4.7.53
- Add Desktop Edition documentation (Windows, macOS, Linux)
- Update roadmap with all versions and dates
- Add mobile apps information (Q1 2026)
- Expand security and development sections
- Update URLs to securebit.chat domain
- Disable timer-based key rotation for Double Ratchet mode
- Auto-reinitialize encryption keys when missing but ECDH available
- Preserve active keys during periodic cleanup in ratchet sessions
- Fix IndexedDB "database closing" errors with connection checking
- Add individual transactions per queue item to prevent race conditions
Updated PBKDF2 key derivation parameters to align with OWASP 2025 recommendations.
PBKDF2-HMAC-SHA256 now uses 310,000 iterations instead of 100,000 to improve resistance
against modern GPU and ASIC brute-force attacks.
- Updated both encryptData() and decryptData() derivation routines.
- Ensures ~100ms derivation time on modern CPUs (meets OWASP 2025 standard).
- No changes required for backward compatibility of existing ciphertexts.
- Implemented proper RFC 5869 compliant HKDF key derivation process
- Added Perfect Forward Secrecy (PFS) key for enhanced session security
- Improved key separation using unique info parameters for each derived key
- Enhanced salt size from 32 to 64 bytes for increased entropy
- Added comprehensive key validation and error handling
- Implemented proper ECDH + HKDF integration following Web Crypto API best practices
- Added metadata encryption key for enhanced data protection
- Improved compatibility with modern cryptographic standards (RFC 7748, NIST SP 800-56A)
-Enhanced logging and debugging capabilities for cryptographic operations
- Maintained backward compatibility while upgrading security infrastructure
Security improvements:
- Cryptographic isolation between different key purposes
- Enhanced protection against cross-key attacks
- Improved resistance to future key compromise scenarios
- Better compliance with OWASP cryptographic storage guidelines
Technical details:
- Refactored deriveSharedKeys() method for proper HKDF implementation
- Updated WebRTC manager to use new messageKey API
- Added comprehensive error handling and validation
- Improved browser compatibility with standardized cryptographic operations
- This update strengthens the existing security foundation with modern cryptographic practices while maintaining full system compatibility.
Reworked getUnbiasedRandomInRange() to eliminate modulo bias by using
rejection sampling combined with bucket indexing instead of the `%` operator.
Added getUnbiasedRandomFloat() to safely generate unbiased floats for
sizeVariation and sizeMultiplier.
Reimplemented getUnbiasedRandomInRange() using rejection sampling for all range sizes to eliminate modulo bias and ensure uniform cryptographically secure randomness.
- Fixed biased cryptographic random with modulo operations
- Corrected biased cryptographic random with addition operations
- Resolved infinite page loading issue
- Rebuilt all distribution files
- Cache only essential PWA assets (manifest, icons, core scripts)
- Use Network First for all other requests
- Remove aggressive caching of UI components and styles
- Preserve PWA installation while minimizing cache footprint
- removed all logging of raw IV, JWK, session tokens, verification codes
→ logs now only include error codes, timestamps and short non-reversible SHA-256 hashes (first 4 bytes)
- replaced global master key storage with PBKDF2-derived non-extractable AES key
→ master key lives only in session memory and is cleared on timeout/focus-out
- added password-based derivation (PBKDF2) for master key initialization
- migrated persistent key storage to AES-GCM wrapped ciphertext in IndexedDB
→ JWK export → encrypt with session master key → store ciphertext + IV + metadata
→ unwrap + import as non-extractable on restore
- removed busy-wait loops and direct `window.gc()` calls
→ replaced with async non-blocking cleanup via setTimeout/Promise/WebWorker
- Removed temporary console logs used for debugging
- Disabled DEBUG_MODE flag
- Updated configuration to run in production mode
- Cleaned up leftover debug utilities to reduce noise in console
- Removed session creation and Lightning payment logic
- Refactored security system:
* no more restrictions
* all systems enabled on session creation
- Improved QR code exchange for mobile devices
Replace CDN React/ReactDOM/Babel with local libs; remove Babel and inline scripts
Build Tailwind locally, add safelist; switch to assets/tailwind.css
Self-host Font Awesome and Inter (CSS + woff2); remove external font CDNs
Implement strict CSP (no unsafe-inline/eval; scripts/styles/fonts from self)
Extract inline handlers; move PWA scripts to external files
Add local QR code generation (qrcode lib) and remove api.qrserver.com
Improve SessionTypeSelector visual selection (highlighted background and ring)
Keep PWA working with service worker and offline assets
Refs: CSP hardening, offline-first, no external dependencies
- Removed reliance on window.DEBUG_MODE and window.DISABLE_* flags.
- Configuration is now passed via constructor instead of global variables.
- Exposed API remains on `window.secureBitChat`, but without backup globals or hidden toggles.
- Consolidated multiple setInterval tasks into a single scheduler to reduce attack surface.
- Added strict limits for IV history and log storage to prevent memory exhaustion.
- Improved XSS hardening: no more global switches to disable security features.
- Removed unsafe exposure of internal objects:
• deleted all references to `window.fileTransferSystem`
• unified global API setup to a single immutable `safeGlobalAPI` via Object.freeze
• removed legacy branch with `delete window[name]`
- Logging improvements:
• eliminated all direct `console.*` calls (use `_secureLog` exclusively)
• fixed string templates with proper interpolation (``${var}``)
• prevented accidental fallback to raw console in production
- Cryptography enforcement:
• updated `_validateCryptographicSecurity()` to require ECDSA and PFS
• added emergency shutdown if critical crypto features are missing
• ensured consistent feature enabling for production
- Metadata of extracted keys is now marked encrypted: true
- Removed decryption bypass via _keyReferences, all keys are returned via decrypt
- Nested encryption uses random 96-bit IV instead of single byte increment
- Fixed _secureLogShim: correct argument destructuring (...args)
- Removed busy-wait in forceInitializeFileTransfer, replaced with async wait
- Replace unsafe console.error/warn calls with secure logging system
- Implement production-safe logging that masks sensitive data
- Add automatic sanitization for cryptographic keys and sensitive information
- Create secure logging infrastructure for EnhancedSecureWebRTCManager and EnhancedSecureCryptoUtils
- Prevent data leakage of internal logic and error details in production
- Add production/development mode detection for appropriate logging levels
- Implement server-side error logging for production environments
lockbitchat