SecureBitChat/securebit-chat
1
0
Fork 0
Code Issues Pull Requests Actions 25 Packages Projects Releases Wiki Activity
226 Commits 2 Branches 6 Tags
main
T
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
lockbitchat 9244250835
CodeQL Analysis / Analyze CodeQL (push) Waiting to run
Details
Deploy Application / deploy (push) Waiting to run
Details
Mirror to Codeberg / mirror (push) Waiting to run
Details
Mirror to PrivacyGuides / mirror (push) Waiting to run
Details
ux(ice-test): clarify result when browser hides reflexive/relay candidates (Safari)
2026-06-16 01:50:40 -04:00
.github/workflows
feat: implement comprehensive PWA force update system
2025-12-29 10:51:07 -04:00
assets
release: v4.8.10 user-configurable STUN/TURN servers
2026-06-15 16:05:31 -04:00
config
fix(deploy): 404 missing assets instead of HTML fallback; ship public STUN config
2026-06-15 16:30:39 -04:00
deploy
fix(deploy): 404 missing assets instead of HTML fallback; ship public STUN config
2026-06-15 16:30:39 -04:00
dist
ux(ice-test): clarify result when browser hides reflexive/relay candidates (Safari)
2026-06-16 01:50:40 -04:00
doc
release: prepare v4.8.5 security hardening release
2026-05-17 14:48:52 -04:00
libs
chore: remove debug logging and disable debug mode for production
2025-10-02 01:43:32 -04:00
logo
New component with partner logos
2025-12-30 04:16:41 -04:00
public
feat: implement comprehensive PWA force update system
2025-12-29 10:51:07 -04:00
scripts
feat: implement comprehensive PWA force update system
2025-12-29 10:51:07 -04:00
src
ux(ice-test): clarify result when browser hides reflexive/relay candidates (Safari)
2026-06-16 01:50:40 -04:00
tests
feat: user-configurable STUN/TURN servers (advanced network settings)
2026-06-15 15:39:13 -04:00
tools
feat(security,ui): self-host React deps, Tailwind, fonts; strict CSP; local QR; better selection state
2025-09-08 16:04:58 -04:00
.dockerignore
build: add Fly.io deployment (nginx static serving)
2026-06-15 16:23:14 -04:00
.gitignore
release: v4.8.9 security hardening patch
2026-06-15 15:08:03 -04:00
.htaccess
Fix CSP errors, MIME types, and Service Worker issues
2026-01-06 23:01:32 -04:00
browserconfig.xml
feat: Add comprehensive PWA support with offline functionality
2025-08-17 16:04:45 -04:00
build.ps1
feat: implement build system and development workflow
2025-09-08 19:22:50 -04:00
CHANGELOG.md
release: v4.8.10 user-configurable STUN/TURN servers
2026-06-15 16:05:31 -04:00
Dockerfile
fix(deploy): 404 missing assets instead of HTML fallback; ship public STUN config
2026-06-15 16:30:39 -04:00
favicon.ico
add icon
2025-08-13 22:57:38 -04:00
fly.toml
build: add Fly.io deployment (nginx static serving)
2026-06-15 16:23:14 -04:00
ico.svg
First commit - all files added
2025-08-11 20:52:14 -04:00
index.html
ux(ice-test): clarify result when browser hides reflexive/relay candidates (Safari)
2026-06-16 01:50:40 -04:00
LICENSE
update name
2025-08-16 19:17:32 -04:00
manifest.json
release: v4.8.10 user-configurable STUN/TURN servers
2026-06-15 16:05:31 -04:00
meta.json
ux(ice-test): clarify result when browser hides reflexive/relay candidates (Safari)
2026-06-16 01:50:40 -04:00
package-lock.json
release: v4.8.10 user-configurable STUN/TURN servers
2026-06-15 16:05:31 -04:00
package.json
release: v4.8.10 user-configurable STUN/TURN servers
2026-06-15 16:05:31 -04:00
README.md
release: v4.8.10 user-configurable STUN/TURN servers
2026-06-15 16:05:31 -04:00
RESPONSIBLE_USE.md
- SECURITY_DISCLAIMER.md: Developer liability protection
2025-08-17 16:31:22 -04:00
SECURITY_DISCLAIMER.md
release: v4.8.10 user-configurable STUN/TURN servers
2026-06-15 16:05:31 -04:00
SECURITY.md
release: v4.8.9 security hardening patch
2026-06-15 15:08:03 -04:00
sw.js
fix: enforce service worker cache allowlist
2026-05-17 23:22:46 -04:00
tailwind.config.json
feat(security,ui): self-host React deps, Tailwind, fonts; strict CSP; local QR; better selection state
2025-09-08 16:04:58 -04:00

README.md

SecureBit.chat v4.8.10

SecureBit.chat is a browser-based peer-to-peer chat application built on WebRTC and Web Crypto APIs. It is designed for direct encrypted communication, explicit peer verification, and a small operational footprint without account registration or server-side message storage.

Security model

SecureBit.chat uses:

  • ECDH key agreement with derived session keys
  • DTLS-protected WebRTC transport
  • deterministic Short Authentication String (SAS) verification
  • end-to-end encrypted chat payloads
  • replay protection and session-state cleanup
  • encrypted local key metadata in IndexedDB

A session is not treated as verified until both peers complete the interactive SAS flow. Each user must compare the displayed code with the peer through an out-of-band channel and enter the matching code manually. Three failed SAS attempts terminate the session.

Highlights in v4.8.10

  • New: users can configure their own STUN/TURN servers under "Advanced network settings" (header gear or the connection-creation screen). Input is allowlist-validated, optionally saved encrypted on-device, and a built-in "Test servers" check reports STUN/TURN reachability.
  • Relay-only privacy mode moved into the advanced settings panel; the standalone start-screen toggle was removed.

Earlier in the v4.8 hardening line:

  • Patched a high-severity XSS advisory in the DOMPurify dependency (the message sanitizer) by upgrading to a fixed release.

  • Operator TURN credentials are no longer committed to the repository; use config/ice-servers.example.js as a template.

  • The production logger no longer prints error context or info/debug output, only opaque error codes.

  • Manual WebRTC setup preserves pending offer/answer state during slow out-of-band exchange.

  • TURN relay fallback can be configured through config/ice-servers.js for restrictive networks.

  • ICE diagnostics identify mDNS-only candidate failures without exposing full peer IPs.

  • SAS verification is bound to the actual DTLS fingerprint strings of both peers

  • chat sanitization uses DOMPurify-backed text-only output

  • WebRTC privacy mode is explicit and relay-only state stays synchronized at runtime

  • production debug window hooks are gated behind an explicit debug flag

  • receiver-side throttling covers inbound messages and file chunks

  • service-worker caching is restricted to an explicit safe-asset allowlist

  • disconnect cleanup leaves no orphaned delayed timer behind

  • node_modules is no longer tracked in Git

Quick start

Run locally

npm install
npm run build
npm run serve

Then open the local server URL in two browser windows or profiles.

Establish a session

  1. Create an offer in the first browser.
  2. Transfer the offer to the peer and create an answer.
  3. Return the answer to the first browser.
  4. Compare the SAS code out of band.
  5. Enter the matching SAS code on both sides.
  6. Begin chatting only after both peers are verified.

Configuration

TURN / privacy mode

Direct WebRTC connections may expose IP addresses to peers. SecureBit.chat supports a relay-only privacy mode:

  • default mode keeps normal WebRTC behavior and existing STUN support
  • relay-only mode sets iceTransportPolicy: "relay"
  • relay-only mode requires a configured TURN server
  • STUN alone does not hide IP addresses
  • public TURN credentials are not bundled or hardcoded

Configure ICE servers at deployment time and enable relay-only mode only when a TURN service is available. See doc/CONFIGURATION.md.

File transfer policy

Incoming file transfers require explicit user consent. Before the consent prompt appears, metadata is validated and dangerous names are rejected. Safe accepted categories are:

  • common raster images
  • PDF
  • plain text
  • ZIP archives

Executable, scriptable, and high-risk formats are rejected, including .exe, .bat, .cmd, .sh, .js, .msi, .dmg, .app, .jar, .scr, .ps1, .vbs, .html, and .svg. MIME type and filename extension must agree.

Development

Requirements

  • Node.js 18+
  • npm

Commands

npm install
npm test
npm audit
npm run build
npm run dev

Project layout

src/network/   WebRTC connection and session lifecycle
src/transfer/  secure file-transfer implementation
src/crypto/    cryptographic utilities
src/components React UI components
doc/           technical documentation

Documentation

Responsible use

SecureBit.chat is intended for lawful, ethical use. See RESPONSIBLE_USE.md and SECURITY_DISCLAIMER.md.

License

MIT License. See LICENSE.

Reference in New Issue View Git Blame Copy Permalink
S
Description
🔒 World's most secure P2P messenger. End-to-end encrypted, zero-server architecture, quantum-resistant roadmap. WebRTC direct connections, advanced ECDH + DTLS + SAS verification, full ASN.1 validation. Privacy-first communication for the post-surveillance age
anonymous-chatanti-abusebitcoindecentralizedend-to-end-encryptionp2p-chatreal-time-chatwebrtc
Readme MIT 227 MiB
Languages
JavaScript 96%
CSS 2.5%
HTML 1.2%
PowerShell 0.2%