this post was submitted on 25 Dec 2024
101 points (98.1% liked)

Open Source

31899 readers
219 users here now

All about open source! Feel free to ask questions, and share news, and interesting stuff!

Useful Links

Rules

Related Communities

Community icon from opensource.org, but we are not affiliated with them.

founded 5 years ago
MODERATORS
 

Bored on holidays or miss Omegle? Come chat with us on MeroChat!

It's a web based random chat where you're presented with a flow of user profiles, whom you can choose to chat with. And of course someone else might find you the same way and send you a message out of the blue (provided your privacy settings allow it).

And here's the code. (Written in PureScript!) A lot remains to be done but it's a joyful thing already.

you are viewing a single comment's thread
view the rest of the comments
[–] Tiuku@sopuli.xyz 3 points 2 weeks ago (1 children)

The sanest option in terms of user practicality to me appears to be storing the private key on the server, maybe encrypted with the user's password, and sending it to the user on successful login where it would be decrypted client side.

That does seem reasonable, but it doesn't solve the trust issue. The server might always send a modified script that just uploads the plaintext private key.

That said it would still be useful in other ways. Like in a breach the data would be secure.

[–] waffle@sh.itjust.works 2 points 2 weeks ago (1 children)

The server might always send a modified script that just uploads the plaintext private key.

Yeah, you'd need a way to validate the client code before it's executed to solve that issue

Section "2. Client application security" of MEGA's Security Whitepaper discusses this exact problem. Their best solution to that issue is to just cram the whole frontend in a signed web extension and not serve any code to the user when the extension is active, which is not very user friendly but works for those who want an extra layer of protection

I just can't find a good user-friendly implementation, sorry for not being of more help. The web just isn't E2EE-friendly ig :/

[–] Tiuku@sopuli.xyz 2 points 1 week ago (1 children)

You've helped enough :)

Hmmm I see.

We have an app in the making, so I guess we will eventually implement proper e2ee there and then just try our best in the browser.

[–] waffle@sh.itjust.works 2 points 1 week ago

Damn already working on an app? That's so cool! Starting E2EE there is definitely a good idea then!

MeroChat is such a nice project, thank you for working on it <3