I want to make it dead-easy for others to chat with me. I want a browser-based, FLOSSS, E2EE chat solution that doesn't require the other party to log in. Does that exist?
-
I still don't see how
swap to a modified JS that exfiltrates the e2ee key
or
add additional keys
Wouldn't significantly change the recieved hash and break the stream thus ending comms. Also unless you're hosting and building it yourself you have to trust the recipient and the cloud host.
I agree if an attacker owns the server comms can be compromised. I thought that was the benefit of the ephemeral nature. It's for quick relay of information. Best practices would probably include another cypher within the messages themselves like a one time pad or some such.
https://www.itstactical.com/intellicom/tradecraft/uncrackable-diy-pencil-and-paper-encryption/
i'm trying to understand your exact scenario.
but in general, the problem is where do you get your original key, or original hash to verify from? if they are both coming from the server, along with the code which processes them, then if the server is compromised, so are you.
thankfully browsers give alot of crypto API lately (as discussed in your link) so your byo code payload could be alot smaller these days.
but you still need at minimum a secure key & a hash and trusted code to verify the code the server serves you. there are ofc solutions to this problem, but if the server is unstrusted, you absolutely can't get it from them, which means you have to get it from somewhere else (that you trust).
-
i'm trying to understand your exact scenario.
but in general, the problem is where do you get your original key, or original hash to verify from? if they are both coming from the server, along with the code which processes them, then if the server is compromised, so are you.
thankfully browsers give alot of crypto API lately (as discussed in your link) so your byo code payload could be alot smaller these days.
but you still need at minimum a secure key & a hash and trusted code to verify the code the server serves you. there are ofc solutions to this problem, but if the server is unstrusted, you absolutely can't get it from them, which means you have to get it from somewhere else (that you trust).
I don't know yet. It's more a thought experiment than anything else.
https://github.com/muke1908/chat-e2ee
Looks like the URL is part of the seed and salt which is cool.
Proving who you are is done in another stream. Like MFA.
You do a one time pad, generate the URL with that. Communicate what's needed, then the URL dies.
I'm still noodling with it.
-
Here's my problem: every F(L)OSS and E2EE solution that I know of requires other people to download an app or log in.
I want to reduce the friction for others to communicate for me. I want to give a business card with a URL where people can go and immediately send messages to my Matrix or my email or something, and they don't need to log in at all.
They just open their browser, go to snek_boi.io or whatever and a chat appears.
A couple of years ago, I was suggested Cactus Comments. I suppose that works, but I was wondering if there are other solutions. I was wondering if now there was an even easier solution for my purposes.
out of interest, do you actually mean no login, or do you mean no email-verified login?
-
I don't know yet. It's more a thought experiment than anything else.
https://github.com/muke1908/chat-e2ee
Looks like the URL is part of the seed and salt which is cool.
Proving who you are is done in another stream. Like MFA.
You do a one time pad, generate the URL with that. Communicate what's needed, then the URL dies.
I'm still noodling with it.
cool, sounds like you have most of the principles down.
what i didn't yet see articulated with chat-e2ee is how the actual code itself verifies itself to the user in the browser? it sounds to me like it assumes the server which serves the code is 'trusted', while the theoretically different server(s) which transmits the messages can be 'untrusted'.
-
cool, sounds like you have most of the principles down.
what i didn't yet see articulated with chat-e2ee is how the actual code itself verifies itself to the user in the browser? it sounds to me like it assumes the server which serves the code is 'trusted', while the theoretically different server(s) which transmits the messages can be 'untrusted'.
I think that's by design and the nature of the setup. Anyone with the URL can communicate.
-
I think that's by design and the nature of the setup. Anyone with the URL can communicate.
ah fair enough. i think that was the initial confusion from myself and perhaps the other user in this discussion. i didn't realise your use cases.
it's always a fun topic to discuss and got me thinking about some new ideas
-
This sounds amazing. It's unfortunate that Graphene OS has so much toxicity around it, but this design decision is amazing. Love it.
I tried quickly looking for the feature, but I couldn't find it. I searched for "Graphene OS Matrix chat homepage guest user", "Graphene OS chat homepage guest user", "Graphene OS chat homepage", and "Graphene OS homepage QR" but didn't find what you mentioned.
Matrix config has an option named "guest mode", that is what I believe they're using.
-
ah fair enough. i think that was the initial confusion from myself and perhaps the other user in this discussion. i didn't realise your use cases.
it's always a fun topic to discuss and got me thinking about some new ideas
Right?! This is why I love the Fediverse and FOSS.
Have a good night/day
Hope you find new fun ideas as well!
-
Matrix config has an option named "guest mode", that is what I believe they're using.
Ah. I searched for it and found that guest mode was disabled on Matrix.org's servers. I wonder if making it work in another server is easy…
-
That matters? Why does developer behavior influence your judgement over whether you will use certain pieces of software? Just curious
You're bringing up a fair point, similar to "can you separate the art from the artist"? I think it's possible; I've seen mean and disparaging people do amazing work. Heck, at times I've been a cranky worker cranking out good work.
However, I also know that toxic people are hard to work with and limit their own potential and that of others. A quick look at the ACT literature, the intrinsic motivation literature, the learned-helplessness literature, and the Lybomirsky et al. meta-analyses from 2008 and 2018 all point to the same idea: psychologically flexible people are happier and that leads to better work and more productivity, but not the other way around.
-
It has. Strangely enough they posted a code of conduct after that feedback and started weilding the ban hammer. However I cannot speak to outside forums like XDA or Reddit or even comms here. I tend to stick to their forums or github
Oh wow. That's a pleasantly surprising code of conduct. If the code of conduct is consequential, I stand corrected about my view of Graphene OS.
- "Respectful and kind". Amazing.
- "Harassment is not tolerated". Hell yeah.
- "Be respectful and constructive." Brilliant.
-
out of interest, do you actually mean no login, or do you mean no email-verified login?
No login at all. You just open the URL and there's a text box waiting for you to send a message to me.
-
Idk how to help you, snek boi.
That's alright
-
No login at all. You just open the URL and there's a text box waiting for you to send a message to me.
So you want a guestbook from 1996?
-
it's so easy to chat with you!
hi
I'm nicole, but you can call me the fediverse chick
Is that a crack pipe
-
Here's my problem: every F(L)OSS and E2EE solution that I know of requires other people to download an app or log in.
I want to reduce the friction for others to communicate for me. I want to give a business card with a URL where people can go and immediately send messages to my Matrix or my email or something, and they don't need to log in at all.
They just open their browser, go to snek_boi.io or whatever and a chat appears.
A couple of years ago, I was suggested Cactus Comments. I suppose that works, but I was wondering if there are other solutions. I was wondering if now there was an even easier solution for my purposes.
You mean a "contact form?" They're everywhere.
-
Here's my problem: every F(L)OSS and E2EE solution that I know of requires other people to download an app or log in.
I want to reduce the friction for others to communicate for me. I want to give a business card with a URL where people can go and immediately send messages to my Matrix or my email or something, and they don't need to log in at all.
They just open their browser, go to snek_boi.io or whatever and a chat appears.
A couple of years ago, I was suggested Cactus Comments. I suppose that works, but I was wondering if there are other solutions. I was wondering if now there was an even easier solution for my purposes.
Isn't this asking for trouble with spam, bots etc?
-
Isn't this asking for trouble with spam, bots etc?
Yes. I suppose I’d like to try it. Maybe the cost is worth the benefits.
-
it's so easy to chat with you!
hi
I'm nicole, but you can call me the fediverse chick
Who is she? Whats up? Is this a 'how do you do fellow kids'
-
Here's my problem: every F(L)OSS and E2EE solution that I know of requires other people to download an app or log in.
I want to reduce the friction for others to communicate for me. I want to give a business card with a URL where people can go and immediately send messages to my Matrix or my email or something, and they don't need to log in at all.
They just open their browser, go to snek_boi.io or whatever and a chat appears.
A couple of years ago, I was suggested Cactus Comments. I suppose that works, but I was wondering if there are other solutions. I was wondering if now there was an even easier solution for my purposes.
Jitsi Meets?
