VityaSchel / session-web

Experimental project running Session messenger in a web browser online
https://session-web.pages.dev

Session-web fixes many vulnerabilities: we need an audit #1

Open qdhj opened 3 months ago

qdhj commented 3 months ago

We need an audit for this stuff, cuz' it's NEAT:

  1. Session uses an exact port, so your internet provider can find out that you USE Session, and if you live under a totalitarian government (like China or Russia), they can just send the police to raid you and read your messages on the device (beating the password out of you, if it's encrypted)
  2. The web client can be used through Tor, thus going around any censorship with the whole power of the big Tor project
  3. Some secret OSes, like Tails, don't let you download Session, so a web service is handy for political activists and cypherpunks
  4. As far as I understand, an intruder (e.g. a government? haha) can make one (1) node and wait long enough until many users (or some exact user) accidentally get it as their first node, so IP and nickname can be linked to each other, and thus the person is deanonymised in every open chat. Logging in to Session through Tor fixes that.
  5. The web client can be used from any device without a need to download & set up the app. It's easier to migrate between devices and is compatible with any OS.
  6. Some folk furthermore may want to keep their drive clean and unsuspicious -- thus, without downloading messengers "for those who have secrets"/"for terrorists". The web version helps.
  7. And more!

Thus, I'm praying for some rich buddy to buy this guy an audit. But this won't likely happen, so everybody reading this, please donate to the guy!

VityaSchel commented 3 months ago

Copying my thoughts on this from the Session channel where we discussed this:

I recommend waiting with the review until I rewrite it with the new sessionjs framework. Currently it is very limited and based on something between the old framework and the new one; the web client is a proof of concept, not an actual client to be used. It will likely break with existing sessions due to lack of support for many types of messages and caveats, and it needs testing and polishing.

The good news is that, unlike the Swift client that I develop aiming at performance and UX, sacrificing some cool ideas and features in my mind that couldn't be implemented in Swift due to Apple's decision to offer either a small subset of easy-to-use components to build an app or very complex structures where you have to reinvent everything from scratch, I can tell that the next version of the web client will be beautiful and feature-rich, because it's easy to use React, CSS and JS to create any component I want, and I have many years of experience with that.

Also, always keep in mind that the web client has one single centralized node (my proxy) which sees all unencrypted requests and sends them directly to swarms instead of through the Oxen decentralized network. This should be fixed in future if I figure out how onion requests work and manage to redirect them to actual Session nodes instead of directly to swarms.

But surely my Session projects will develop better & faster if you donate to me at hloth.dev/donate, and consider donating to Oxen so that they can afford to hire me 😊 https://optf.ngo/donations