Making this post hidden because it doesn't seem well received. Maybe it's the wrong community for the feedback I'm after.

Sorry.


TL;DR: for my project I wanted the Signal protocol in a form that would work in a browser. I couldn't find something suitable… so, empowered by AI, I tried to create something myself. I don't want to inspire undue confidence.

IMPORTANT: this project is not professionally audited or production-ready.


For my p2p messaging project (a webapp) I wanted to explore a usage of the Signal protocol… the investigation is still in progress and far from finished. It's clear that the Signal protocol is not intended for a p2p architecture, since it needs things like prekeys stored on servers. So it seems necessary to adapt it.

I looked around for a suitable implementation I could use. Compiling the implementation in lib-signal-go to wasm seemed like an option that worked… I was concerned that it seemed unmaintained and that there was no mention of an audit. Perhaps naively, I decided to see if I could put something together. I started off creating something using browser-based cryptography primitives. I would have liked to keep it that way, but an earlier AI audit disagreed with using those primitives, so I moved towards an attempt in Rust that compiles to wasm.

https://github.com/positive-intentions/cryptography/tree/staging/src/rust

I added several unit tests and got AI to try to create better security audits, and I think it's working well (or at least well enough). The AI's security audit points me to many things I can improve throughout (so I will when I can).

This is fairly complicated stuff and I know better than to ask people to spend their own time reviewing my experimental project… I'm not sharing for you to review my code; I'm sharing it here in case it is interesting for anyone to take a look.


(Note: the repo is getting a bit too "full" and I will be splitting it into a separate repo for just the Signal implementation.)

(Note 2: I'm aiming for it to be aligned with the correct spec. I'm completely aware of the concerns around using AI in the domain of cybersecurity. It's fine to have an opinion on the matter, but it's not a fruitful conversation to be shocked that "AI is being used in 2025". The source and audit are provided for transparency. If there is something wrong with the details, that's what I want to discuss and fix.)

    • xoron@programming.dev (OP) · 2 days ago (edited)

      Thanks. This implementation is intended for a p2p messaging app. It works as a webapp and only stores data locally.

      The Signal architecture requires prekeys to be stored on a server; in a p2p approach you don't need pre-signed keys and the double ratchet starts immediately (the tradeoff is that there is no offline messaging).

      I'm investigating making it so that the service worker caches the initial static files… so page refreshes don't update the loaded statics. There would be an explicit button to update the statics for the service worker. I have a basic concept working but it isn't finished enough for me to roll out.

      When open source, there are additional capabilities that can be unlocked, like being able to run the app from index.html without a static server. This would be stronger against anyone making changes at the network level.

      I understand why Signal doesn't do a webapp like many other services such as WhatsApp… the p2p messaging architecture is fundamentally different.