thanks for your questions. i have a few links to share i hope will help answer your questions. but i will also try to answer them here. i think there is much to say, but i will try to keep it brief.
How is it hosted? What is the network topology? Which Trent must be trusted?
the app is hosted from me on AWS S3. the app is predominantly emphesising on browser-based client-side functionality for things like data storage, webrtc and cryptography.
same app is also hosted on github pages to show how users can take more control over their version of the chat app.
id like to make more time into investigating resiliancy by having federated modules hosted on multiple cloud providers. (currently its only on s3 and gh-pages)
Has the cryptography been audited? What are the primitives and protocols used? What kinds of guarantees, aside from basic privacy, are actually established?
im actively looking for feedback on the cryptography and would like to have it audited by a professionals. im currently in the process for asking for support from https://www.opentech.fund/labs/security-lab
as a sideproject, i dont want to undermine the efforts ive put into it, but i dont know what i can say for what i can guarantee. making the project open source is a big step towards clarity in how it works. at this early stage in development. i expect there will be breaking changes as i make changes and improvements. its important to note this project is a work in progress.
What happens during a disaster? Am I easy to dox, track, etc.? What bad things happen if somebody takes my phone from me?
maybe the threat model i linked previously can help answer that.
there is not registration database to hack so nothing traditionally centralized to be hacked. on the website im using google analytics. on the app itself is using nlevel-analytics.
a user profile in the context of the app is entirely browser-based and can be removed as simply as clearing site-data on any modern browser.
the user profiles can also be exported an imported. this functionality in the app is a bit flaky at the moment but it is intended to be a feature. ive tested it out enough to know its works. i would like to make it more robust.
im separately investigating having data encrypted at rest in the browser: https://programming.dev/post/21417459 (this investigation is far from finished, but is something i would like to introduce to this app)
“P2P encrypted” doesn’t sound like actual security
thanks for your questions. i have a few links to share i hope will help answer your questions. but i will also try to answer them here. i think there is much to say, but i will try to keep it brief.
How is it hosted? What is the network topology? Which Trent must be trusted?
Has the cryptography been audited? What are the primitives and protocols used? What kinds of guarantees, aside from basic privacy, are actually established?
What happens during a disaster? Am I easy to dox, track, etc.? What bad things happen if somebody takes my phone from me?
here is a previous post i made on the matter: https://www.reddit.com/r/crypto/comments/1fmoykr/secure_and_private_encrypted_p2p_chat_in
i hope this answers your questions. please feel free to ask more questions for clarity. i will do my best to answer them.