What does “authentication” mean if there’s no server? - the app uses browser based cryptography functions as described here: github.com/…/Cryptography.tsx … basically asymmetric and symmetric keys are generated between peers on the initial connection and stored on device (indexedDB). maybe this helps: positive-intentions.com/docs/…/authentication/
How do browsers behind NAT connect to each other? - the app is using peerjs and so it also uses the peerjs-server as a connection broker. im investigating things like exchanging webrtc connection data offline with things like qr-codes.
How does it verify that the other chat partner is who they say they are? - the asymmetric keys exchanged after the initial connections. i cant drive home a point more clearly. the first connection should be secure, the peerID is cryptographically random, but i have to defer the responsibility of exchanging this ID to a peer they trust. positive-intentions.com/docs/…/getting-started#se…
Why use this and not Simplex? - this app is a work in progress and not ready to replace anything.
this is a side project and im unable set anything aside for having security professionals take a look. its important to note, i am not a cryptography expert… i just know enough to create the app. i try to make this clear in all of my posts that it is for testing purposes only because it could be irresponsible to advertise this this fully working. while the security attempt is genuine. to fix various issues throught the app, i expect there will be breaking changes.
further more about security assessment; while the app is open source, i found that its too complicated for a security assessment without a budget. this is going to be addressed in a ground up implementation of the p2p framework. github.com/positive-intentions/p2p … this will eventually replace what is being used in the app and will make it easier to inspect how it works.