A secure instant messaging system with double encryption
Only the sender and the recipient have the power to decrypt a message
How is it done?
The passwords associated with accounts are never saved in our databases. When you register, only a hash value, generated with a salt consisting of a pseudo-random string of bytes (to prevent rainbow table attacks), is sent to us and written to our database. A salted hash function is irreversible, so reversing the function to find your password is impossible. We wrote the code for this website, and even we do not have the power to ever know your password.
Hash Encryption Key (private instant messaging)
Your messages are first encrypted by the server (with different keys for different users). Then they are encrypted a second time using the hash encryption key.
The HASH ENCRYPTION KEY (HEK) is a hash value of your password (with a different salt than the one used for password validation), generated when you log in to your account and temporarily saved on your local machine through the sessionStorage feature. It is used to encrypt and decrypt your sent and received messages. SessionStorage variables can't be accessed by our servers (unlike COOKIES or SESSION VARIABLES). Hence, this key is only accessible to you through your browser after you log in, and it is immediately erased from the browser when you close it, when you close the tab or when you log out.
Because the HEK is derived from your password, you do not need to memorize any new passwords or type your password each time you want to view or send messages.
1. The first reason sessionStorage variables were used instead of normal session variables to store the HEK is that admins of this website could technically access session variables. For complete privacy and security, people shouldn't have to trust anyone not to look at their messages (not even the creators of the website); it shouldn't even be a possibility, and that is the level of privacy we achieved with FreeSpeech.
2. Since sessionStorage variables can't even be transferred between tabs, when you open a new tab of FreeSpeech it stops decrypting messages because the HEK wasn't transferred. Even if this slightly decreases functionality, it tremendously increases the security of your password and your messages, which was the main focus of this project.
3. The third reason is that new browsers, like the new version of Chrome, stopped destroying sessions even after you close the browser, which means the session variables aren't destroyed either. So it is possible that your key is saved on the server for a very long time after you close the browser, which makes using session variables an extremely bad idea. Using sessionStorage variables, on the other hand, is staggeringly more secure.
WorldChat is a group chat for the whole world where every user can interact with each other instantly. You don't need an account to use this feature, since guests can chat from the login page.
Once a message is received, nobody can decrypt any message in which you are a sender or a receiver without your password. Hence, be careful about how you store your password and make sure no one except you can access it. If you forget or lose your password, you cannot reset it, so it would be impossible to decrypt your past messages or to access your account.
Created by Mathusan Chandramohan