End2End Chat is a privacy-first, real-time chat application designed for maximum privacy and anonymity. It features three encryption modesโGroup Chat (unlimited members, shared AES-256 key), Private Chat (1-to-1, RSA-2048), and Password-Protected Rooms (secure 2-person sessions). Built with modern web technologies and a true zero-knowledge architecture, your conversations are always secure and never stored.
๐ฏ Core Philosophy:
No signup, no tracking, just secure conversations. Your messages, your keys, your privacy.
- ๐ Three Chat Modes: Group (unlimited), Private (max 2), Password (secure 2-person)
- ๐ก๏ธ True End-to-End Encryption: RSA-2048 + AES-256 GCM (hybrid)
- โก Real-Time Messaging: WebSocket-based instant delivery
- ๐ฅ Firebase Integration: Real-time session metadata and presence tracking
- ๐ Encrypted File Sharing: Images, videos, audio, documents up to 5MB
- ๐ผ๏ธ Screenshot Protection: Blocks Print Screen & clipboard access
- ๐ฅ Typing Indicators: See when others are typing (encrypted)
- ๐ Download Notifications: Know when files are downloaded
- ๐ฌ File Captions: Add text descriptions to shared files
- ๐ค Anonymous: No signup, email, or phone number required
- ๐ต๏ธ Zero Persistence: Messages exist only during active sessionsโno database, no tracking
- ๐ฑ Fully Responsive: Perfect on desktop, tablet, and mobile
- ๐จ Modern UI: Clean design with glassmorphism effects and Google Fonts
- ๐ Encrypted Session Links: Secure invite system with time-limited tokens
- ๐ฑ Progressive Web App (PWA): Installable on standard devices, offline support, and app-like experience
๐ Installable & Offline Ready
One-Click Installation:
- Desktop/Mobile: Install the app directly to your home screen or desktop
- Native Experience: Runs in its own window without browser UI elements
- Offline Capable: Core features load instantly even without internet
- Auto-Updates: Seamlessly updates in the background when new features arrive
Why PWA?
- โก Performance: Faster load times with efficient caching
- ๐ Security: Served over HTTPS, leveraging same security model
- ๐ฑ Accessibility: Works across all modern devices and platforms (iOS, Android, Windows, Mac)
- ๐ถ Resilience: Better handling of poor network conditions
๐ Privacy in the Digital Age
Most messaging apps collect extensive personal data, store conversations on servers, and require phone numbers or emails. This project demonstrates:
- True End-to-End Encryption: Messages encrypted on sender's device, decrypted only by recipient
- Zero-Knowledge Architecture: Server cannot read your messages even if it wanted to
- Anonymous Communication: No personal data required or stored
- Ephemeral Messaging: Messages exist only during active sessions
- Open Source Transparency: Every line of code is publicly auditable
๐ก๏ธ Advanced Security Implementation
- Hybrid Cryptography: RSA-OAEP + AES-GCM for optimal security and performance
- Client-Side Key Generation: Private keys never leave your device
- Perfect Forward Secrecy: Each session uses unique encryption keys
- Automatic Session Cleanup: No persistent message history
- Mode-Based Security: Choose encryption strength based on your needs
- Encrypted Session Links: Time-limited tokens for secure invitations
- Screenshot Protection: Prevents unauthorized capture of sensitive content
๐ Educational Value
This project serves as a learning resource for:
- Cryptography: Real-world implementation of RSA and AES encryption
- WebSocket Technology: Understanding real-time bidirectional communication
- React Best Practices: Modern component architecture and state management
- Security Patterns: Zero-knowledge design and privacy-first development
- Full-Stack Development: Complete frontend and backend integration
Session Metadata & Presence Tracking
What it does:
- Stores non-sensitive session metadata (NOT encrypted messages)
- Real-time user presence and online status
- Anonymous authentication for better user management
- Auto-cleanup of inactive sessions
Why it's secure:
- Encrypted messages are NEVER stored in Firebase
- Only routing information and presence data stored
- Complements E2E encryption (doesn't compromise it)
Implementation: // Client: src/config/firebase.config.ts // Service: src/services/firebase.service.ts // Server: server/services/firebaseAdmin.js
๐ Cryptographic Implementation
| Feature | Implementation | Security Benefit |
|---|---|---|
| ๐ Three Chat Modes | Group (AES-256 shared) / Private (RSA-2048) / Password (RSA + passphrase) | Flexible security for different use cases |
| ๐ End-to-End Encryption | RSA-OAEP 2048-bit + AES-GCM 256-bit | Industry-standard message protection |
| ๐๏ธ Key Management | Client-side generation, memory-only storage | Private keys never transmitted |
| ๐ Hybrid Encryption | RSA for key exchange, AES for message content | Optimal security + performance |
| ๐ก๏ธ Perfect Forward Secrecy | Session-based ephemeral keys | Past messages remain secure |
| ๐ซ Zero-Knowledge Server | Server cannot decrypt any content | Complete privacy guarantee |
| ๐ฅ Session Controls | Group: Unlimited, Private: Max 2, Password: Max 2 | Mode-based restrictions |
| ๐ Encrypted Invites | Time-limited AES-encrypted session tokens | Secure link sharing |
โก Real-Time & Communication Features
- โก WebSocket Messaging - Socket.IO for instant real-time delivery (20MB file support)
- ๐ Group Mode - Unlimited members with shared AES-256 session key encryption
- ๐ Private Mode - Secure 1-to-1 chat with RSA-2048 (max 2 members)
- ๐ Password Mode - Protected rooms with passphrase authentication (max 2 members)
- ๐ Multi-Format Files - Images, videos, audio, documents (5MB max) encrypted in all modes
- ๏ฟฝ File Captions - Add descriptive text to any uploaded file
- ๏ฟฝ๐ Download Tracking - Real-time notifications when files are downloaded
- ๐ฅ Typing Indicators - See when others are typing (with privacy protection)
- ๐ต๏ธ Anonymous Usage - No login, signup, or personal data collection
- ๐ In-Memory Sessions - Zero database, messages only during active session
- ๏ฟฝ Auto-Reconnection - Seamless reconnection on network interruptions
- ๐ก๏ธ Screenshot Protection - Print Screen blocked, clipboard auto-cleared
- ๐ฑ Responsive Design - Perfect experience on all devices
- ๐ Encrypted Session Links - Share secure time-limited invite tokens
- ๐จ Modern UI/UX - Glassmorphism, smooth animations, gradient backgrounds
๐ฅ Session & Communication Management
- ๐ฌ Three Chat Modes - Group (unlimited), Private (max 2), Password (secure 2-person)
- ๐ Flexible Sessions - Create or join with unique session IDs
- ๐ Auto-Reconnection - Handles network interruptions gracefully
- ๐ฅ Multi-User Support - Group: broadcast to all, Private/Password: 1-to-1 only
- ๐ข Online Status - Real-time connection status indicators
- ๐ผ๏ธ Secure File Sharing - All file types encrypted before transmission
- ๐จ Modern Responsive UI - TailwindCSS with glassmorphism and gradients
- ๐ Individual Decryption - Each user maintains their own private key
- ๐ซ Strict Mode Enforcement - Private/Password modes enforce 2-member maximum
- ๐ฑ Mobile Optimized - Responsive breakpoints for all screen sizes
- ๐ Session Link Sharing - Encrypted tokens with expiration (24 hours)
- ๐ฏ Mode Selection UI - Clear visual indicators for each mode type
๐งโ๐ป Developer & Deployment Features
- ๐ ๏ธ Easy Setup - Minimal configuration, ready in minutes
- ๐ Well-Documented - Comprehensive inline comments and README
- ๐ง Extensible Architecture - Modular components for easy customization
- ๐ WebSocket Server - Node.js + Express + Socket.IO backend
- โก Vite Build System - Lightning-fast development and hot reload
- ๐ Scalable Design - Handles multiple concurrent sessions efficiently
- ๐ Deploy Anywhere - Vercel, Netlify, Heroku, Railway compatible
- ๐จ TailwindCSS - Utility-first styling with custom animations
- ๐ฑ Fully Responsive - Mobile-first design with smart breakpoints
- ๐ Production Ready - Console.log cleanup with proper logging utility
- ๐ฏ TypeScript - Type-safe development with improved DX
- ๐ SEO Optimized - Proper meta tags, sitemap, and canonical URLs
- ๐ Multiple Pages - Home, Features, Security, About, Abstract, Privacy, Terms
- ๐ญ Layout System - Consistent header/footer with conditional rendering
| Category | Technology | Purpose | Security Role |
|---|---|---|---|
| ๐จ Frontend | React 18 + TypeScript | Modern UI/UX with type safety | Prevents runtime errors and enhances security |
| ๐ Backend | Node.js + Socket.IO | Real-time WebSocket (20MB) | Encrypted message routing only |
| ๐ Cryptography | Web Crypto API | Native browser encryption | Hardware-accelerated security |
| ๐จ Styling | Tailwind CSS | Responsive utility-first design | Clean, professional interface |
| ๐ ๏ธ Build Tool | Vite | Fast development & optimization | Minimal bundle size |
| ๐ฆ Deployment | Vercel/Netlify | Global CDN hosting | HTTPS-only delivery |
| ๐ Routing | React Router v6 | Multi-page navigation | SEO-friendly URLs |
| ๐ญ Meta Tags | React Helmet Async | Dynamic SEO optimization | Better search visibility |
๐ Security-First Architecture Design
โโโโโโโโโโโโโโโโโโโ WebSocket โโโโโโโโโโโโโโโโโโโ
โ React Client โโโโโโโโโโโโโโโโโโโโโโโโโโโโโบโ Node.js Server โ
โ (3 Encryption โ Socket.IO (20MB) โ (Port 3001) โ
โ Modes) โ โ Session Mgmt โ
โโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโ
โ โ
localStorage In-Memory Map
(userId, keys) (Sessions + chatMode + Messages)
Mode Selection:
โโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโ
โ GROUP MODE โ โ PRIVATE MODE โ โPASSWORD MODE โ
โ Shared AES โ โ RSA + AES โ โRSA + Phrase โ
โ Unlimited โ โ Max 2 users โ โ Max 2 users โ
โโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโ
Frontend Pages:
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Header (Mobile Menu + Desktop Nav) โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ Home | Features | Security | Abstract โ
โ About | Privacy | Terms โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ Layout System (Conditional Footer) โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
๐ก๏ธ Security Principles:
- Three Encryption Modes: Group (shared) / Private (1-to-1) / Password (protected)
- Zero-Knowledge Server: Server only routes encrypted data, cannot decrypt
- Client-Side Encryption: All cryptographic operations in browser
- Memory-Only Keys: Private keys never touch storage or network
- Ephemeral Sessions: Complete data cleanup on session end
- No Database: Messages exist only in server memory during active session
- Mode-Based Limits: Private/Password sessions restricted to 2 members
- Encrypted Invites: Time-limited AES-encrypted session tokens (24h expiry)
- Responsive Layout: Proper flex layout prevents white space issues
๐ Your support helps maintain and improve this privacy-focused project!
Supporting privacy tools contributes to a safer digital world for everyone.
๐ด Live Demo Instructions
- ๐ Visit Demo: https://chatend2end.vercel.app
- ๐ Enter Name: Provide a display name (no signup required)
- ๐ฏ Choose Mode:
- Group ๐ฅ - Unlimited members, shared encryption
- Private ๐ - 1-to-1 chat (max 2 people)
- Password ๏ฟฝ - Protected room (max 2 people)
- ๐ Create/Join:
- Create a new session and get shareable link
- Or join existing session with code
- ๐ Start Chatting: Experience encrypted messaging
- ๐ Share Files: Drag & drop encrypted files up to 5MB
- ๐ก๏ธ Verify Security: Check encryption indicators
๐ Security Verification:
- Open browser DevTools โ Network tab to see encrypted payloads
- Verify that no plain text messages are transmitted
- Confirm private keys remain in browser memory only
- Check Session Storage for encrypted session data
๐ฑ Mobile Testing:
- Hamburger menu for navigation on mobile
- Responsive layout works on all screen sizes
- Touch-optimized UI elements
๐จ Modern UI Features:
The interface features a clean, modern design with:
- Glassmorphism Effects: Backdrop blur and transparent overlays
- Gradient Backgrounds: Smooth blue โ purple โ pink transitions
- Real-Time Indicators: Encryption status, typing indicators, online status
- Mode Selection: Visual cards for Group, Private, and Password modes
- File Sharing UI: Drag-and-drop with preview and captions
- Responsive Layout: Perfect on desktop, tablet, and mobile
- Mobile Navigation: Hamburger menu with smooth animations
- Toast Notifications: Non-intrusive alerts for downloads and events
๐ Available Pages:
- ๐ Home: Session creation with mode selection
- โจ Features: Complete feature showcase with hover effects
- ๐ก๏ธ Security: Detailed security and encryption documentation
- ๐ Abstract: Technical and non-technical project overview
- ๐ฅ About: Developer story and technology stack
- ๐ Privacy: Privacy policy and data handling
- โ๏ธ Terms: Terms of service and usage guidelines
Preview Features:
- ๐จ Clean Material Design inspired interface
- ๐ Visual Encryption Indicators showing message security status
- ๐ฅ Anonymous User Avatars with session-based identities
- ๐ฑ Responsive Breakpoints optimized for all screen sizes (sm, md, lg, xl)
- โก Real-time Typing Indicators with encrypted status
- ๐ก๏ธ Mode Badges showing current encryption mode (Group/Private/Password)
- ๐ฏ Smart Spacing no white space issues on any screen size
๐ Required Tools
๐ ๏ธ Development Environment:
- Node.js: Version 18 or higher (Download)
- npm: Comes with Node.js (or use yarn/pnpm)
- Git: For cloning the repository (Download)
- Modern Browser: Chrome, Firefox, Safari, or Edge with Web Crypto API support
๐ป Development Tools:
- Code Editor: VS Code, WebStorm, or your preferred IDE
- Terminal: PowerShell, Command Prompt, or Bash
๐ฏ Quick Setup (Recommended)
# 1๏ธโฃ Clone the repository
git clone https://github.com/Arya182-ui/End2end-Chat.git
cd End2end-Chat
# 2๏ธโฃ Install frontend dependencies
npm install
# 3๏ธโฃ Install server dependencies
cd server
npm install
cd ..
# 4๏ธโฃ Start the WebSocket server (Terminal 1)
cd server
node server.js
# 5๏ธโฃ Start the frontend (Terminal 2 - new terminal)
npm run dev๐ Your encrypted chat app will be running at:
- Frontend:
http://localhost:5173(Vite dev server) - Backend:
http://localhost:3001(WebSocket server)
๐ First-Time Setup Notes:
- The server must be running before starting the frontend
- Both terminals must remain open during development
- Hot reload enabled for frontend changes
- Server requires manual restart for changes
๐ฌ Development Setup with Testing
# Clone and setup
git clone https://github.com/Arya182-ui/End2end-Chat.git
cd End2end-Chat
# Install all dependencies
npm install
cd server && npm install && cd ..
# Start server in background (Terminal 1)
cd server
node server.js
# Start frontend with hot reloading (Terminal 2)
npm run dev
# Build for production testing
npm run build
npm run preview๐ Setup with Google Technologies (Optional but Recommended)
The application works in Demo Mode without any API keys, but for full functionality, set up Google Technologies:
- Go to Firebase Console
- Create a new project or select existing
- Enable Realtime Database:
- Go to Realtime Database โ Create Database
- Choose location and start in test mode
- Enable Anonymous Authentication:
- Go to Authentication โ Sign-in method
- Enable Anonymous
- Get your config:
- Project Settings โ General โ Your apps
- Copy the Firebase config object
- For server (Admin SDK):
- Project Settings โ Service Accounts
- Generate new private key (downloads JSON file)
- Go to Google Cloud Console
- Enable Cloud Translation API
- Go to APIs & Services โ Credentials
- Create API Key (restrict to Translation API for security)
- Copy the API key
- Visit Google AI Studio
- Create a new API key
- Copy the key
Frontend (create .env in project root):
VITE_FIREBASE_API_KEY=your_firebase_api_key_here
VITE_FIREBASE_AUTH_DOMAIN=your_project.firebaseapp.com
VITE_FIREBASE_PROJECT_ID=your_project_id
VITE_FIREBASE_DATABASE_URL=https://your_project-default-rtdb.firebaseio.com
VITE_FIREBASE_STORAGE_BUCKET=your_project.appspot.com
VITE_FIREBASE_MESSAGING_SENDER_ID=123456789
VITE_FIREBASE_APP_ID=1:123456789:web:abcdef123456
VITE_GEMINI_API_KEY=your_gemini_api_key_here
VITE_DEMO_MODE=falseBackend (create server/.env):
PORT=3001
CLIENT_URL=http://localhost:5173
# Firebase Admin SDK (from downloaded JSON)
FIREBASE_PROJECT_ID=your_project_id
FIREBASE_CLIENT_EMAIL=firebase-adminsdk-xxxxx@your_project.iam.gserviceaccount.com
FIREBASE_PRIVATE_KEY="-----BEGIN PRIVATE KEY-----\nYour private key here\n-----END PRIVATE KEY-----\n"
# Google Cloud Translation
GOOGLE_CLOUD_TRANSLATE_KEY=your_translation_api_key_here
# Gemini AI
GEMINI_API_KEY=your_gemini_api_key_here
DEMO_MODE=false# Terminal 1 - Server with Google Technologies
cd server
npm start
# Terminal 2 - Frontend with Google Technologies
npm run devโจ Now you have:
- ๐ฅ Real-time session metadata in Firebase
- ๐ Live message translation (12+ languages)
- โจ AI-powered smart replies
- ๐ก๏ธ Automated content moderation
- ๐ Sentiment analysis
๐ญ Demo Mode (No API Keys Required)
Run the app without any Google API keys:
# Terminal 1 - Server in Demo Mode
cd server
DEMO_MODE=true node server.js
# Terminal 2 - Frontend in Demo Mode
VITE_DEMO_MODE=true npm run devDemo Mode Features:
- โ Full end-to-end encryption working
- โ All UI components visible
- โ Mock translations (shows demo messages)
- โ Mock AI suggestions (predefined responses)
- โ No real API calls (perfect for testing)
- โ No API costs or rate limits
Note: Demo mode is great for development and testing, but for production or hackathon demos, use real API keys for full functionality.
Two terminals required for full functionality:
Terminal 1 - WebSocket Server (Port 3001):
cd server
node server.jsโ
Server running on http://localhost:3001
โ
Handles WebSocket connections
โ
Manages sessions in memory
โ
Supports file uploads up to 20MB
Terminal 2 - React Frontend (Port 5173):
npm run devโ
Frontend running on http://localhost:5173
โ
Hot module replacement enabled
โ
Connects to WebSocket server
โ
Auto-opens in default browser
๐ง Development Tips:
- Keep both terminals visible to monitor logs
- Server logs show connection/disconnection events
- Frontend shows Vite build status
- Use
Ctrl + Cto stop either server - Changes to server.js require manual restart
- Frontend changes auto-reload instantly
๐๏ธ WebSocket Session Storage (In-Memory)
// Server In-Memory Structure (No database persistence)
{
sessions: Map<sessionId, {
members: Map<userId, {
socketId: string,
publicKey: string,
userName: string
}>,
messages: Array<{
id: string,
from: userId,
encrypted: string, // Base64 AES-encrypted content
encryptedKeys: Map<userId, string>, // RSA-encrypted AES keys
timestamp: number,
type: "text" | "image" | "video" | "audio" | "file",
fileName?: string,
fileSize?: number,
caption?: string
}>
}>
}๐ Security Properties:
- Zero Persistence: All data in server memory, cleared on disconnect
- Forward Secrecy: Each message uses unique AES key
- Perfect Forward Secrecy: RSA keys are session-ephemeral
- Minimal Metadata: Only routing info (userId, socketId)
- Auto-Cleanup: Sessions deleted when all users leave
๐ Hybrid Encryption Algorithm
๐ Encryption Process:
// 1. RSA Key Pair Generation (Per Session)
const keyPair = await crypto.subtle.generateKey(
{
name: "RSA-OAEP",
modulusLength: 2048,
publicExponent: new Uint8Array([1, 0, 1]),
hash: "SHA-256"
},
true, // extractable
["encrypt", "decrypt"]
);
// 2. AES Key Generation (Per Message)
const aesKey = await crypto.subtle.generateKey(
{
name: "AES-GCM",
length: 256
},
true,
["encrypt", "decrypt"]
);
// 3. Message Encryption Process
const encryptedMessage = await crypto.subtle.encrypt(
{
name: "AES-GCM",
iv: crypto.getRandomValues(new Uint8Array(12))
},
aesKey,
messageBuffer
);
// 4. AES Key Encryption (for each recipient)
const encryptedAESKey = await crypto.subtle.encrypt(
{
name: "RSA-OAEP"
},
recipientPublicKey,
aesKeyBuffer
);๐ Security Benefits:
- RSA-OAEP: Prevents chosen-ciphertext attacks
- AES-GCM: Provides both encryption and authentication
- Unique IV: Each message has cryptographically random initialization vector
- Key Isolation: Each message uses a fresh AES key
๐ Message Flow & Security Protocol
๐จ Secure Message Flow (3 Modes):
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ WebSocket Message Flow (3 Modes) โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ โ
โ GROUP MODE (Shared Key): โ
โ 1. Creator generates session AES key in browser โ
โ 2. Session key encrypted with each member's RSA public key โ
โ 3. Members decrypt session key with their RSA private key โ
โ 4. All messages encrypted/decrypted with shared AES key โ
โ โ
โ PRIVATE MODE (Per-Message): โ
โ 1. Alice generates RSA key pair in browser โ
โ 2. Alice sends public key to WebSocket server โ
โ 3. Server stores Alice's public key with socketId โ
โ 4. Bob retrieves Alice's public key from server โ
โ 5. Bob generates AES key for message โ
โ 6. Bob encrypts message with AES โ
โ 7. Bob encrypts AES key with Alice's RSA public key โ
โ 8. Server routes encrypted payload via Socket.IO โ
โ 9. Alice decrypts AES key with RSA private key โ
โ 10. Alice decrypts message with AES key โ
โ โ
โ PASSWORD MODE (Protected): โ
โ 1. Creator sets room password (min 5 chars) โ
โ 2. Password hashed and stored with session โ
โ 3. Joiner must provide correct password to access โ
โ 4. Uses same RSA encryption as Private mode โ
โ 5. Strict 2-member limit enforced โ
โ โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
๐ก๏ธ Security Guarantees:
- End-to-End Encryption: Only sender and recipient can read messages
- Perfect Forward Secrecy: Compromised keys don't affect past messages
- Anonymous Communication: No personal identifiers required
- Ephemeral Sessions: Complete cleanup when session ends
- Zero-Knowledge Server: WebSocket server cannot decrypt content
- Download Tracking: Encrypted file download notifications
- Mode Isolation: Each mode enforces its own security rules
- Session Link Security: Encrypted tokens with 24-hour expiration
๐ Cryptographic Security Measures
| Security Layer | Implementation | Protection Against |
|---|---|---|
| ๐ Transport Security | HTTPS/TLS 1.3 + WSS (WebSocket Secure) | Man-in-the-middle attacks |
| ๐๏ธ Key Management | Client-side RSA-2048 generation | Key compromise via server breach |
| ๐ Message Encryption | AES-GCM-256 per message | Content interception |
| ๐ก๏ธ Authentication | Public key cryptography | Identity spoofing |
| ๐งน Data Retention | Zero persistent storage | Long-term data exposure |
| โก Forward Secrecy | Ephemeral session keys | Historical message compromise |
โ Cryptographic Standards:
- RSA-OAEP with SHA-256 padding
- AES-GCM with 256-bit keys and 96-bit IVs
- Cryptographically secure random number generation
- Web Crypto API for browser-native security
๐ซ Privacy & Anonymity Features
๐ต๏ธ Anonymous by Design:
- โ No Account Creation: Zero personal information required
- โ No Email/Phone: No contact information collected
- โ No IP Logging: WebSocket server doesn't log connection IPs
- โ No Tracking: No analytics or behavioral monitoring
- โ No Persistent IDs: Session-based temporary identifiers only
๐งน Data Minimization:
- Ephemeral Sessions: All data deleted when session ends
- Memory-Only Keys: Private keys never written to storage
- Minimal Metadata: Only essential routing information stored
- Automatic Cleanup: In-memory sessions auto-delete on disconnect
โ ๏ธ Security Considerations & Limitations
๐ฏ Educational & Demo Purpose:
- This is a demonstration project for educational purposes
- Not intended for highly sensitive or classified communications
- Recommended for learning cryptography and secure messaging concepts
๐ง Production Considerations:
- Implement rate limiting for abuse prevention
- Add Content Security Policy (CSP) headers
- Consider additional authentication for sensitive deployments
- Perform regular security audits and penetration testing
- Implement proper error handling without information disclosure
๐ก๏ธ Threat Model:
- Protected Against: Passive surveillance, server breaches, MITM attacks
- Not Protected Against: Endpoint compromise, malicious browser extensions
- Trust Assumptions: Users trust their device and browser security
Details
๏ฟฝ Frontend Deployment (Vercel/Netlify)Step 1: Update WebSocket URL
Edit src/services/websocket.ts:
const SOCKET_URL = 'https://your-server.herokuapp.com'; // Your server URLStep 2: Build Project
npm run buildStep 3: Deploy
- Vercel:
vercel --prod - Netlify: Drag
dist/folder to Netlify dashboard - GitHub Pages: Use GitHub Actions workflow
๐ Backend Deployment (Heroku/Railway/Render)
Step 1: Create Procfile
web: node server.js
Step 2: Update CORS in server/server.js:
cors: {
origin: "https://your-frontend.vercel.app",
methods: ["GET", "POST"]
}Step 3: Deploy
# Heroku
heroku create your-app-name
git push heroku main
# Railway
railway up
# Render
# Connect GitHub repo in dashboard๐ก๏ธ Enhanced Security Settings
๏ฟฝ WebSocket Server Security (Production):
// server/server.js - Production Configuration
const io = new Server(server, {
cors: {
origin: process.env.ALLOWED_ORIGINS || "https://your-frontend.vercel.app",
methods: ["GET", "POST"],
credentials: true
},
maxHttpBufferSize: 20 * 1024 * 1024, // 20MB
pingTimeout: 60000,
pingInterval: 25000,
transports: ['websocket', 'polling']
});
// Rate limiting middleware
const rateLimit = require('express-rate-limit');
const limiter = rateLimit({
windowMs: 15 * 60 * 1000, // 15 minutes
max: 100 // limit each IP to 100 requests per windowMs
});
app.use(limiter);๐ Content Security Policy (CSP):
<meta http-equiv="Content-Security-Policy"
content="default-src 'self';
script-src 'self' 'unsafe-inline';
style-src 'self' 'unsafe-inline';
connect-src 'self' wss://your-server.herokuapp.com https://your-server.herokuapp.com">
๐ Quick Start Guide
1๏ธโฃ Choose Your Mode:
- Group Chat: For team discussions, multiple participants, broadcast messaging
- Private Chat: For sensitive 1-to-1 conversations (max 2 members)
2๏ธโฃ Create Secure Session:
- Select your preferred mode (Group or Private)
- Click "Create New Session" to generate encrypted chat room
- Your browser creates a unique RSA-2048 key pair
- Share the session code with intended participants only
3๏ธโฃ Join Session Securely:
- Enter the session code provided by the creator
- Your browser generates its own encryption keys
- Public keys are automatically exchanged securely
- Private Mode: Only 1 joiner allowed (creator + joiner = 2 max)
4๏ธโฃ Verify Encryption:
- Look for the mode badge (๐ Group or ๐ Private)
- Verify that "Encrypted" status shows for all communications
- Check that private keys remain "Local Only"
5๏ธโฃ Send Encrypted Messages:
- Type your message in the input field
- Group Mode: Message encrypted once with shared session key, broadcast to all
- Private Mode: Message encrypted separately for each recipient
- Recipients decrypt messages with their private keys
6๏ธโฃ Share Files Securely:
- Drag and drop images or files into the chat
- Files are encrypted with the same mode-specific security standards
- Both modes: Support images, videos, audio, documents up to 5MB
- File metadata is minimized for privacy
7๏ธโฃ Leave Session Safely:
- Close browser tab or click "Leave Session"
- All keys and data are automatically cleaned up
- Session becomes inaccessible to prevent future access
๐ก๏ธ Security Best Practices
๐ Operational Security (OpSec):
- Use Incognito/Private Browsing: Prevents local storage of any data
- Fresh Browser Session: Clear cookies and cache before important chats
- Secure Networks: Use trusted Wi-Fi or cellular connections
- Updated Browser: Ensure Web Crypto API is latest version
- Device Security: Lock your device when not in use
๐ซ What NOT to Do:
- โ Don't share session codes in insecure channels (email, SMS, social media)
- โ Don't use on shared or public computers
- โ Don't trust browser extensions during sensitive conversations
- โ Don't screenshot or copy-paste sensitive encrypted messages
- โ Don't leave sessions open unattended
โ Security Verification:
- Check Encryption Status: Verify ๐ icons appear on all messages
- Verify Participants: Confirm session has only intended users
- Monitor Session Activity: Watch for unexpected participants joining
- Test Message Delivery: Ensure messages decrypt correctly for recipients
๐ Technical Verification
๐ต๏ธ For Advanced Users - Verify Security:
# Open browser developer tools and check:
# 1. Network Tab - Verify encrypted payloads
console.log("All network requests should show encrypted base64 data only");
# 2. Application/Storage Tab - Verify no plain text storage
localStorage; // Should be empty or contain no sensitive data
sessionStorage; // Should contain no plain text messages
# 3. Console verification
console.log("Private keys should never appear in network requests");
console.log("All message content should be base64 encrypted strings");๐ฌ Cryptographic Verification:
- Key Generation: RSA-OAEP 2048-bit keys generated with Web Crypto API
- Message Encryption: AES-GCM 256-bit with random IV per message
- Key Exchange: Public keys transmitted, private keys stay local
- Perfect Forward Secrecy: Each message uses unique AES key
๐ Security-Focused Contributions
๐ก๏ธ Security Improvements:
- Cryptographic Audits: Review encryption implementation
- Vulnerability Assessment: Identify and report security issues
- Security Documentation: Improve security explanations
- Penetration Testing: Test application security boundaries
๐ง Technical Enhancements:
- Performance Optimization: Improve encryption speed
- Browser Compatibility: Extend Web Crypto API support
- User Experience: Enhance security indicators and flows
- Code Quality: Refactor for better maintainability
๐ Documentation & Education:
- Security Tutorials: Create educational content about E2E encryption
- Best Practices: Document secure usage patterns
- Translation: Multi-language documentation
- Examples: Real-world usage scenarios
๐ฏ Contribution Guidelines
๐ Before Contributing:
- Read Security Policy: Understand our security-first approach
- Review Architecture: Familiarize yourself with encryption design
- Check Issues: Look for existing security concerns or features
- Security Discussion: Propose security changes in issues first
๐ Development Process:
# 1๏ธโฃ Fork the repository
git clone https://github.com/your-username/End2end-Chat.git
# 2๏ธโฃ Create security-focused branch
git checkout -b security/feature-name
# 3๏ธโฃ Make improvements with security in mind
# - Test encryption functionality
# - Verify no data leaks
# - Maintain zero-knowledge principles
# 4๏ธโฃ Submit pull request with security checklistโ Security Checklist for PRs:
- No private keys exposed in code or logs
- All new features maintain E2E encryption
- No sensitive data stored persistently
- Cryptographic operations use Web Crypto API
- Security documentation updated
๐ฎ Security & Privacy Enhancements
๐ก๏ธ Advanced Security Features:
- Post-Quantum Cryptography: Preparation for quantum-resistant algorithms
- Perfect Forward Secrecy: Enhanced key rotation mechanisms
- Secure Multiparty Computation: Advanced group encryption protocols
- Zero-Knowledge Proofs: Identity verification without data exposure
๐ Platform Extensions:
- Mobile Apps: Native iOS/Android with same security principles
- Desktop Apps: Electron-based with enhanced security isolation
- Browser Extension: Secure chat overlay for any website
- API Integration: Secure messaging SDK for other applications
๐ฌ Research Areas:
- Homomorphic Encryption: Computing on encrypted data
- Decentralized Architecture: P2P WebRTC connections
- Blockchain Integration: Immutable public key distribution
- Secure Voice/Video: End-to-end encrypted multimedia communication
๐ MIT License Terms
Permission is hereby granted, free of charge, to any person obtaining a copy of this software...
- โ Commercial Use: Use in commercial projects
- โ Modification: Modify and customize the code
- โ Distribution: Share and redistribute
- โ Private Use: Use for personal projects
โ ๏ธ Limitation: No warranty or liability provided
Full license text available in LICENSE file.
โ ๏ธ Important Disclaimers
๐ Educational Purpose:
- This project is designed for educational and demonstration purposes
- Not intended for highly sensitive or classified communications
- Users should understand cryptographic limitations and threats
๐ก๏ธ Security Disclaimers:
- No warranty of absolute security provided
- Users responsible for their own operational security
- Regular security audits recommended for production use
- Consider professional security review for sensitive deployments
๐ Data & Privacy:
- No personal data collected by the application
- WebSocket server doesn't persist any user data
- Users responsible for compliance with local privacy laws
- In-memory sessions auto-delete on disconnect
๐ง Core Technologies & Libraries
| Technology | Purpose | Why We Love It |
|---|---|---|
| โ๏ธ React | Frontend Framework | Modern, component-based UI development |
| ๏ฟฝ Socket.IO | WebSocket Library | Real-time bidirectional communication |
| ๐ข Node.js | Backend Runtime | Fast, scalable server infrastructure |
| ๐ Web Crypto API | Cryptography | Browser-native, secure encryption |
| ๐จ Tailwind CSS | UI Styling | Rapid, responsive design system |
| โก Vite | Build Tool | Lightning-fast development and builds |
| ๐ TypeScript | Type Safety | Enhanced code quality and security |
๐ค Inspiration & Learning Resources
๐ Cryptographic Education:
- Signal Protocol: Inspiration for modern E2E encryption
- OpenPGP: Foundation of public key cryptography principles
- OWASP: Security best practices and vulnerability guidelines
- Mozilla Crypto: Web Crypto API documentation and examples
๐ Security Research:
- Cryptography Engineering by Ferguson, Schneier, and Kohno
- Applied Cryptography by Bruce Schneier
- The Crypto Papers - Academic cryptographic research
- IETF RFCs - Cryptographic standards and protocols
๐ฅ Community Contributors:
- Security researchers who review cryptographic implementations
- Open source developers advancing web security standards
- Privacy advocates promoting secure communication tools
- Educational institutions teaching cryptography and cybersecurity
๐ฏ Project Supporters & Motivations
๐ Privacy Advocates:
- Everyone fighting for digital privacy rights
- Developers creating secure, user-friendly encryption tools
- Educators teaching the importance of cryptographic literacy
- Users who prioritize security over convenience
๐ Development Community:
- Stack Overflow contributors solving complex cryptographic questions
- GitHub community providing feedback and security reviews
- React, Node.js, and Socket.IO teams for excellent developer documentation
- Web standards organizations advancing browser security APIs
โ Coffee Supporters:
- Those who support open source development through coffee donations
- Contributors who help maintain and improve the project
- Users who star, fork, and share the project
- Security researchers who provide valuable feedback
We have seamlessly integrated PrivyChat to provide secure Video and Voice Calling capabilities directly within our platform.
PrivyChat is an open-source, ultra-secure, and ephemeral messaging platform designed for maximum privacy. It operates entirely in RAM (Random Access Memory) with a "Zero-Trust" philosophy.
"Privacy is not a crime. It is a fundamental human right."
| Feature | Description |
|---|---|
| ๐ฅ Video & Voice Calls | High-definition Peer-to-Peer (WebRTC) video and audio calls. No server recording. |
| ๐ต๏ธโโ๏ธ RAM-Only Architecture | Data exists only in volatile memory. If the server restarts, 100% of data is lost instantly. |
| ๐ญ Stealth Features | Decoy Calculator Mode, Ghost Mode (blurred messages), and Browser Panic Button. |
| โก Ephemeral Messaging | Messages are never stored on a hard drive. Zero-trace forensics. |
| ๐ Spy-Grade Security | PBKDF2 Key Generation + AES-GCM Message Encryption + HTTPS/WSS Transport. |
- Click the "Video Call" link in the navigation header of
SecureChat. - You will be securely redirected to the PrivyChat secure environment.
- Your connection is hand-offed to a dedicated, ephemeral video room.
- Zero-Knowledge Server: The PrivyChat server routes encrypted blobs but cannot read them.
- Plausible Deniability: Features like a "Decoy Vault" redirect to a weather app to hide your activity.
- Advanced UI: Glassmorphism design, Matrix Hacker themes, and Voice Masks (Robot, Monster).
Powered by PrivyChat - The Zero-Trace Spy Messenger.
- Marlon Brando
Made with ๐ for a more secure digital world
