this post was submitted on 03 Jun 2026
4 points (83.3% liked)

Privacy

9923 readers
103 users here now

A community for Lemmy users interested in privacy

Rules:

  1. Be civil
  2. No spam posting
  3. Keep posts on-topic
  4. No trolling

founded 3 years ago
MODERATORS
iopq@lemmy.world
4
WebRTC messenger architecture — sealed-sender push, encrypted signalling, looking for threat-model critique. Open Source GPLv3 (lemmy.ml)
submitted 4 hours ago by GradleSurvivor@lemmy.ml to c/privacy@lemmy.world
2 comments fedilink hide all child comments
 

A WebRTC messenger where message content never touches a server and the push layer can't see who's messaging whom

Android app, solo-built. Trying to find out where the architecture breaks before I scale it.

The core idea. Messages travel through direct WebRTC data channels (DTLS/SRTP) between two phones. No server stores, reads, or relays content. Group chats use a gossip protocol, sender fans out to a few reachable members who relay onward; members who come online late fetch missing messages from any peer who has them.

The supporting infrastructure, and what each piece can see.

  • Signalling: needed to set up any WebRTC connection. I use a Cloudflare Worker (ephemeral, nothing persisted). The SDP/ICE payload is encrypted with the recipient's public key before it leaves the sender, and the two participants are addressed by opaque per-session hashes. The relay forwards ciphertext between un-linkable identifiers.

  • Push wake-up: FCM, because Android. Sealed-sender design: the wake-up payload is encrypted to the recipient's public key, and the sender's identity is inside that envelope. The push layer sees who's receiving (it must, that's how push works), not who's sending. The FCM request is also forwarded via a Cloudflare Worker so Google doesn't see the sender's IP either.

  • TURN relay: Cloudflare again, for restricted networks. Carries encrypted packets only, like any TURN.

The code is open source (GPLv3).

I wrote a detailed white paper explaining the full architecture on my landing page: https://www.mindtheclub.com/

Mainly interested in where the design assumptions break. The sealed-sender piece, I'd like to know if the threat model I'm assuming there is too generous.

#infosec #privacy #WebRTC #cryptography #Android #FOSS #PeerToPeer

top 2 comments
sorted by: hot top controversial new old
[–] vk6flab@lemmy.radio 1 points 3 hours ago (1 children)

Congratulations, we genuinely need more applications in this space!

I'd be concerned about the usage of, if not dependence on, Cloudflare.

You don't say if you're going to open source this, and I think this kind of software requires it, but if any of your code requires that it's secret in order for it to stay secure, you have a problem.

Consider what happens to all aspects of your traffic if, actually, when, it travels through a hostile network.

How will all this work in double and triple NAT-ted networks, because that's becoming the norm.

[–] GradleSurvivor@lemmy.ml 0 points 3 hours ago

Thank you for the comment!

Actually it is open source (GPLv3): https://github.com/AndreaVagheggi/mindtheclub

I have tackled the Cloudflare dependency implementing a “sealed sender” feature, the wake-up/signalling payload is encrypted to the recipient's public key, and the sender's identity is inside that envelope. The push/signalling layer sees who's receiving, not who's sending.

I use the standard webRTC approach for hostile networks, which is TURN, also with Cloudflare.