Simple encrypted web chat. Powered by socket.io, the web cryptography API.

Darkwire server is a Node.js application that requires redis.

darkwire-server

The Darkwire.io web client is written in JavaScript with React JS and Redux.

darkwire-client

To quickly get up and running, we recommend using Docker and Docker Compose.

$ docker-compose pull && docker-compose up

Darkwire client will be binded to port 80 while the server is on port 3000. Go to http://localhost. This will also start a redis instance running on port 6379.

If running in a public environment, be sure the modify ENV_VARS via docker-compose.yml.

environment:
    - API_HOST=dwserver
    - API_PROTOCOL=http
    - API_PORT=3000

Run setup-dev.sh to automatically clone server/client files and install dependencies, or clone the client and server repositories.

1. Create a Pull Request for the respective service with detailed changes
2. Wait for review and/or merges

Please report any security issues to [email protected].

If you are trying to access the legacy stable version of darkwire, you can use the oldest tag before v2.0.0 which is v1.6.0 or checkout the legacy branch.

Darkwire uses a combination of asymmetric encryption (RSA-OAEP), symmetric session keys (AES-CBC) and signing keys (HMAC) for security.

Here's an overview of a chat between Alice and Bob (also applies to group chats):

1. Bob creates a room and immediately creates a public/private key pair (RSA-OAEP).
2. Alice joins the room and also creates a public/private key pair. She is sent Bob's public key and she sends Bob her public key.
3. When Bob goes to send a message, three things are created: a session key (AES-CBC), a signing key (HMAC SHA-256) and an initialization vector (used in the encryption process).
4. Bob's message is encrypted with the session key and initialization vector, and a signature is created using the signing key.
5. The session key and signing key are encrypted with each recipient's public key (in this case only Alice, but in a group chat multiple).
6. The encrypted message, initialization vector, signature, encrypted session key and encrypted signing key are sent to all recipients (in this case just Alice) as a package.
7. Alice receives the package and decrypts the session key and signing key using her private key. She decrypts the message with the decrypted session key and vector, and verifies the signature with the decrypted signing key.

Group chats work the same way because in step 5 we encrypt keys with everyone's public key. When a message is sent out, it includes encrypted keys for everyone in the room, and the recipients then pick out the ones for them based on their user ID.

Darkwire does not provide any guarantee that the person you're communicating with is who you think they are. Authentication functionality may be incorporated in future versions.

Darkwire encodes documents (up to 4MB) into base64 using btoa and is encrypted the same way chat messages are.

1. When a file is "uploaded", the document is encoded on the client and the server recieves the encrypted base64 string.
2. The server sends the encrypted base64 string to clients in the same chat room.
3. Clients recieving the encrypted base64 string then decrypts and decodes the base64 string using atob.

Darkwire uses socket.io to transmit encrypted information using secure WebSockets (WSS).

Rooms are stored in memory on the server until all participants have left, at which point the room is destroyed. Only public keys are stored in server memory for the duration of the room's life.

Chat history is stored in each participant's browser, so it is effectively erased (for that user) when their window is closed.

Questions/comments? Email us at hello[at]darkwire.io

Found a bug or want a new feature? Open a ticket on Github.

Darkwire is maintained and hosted by two developers with full-time jobs. If you get some value from this service we would appreciate any donation you can afford. We use these funds for server and DNS costs. Thank you!

Bitcoin

189sPnHGcjP5uteg2UuNgcJ5eoaRAP4Bw4

Ethereum

0xD6e3D881036903999E2c0480fe9d2c20600C1c28

Litecoin

LUViQeSggBBtYoN2qNtXSuxYoRMzRY8CSX

PayPal: