jaseg on Nostr: Y'all, would anyone with a crypto/distributed systems background like to join me in a ...
Y'all, would anyone with a crypto/distributed systems background like to join me in a brief security/privacy analysis of this thing in a week or two? From a cursory glance it looks a bit like a vibe-coded security disaster. Like, signature verification is optional and seems to fail silently, peer identities aren't actually verified before accepting keys, it's not actually anonymous since it has public, long-term identity keys etc.
https://github.com/jackjackbits/bitchat

Published at 2025-07-07 10:43:56 UTC