Built a small encrypted messenger that runs over any MQTT broker you host. The broker is just a dumb relay — it only sees ciphertext, never plaintext.

Setup is dead simple: spin up an MQTT broker (EMQX, Mosquitto, whatever), share a room name and encryption key with someone, done.

ChaCha20-Poly1305 + Argon2id, fresh salt and nonce per message. Rust backend (Tauri), React frontend, single portable exe around 5MB.

There’s also a clipboard encryption mode — type plaintext, it encrypts to clipboard, paste into any app. Useful if you don’t want to run a dedicated chat client.

Originally designed for people in censored regions, but it works as a minimal self-hosted secure chat for anyone who wants it.

Limitations: no forward secrecy, no traffic obfuscation, Windows only for now. Tauri should make cross-compilation straightforward if anyone wants to build for Linux/macOS.

Unlicense, public domain. I’m not maintaining it — fork and do what you want.

  • moonpiedumplings@programming.dev
    19 hours ago

    Journalists communicating with sources in censored regions

    Whistleblowers sharing information securely

    You and your peer agree on an encryption key (any string).

    This is unacceptably unsecure for the use cases you mention. There is a reason why the most secure messaging apps don’t use symmetric encryption, don’t use passphrases, and they also possess forward secrecy.

    It’s pointless to push this as a censorship circumvention method when many other methods exist that already do so 10x better, in a secure way, over decentralized, hidden and unblockable infrastructure. (Tor’s meek-azure bridges use Microsoft’s infrastructure, which nobody is able to block because everybody depends on it, even China).

    I appreciate the project, and I am always happy to see people learning, progressing, and publishing their results, but you need to be honest about the weaknesses of your software compared to established solutions. It’s not impossible for you to one day produce a secure messaging app, but today is not the day. Right now, using this is just a fast way to get killed.

    • clinamen0@lemmy.worldOP
      17 hours ago

      Thank you for your reply. In fact, this project is a one-off project and a vision. The original idea came from fear — my fear. The fear of having your communications surveilled, and the legal risks that come with having your speech monitored. I face all of these.

      My vision: the software should be simple, easy to use, quickly distributable, non-commercial, available to every ordinary person, maximizing the cost of censorship for authoritarian governments — until the day when we can finally see the light.

      For this reason, I gave up many complex designs.

      Its goal: “two people get the software and can use it right away.” Only this way can more ordinary people in authoritarian countries embrace this kind of information protection. Indeed, more secure methods exist, but those tools are too complex. Moreover, citizens in authoritarian countries are naturally hostile toward such software. But an app that lets you chat in ciphertext directly on social media, or use it standalone, is something interesting. And citizens in many authoritarian countries are about to face ubiquitous surveillance — because of AI.

      Based on this, anyone with some basic knowledge of Rust can quickly build and distribute it. For higher-risk scenarios, excellent community forks can address those needs.

      This is my vision.

      Note: This account will be retired soon to prevent tracing. And I hope we shall meet again, in the place where there is no darkness.

  • SayCyberOnceMore@feddit.uk
    21 hours ago

    Why the 1-off release with no further development? (9 months ago)

    Interesting take though, using MQTT instead of XMPP.

    • clinamen0@lemmy.worldOP
      17 hours ago

      Thank you very much for your reply. In fact, this project is a one-off project and a vision. The original idea came from fear — the fear of having your communications surveilled, and the legal risks that come with having your speech monitored.

      It had many ideas, which were eventually abandoned. I’m unable to continuously maintain and update this project, so it would need community forks.

      The 9-month silence was also for the same reason. The account replying to you (clinamen0) will also be retired soon, to prevent tracing.

  • clinamen0@lemmy.worldOP
    1 day ago

    Due to throwaway account limitations, I can’t post this in many places. If you think this project is useful, feel free to share it wherever you think it fits.