103
submitted 1 week ago by Tiuku@sopuli.xyz to c/opensource@lemmy.ml

Bored on holidays or miss Omegle? Come chat with us on MeroChat!

It's a web based random chat where you're presented with a flow of user profiles, whom you can choose to chat with. And of course someone else might find you the same way and send you a message out of the blue (provided your privacy settings allow it).

And here's the code. (Written in PureScript!) A lot remains to be done but it's a joyful thing already.

all 23 comments
sorted by: hot top controversial new old
[-] Undertaker@feddit.org 24 points 1 week ago

Messages are not end to end encrypted and can thus be read from service provider.

Additionally Google is integrated into website.

[-] Tiuku@sopuli.xyz 14 points 1 week ago

That's true. It's due to lack of implementation.

Getting e2ee right is tricky business. Any help or insight would be appreciated.

[-] semperverus@lemmy.world 7 points 1 week ago* (last edited 1 week ago)

Look into libaxolotl (AKA "OMEMO"), it is the same system Signal uses and is highly standardized.

[-] waffle@sh.itjust.works 5 points 1 week ago

I know Matrix has E2EE with some public documentation on its implementation. Maybe it could help you? Idk how familiar you're with E2EE or what kind of implementation you'd want, anything will have drawbacks :/

[-] Tiuku@sopuli.xyz 4 points 1 week ago* (last edited 1 week ago)

Thanks for the tip!

I have somewhat of a grasp on how Signal does it, but that's very client oriented. How to go about it a web app is a mystery to me.

[-] waffle@sh.itjust.works 5 points 1 week ago* (last edited 1 week ago)

Yeah, I'm not used to E2EE in the browser either and StackExchange seems to agree that there's no nice solution :/

The sanest option in terms of user practicality to me appears to be storing the private key on the server, maybe encrypted with the user's password, and sending it to the user on successful login where it would be decrypted client side. It seems like it's more or less what MEGA is doing since they have a similar issue

If the server having temporary access to the user's password is an issue maybe the password could be partially pre-hashed before being sent?

It's be interesting to talk about it with someone with more experience, especially since implementing all of that will be a pain so it can't be redone every Thursday

[-] Tiuku@sopuli.xyz 3 points 1 week ago

The sanest option in terms of user practicality to me appears to be storing the private key on the server, maybe encrypted with the user's password, and sending it to the user on successful login where it would be decrypted client side.

That does seem reasonable, but it doesn't solve the trust issue. The server might always send a modified script that just uploads the plaintext private key.

That said it would still be useful in other ways. Like in a breach the data would be secure.

[-] waffle@sh.itjust.works 2 points 1 week ago

The server might always send a modified script that just uploads the plaintext private key.

Yeah, you'd need a way to validate the client code before it's executed to solve that issue

Section "2. Client application security" of MEGA's Security Whitepaper discusses this exact problem. Their best solution to that issue is to just cram the whole frontend in a signed web extension and not serve any code to the user when the extension is active, which is not very user friendly but works for those who want an extra layer of protection

I just can't find a good user-friendly implementation, sorry for not being of more help. The web just isn't E2EE-friendly ig :/

[-] Tiuku@sopuli.xyz 2 points 1 week ago

You've helped enough :)

Hmmm I see.

We have an app in the making, so I guess we will eventually implement proper e2ee there and then just try our best in the browser.

[-] waffle@sh.itjust.works 2 points 1 week ago

Damn already working on an app? That's so cool! Starting E2EE there is definitely a good idea then!

MeroChat is such a nice project, thank you for working on it <3

[-] chobeat@lemmy.ml 3 points 1 week ago

yey, more friends to chat with.

Why upload duck-face pictures when you can talk about dancing plagues of the 16th century?

Hilarious ๐Ÿ˜‚ looks like you (and others?) have put some effort into this.

[-] Tiuku@sopuli.xyz 9 points 1 week ago

I can't take too much credit myself, but yes, effort has been put. ๐Ÿ˜„๐Ÿ˜Œ

[-] ltxrtquq@lemmy.ml 6 points 1 week ago

At the bottom of the page, "Privacy Policy" is misspelled "Privacy Police". I don't know if you have any power to change that, but I thought I should point it out.

[-] Tiuku@sopuli.xyz 2 points 1 week ago

Noted, thanks!

[-] Alfenstein@lemmy.ml 4 points 1 week ago

Cool ๐Ÿ˜Ž But it feels more like a dating app than an Omegle alternative. But I like the concept.

[-] acockworkorange@mander.xyz 2 points 1 week ago

An interesting solution to increase TTD* in random webchat.

*TTD: time-to-dick

[-] wiki_me@lemmy.ml 0 points 1 week ago

Written in PureScript

Using a purely functional niche language like that will really prevent good developers from contributing IMO.

[-] Tiuku@sopuli.xyz 6 points 1 week ago

Or it might encourage someone to learn a new paradigm :)

[-] wiki_me@lemmy.ml 1 points 1 week ago

You could have a multi-paradigm programming language and use FP techniques in the code. And at least in my university there was an introduction to FP and i assume that is true for most CS degree programs.

Anyway no offence but i wonder how many of the people who upvoted you actually programmed in a purely functional programming language . i read and did the exercises for real world haskell and i don't think purely functional programming language can create the clearest code. i can see the advantages but a language with a strong support for FP and OOP would be better IMO (Ruby?). I also can't think of a popular FOSS project that uses a purely functional language (pandoc is an exception, but that seems like a sweet spot for FP).

But it is a cool project and i like the endeavor.

[-] kekmacska@lemmy.zip 0 points 1 week ago

these are not real people, just bots

[-] Tiuku@sopuli.xyz 2 points 1 week ago* (last edited 1 week ago)

I'm not saying that a single bot hasn't gotten through, but probably you're referring to the auto filled profiles? It's just a way for them to be non-empty.

this post was submitted on 25 Dec 2024
103 points (97.2% liked)

Open Source

31875 readers
76 users here now

All about open source! Feel free to ask questions, and share news, and interesting stuff!

Useful Links

Rules

Related Communities

Community icon from opensource.org, but we are not affiliated with them.

founded 5 years ago
MODERATORS