Some time back while I was speaking with a friend of mine on Facebook, the topic of privacy came up - I no longer wanted to use Facebook. Unfortunately, he was kinda old school - he did not have a smartphone, so we could not use Signal. So, inspired by Signal, I took it as a challenge to create an end-to-end encrypted messaging application. Yeah, I know I could use something like Matrix, but where's the fun in that?
I started formulating the design goals and issues. The initial draft looked something like this:
### Design goals
1. Messages must be encrypted end-to-end
2. Should be open source and self-hostable
3. Must not require any personal, identifiable information like email
4. Must not rely on any external services
5. Should be easy to use, even for a lay person
### Design issues
1. Choice of language and framework - for both backend and frontend
2. End-to-end encryption means JS must be used (privacy-conscious users tend to keep JS disabled)
3. Corollary to 2, the choice of encryption algorithm and JS library
For point 1, I chose Spring Boot as the backend framework with JPA/Hibernate to communicate with the DB after experimenting with plain servlets and Struts. For the frontend, I first prototyped in JavaScript, and then eventually when it got unwieldy, I started modularizing it with browserify and eventually switched to TypeScript.
For point 2, you can't have E2EE in a browser without JS. Fortunately, the app is open source so the code can be audited, and it can be self-hosted so you don't have to suspect someone rigging the source code. Also, I implemented the chat functionality using a JSON API, so non-browser clients can be created that don't use JS.
For point 3, I heard good things about SJCL so I went with it, but it's not maintained any more. I eventually plan to replace it with the browser-native WebCrypto API.
You can find the app homepage [here](/projects/chatto-a-self-hosted-e2ee-chat-application/).