Welcome to ChatCrypt
A real end-to-end encrypted group chat which does not store anything in the cloud. No databases, no accounts, no chat logs.
Aimed at those who want to be sure that their conversations are kept private and who prefer increased security over fancy features. It does not try to replace popular messaging applications, but provides an alternative secure channel for confidential discussions.
Our goal was to create an anonymous chat platform which can be safely used over inspected infrastructure and whose conversations cannot be recovered even if the server is seized or someone is interrogated.
We have ended up with a unique solution which does not require any sort of data storage and assures that messages cannot be decrypted even with the complete knowledge of the server contents, network traffic, and provided secret passwords.
Triple encryption - Messages are protected by two additional security layers on top of the standard TLS protocol.
Outstanding privacy - Conversations happen without providing any personal detail or account.
Real-time messaging - All data is exchanged immediately between the parties; nothing is queued or stored, even for a single second.
How it works
The client application establishes a WebSocket (over TLS) connection with the chat server, then the two create an additional encrypted layer using ECDH for key exchange and AES-256 for ciphering. During key exchange, messages from the server are RSA-signed and verified by the client to make sure it is not connecting to a forged destination. This second layer also prevents transparent proxies (with their own CA certificates installed on the client) from inspecting the communication.
Once the server connection is secured, the client joins the given channel and starts building up end-to-end encrypted layers with each individual member using ECDH for key exchange and ChaCha20-Poly1305 for ciphering. Shared ECDH keys are combined with the provided channel passwords, which results in unique and one-time encryption keys between the parties. These keys cannot be reconstructed even with the knowledge of the second layer's decrypted network traffic and the secret passwords. Additionally, this method ensures that members entering the same channel with a different password cannot communicate with each other.
It is worth mentioning that the channel password never leaves the client, the username is only transmitted over the third layer among the members, and the channel name is received by the server in SHA-256 hashed form through the second layer.
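The password-bound pairwise keys described above can be sketched as follows. This is an added example, not ChatCrypt's own code: the curve (P-256), the use of HKDF-SHA256 with the password as salt, the `e2e-layer` label, the packet layout and all function names are assumptions, since the page does not say how the ECDH secret and the password are combined.

```javascript
// Added illustration, not ChatCrypt's code. Assumed: P-256, HKDF-SHA256 with the
// password as salt, random 12-byte nonce; the page does not specify these.
const nodeCrypto = require('node:crypto');

function newMember(password) {
  const ecdh = nodeCrypto.createECDH('prime256v1');
  return { ecdh, password, pub: ecdh.generateKeys() };
}

// Pairwise key: ECDH secret with one peer, mixed with the local channel password.
function pairKey(me, peerPub) {
  const shared = me.ecdh.computeSecret(peerPub);
  const okm = nodeCrypto.hkdfSync('sha256', shared, Buffer.from(me.password, 'utf8'),
                                  Buffer.from('e2e-layer'), 32);
  return Buffer.from(okm);
}

// Packet layout (constructed for this example): nonce(12) | tag(16) | ciphertext.
function seal(key, text) {
  const nonce = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('chacha20-poly1305', key, nonce, { authTagLength: 16 });
  const body = Buffer.concat([c.update(text, 'utf8'), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), body]);
}

// Returns the plaintext, or null when the Poly1305 tag does not verify.
function unseal(key, packet) {
  const d = nodeCrypto.createDecipheriv('chacha20-poly1305', key, packet.subarray(0, 12),
                                        { authTagLength: 16 });
  d.setAuthTag(packet.subarray(12, 28));
  try {
    return Buffer.concat([d.update(packet.subarray(28)), d.final()]).toString('utf8');
  } catch {
    return null;
  }
}

function demo() {
  const alice = newMember('correct horse');
  const bob = newMember('correct horse');
  const carol = newMember('other password'); // same channel, different password
  const rejoin = newMember('correct horse'); // Alice again, fresh ECDH key pair
  return {
    bobReads: unseal(pairKey(bob, alice.pub), seal(pairKey(alice, bob.pub), 'hello')),
    carolReads: unseal(pairKey(carol, alice.pub), seal(pairKey(alice, carol.pub), 'hello')),
    keyReused: pairKey(rejoin, bob.pub).equals(pairKey(alice, bob.pub)),
  };
}
```

Calling `demo()` shows the three properties the text claims: members with the same password decrypt each other's messages, a member with a different password fails authentication, and a fresh ECDH key pair yields a different key even with the same password.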
We may provide the source code of the server and client application upon a well-founded request (e.g. educational use, security audit).
The privacy of our visitors is of extreme importance to us. This section outlines the types of personal information that are received and collected by this website and how they are used.
This website makes use of web server log files. The information inside the log files includes internet protocol (IP) addresses, type of browser, Internet Service Provider (ISP), date/time stamp, referring/exit pages, and number of clicks to analyze trends, administer the site, track users' movement around the site, and gather demographic information. IP addresses and other such information are not linked to any information that is personally identifiable.
Web server log files are deleted after 90 days.
Google Analytics on this website is set to store data that is associated with cookies, user identifiers, or advertising identifiers for up to 14 months (currently the lowest option).
Be advised that ChatCrypt is a hobby project and is provided "as is", without warranty of any kind.
However, there have been no complaints so far.
Please feel free to contact us with any questions or suggestions.