Privacy First

xo-elx introduces a private chat space leveraging IPFS for secure peer-to-peer communication, emphasizing user privacy and data security. Users are required to be at least 18 years old or have parental consent, reflecting the platform's commitment to responsible use and compliance with legal standards. The application is experimental, highlighting its innovative approach to encrypted communication but also noting the absence of guarantees for uptime or functionality. Users are responsible for managing their chat credentials and content securely, with lost credentials resulting in irreversible access loss.

Data Minimalism

xo-elx adheres to a strict data minimalism policy, ensuring that only the anonymous Chat-Id and Session-Key and no other personal data such as the Private-key or content shared by users is collected, stored centrally, or accessible to the platform decrypted. This approach extends to a cookie-free and tracking-free environment, enhancing user privacy. Data encryption via Aes256Gcm-Siv on IPFS and the absence of access to decryption keys by the platform safeguard user data against unauthorized access.

Secure Practices

Adhering to our terms ensures a secure experience. We advocate for the careful management of passwords and encrypted content, emphasizing the importance of encryption and secure storage for maintaining communication privacy. Users are advised to follow specific steps for secure application use, including password generation, secure storage, and cautious sharing of secret links. To illustrate, consider a sample key segmented into three critical components:

Sample Key: @AdverselyLearningWorm84:B/F0ZaOZkUoNd5jcsuGk4GZPLZeWPdfcOPApN3neHIM:8ea33a2549d6d25cf840978c90f9a6a5302f602d45bb7f64d07404735e0359cca59f4be8ffa5ed32e7e864dd50bb5ba62049105e80291eaed0e46e13bb904753

• Chat-ID: @AdverselyLearningWorm84 – This identifier is used to anonymously link to each chat space, ensuring that it is not associated with any personal data, thereby enhancing user privacy.
• Private-Key: B/F0ZaOZkUoNd5jcsuGk4GZPLZeWPdfcOPApN3neHIM – This encryption key is crucial for maintaining the confidentiality of communications within the chat space. It is never transmitted during user interactions such as sending or deleting messages, thereby safeguarding against unauthorized access and manipulation.
• Session-Key: 8ea33a2549d6d25cf840978c90f9a6a5302f602d45bb7f64d07404735e0359cca59f4be8ffa5ed32e7e864dd50bb5ba62049105e80291eaed0e46e13bb904753 – Used to verify and authorize specific user actions within the application, such as sending messages or clearing data (e.g., unpining in the IPFS context). This key helps manage user permissions securely.

It is crucial to note that even if an attacker gains access to the chat-ID and session-key, they would not be able to decrypt the data without the private-key. This layered security architecture ensures that each component plays a vital role in maintaining the overall integrity and confidentiality of the system.

Sync-Up Process and Security

Our Sync-Up process ensures secure password synchronization using WebSocket connections and ephemeral sessions. When an Initiator starts the process, a unique ticket ID is generated and shared with the Recipient. Both parties must be online and connected to the WebSocket server using this ticket ID. The WebSocket server facilitates real-time communication, ensuring the password exchange happens instantly without storing any data.

The security of this process is further enhanced by the following measures:

• Ephemeral Connections: The WebSocket connections are temporary and terminate automatically after the password exchange. This ensures no lingering data is stored on the server or frontend.
• User-Controlled Termination: Both the Initiator and the Recipient have the ability to terminate the connection manually. This provides an added layer of security by allowing users to immediately close the connection if they detect any suspicious activity.
• Single-Use Tickets: Each ticket ID is unique and can only be used once. If more than two connections are attempted with the same ticket ID, the server automatically terminates the connection to prevent unauthorized access.
• Real-Time Notifications: Both parties receive real-time notifications about the status of their connection, ensuring they are aware of any issues immediately.
• WebSocket Secure (WSS): On the client side, we use WSS (WebSocket Secure) for encrypted communication, providing an additional layer of security.
• Rust Server Implementation: The server-side is implemented in Rust, leveraging its memory safety and performance benefits. Rust's concurrency model ensures that our WebSocket server can handle multiple connections efficiently and securely.

By leveraging these security measures, the Sync-Up process ensures a secure and efficient password synchronization between the Initiator and the Recipient, minimizing the risk of unauthorized access and data breaches.

Notification and Security

Our platform uses the decentralized power of Polygon to ensure secure and private notifications. Each chat space is linked to a Polygon address, with this association remaining encrypted.

Every message in the chat triggers an Polygon transaction, which then sends a notification to the Zeal Wallet. Users just need to add their unique notification ID to the Zeal Wallet as a read-only account. This ID can be easily copied by clicking the lime green connection button in the chat space.

Encrypting the association between chat spaces and Polygon addresses ensures that only authorized users can access this information, protecting your data from unauthorized access.

By using a single root Polygon address to send notifications, we make it much harder to link members of a chat space, enhancing your privacy. This more decentralized method means there's no central server that could be compromised or used to track your activity. Notifications are sent securely and anonymously, ensuring no direct association of chat members.

We leverage the strong security features of Polygon and advanced encryption to provide a secure, private, and decentralized notification system. Our commitment is to protect your privacy and data, keeping your communications confidential and secure.

Encryption Resources

• shh-elx - An offline first secrets manager PWA.
• rec-elx - For recording encrypted videos.

Community Collaboration

The platform recognizes potential hurdles such as network delays inherent in IPFS technology, the complexity of managing secure links, and the critical importance of encryption key management. However, it also values the power of community collaboration. We are actively working to encourage our community to share their workflows and solutions using the hashtag #xoelx. This initiative aims to transform onboarding into a community-driven event, fostering a more inclusive and supportive environment for new users. By leveraging the collective knowledge and experience of our community, we hope to streamline the onboarding process, making it more accessible and efficient for everyone involved.

• Tutorial - Sync-Up: There is an Initiator and a Recipient, both need to be online at the same time to complete the password exchange.
• Tutorial - Notification: Remember to enable notifications for each new read-only wallet you add.

Contribute to the Evolution

xo-elx represents a forward-thinking attempt to utilize decentralized technology and advanced encryption for a privacy-centric communication platform. It calls on users to contribute to its evolution through responsible use and feedback, navigating the complexities of digital communication security while championing privacy and user autonomy.