DEV Community: PulseSOVP The latest articles on DEV Community by PulseSOVP (@pulsesovp). https://dev.to/pulsesovp https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3968088%2F59e9d9d2-c660-40cf-b2d1-470215c55ef1.png DEV Community: PulseSOVP https://dev.to/pulsesovp en I built a fully anonymous, E2E-encrypted P2P messenger that runs entirely in the browser #webdev #privacy #javascript #cryptography PulseSOVP Thu, 04 Jun 2026 10:34:42 +0000 https://dev.to/pulsesovp/i-built-a-fully-anonymous-e2e-encrypted-p2p-messenger-that-runs-entirely-in-the-browser-webdev-2pof https://dev.to/pulsesovp/i-built-a-fully-anonymous-e2e-encrypted-p2p-messenger-that-runs-entirely-in-the-browser-webdev-2pof <p>That's the whole relay. The operator genuinely <em>cannot</em> read messages — not because of policy, but because the math doesn't let them.</p> <p>The honest tradeoff: the relay can see <em>that</em> a message was sent (metadata), even if it can't see <em>what</em>. For real anonymity you'd want onion-routing the fan-out. That's on the roadmap.</p> <h2> A few things I learned along the way </h2> <ul> <li> <strong>IndexedDB is a real database, not localStorage.</strong> Treat it like one. Versioned schema, compound index <code>[conversationId, timestamp]</code>, cursor-based pagination. "Load last 50 messages" is O(log n) with the right index.</li> <li> <strong>Service Workers can do encrypted push.</strong> The push payload itself is ciphertext, so the push service (FCM/Mozilla) only ever sees ciphertext. The SW decrypts and displays.</li> <li> <strong>The pubkey <em>is</em> the identity.</strong> No username lookup table. The "Vault ID" users see is just a hash of the client's x25519 pubkey, generated in the browser. Free anonymity.</li> <li> <strong>Don't roll your own crypto layer.</strong> I almost wrote a custom TweetNaCl wrapper. Then I realized I was reinventing <code>tweetnacl-util</code>. Just use it.</li> </ul> <h2> What's next </h2> <ul> <li>Native iOS / Android (federated, still no phone number)</li> <li>Onion routing the relay fan-out</li> <li>Per-message forward secrecy (real Double Ratchet, the Signal way)</li> <li>Independent security audit</li> <li>Open-sourcing the relay</li> </ul> <h2> Try it / AMA </h2> <ul> <li> <strong>Live web app:</strong> <a href="https://pulse.moneymates.app" rel="noopener noreferrer">pulse.moneymates.app</a> </li> <li> <strong>Project + architecture deep-dive:</strong> <a href="https://getpulse.moneymates.app" rel="noopener noreferrer">getpulse.moneymates.app</a> </li> </ul> <p>If you want to:</p> <ul> <li>Tell me the relay code is wrong</li> <li>Argue X25519 vs Curve25519</li> <li>Roast the "blind relay" claim</li> <li>Share IndexedDB anti-patterns I might still have</li> </ul> <p>The comments are open. AMA.</p> javascript privacy showdev webdev