Rehan Kumar Sahu

Why We Still Need Truly Anonymous Chat Apps in 2026 (And How I Built One)

I built an ephemeral, zero-footprint E2EE chat app using the Web Crypto API 🔒

Hey DEV community! 👋

For the past few weeks, I've been building Nixvoid, a completely anonymous, real-time chat application that runs entirely in the browser.

The idea sparked from a frustration with modern "secure" messaging apps. Sure, they have end-to-end encryption, but they still want your phone number, your email, and your contact list. I wanted to build something where anonymity was the default, not an opt-in feature. No sign-ups, no tracking, no footprint.

How it works under the hood 🛠️
Nixvoid relies heavily on the native window.crypto.subtle API.

Key Generation: When you open the app, it generates an ECDH key pair.
Key Exchange: The public key is sent through Firebase (which acts only as a transit layer). The two clients derive a shared AES-GCM secret key.
Encryption: Every message is encrypted before it ever touches the network.

Here is a simplified idea of the core encryption flow:

```javascript
// Deriving the AES-GCM key from the ECDH shared secret
const derivedKey = await crypto.subtle.deriveKey(
  {
    name: "ECDH",
    public: remotePublicKey
  },
  localPrivateKey,
  { name: "AES-GCM", length: 256 },
  false,
  ["encrypt", "decrypt"]
);

// Encrypting the payload
const iv = crypto.getRandomValues(new Uint8Array(12));
const encryptedMessage = await crypto.subtle.encrypt(
  { name: "AES-GCM", iv: iv },
  derivedKey,
  new TextEncoder().encode(messageText)
);
```
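
The snippet above covers only the sending side. As an added example (not Nixvoid's code), the sketch below runs both peers end to end: it passes the ECDH output through HKDF before using it as an AES-GCM key, carries the IV with the ciphertext, shows that a modified record fails decryption, and computes a short fingerprint the two users can compare out of band, since public keys relayed by a third party are otherwise unauthenticated. The P-256 curve, the HKDF step, the `demo-chat-v1` label and all function names are assumptions of this example.

```javascript
// Added example, not Nixvoid's code. Browser or Node; names are hypothetical.
const wc = globalThis.crypto ?? require("node:crypto").webcrypto;
const enc = new TextEncoder();
const EC = { name: "ECDH", namedCurve: "P-256" }; // curve is an assumption

const newKeyPair = () => wc.subtle.generateKey(EC, false, ["deriveBits"]);
// Raw public-key bytes are what would travel through the relay.
const exportPub = (pair) => wc.subtle.exportKey("raw", pair.publicKey);

// ECDH -> HKDF-SHA-256 -> AES-256-GCM (the HKDF step and label are assumptions).
async function sessionKey(myPair, peerRaw) {
  const peer = await wc.subtle.importKey("raw", peerRaw, EC, false, []);
  const bits = await wc.subtle.deriveBits({ name: "ECDH", public: peer }, myPair.privateKey, 256);
  const ikm = await wc.subtle.importKey("raw", bits, "HKDF", false, ["deriveKey"]);
  return wc.subtle.deriveKey(
    { name: "HKDF", hash: "SHA-256", salt: new Uint8Array(32), info: enc.encode("demo-chat-v1") },
    ikm, { name: "AES-GCM", length: 256 }, false, ["encrypt", "decrypt"]);
}

// Short fingerprint over both public keys; sorted so both peers get the same value.
async function fingerprint(rawA, rawB) {
  const hex = (b) => Array.from(new Uint8Array(b), (x) => x.toString(16).padStart(2, "0")).join("");
  const sorted = [hex(rawA), hex(rawB)].sort().join("");
  return hex(await wc.subtle.digest("SHA-256", enc.encode(sorted))).slice(0, 16);
}

async function seal(key, text) {
  const iv = wc.getRandomValues(new Uint8Array(12)); // fresh IV per message
  const ct = await wc.subtle.encrypt({ name: "AES-GCM", iv }, key, enc.encode(text));
  return { iv, ct: new Uint8Array(ct) }; // the IV is not secret and travels with the ciphertext
}

async function unseal(key, { iv, ct }) {
  // AES-GCM decrypt rejects if the IV or ciphertext was altered.
  return new TextDecoder().decode(await wc.subtle.decrypt({ name: "AES-GCM", iv }, key, ct));
}

async function demo() {
  const [alice, bob] = [await newKeyPair(), await newKeyPair()];
  const [aPub, bPub] = [await exportPub(alice), await exportPub(bob)];
  const [kA, kB] = [await sessionKey(alice, bPub), await sessionKey(bob, aPub)];
  const msg = await seal(kA, "hello (constructed sample)");
  const plain = await unseal(kB, msg);
  msg.ct[0] ^= 1; // constructed: one bit changed while stored on the relay
  const tamperRejected = await unseal(kB, msg).then(() => false, () => true);
  const fp = await fingerprint(aPub, bPub);
  const fpMatch = fp === (await fingerprint(bPub, aPub));
  const fpChanges = fp !== (await fingerprint(aPub, await exportPub(await newKeyPair())));
  return { plain, tamperRejected, fpMatch, fpChanges };
}
```

Both users would compare the fingerprint over a separate channel before trusting the session; a differing value means one side received a public key the other did not send.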

The 10-Second Auto-Destruct Rule ⏱️
End-to-End Encryption doesn't protect you from shoulder-surfing or a seized unlocked phone. To combat this, Nixvoid is deeply ephemeral.

Once a message is rendered on the recipient's screen, a 10-second timer starts. When it hits zero:

The DOM element is completely removed.
A signal is sent to immediately wipe the ciphertext from Firebase.

There are no databases holding your chat history. Once you close the tab, it's gone forever.

UI Privacy Customizations
I also built in a few local privacy tweaks stored purely in localStorage:

Ghost Mode: Stops sending typing indicators.
Incognito Read: Blocks read receipts.

Feedback Wanted!
I'd love for you guys to check it out, try breaking it, or review the architecture concept. Let me know what you think of the UI/UX as well!

🔗 Live App: Nixvoid

Happy (and secure) coding! 🚀