Hacker News new | ask | show | jobs
by 8-prime 377 days ago
When the message you push out through that websocket are something that server knows about intrinsically, as in, the message contents are produced by the server there is nothing wrong with the approach.

When your server facilitates a communication between two clients and just acts as the infrastructure E2EE can become relevant. If the clients want to be able to exchange information withouth the server being able to snoop in on what is being sent, then you'd want to use E2EE. With that the server won't be able to read what is being sent.
1 comments
tonyhart7 377 days ago
- I have public chat that user can chatting in public room (seems like I dont need for this one)

- then notification service is probably something I want to E2EE then, but Idk about performance hit cost would be

link
0xFEE1DEAD 377 days ago
A public chat - like one that anyone can join at any time without needing an invitation?

If so, then you really don't need any extra encryption.

If not, then it depends on who's using your chat, how they use it, and for what purpose. Are the users of the chat room a small group with occasional users joining or leaving, or are many users expected to join and leave at any given moment?

That being said, encrypting the notifications won't bring any real benefits. A bad actor would simply focus on trying to compromise your server.

If you do decide that full e2ee would benefit your users, then look for someone who can help you implement it.

Implementing real e2ee for a 2 party chat is hard for someone without experience.

Implementing e2ee for a group chat is hard even for someone with experience.

link
tonyhart7 377 days ago
welp, I am just gonna look at Telegram/Signal source and make a lite version for it
link
mort96 377 days ago
I don't think you want to look at the source code, and I don't think you want to look at Telegram. You should have a look at the Signal Protocol: https://en.m.wikipedia.org/wiki/Signal_Protocol. It's well documented. Maybe there are libraries which implement it.

(Though I still think that "how can I protect against TLS being broken?" is the wrong question and you should instead ask "how can I ensure that TLS doesn't break?".)

link