Mark Nadal

@marknadal

So You Want to Build a P2P Twitter with E2E Encryption?

Part I: Understanding and Creating Cryptographic Identities.

All with MIT licensed Open Source code, and that works right in the browser with realtime updates?

Then you’ve come to the right spot. First, watch these one-minute explainer videos on how cryptography works:

Second, thanks to the work of @mhelander on the SEA framework (Security, Encryption, Authorization), your app will use the browser's native Web Crypto API for the primitives explained in the video series: ECDSA for signatures, PBKDF2 for password stretching, AES for encryption, and more. Here is a demo of it in action:

To get started building your app, just include SEA in your app:

<script src="https://cdn.jsdelivr.net/npm/gun/gun.js"></script>
<script src="https://cdn.jsdelivr.net/npm/gun/lib/cryptomodules.js"></script>
<script src="https://cdn.jsdelivr.net/npm/gun/sea.js"></script>
Note: your app is only as trustworthy as the scripts it loads. If the CDN is compromised, every user of your app is compromised with it. Pin an exact version in each URL and add a Subresource Integrity (integrity) attribute so the browser refuses to run a file whose bytes have changed, or serve the files yourself; Electron-ifying your app removes remote hosts altogether. Also, the lib/cryptomodules name will change in the future, so you'll need to keep your app up to date.

Now in your JavaScript, instantiate gun and get a reference to the user:

var gun = Gun();
var user = gun.user();

To create a cryptographic identity backed by a public/private key-pair (see the video explainer), just do:

// The browser-native Web Crypto API is used to PBKDF2-stretch the password.
user.create('alice', 'unsafepassword', function(ack){
  // done creating user! ack.err is set if creation failed (e.g. the alias is taken).
});

Once you have created a user, you can log them in with:

// The browser-native Web Crypto API is used to PBKDF2-stretch the password.
user.auth('alice', 'unsafepassword', function(ack){
  // logged in! ack.err is set if the alias or password was wrong.
});

Finally, you can save data under the account, which nobody else can write to:

var alice = {name: "Alice"};
alice.boss = {name: "Fluffy", species: "Kitty", slave: alice};
user.get('profile').put(alice);

When the data is stored on disk or sent over the wire, every write is signed with the user's private key (see the video explainer), so any peer can verify that it came from Alice without relying on a trusted server. Note that this profile data is signed, not encrypted: anyone can read it, but only Alice can write it.

And when you read the data back through GUN, it verifies the signature on each node for you before handing it over:

// .val() is the read API of this GUN version; later releases renamed it .once().
user.get('profile').get('boss').get('slave').get('name').val(data => {
  console.log("The boss's slave's name is:", data); // Alice
});

Try running it yourself in a Codepen!

Now that you have P2P identities, you can combine them with the logic from the five-minute interactive ToDo app tutorial to create a list of tweets from the user.

We’ll go over how to do this in Part II. Until then, play with the mind-blowing idea that you now have secure user accounts without any centralized or federated servers to authorize them!

Follow us on Twitter while we kill Twitter, or read about how future social networks will work, or make a PR to improve this article, and don’t forget to share!
