E2EE is fundamentally broken

[JavaDerg]

Hey, I'm too lazy to properly outline the issues I found, so I will just list them in a non-specific order, especially as the protocol effectively needs to be entirely redone anyway.

• Encrypting messages with RSA-OAEP which can only safely handle messages up to 245 bytes with 2048bit keys.
• • RSA in 2025.
• • RSA 2048bit keys, and not 4096.
• Extremely easy to MITM attack, the server can literally just swap out the received keys with their own.
• Files aren't encrypted at all.
• Leaks metadata everywhere, even when avoidable.
• No way to verify if the other party is who they claim to be / security numbers.
• Replay attack.
• AES key should be encrypted before exchange #378

Unsure if there is more, i genuinely only spend 15 minutes with the source code.

Here are some resources to maybe help you get a better protocol working.
Also look at the double ratchet as reference :)

• https://nostarch.com/serious-cryptography-2nd-edition (pdfs exist, but genuenly great book worth the money)
• https://soatok.blog/2020/06/10/how-to-learn-cryptography-as-a-programmer/

[muke1908]

@JavaDerg Thanks a lot for taking your time review and sharing important findings. Appreciate the learning materials I'll add them to the readme and create issues separately.

Unsure if there is more, i genuinely only spend 15 minutes with the source code.

I am sure there will be many more issues since it's a fun playground for learning and made by learner (including myself), but thank you again for your 15 min.