Skip to main content

Veilid: A new secure peer-to-peer network for chat and messaging

 The Cult of the Dead Cow, a prominent Infosec group from DEF CON, has unveiled Veilid, an innovative open source project. This project facilitates applications to establish peer-to-peer connections and share information in a decentralized manner. The main objective is to enable various types of apps – mobile, desktop, web, and headless – to communicate privately and securely across the internet without relying on centralized systems, often owned by corporations.


Veilid offers a codebase that developers can integrate into their applications. This code enables their clients to participate in a peer-to-peer network, fostering communication within a community of users. During a DEF CON presentation, Katelyn "medus4" Bowden and Christien "DilDog" Rioux elaborated on the technical aspects of the project, which took three years to develop.


The system is primarily coded in Rust, complemented by elements of Dart and Python. It draws inspiration from both the anonymity features of the Tor service and the peer-to-peer InterPlanetary File System (IPFS). When two apps connect via Veilid, neither of the clients can ascertain the other's IP address or location. This approach enhances privacy and prevents app makers from accessing this information as well.


Veilid's design documentation can be found here, while its source code is available under the Mozilla Public License Version 2.0.


Unlike Tor, Veilid doesn't rely on exit nodes. All nodes within the Veilid network are equal. Even if entities like the NSA were to attempt surveillance on Veilid users, they would need to monitor the entire network, which is ideally challenging. Rioux likened Veilid to a fusion between Tor and IPFS, delivering a novel approach.


Each instance of an app employing the Veilid library acts as a network node, facilitating communication with other nodes through a 256-bit public key ID. There are no privileged nodes or single points of failure. The project is compatible with various platforms including Linux, macOS, Windows, Android, iOS, and web applications.


Veilid supports both UDP and TCP communication. Connections are secured through authentication, strong end-to-end encryption, digital signatures, and timestamps. The cryptography used, termed VLD0, employs established algorithms to avoid potential weaknesses. This involves XChaCha20-Poly1305 for encryption, Elliptic curve25519 for authentication and signing, x25519 for key exchange, BLAKE3 for cryptographic hashing, and Argon2 for password hashing.


Files saved by Veilid are fully encrypted, and encrypted table store APIs are provided for developers. Encryption keys for device data can be password protected.


The system ensures no tracking, data collection, or IP addresses are exposed, countering the monetization of internet use. VeilidChat, a secure instant messaging app akin to Signal, was developed as a demonstration of the system's capabilities. The potential success of Veilid could disrupt the surveillance capitalism landscape, potentially addressing previous mixed results in similar endeavors. The Cult of the Dead Cow is known for its effective accomplishments, making Veilid's prospects promising.

Popular posts from this blog

Safeguarding Internet Privacy: Supreme Court of Canada Upholds Protection of IP Addresses

In a recent ruling, the Supreme Court of Canada affirmed the significance of privacy rights concerning internet addresses. The court declared that police cannot simply obtain a suspect’s IP address without a court order, emphasizing the expectation of privacy that Canadian residents hold for such information. The court's decision stemmed from a case in 2017 involving Calgary police investigating fraudulent online activities at a liquor store. Initially, police demanded IP addresses from a credit card processor, which eventually led to obtaining subscriber information from Telus. This information was pivotal in making arrests and securing convictions in multiple offenses. Despite previous convictions, the accused contested the legality of obtaining IP addresses without proper authorization. The Supreme Court, in a 5-4 decision, asserted that IP addresses carry a reasonable expectation of privacy, necessitating judicial approval before access. The ruling emphasizes that obtaining jud

Signal Introduces Usernames for Encrypted Messaging: A Secure Way to Connect

Signal, the encrypted messaging service, is launching a new feature in the coming weeks: support for usernames. This beta feature allows users to establish unique usernames, enabling connections without divulging phone numbers. source: Signal Blog To create a username, navigate to your settings and select "Profile." Once you've chosen a unique username, generate a QR code or link to share with others. Recipients can connect by entering your username into the chat bar. Usernames can be changed at any time, though previous usernames may be claimed by others. Signal began testing usernames last fall. Unlike social media platforms, Signal usernames do not serve as logins or public handles. They offer a discreet means of communication without revealing personal phone numbers. While a phone number is required to register for Signal, sharing it is optional. Usernames remain private and do not appear on profiles or in chats unless shared explicitly. As Randall Sarafa, Signal'

Apple approves single letter name for twitter IOS app

In a series of noteworthy updates, Twitter, the popular social media platform, has officially rebranded itself to a single-letter name "X" on the App Store, marking a significant change in its visual identity. This move came after weeks of alterations to its social media handles, interface branding, and even web redirects, generating quite a buzz among its users and followers. Interestingly, Apple usually maintains a policy against allowing developers to name their apps with just a single character. However, it seems that Twitter's parent company, X Corp., led by the renowned entrepreneur Elon Musk, managed to secure an exception from Apple, granting them the unique opportunity to use "X" as the app's name. This exception was particularly significant, as the App Store Connect portal typically displays an error when developers attempt to use a single character as the app's name. In conjunction with the name change, Twitter also revamped its App Store tagl