Skip to main content

Veilid: A new secure peer-to-peer network for chat and messaging

 The Cult of the Dead Cow, a prominent Infosec group from DEF CON, has unveiled Veilid, an innovative open source project. This project facilitates applications to establish peer-to-peer connections and share information in a decentralized manner. The main objective is to enable various types of apps – mobile, desktop, web, and headless – to communicate privately and securely across the internet without relying on centralized systems, often owned by corporations.


Veilid offers a codebase that developers can integrate into their applications. This code enables their clients to participate in a peer-to-peer network, fostering communication within a community of users. During a DEF CON presentation, Katelyn "medus4" Bowden and Christien "DilDog" Rioux elaborated on the technical aspects of the project, which took three years to develop.


The system is primarily coded in Rust, complemented by elements of Dart and Python. It draws inspiration from both the anonymity features of the Tor service and the peer-to-peer InterPlanetary File System (IPFS). When two apps connect via Veilid, neither of the clients can ascertain the other's IP address or location. This approach enhances privacy and prevents app makers from accessing this information as well.


Veilid's design documentation can be found here, while its source code is available under the Mozilla Public License Version 2.0.


Unlike Tor, Veilid doesn't rely on exit nodes. All nodes within the Veilid network are equal. Even if entities like the NSA were to attempt surveillance on Veilid users, they would need to monitor the entire network, which is ideally challenging. Rioux likened Veilid to a fusion between Tor and IPFS, delivering a novel approach.


Each instance of an app employing the Veilid library acts as a network node, facilitating communication with other nodes through a 256-bit public key ID. There are no privileged nodes or single points of failure. The project is compatible with various platforms including Linux, macOS, Windows, Android, iOS, and web applications.


Veilid supports both UDP and TCP communication. Connections are secured through authentication, strong end-to-end encryption, digital signatures, and timestamps. The cryptography used, termed VLD0, employs established algorithms to avoid potential weaknesses. This involves XChaCha20-Poly1305 for encryption, Elliptic curve25519 for authentication and signing, x25519 for key exchange, BLAKE3 for cryptographic hashing, and Argon2 for password hashing.


Files saved by Veilid are fully encrypted, and encrypted table store APIs are provided for developers. Encryption keys for device data can be password protected.


The system ensures no tracking, data collection, or IP addresses are exposed, countering the monetization of internet use. VeilidChat, a secure instant messaging app akin to Signal, was developed as a demonstration of the system's capabilities. The potential success of Veilid could disrupt the surveillance capitalism landscape, potentially addressing previous mixed results in similar endeavors. The Cult of the Dead Cow is known for its effective accomplishments, making Veilid's prospects promising.

Popular posts from this blog

Signal Introduces Usernames for Encrypted Messaging: A Secure Way to Connect

Signal, the encrypted messaging service, is launching a new feature in the coming weeks: support for usernames. This beta feature allows users to establish unique usernames, enabling connections without divulging phone numbers. source: Signal Blog To create a username, navigate to your settings and select "Profile." Once you've chosen a unique username, generate a QR code or link to share with others. Recipients can connect by entering your username into the chat bar. Usernames can be changed at any time, though previous usernames may be claimed by others. Signal began testing usernames last fall. Unlike social media platforms, Signal usernames do not serve as logins or public handles. They offer a discreet means of communication without revealing personal phone numbers. While a phone number is required to register for Signal, sharing it is optional. Usernames remain private and do not appear on profiles or in chats unless shared explicitly. As Randall Sarafa, Signal'

Safeguarding Internet Privacy: Supreme Court of Canada Upholds Protection of IP Addresses

In a recent ruling, the Supreme Court of Canada affirmed the significance of privacy rights concerning internet addresses. The court declared that police cannot simply obtain a suspect’s IP address without a court order, emphasizing the expectation of privacy that Canadian residents hold for such information. The court's decision stemmed from a case in 2017 involving Calgary police investigating fraudulent online activities at a liquor store. Initially, police demanded IP addresses from a credit card processor, which eventually led to obtaining subscriber information from Telus. This information was pivotal in making arrests and securing convictions in multiple offenses. Despite previous convictions, the accused contested the legality of obtaining IP addresses without proper authorization. The Supreme Court, in a 5-4 decision, asserted that IP addresses carry a reasonable expectation of privacy, necessitating judicial approval before access. The ruling emphasizes that obtaining jud

AT&T Resets Millions of Customer Passcodes After Data Leak: What You Need to Know

AT&T recently confirmed a significant data breach affecting over 7.6 million current customers and 65 million former customers. The leaked information, which dates back to 2019 or earlier, includes personal details like names, addresses, phone numbers, and social security numbers. Fortunately, financial information and call history were not compromised. In response to the breach, AT&T has reset passcodes for affected customers. Passcodes, usually four-digit numbers, serve as an additional layer of security when accessing accounts. However, security experts warn that the encrypted passcodes leaked alongside customer information could be easily deciphered, posing a risk of unauthorized account access. Affected customers are advised to set up free fraud alerts with major credit bureaus and remain vigilant for any suspicious activity related to their accounts. AT&T is proactively reaching out to impacted customers via email or letter to inform them about the breach and the meas