ONYX Messenger's Crypto Architecture: XChaCha20-Poly1305 Shields Chats, But Group Features Leak Security Guarantees
The discussion revolves around ONYX, a complex, open-source messenger detailing its cryptographic framework. The system employs X25519 ECDH and XChaCha20-Poly1305 for private conversations, while supporting LAN mode via UDP broadcast for direct communication.
The technical debate centers on capability gaps: private chats boast strong E2EE protocols, but the group and channel functionality explicitly lack this protection. User `wardcore` confirms users require self-hosting using a separate Rust server for full group control. Furthermore, user `ken` criticized the development workflow, demanding smaller, more frequent commits for code review.
The clear divide shows that while the underlying crypto for one-on-one use is technically defined and robust, the current implementation leaves group communication insecure by design, pushing the burden of true privacy onto the end-user's ability to maintain self-hosted infrastructure.
Key Points
Private chats use X25519 ECDH and XChaCha20-Poly1305 for E2EE.
Multiple posters cite this specific combination as the cryptographic standard for direct messaging.
Group and channel chats do not support inherent E2EE.
`wardcore` states these features fail to provide the encryption of private chats, necessitating self-hosting for control.
The messenger collects limited metadata, not full personal identifiers.
`wardcore` confirmed collection is limited to username and IP address, explicitly denying collection of phone numbers or emails.
LAN mode bypasses central servers entirely.
`wardcore` detailed direct device communication using UDP broadcast, eliminating server dependency.
Development process needs overhaul.
`ken` criticized the developer for infrequent and large commits, making the code base difficult for outsiders to verify.
Source Discussions (3)
This report was synthesized from the following Lemmy discussions, ranked by community score.