This project is aiming to create the most secure and private chat app. It will heavily depend on how you use it. Here are some recommended security optimizations/advice to keep your data secure and private:
- Use a self-hosted instance of the app.
- Use a VPN to protect your data from being intercepted.
- Only connect to trusted peers.
- Validate public key hashes.
- You and your peer should use a secure device/os/browser with the latest updates.
- Use general security practices like not sharing sensitive information, not clicking on suspicious links, etc.
These recommendations are bizarre.
- Is it really P2P if you need to host your own instance?
- Use a VPN? So a company can now track you instead of the ISP?
- If it’s aiming to be safe, then why not share sensitive information?
If you want secure and private, then I would first look at Session.
I’d say self-hosting is done for control over your data, not security. A typical end user will not know how to self-host, how to pick a privacy-respecting VPN, let alone secure their system. If your aim is to get to that same level of security, then I feel like the current direction is flawed, at least from what I took away from the readme.
Or, in other words, “self-hosting is more secure given the option” sounds kind of like “writing your own software is more secure”.