https://github.com/ryannzander/hush

A peer-to-peer, end-to-end encrypted messenger for messages, photos, and calls. Free and open source, designed privacy-first.

# Hush

An end-to-end encrypted messenger for text, images, files, and voice messages.
Asynchronous and metadata-private by design, free and open source.

## Principles

Every design decision is measured against these:

1. **End-to-end always.** Every message and attachment is encrypted on the sender's device
and decrypted only on the recipient's. No relay ever holds plaintext or long-term keys.
2. **Minimal metadata.** We treat *who talks to whom, when, and how much* as sensitive as
content. Servers store nothing they don't strictly need, and we work to hide social
graph and timing even from our own infrastructure.
3. **No identifiers you didn't choose.** Identity is a cryptographic key, not a phone
number or email. Trust is established out-of-band (safety numbers / QR).
4. **Auditable.** AGPL-3.0, reproducible builds (goal), audited crypto libraries — never
hand-rolled primitives.
5. **One core, many shells.** All security-critical logic lives in a single Rust crate so
it is written and reviewed exactly once.

## Architecture (short version)

```
UI shells (egui desktop · WASM web)  →  core crate (Rust)           →  relay network
                                        identity · E2E crypto          opaque mailbox queues
                                        messages · onion transport     (self-hostable)
```

- **E2E crypto:** the audited [libsignal](https://github.com/signalapp/libsignal) library —
post-quantum X3DH (PQXDH) + Double Ratchet, with sealed sender for metadata privacy. We
never reimplement primitives or the ratchet.
- **Transport:** asynchronous store-and-forward into per-contact **mailbox queues** that
hold only opaque ciphertext, **onion-routed** so no relay learns who talks to whom. No
real-time channels; everything is delivered when the recipient next connects.
- **Local storage:** encrypted-at-rest (SQLCipher), keys sealed by the OS keychain.

See [ARCHITECTURE.md](ARCHITECTURE.md) and [THREAT_MODEL.md](THREAT_MODEL.md).

## Roadmap

| Phase | Scope | State |
|-------|-------|-------|
| 0 | Cryptographic core: identity, PQXDH, Double Ratchet (libsignal) | done |
| 1 | Message protocol: text/image/file/voice-clip types, framing, attachment chunking, all E2E | done |
| 2 | Private mailbox queues, out-of-band invitations, and a networked relay (`services/relay`) | done |
| 3 | Onion routing across relays (hide the social graph) | done |
| 4 | Persistent encrypted store (SQLCipher) + safety-number / QR verification UX | next |
| 5 | Desktop (egui) and web (WASM) clients; release binaries; hardening | in progress |

## Building

```sh
cargo test # run the core test suite
cargo build --release # privacy-minded release profile (stripped, panic=abort, LTO)
```

Requires the pinned Rust toolchain and `protoc` (libsignal compiles protobuf
definitions at build time). See [CONTRIBUTING.md](CONTRIBUTING.md) for setup.

## Security

Found a vulnerability? **Do not open a public issue.** See [SECURITY.md](SECURITY.md)
for coordinated disclosure.

## License

[AGPL-3.0-or-later](LICENSE). The network-use clause is deliberate: anyone running a
modified server must publish their source, so the privacy guarantees stay verifiable.