Every mortgage calculator I could find couldn't answer most relevant questions. Is it better to put more down or invest the money? When is buying points worth it? Do mortgages affect your taxes? Are VA fees justified? So I put together realratecalculator.com/ to quickly find out.

Oh and there's a little chat box at the bottom. Lots of sites have chat. But this one runs a Rust-compiled WASM binary that implements P-256 ECDH and ECDSA, and AES-GCM-SIV, generating an asymmetric keypair and saving it in your browser's local storage for end-to-end encryption.

But you know that ProtonMail trouble? Even seeing metadata like IP addresses, who's talking to who, is invasive and dangerous. So it uses a websocket with the server and negotiates WebRTC data connections with peers to create an onion-routing peer-to-peer metadata-hiding network.

Tor and I2P do this on a very large scale. But if you're really paranoid, adversaries with extensive global surveillance might be able to track data in those kinds of systems being sent from one node and forwarded by others. So this uses scheduled & dummy or padded transmissions.

Inspired by Adam Langley's pond, every few seconds it sends the exact same size encrypted data chunks to peers. Receiving or sending a message should have no impact on the metadata seen by a passive adversary.

Another big issue with secure chat apps is the fact that for those in greatest danger, like dissidents in oppressive regimes, even having one on your device is suspicious and may be enough to be persecuted. Visiting a mortgage calculator site though is far less suspicious.

A final issue with web-based crypto like ProtonMail or secure chat apps on centrally managed app stores is that authorities could (and do) compel backdoors to be inserted in the JavaScript or app to steal all your messages, or could (and do) block the app from being available.

This is self-contained in an HTML and a JavaScript file and can be saved on your device, even, last I checked, iDevices, and with a URL change make its websocket and WebRTC connections without depending on the same JS running on the server or any app store's permissions.

This is all very alpha-quality proof of concept and not polished or reliable or audited or secure against many threat models, but it could be if refined enough. I hope it inspires people to embed censorship and metadata security everywhere. Let me know if you want the full code.
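The scheduled, fixed-size transmission described in the thread, as an added Rust example that is not the site's code: every timer tick emits exactly one cell of the same length, real or dummy, so a passive observer sees identical traffic either way. The cell size, header layout and the names `Scheduler`, `make_cell` and `open_cell` are assumptions, and each cell is assumed to be AEAD-encrypted before it leaves the process.

```rust
// Added illustration; names, sizes and layout are assumptions, not the site's code.
use std::collections::VecDeque;

const CELL_LEN: usize = 256; // assumed fixed plaintext size of every cell
const HDR_LEN: usize = 3; // 1 byte kind + 2 bytes big-endian payload length
const MAX_PAYLOAD: usize = CELL_LEN - HDR_LEN;
const KIND_DUMMY: u8 = 0;
const KIND_DATA: u8 = 1;

/// Build one fixed-size cell; padding is zero because the cell is encrypted before sending.
fn make_cell(kind: u8, payload: &[u8]) -> [u8; CELL_LEN] {
    assert!(payload.len() <= MAX_PAYLOAD);
    let mut cell = [0u8; CELL_LEN];
    cell[0] = kind;
    cell[1..3].copy_from_slice(&(payload.len() as u16).to_be_bytes());
    cell[HDR_LEN..HDR_LEN + payload.len()].copy_from_slice(payload);
    cell
}

/// Receiver side: payload of a data cell, None for dummy or malformed cells.
fn open_cell(cell: &[u8]) -> Option<&[u8]> {
    if cell.len() != CELL_LEN || cell[0] != KIND_DATA { return None; }
    let len = u16::from_be_bytes([cell[1], cell[2]]) as usize;
    cell.get(HDR_LEN..HDR_LEN + len) // None if the length field overruns the cell
}

/// Outbound queue drained by a timer, never by the act of sending a message.
struct Scheduler { queue: VecDeque<[u8; CELL_LEN]> }

impl Scheduler {
    fn new() -> Self { Scheduler { queue: VecDeque::new() } }
    /// Split a message into cells and queue them; nothing is transmitted here.
    fn enqueue(&mut self, msg: &[u8]) {
        for chunk in msg.chunks(MAX_PAYLOAD) {
            self.queue.push_back(make_cell(KIND_DATA, chunk));
        }
    }
    /// Called once per timer tick: exactly one cell goes out, real or dummy.
    fn tick(&mut self) -> [u8; CELL_LEN] {
        self.queue.pop_front().unwrap_or_else(|| make_cell(KIND_DUMMY, &[]))
    }
}

fn main() {
    let mut s = Scheduler::new();
    s.enqueue(b"hello"); // constructed sample message
    for t in 0..3 { println!("tick {t}: {:?}", open_cell(&s.tick())); }
}
```

A long message only lengthens how many ticks carry real data; it never changes the size or timing of what is sent.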

Scriptjunkie Social

scriptjunkie's server