Releases: SecureBitChat/securebit-chat
Release list
SecureBit.chat 4.10.0
SecureBit.chat 4.10.0
You can now keep several independent conversations open at the same time.
What is new
- Multiple sessions: every chat runs its own encrypted WebRTC session with separate keys and SAS verification, so conversations never mix.
- A side panel lists your open chats with unread badges. Switching is instant, and starting a new chat leaves the others connected.
- Per-chat local labels: you can name any chat for yourself. The label is stored only on your device and is never sent to the other side.
- Availability status: set yourself to Available, Away, Busy or Invisible, and connected peers can see it. It is sent end to end and never stored on a server.
Other improvements
- Code blocks now have syntax highlighting (bundled locally, the snippet is never executed).
- More reliable update handling and offline message queueing.
No accounts, no servers storing messages. Everything runs in the browser.
v4.9.0 — Full redesign + reworked offline mode
SecureBit.chat v4.9.0 — Full redesign + reworked offline mode
A ground-up visual redesign of the entire application, plus a reworked offline experience and WhatsApp-style message delivery status.
Open a secure channel
Encrypted conversation
Redesign
Landing page, "Why unique" / partners / roadmap / community sections, connection setup, in-chat header, real-time security verification report, file transfer, and the PWA install / update / offline / install-guide dialogs.
Offline mode, reworked
- Sending while offline shows a single ✓ and queues the message; it transmits automatically on reconnect, keeping its original send time.
- A message addressed to an offline peer stays at one check until they return — the offline client holds it back and surfaces it on reconnect with a "Connection restored" notice.
- Delivery status on every message: sending → ✓ sent → ✓✓ delivered (peer-acknowledged), plus a clear "not sent" state — via an authenticated delivery-receipt control message.
- Browser offline state no longer leaks into the P2P connection indicator.
Resilient file transfer
Per-chunk segmented progress, receiver-driven retransmission of missing chunks with auto-resume after a connection blip, corrected receive rate limits, and automatic save on completion.
No protocol or cryptography weakening — end-to-end encryption, SAS verification and PFS are unchanged.
v4.8.20 — Secure chat tools: completed, fixed and polished
Completes the messaging controls introduced in v4.8.14 and fixes the bug that made them appear broken for recipients. Every per-message option travels inside the encrypted message envelope (never in the sanitized text), so message content can neither spoof nor corrupt these controls.
Features
- Code blocks — a
Codebutton sends the message as a monospace code window with lightweight syntax highlighting and a one-click Copy button; the clipboard auto-clears ~30s after copying. Enabling code mode expands the input (monospace, 8 rows). Highlighting is built from already-sanitized text via React nodes only — noinnerHTML, no remote scripts, no new XSS surface. - View-once — the sender picks how long the message stays visible after the peer opens it (5s / 15s / 30s / 1m); the recipient sees a blurred bubble, taps to reveal, then it is wiped. Cooperative (not screenshot-proof).
- Disappearing messages — a timer picker (30s / 5m / 1h) auto-deletes on both sides with a live countdown.
- Unsend (delete for everyone) — removes your message locally and asks the peer to drop it too.
- One composer toolbar next to Send files; borderless buttons with the brand-orange active state; time pickers open upward and are mobile-friendly.
Fixed
- Per-message metadata was silently dropped for recipients.
NotificationIntegrationwrappedonMessageanddeliverMessageToUIwith two-argument shims that dropped the third argument (meta). With notifications enabled, view-once, disappearing timers and unsend all failed on the receiving side. Both wrappers now forward all arguments. Addedtests/notification-meta-forwarding.test.mjs. - Chat would not open after SAS — composer props were threaded into the wrong component (
EnhancedConnectionSetupvsEnhancedChatInterface), throwingReferenceError: nowTick. Fixed.
Removed
- Panic wipe button — disconnecting already wipes keys and clears session state.
Security model unchanged: ECDH + DTLS + SAS, anti-replay, receive-side DOMPurify. Per-message metadata is whitelisted and bounded by _sanitizeMessageMeta. Full test suite: 19 files, all passing.
Live at https://securebit-chat.fly.dev/
v4.8.15 — Fix: chat not opening after SAS (v4.8.14 regression)
Patch for a regression in v4.8.14.
Fixed
- The secure chat failed to open after both peers confirmed the SAS code. The new composer props (
nowTick, code/view-once/timer state, unsend/expire handlers) were threaded into the siblingEnhancedConnectionSetupcomponent instead ofEnhancedChatInterface, where the message list and composer actually live. The verified-state re-render then threwReferenceError: Can't find variable: nowTickand the chat never rendered. Props are now wired ontoEnhancedChatInterface.
No behavioural change to the v4.8.14 messaging features (code blocks, view-once, disappearing, unsend, panic) otherwise.
Live at https://securebit-chat.fly.dev/
v4.8.14 — Secure chat tools: code blocks, view-once, disappearing, unsend, panic
Privacy-focused messaging controls in the composer. Per-message metadata (id / view-once / timer) travels inside the encrypted message envelope, never in the sanitized text, so message content cannot spoof or corrupt these controls.
Added
- Code blocks — a button wraps the message in a fenced block; both peers render a monospace code window with a copy button. Built from already-sanitized text via React nodes only (no
dangerouslySetInnerHTML) — no new XSS surface. - Clipboard auto-clear — copying a code block clears the clipboard after ~30s, only when it can confirm the clipboard still holds the copied value (never clobbering a later copy).
- View-once messages — recipient sees a blurred bubble that reveals on tap and is then wiped. Honestly cooperative (a malicious client or screenshot can still capture it) — hygiene, not a guarantee.
- Disappearing messages — optional 30s / 5m / 1h timer auto-deletes on both sides with a live countdown; incoming TTL clamped to [5s, 24h].
- Unsend (delete for everyone) — removes your message locally and asks the peer to drop it via a new
message_deletecontrol message. - Panic wipe — one button clears the conversation, wipes keys and disconnects, behind a confirm prompt.
Security
- New per-message metadata is whitelisted and bounded by
_sanitizeMessageMetaon send and receive. - AAD/replay protection, the SAS verification gate and receive-side DOMPurify sanitization are unchanged.
Tests
- Added
tests/secure-chat-features.test.mjs. Full suite: 17 files, all passing.
Live at https://securebit-chat.fly.dev/
v4.8.13 — Message integrity & transport hardening
Security review follow-up. The end-to-end cryptography (ECDH, AES-GCM, PBKDF2, SAS bound to DTLS fingerprints, anti-replay) was verified sound; these changes fix availability/integrity defects on the send path and tighten transport headers and logging.
Fixed
- Outgoing messages were silently rejected by an over-broad keyword blocklist in
_validateInputData. Plain words such as "constructor", "global", "document.", "prototype", or the literal text "javascript:" causedsendSecureMessageto throw, so legitimate messages never reached the peer. The blocklist added no real protection — XSS is enforced at the rendering boundary by the receive-side DOMPurify pass and bysanitizeMessage()before encryption — and was removed. _sanitizeInputStringcollapsed all whitespace, destroying multi-line messages and code snippets. Newlines, tabs and indentation are now preserved; only control characters are stripped.- AAD validation failures no longer log the raw AAD (which carried
sessionIdandkeyFingerprint); only its length is logged.
Security
- Added
Strict-Transport-Security(2-year, includeSubDomains, preload) to nginx and .htaccess. - Added a restrictive
Permissions-Policy(camera kept for in-page QR scanning; microphone, geolocation, payment, usb and sensors denied).
Tests
- Added
tests/outgoing-message-integrity.test.mjs(16 suites total, all passing).
Housekeeping
- Synchronized the version string (4.8.13) across package.json, package-lock.json, manifest.json, index.html, meta.json, README, SECURITY_DISCLAIMER, the site header and the in-app init banner.
v4.8.11 — File transfer reliability fix
Fixes file transfers that silently failed to reach the peer, and relaxes the overly strict file-type check that rejected legitimate files.
Fixed
- File chunks are now sized so the on-the-wire message stays under the 64 KB SCTP message-size limit enforced by WebRTC. Previously each 64 KB chunk became a ~87 KB encrypted+Base64 message that exceeded this limit, so the consent handshake succeeded but no data was ever delivered — most visibly on Safari and cross-browser connections whose SDP omits
a=max-message-size. The send chunk size is now 16 KB (~22 KB on the wire); inbound chunks up to 64 KB are still accepted for backward compatibility.
Changed
- File-type validation is now driven by the extension allow-list, with the (client-supplied, easily spoofed) MIME type treated as an advisory signal. Files with a missing MIME type or a cross-OS MIME variant (e.g.
application/x-zip-compressedfor.zip,image/jpgfor.jpg) are no longer rejected. Blocked executable/script extensions, a blatantly foreign MIME on a safe extension, and per-type size limits are still enforced.
v4.8.12 — Chat notification & file-transfer UI fixes
Fixes duplicated chat output and a layout overflow in the message list.
Fixed
- Received file announced once, not many times. The per-transfer lock used a single
ifcheck, so when 3+ chunk operations queued on the same file they ran concurrently and broke assembly atomicity. The lock now serializes correctly and file assembly is idempotent —File receivedshows exactly once per file. - No more duplicated connection-setup system messages (e.g. "Both parties confirmed!" and "Secure connection successfully established").
handleVerificationBothConfirmednow bails out if both confirmations were already recorded, so the message and the verified transition fire only once. - DTLS fingerprint wraps inside the chat bubble. The message text column is a flex child with default
min-width:auto, so the long unbroken fingerprint overflowed; addedmin-w-0so it wraps. - Site header, init banner, and manifest now report the current version.
SecureBit.chat v4.8.10 — User-configurable STUN/TURN servers
Adds optional, advanced control over WebRTC connectivity for power and privacy-focused users. Public servers remain the zero-config default.
Added
- Advanced network settings panel — reachable from the header gear icon and the connection-creation screen — where users can supply their own STUN/TURN servers instead of the bundled public defaults.
- Allowlist-based validation of user input: only
stun:/stuns:/turn:/turns:URLs with valid hosts are accepted;javascript:,data:,http(s):,ws(s):, control characters, and oversized input are rejected before anything reachesRTCPeerConnection. - Optional on-device persistence, encrypted at rest with a non-extractable AES-GCM device key in IndexedDB, with an explicit save prompt and a "Forget saved" action.
- "Test servers" button that gathers ICE candidates against the entered configuration and reports STUN/TURN reachability.
- Privacy guidance in the panel: a TURN relay sees peer IPs and traffic timing (never message contents), so only a trusted or self-hosted relay improves privacy.
Changed
- Relay-only privacy mode now lives in the advanced settings panel; the standalone relay-only toggle was removed from the start screen to declutter the initial view.
- Server selection priority: user custom servers > operator override (
config/ice-servers.js) > built-in public defaults.
Full changelog: https://github.com/SecureBitChat/securebit-chat/blob/main/CHANGELOG.md
SecureBit.chat v4.8.9 — Security Hardening Patch
This release closes a vulnerable dependency, removes committed TURN credentials, and tightens production logging.
Security
- DOMPurify upgrade — bumped from 3.4.4 to a patched release, resolving a high-severity XSS advisory (GHSA-87xg-pxx2-7hvx) in the incoming-message sanitizer.
- esbuild upgrade — cleared a high-severity advisory in the build toolchain.
npm auditnow reports 0 vulnerabilities. - TURN credentials removed from Git —
config/ice-servers.jsis no longer tracked; useconfig/ice-servers.example.jsas a template. Operators must rotate any previously committed credentials. - Production logger hardening — removed temporary debug branches so the logger no longer prints error context or info/debug payloads, only an opaque error code.
Documentation & Versioning
- Updated the supported-release table in
SECURITY.mdto the v4.8.x line. - Synchronized the version string across the header, manifest, README, and in-app initialization message.
Full changelog: https://github.com/SecureBitChat/securebit-chat/blob/main/CHANGELOG.md

