High-assurance encrypted messaging over WebSockets.
BlindWire is a minimal, secure messaging protocol designed to minimize attack surface and enforce perfect forward secrecy through extreme session isolation. It is not a "chat app" with accounts; it is a point-to-point secure wire with a strictly enforced failure model.
- Noise_XX Handshake: Curve25519, ChaChaPoly, BLAKE2s for mutual authentication and forward secrecy.
- TLS Certificate Pinning: TOFU-and-Lock model prevents MITM attacks at the transport layer.
- Rate Limiting: Per-IP connection limits and global server caps protect against abuse.
- QR Session Sharing: Scan-to-join via
blindwire://URI scheme. - Hard Failure: Any protocol deviation terminates the session immediately.
- Memory Zeroization: Best-effort burning of secrets and plaintext from RAM.
| Component | Description |
|---|---|
blindwire-cli |
TUI-based messaging client with QR code display. |
blindwire-server |
Binary signaling relay (no JSON, no database). |
blindwire-core |
Protocol state machine, framing, Noise wrapper. |
blindwire-transport |
Async secure transport layer. |
Download pre-built binaries from Releases.
cargo build --releaseBinaries will be in target/release/.
./blindwire-server
# Listening on 0.0.0.0:8080./blindwire-cli --server wss://your-relay.example.com:8080A QR code will be displayed. Share it with your peer.
Note: The QR contains no cryptographic keys, but the session ID is a join capability. Share it only with your intended peer via a secure channel.
# Option 1: Scan QR and use URI
./blindwire-cli --uri "blindwire://relay:8080/SESSION_ID/r"
# Option 2: Manual flags
./blindwire-cli --server wss://relay:8080 --session SESSION_ID --role rAfter the Noise handshake completes, both peers MUST verify the displayed fingerprint via a secondary secure channel (phone call, Signal, in-person). If fingerprints do not match, assume MITM and terminate immediately.
BlindWire protects against:
- Passive Network Adversary: All application data is encrypted with ChaCha20-Poly1305.
- Active MITM: TLS pinning and fingerprint verification block interception.
- Compromised Relay: The server cannot read encrypted payloads. It sees only opaque binary frames.
- Compromised Endpoint: If your OS or terminal is compromised, BlindWire cannot protect you.
- Anonymity: This is not Tor. IP addresses are visible to the network and relay.
- Metadata: Timing, packet sizes, and connection patterns are not hidden.
TERMINATEframes are unauthenticated (DoS possible if Session ID is leaked). Scheduled for v2.1.- Zeroization is best-effort due to OS memory management constraints.
See PROTOCOL_V2.md for the frozen v2.0 wire format.
MIT