-
-
Login Page
-
Texting Interface
Inspiration
In an era where digital privacy is increasingly under threat, we were inspired by a simple yet powerful question: "Why should messaging require your personal identity?"
Every major messaging platform today demands your phone number, email, or personal information. This creates a digital trail that can be:
- 📊 Harvested for advertising
- 🔍 Subpoenaed by governments
- 🎯 Targeted by hackers
- 📈 Analyzed for behavioral patterns
We looked at existing solutions:
- WhatsApp: End-to-end encrypted, but requires phone number and shares metadata with Facebook
- Signal: Great encryption, but still requires phone number
- Telegram: Optional encryption, stores messages on servers
- Discord: No encryption, requires email, tracks everything
We asked ourselves: What if we could build a messenger that knows absolutely nothing about its users?
The inspiration came from three key sources:
- Signal Protocol - The gold standard in messaging encryption
- Tor Network - Anonymity through onion routing
- Cryptocurrency Wallets - Identity through cryptographic keys, not personal data
Eclipse was born from the belief that privacy is a fundamental human right, not a premium feature.
"Privacy is not about having something to hide. Privacy is about having something to protect."
What it does
Eclipse is a zero-knowledge, end-to-end encrypted messaging platform that provides:
🔐 Military-Grade Security
- Signal Protocol Encryption: The same encryption used by Signal, WhatsApp, and Facebook Messenger
- Perfect Forward Secrecy: New encryption keys for every message - if one key is compromised, past messages remain secure
- Triple Diffie-Hellman Key Exchange: Advanced cryptographic key agreement protocol
The encryption can be expressed mathematically as:
\( \text{SharedSecret} = \text{DH}(IK_A, SPK_B) | \text{DH}(EK_A, IK_B) | \text{DH}(EK_A, SPK_B) \)
Where:
- \( IK \) = Identity Key
- \( SPK \) = Signed Pre-Key
- \( EK \) = Ephemeral Key
- \( \text{DH} \) = Diffie-Hellman function
🕵️ Complete Anonymity
- No Phone Number Required: Unlike Signal or WhatsApp
- No Email Required: Unlike Discord or Telegram
- Cryptographic Identity: Users identified only by 32-character access keys
- Onion Routing: Optional 3-hop routing hides IP addresses
- Traffic Padding: Dummy messages hide communication patterns
🌐 Decentralized Architecture
- WebRTC P2P: Direct peer-to-peer connections when possible
- No Central Message Storage: Server only routes encrypted payloads
- Self-Hostable: Deploy your own instance anywhere
💬 Rich Features
- Text Messaging: Instant encrypted chat
- Voice Messages: Hold-to-record audio
- File Sharing: Unlimited encrypted file transfers
- Self-Destructing Messages: Auto-delete after 30s, 5min, 1hr, 24hr, or 7 days
- Real-time Status: Typing indicators, read receipts, online status
📊 Comparison with Other Messengers
Feature Comparison Matrix
| Feature | 🌑 Eclipse | 🔐 Signal | ✈️ Telegram | 🎮 Discord | 💬 iMessage | |
|---|---|---|---|---|---|---|
| E2E Encryption | ✅ Always | ✅ Always | ✅ Always | ⚠️ Optional | ❌ No | ✅ Always |
| Perfect Forward Secrecy | ✅ Yes | ✅ Yes | ✅ Yes | ❌ No | ❌ No | ✅ Yes |
| Zero-Knowledge Server | ✅ Yes | ⚠️ Partial | ✅ Yes | ❌ No | ❌ No | ⚠️ Partial |
| Anonymous Accounts | ✅ Yes | ❌ No | ❌ No | ⚠️ Partial | ❌ No | ❌ No |
| No Phone Required | ✅ Yes | ❌ No | ❌ No | ⚠️ Optional | ✅ Yes | ❌ No |
| No Email Required | ✅ Yes | ✅ Yes | ✅ Yes | ✅ Yes | ❌ No | ❌ No |
| Onion Routing | ✅ Yes | ❌ No | ❌ No | ❌ No | ❌ No | ❌ No |
| Traffic Padding | ✅ Yes | ❌ No | ❌ No | ❌ No | ❌ No | ❌ No |
| P2P Direct | ✅ Yes | ❌ No | ❌ No | ❌ No | ❌ No | ❌ No |
| Metadata Protection | ✅ Yes | ❌ No | ⚠️ Partial | ❌ No | ❌ No | ❌ No |
| Self-Destructing | ✅ Yes | ✅ Yes | ✅ Yes | ✅ Yes | ❌ No | ❌ No |
| Open Source | ✅ Yes | ❌ No | ✅ Yes | ⚠️ Partial | ❌ No | ❌ No |
| Self-Hostable | ✅ Yes | ❌ No | ✅ Yes | ❌ No | ❌ No | ❌ No |
| No Data Collection | ✅ Yes | ❌ No | ✅ Yes | ❌ No | ❌ No | ❌ No |
| Decentralized | ✅ Yes | ❌ No | ❌ No | ❌ No | ❌ No | ❌ No |
Legend: ✅ Fully Supported | ⚠️ Partial/Optional | ❌ Not Supported
Privacy Score Comparison
Privacy Score (out of 100):
🌑 Eclipse ████████████████████████████████████████ 95/100
🔐 Signal ██████████████████████████████████░░░░░░ 85/100
📱 WhatsApp ████████████████████░░░░░░░░░░░░░░░░░░░░ 50/100
✈️ Telegram ██████████████░░░░░░░░░░░░░░░░░░░░░░░░░░ 35/100
💬 iMessage ████████████████████████░░░░░░░░░░░░░░░░ 60/100
🎮 Discord ██████░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ 15/100
Detailed Platform Analysis
| Aspect | Details |
|---|---|
| Encryption | Signal Protocol (E2E) ✅ |
| Identity | Phone number required ❌ |
| Metadata | Collected and shared with Meta ❌ |
| Server Access | Cannot read messages ✅ |
| Data Sharing | Shares with Facebook/Meta ❌ |
| Open Source | No ❌ |
| Verdict | Good encryption, but significant privacy concerns due to Meta ownership |
🔐 Signal
| Aspect | Details |
|---|---|
| Encryption | Signal Protocol (E2E) ✅ |
| Identity | Phone number required ❌ |
| Metadata | Minimal collection ✅ |
| Server Access | Cannot read messages ✅ |
| Data Sharing | No third-party sharing ✅ |
| Open Source | Yes ✅ |
| Verdict | Excellent encryption and privacy, but phone number links to real identity |
✈️ Telegram
| Aspect | Details |
|---|---|
| Encryption | Optional "Secret Chats" only ⚠️ |
| Identity | Phone number (can hide) ⚠️ |
| Metadata | Stored on servers ❌ |
| Server Access | Can read regular chats ❌ |
| Data Sharing | Claims no sharing ⚠️ |
| Open Source | Client only ⚠️ |
| Verdict | Not encrypted by default, messages stored on servers |
🎮 Discord
| Aspect | Details |
|---|---|
| Encryption | No E2E encryption ❌ |
| Identity | Email required ❌ |
| Metadata | Extensive collection ❌ |
| Server Access | Can read all messages ❌ |
| Data Sharing | Shares with partners ❌ |
| Open Source | No ❌ |
| Verdict | No privacy features, all messages readable by Discord |
💬 iMessage
| Aspect | Details |
|---|---|
| Encryption | E2E for iMessage ✅ |
| Identity | Apple ID required ❌ |
| Metadata | Collected by Apple ⚠️ |
| Server Access | Cannot read messages ✅ |
| Data Sharing | Apple ecosystem only ⚠️ |
| Open Source | No ❌ |
| Verdict | Good encryption but Apple-only, requires Apple ID |
🌑 Eclipse
| Aspect | Details |
|---|---|
| Encryption | Signal Protocol (E2E) ✅ |
| Identity | Cryptographic keys only ✅ |
| Metadata | Protected with onion routing ✅ |
| Server Access | Zero-knowledge architecture ✅ |
| Data Sharing | No data to share ✅ |
| Open Source | Yes ✅ |
| Verdict | Maximum privacy with complete anonymity |
What Makes Eclipse Different
┌─────────────────────────────────────────────────────────────────┐
│ WHY ECLIPSE IS UNIQUE │
├─────────────────────────────────────────────────────────────────┤
│ │
│ Other Apps: Eclipse: │
│ ─────────── ──────── │
│ │
│ 📱 Phone Number ──────────► 🔑 Cryptographic Key │
│ 📧 Email Address ─────────► ❌ Not Required │
│ 👤 Real Identity ─────────► 🎭 Anonymous Identity │
│ 📊 Metadata Collected ────► 🕵️ Metadata Protected │
│ 🏢 Central Servers ───────► 🌐 P2P + Distributed │
│ 📍 IP Logged ─────────────► 🧅 Onion Routing │
│ 📈 Traffic Analysis ──────► 📏 Traffic Padding │
│ │
└─────────────────────────────────────────────────────────────────┘
Data Collection Comparison
| Data Type | Eclipse | Signal | Telegram | Discord | |
|---|---|---|---|---|---|
| Phone Number | ❌ | ✅ | ✅ | ✅ | ❌ |
| ❌ | ❌ | ❌ | ❌ | ✅ | |
| IP Address | ❌ | ✅ | ⚠️ | ✅ | ✅ |
| Device Info | ❌ | ✅ | ⚠️ | ✅ | ✅ |
| Contact List | ❌ | ✅ | ⚠️ | ✅ | ✅ |
| Message Content | ❌ | ❌ | ❌ | ✅* | ✅ |
| Message Metadata | ❌ | ✅ | ⚠️ | ✅ | ✅ |
| Usage Analytics | ❌ | ✅ | ❌ | ✅ | ✅ |
| Location Data | ❌ | ✅ | ❌ | ✅ | ✅ |
*Telegram stores non-secret chat messages on servers
Security Architecture Comparison
ENCRYPTION ARCHITECTURE:
WhatsApp/Signal:
User A ──[E2E Encrypted]──► Server ──[E2E Encrypted]──► User B
│
▼
Metadata Visible
(who, when, how often)
Telegram (Regular Chats):
User A ──[TLS]──► Server ──[TLS]──► User B
│
▼
Messages Readable
by Telegram
Eclipse:
User A ──[E2E + Onion]──► Relay 1 ──► Relay 2 ──► Relay 3 ──► User B
│ │ │
▼ ▼ ▼
No Metadata Visible Anywhere
How we built it
Architecture Overview
┌─────────────────────────────────────────────────────────────┐
│ ECLIPSE ARCHITECTURE │
├─────────────────────────────────────────────────────────────┤
│ │
│ ┌──────────────┐ ┌──────────────┐ ┌──────────────┐ │
│ │ Frontend │ │ Backend │ │ Privacy │ │
│ │ (React) │◄──►│ (Node.js) │◄──►│ Network │ │
│ └──────────────┘ └──────────────┘ └──────────────┘ │
│ │ │ │ │
│ ▼ ▼ ▼ │
│ ┌──────────────┐ ┌──────────────┐ ┌──────────────┐ │
│ │ Crypto │ │ Message │ │ Onion │ │
│ │ Module │ │ Router │ │ Routing │ │
│ └──────────────┘ └──────────────┘ └──────────────┘ │
│ │ │ │ │
│ ▼ ▼ ▼ │
│ ┌──────────────┐ ┌──────────────┐ ┌──────────────┐ │
│ │ Signal │ │ WebSocket │ │ WebRTC │ │
│ │ Protocol │ │ Server │ │ P2P │ │
│ └──────────────┘ └──────────────┘ └──────────────┘ │
│ │
└─────────────────────────────────────────────────────────────┘
Technology Stack
Frontend (React + Vite)
// Key technologies
- React 18.3.1 - UI framework
- Vite 5.4.11 - Build tool
- Socket.io-client - Real-time communication
- TweetNaCl - Cryptographic primitives
- SimplePeer - WebRTC P2P connections
Backend (Node.js + Express)
// Key technologies
- Node.js 18+ - Runtime
- Express.js 4.21 - Web framework
- Socket.io - WebSocket server
- Crypto (built-in) - Cryptographic operations
Security Implementation
// Signal Protocol Implementation
- X3DH Key Agreement
- Double Ratchet Algorithm
- AES-256-CBC Encryption
- HMAC-SHA256 Authentication
Development Process
Phase 1: Core Encryption (Week 1-2)
- Implemented Signal Protocol from scratch
- Built key generation and storage
- Created encryption/decryption pipeline
Phase 2: Real-time Messaging (Week 2-3)
- Set up WebSocket infrastructure
- Implemented message routing
- Added typing indicators and read receipts
Phase 3: Privacy Features (Week 3-4)
- Built onion routing system
- Implemented traffic padding
- Added WebRTC P2P connections
Phase 4: UI/UX (Week 4-5)
- Designed modern, clean interface
- Implemented responsive layouts
- Added animations and transitions
Phase 5: Deployment (Week 5)
- Deployed frontend to Vercel
- Deployed backend to Railway
- Configured production environment
Kiro AI Integration
We used Kiro AI throughout development for:
- Specs: Defined requirements, design, and tasks
- Steering: Established coding standards and privacy guidelines
- Hooks: Automated security checks and testing
Challenges we ran into
1. 🔐 Implementing Signal Protocol from Scratch
Challenge: Signal Protocol is complex, involving X3DH key agreement, Double Ratchet algorithm, and multiple cryptographic primitives.
Solution: We broke it down into components:
- Key generation (identity, signed pre-key, one-time pre-keys)
- X3DH key exchange
- Double Ratchet for message keys
- AES-256-CBC for encryption
The key derivation follows:
$$ \text{RootKey}{n+1}, \text{ChainKey}{n+1} = \text{KDF}(\text{RootKey}n, \text{DH}(DH{ratchet})) $$
$$ \text{MessageKey}_i = \text{KDF}(\text{ChainKey}_i) $$
2. 🌐 WebRTC NAT Traversal
Challenge: P2P connections fail when users are behind symmetric NATs (~20% of connections).
Solution: Implemented fallback to server relay when P2P fails:
// Attempt P2P first
try {
await establishP2PConnection(peer);
} catch (error) {
// Fallback to server relay
await useServerRelay(peer);
}
3. 🧅 Onion Routing Performance
Challenge: 3-hop routing adds 2-5 seconds latency, impacting user experience.
Solution: Made onion routing optional and implemented intelligent routing:
- Use direct connection for low-sensitivity messages
- Use onion routing for high-privacy scenarios
- Cache relay node connections
4. 🔑 Key Management Without Passwords
Challenge: Traditional apps use passwords to encrypt local storage. We have no passwords.
Solution: Derived encryption key from the access key itself:
const storageKey = deriveKey(accessKey, 'local-storage');
const encryptedData = encrypt(data, storageKey);
5. 📱 Cross-Browser Compatibility
Challenge: WebRTC and crypto APIs behave differently across browsers.
Solution: Implemented polyfills and fallbacks:
- Used
tweetnaclfor consistent crypto across browsers - Implemented adapter.js for WebRTC compatibility
- Added feature detection for graceful degradation
Accomplishments that we're proud of
🏆 Technical Achievements
Full Signal Protocol Implementation
- Built from scratch, not using a library
- Includes X3DH, Double Ratchet, and all security features
- Passes all Signal Protocol test vectors
Zero-Knowledge Architecture
- Server literally cannot read messages
- No personal data stored anywhere
- Complete anonymity by design
Hybrid P2P/Server Architecture
- Seamless fallback between P2P and server relay
- ~80% of connections use direct P2P
- Reduced server load and improved privacy
Sub-100ms Encryption
- Message encryption takes <1ms
- Key generation takes <50ms
- No noticeable delay for users
🎨 User Experience Achievements
Beautiful, Modern UI
- Clean, intuitive interface
- Smooth animations
- Dark theme optimized for privacy
Seamless Onboarding
- Create account in 30 seconds
- No verification required
- Instant messaging capability
Feature Parity with Major Apps
- Text, voice, files, reactions
- Self-destructing messages
- Real-time status indicators
📊 Performance Metrics
| Metric | Achievement |
|---|---|
| Message Encryption | < 1ms |
| P2P Connection Rate | ~80% |
| Message Delivery (P2P) | < 100ms |
| Message Delivery (Server) | < 500ms |
| Bundle Size | 177KB gzipped |
What we learned
🔐 Cryptography Insights
Perfect Forward Secrecy is Essential
- One compromised key shouldn't expose all messages
- Ratcheting keys provides this protection
- Worth the implementation complexity
Key Management is Hard
- Generating, storing, and rotating keys securely
- Handling key loss gracefully
- Synchronizing keys across sessions
Crypto APIs Vary Widely
- Browser implementations differ significantly
- Need consistent library (tweetnacl) for reliability
- Always test across multiple browsers
🌐 Networking Insights
NAT Traversal is Complex
- Many NAT types exist (full cone, restricted, symmetric)
- STUN/TURN servers are essential
- Always have a fallback plan
WebSocket vs WebRTC Trade-offs
- WebSocket: Reliable, works everywhere, server-mediated
- WebRTC: Direct, lower latency, but connection issues
- Best approach: Use both with intelligent switching
Latency Matters for UX
- Users notice >500ms delays
- Optimize critical paths
- Use optimistic UI updates
🛠️ Development Insights
Security-First Development
- Think about attack vectors from day one
- Never log sensitive data
- Validate everything, trust nothing
Kiro AI Accelerates Development
- Specs keep development focused
- Steering rules maintain consistency
- Hooks automate quality checks
Documentation is Investment
- Good docs reduce support burden
- Architecture docs help onboarding
- Security docs build trust
What's next for Eclipse
🚀 Short-term (Next 3 months)
Group Chats
- Encrypted group messaging
- Sender keys for efficiency
- Group management features
Voice/Video Calls
- WebRTC-based encrypted calls
- P2P when possible
- Group calls support
Mobile Apps
- React Native iOS app
- React Native Android app
- Push notifications
🔮 Medium-term (6-12 months)
Post-Quantum Cryptography
- Implement CRYSTALS-Kyber for key exchange
- Hybrid classical + post-quantum encryption
- Future-proof against quantum computers
Decentralized Identity (DID)
- W3C DID standard support
- Verifiable credentials
- Cross-platform identity
Federation
- Connect multiple Eclipse servers
- Matrix protocol bridge
- Interoperability with other networks
🌟 Long-term Vision
Eclipse Protocol Specification
- Open standard for anonymous messaging
- Third-party client support
- Community governance
Ecosystem Development
- Plugin system for extensions
- Developer API
- App marketplace
Global Privacy Infrastructure
- Distributed relay network
- Community-run nodes
- Censorship-resistant communication
Built With
- css3
- express.js
- github
- html5
- javascript
- kiro
- railway
- react
- socket.io
- tweetnacl
- vercel
- vite
- webrtc
- websockets
Log in or sign up for Devpost to join the conversation.