In the age of common data leaks, we want our conversations to be secure. We focused on one of the most popular chat platforms in the world, Facebook Messenger.
What it does
Using a Chrome extension, users can send and receive encrypted messages using PGP. While Facebook is starting to roll out encryption on the mobile version of Messenger, we wanted to bring encryption to everyone using messenger.com right now.
How we built it
Our extension hooks into the React components of the page. We monitor incoming and outgoing messages so we can react (haha) accordingly. We also provide uploads and lookups for users' public keys. We used OpenPGP.js for key creation and encryption/decryption and Python Flask for our keyserver.
Challenges we ran into
There are wayyy too many to list, but there were two main issues.
Hooking into a page using React is really really hard. The HTML is constantly changing, and injecting is also really really hard since Chrome extensions are sandboxed (double injection is the answer!).
Messenger.com has a set list of URLs that can make cross-origin requests, and surprise surprise our website is not on that list. We had to send messages to our extension from messenger.com, which in turn acted as a middleman to communicate with our injected script.
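The relay described above crosses a trust boundary: anything running on the page can post messages at the extension. The following is an added example, not the project's code, of how a content script can validate such messages before forwarding them; the message shape, the channel tag, the exact page origin, the keyserver URL and its routes are all assumptions.

```javascript
// Added example: validating page -> extension relay messages.
// All names, the message shape and the keyserver routes are hypothetical.
const PAGE_ORIGIN = "https://www.messenger.com";   // assumed exact origin
const KEYSERVER_URL = "https://keyserver.example"; // placeholder
const CHANNEL = "encrypted-messenger";             // hypothetical tag
const ALLOWED_TYPES = new Set(["lookup-key", "upload-key"]);
const PGP_HEADER = "-----BEGIN PGP PUBLIC KEY BLOCK-----";

// Returns a sanitized copy of the request, or null if it must be dropped.
function validateRelayMessage(event, pageWindow) {
  if (event.origin !== PAGE_ORIGIN) return null; // wrong origin
  if (event.source !== pageWindow) return null;  // iframe or other window
  const d = event.data;
  if (d === null || typeof d !== "object" || d.channel !== CHANNEL) return null;
  if (!ALLOWED_TYPES.has(d.type)) return null;
  if (typeof d.userId !== "string" || !/^[0-9]{1,32}$/.test(d.userId)) return null;
  const req = { type: d.type, userId: d.userId }; // copy known fields only
  if (d.type === "upload-key") {
    if (typeof d.publicKey !== "string" || d.publicKey.length > 65536 ||
        !d.publicKey.startsWith(PGP_HEADER)) return null;
    req.publicKey = d.publicKey;
  }
  return req;
}

// Used by the extension's background script: the destination is fixed by the
// extension, so the page can never steer the request to another host.
function toKeyserverRequest(req) {
  const url = `${KEYSERVER_URL}/keys/${encodeURIComponent(req.userId)}`;
  return req.type === "lookup-key"
    ? { url, method: "GET" }
    : { url, method: "PUT", body: req.publicKey };
}

// Content-script wiring; skipped outside a browser extension context.
if (typeof window !== "undefined" && typeof chrome !== "undefined") {
  window.addEventListener("message", (event) => {
    const req = validateRelayMessage(event, window);
    if (!req) return; // also drops our own "result" replies
    chrome.runtime.sendMessage(req, (reply) => {
      window.postMessage({ channel: CHANNEL, type: "result", reply }, PAGE_ORIGIN);
    });
  });
}
```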
Accomplishments that we're proud of
What we learned
This was our first encounter with Chrome extensions and React.
What's next for Encrypted Messenger
We'd love to make it easier to upload and verify PGP keys.