Loom is experimental software. It has not received an independent security audit, cryptographic review, penetration test, or formal protocol analysis.
Loom should not be used for high-risk, sensitive, regulated, or adversarial communications.
No stable security-supported version exists yet.
The current development version is 0.1.x.
| Version | Security support |
|---|---|
| 0.1.x | No stable security support |
Please do not file public issues for suspected vulnerabilities.
Contact the maintainer through:
- GitHub: github.com/sudoaanish
- Website: aanishfarrukh.com
No PGP key is currently published for this project.
When reporting an issue, include:
- Affected version or commit.
- Operating system and environment.
- Steps to reproduce.
- Expected and actual behavior.
- Any proof of concept material that is safe to share privately.
- Whether the issue may expose private keys, message contents, identity tokens, local network metadata, or persistent database contents.
The current implementation:
- Generates a 32-byte local master seed.
- Derives Ed25519 identity keys and X25519 static keys from the master seed.
- Encodes public identity material into Loom tokens.
- Validates Loom token prefix, payload length, version, base32 encoding, and checksum.
- Signs handshake messages with Ed25519.
- Derives shared session material from X25519 Diffie-Hellman outputs using HKDF-SHA256.
- Encrypts chat payloads with ChaCha20-Poly1305 through a Double Ratchet-style session.
- Signs encrypted chat envelopes with Ed25519.
- Persists ratchet state per peer.
These are implementation observations, not security guarantees.
The current implementation has several important limitations:
- No independent security audit.
- Custom cryptographic protocol and custom Double Ratchet-style implementation.
- Local SQLite storage contains the master seed, ratchet state, contacts, and plaintext message history without application-level encryption.
- Tauri Content Security Policy is disabled with
"csp": null. - mDNS advertises local peer presence using a service name derived from the public identity key.
- TCP frame length is accepted from the network and used to allocate a buffer without an explicit maximum in the current implementation.
- No documented key verification ceremony beyond out-of-band token exchange.
- No documented identity revocation, key rotation, or recovery model.
- No documented database migration, backup, or secure deletion model.
- No stable security-supported version or vulnerability response process.
- The UI includes diagnostic console behavior and browser mock fallback behavior.
- The frontend escapes message contents before rendering, but the full webview security posture still needs review.
Changes in these files affect security-sensitive behavior:
crates/loom-core/src/crypto.rscrates/loom-core/src/protocol.rscrates/loom-core/src/network.rscrates/loom-core/src/storage.rscrates/loom-core/src/token.rssrc-tauri/src/main.rssrc-tauri/tauri.conf.jsonsrc/index.htmlsrc/main.js