Bit of an odd intro: I'm a carpenter, 42 years at the bench. I'm the type who can't stand making the same thing everyone else makes, so I've always chased the technical side too - CNC, laser cutting, and lately building software to run my machines.
At some point I wanted to send my own designs to people without them leaking anywhere, and I went down the rabbit hole of how messaging actually works. What got me was realising how much of the "free" stuff is paid for with our privacy. That annoyed me enough that I decided to build my own messenger, mostly to learn. It grew from something simple into a real thing. I called it Sherlock.
Two things I cared about: proper encryption, and NOT tying it to a phone number - I built a different system for that.
I'm not going to pretend I reinvented cryptography. I'm a woodworker who got obsessed. So I'd rather hear it straight from people who actually know this stuff:
- How much does the "no phone number" approach really buy you if I get the rest wrong?
- For a small independent project, what's the bar before any of you would even consider trusting it - open source, audit, something else?
Genuinely here for the criticism, not the pats on the back.
Ha - the avatar's fair game, I'll give you that. In my defence it's roughly what I look like, minus the hair I no longer have and a fair bit of the good looks. Says the guy whose own avatar is a little creature, mind you. :)
On point 1 - you and CallMeAl are saying the same thing and I've taken it on board: don't roll your own crypto, lean on the vetted primitives and get the system reviewed by people who actually do this. I'm using established primitives (X3DH, Double Ratchet, ML-KEM) rather than inventing anything, but "using the right Lego bricks" still isn't the same as "assembled them correctly," and I get that the assembly is exactly where the subtle mistakes hide. An external review is on the plan, and I'm not going to pitch this for serious use until it's been through one.
On point 2 - you actually answered your own question in a way I agree with. The no-install web route IS the differentiator I'm betting on. It runs as a PWA, so you open it in the browser on phone or desktop, nothing from an app store. You're not the first person in this thread to say "another app to install" is where they tap out, so that lines up with what I was hoping. Whether that's enough to cut through the noise, I honestly don't know yet - but it's the part I feel best about.
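A concrete illustration of the "right Lego bricks, wrong assembly" point from the reply above. This is an added example, not code from Sherlock or from the thread; it implements only the symmetric-key ratchet step of the Double Ratchet, using the KDF_CK construction the Signal specification recommends (HMAC-SHA256 keyed with the chain key, input byte 0x01 for the message key and 0x02 for the next chain key), and sets it beside a hypothetical "simplified" step that reuses one output for both roles. The chain key is a constructed demo value, and the attacker models are the two a reviewer would check first: a single message key leaks, or the chain key itself is captured partway through.

```python
import hashlib
import hmac
from typing import Callable

KdfCk = Callable[[bytes], tuple[bytes, bytes]]

# Constructed demo secret. In a real session the first chain key comes out of
# X3DH and the DH ratchet; it is never a hash of a fixed string.
DEMO_CHAIN_KEY = hashlib.sha256(b"constructed demo chain key, not a real secret").digest()


def kdf_ck_spec(ck: bytes) -> tuple[bytes, bytes]:
    """Symmetric-key ratchet step as recommended in the Signal Double Ratchet
    spec: two HMAC-SHA256 calls keyed with the chain key, with distinct constant
    inputs, so the message key and the next chain key are independent one-way
    outputs of the current chain key."""
    message_key = hmac.new(ck, b"\x01", hashlib.sha256).digest()
    next_chain_key = hmac.new(ck, b"\x02", hashlib.sha256).digest()
    return message_key, next_chain_key


def kdf_ck_shortcut(ck: bytes) -> tuple[bytes, bytes]:
    """Hypothetical mis-assembly for illustration only (not from Sherlock or any
    real implementation): one HMAC, reused as both the message key and the
    next chain key. Same primitive, broken property."""
    key = hmac.new(ck, b"\x01", hashlib.sha256).digest()
    return key, key


def message_keys(kdf: KdfCk, ck: bytes, count: int) -> list[bytes]:
    """Ratchet forward `count` times and collect the per-message keys.
    Both peers run this deterministically, which is how they agree on keys."""
    out = []
    for _ in range(count):
        mk, ck = kdf(ck)
        out.append(mk)
    return out


def recoverable_from_leaked_message_key(kdf: KdfCk, ck: bytes, count: int,
                                        leaked_index: int) -> list[int]:
    """Attacker model: exactly one message key leaks (say, a decryption buffer
    that was never wiped) and nothing else. Returns the indices of the `count`
    message keys the attacker can reproduce by treating the leaked value as a
    chain key and ratcheting forward from it."""
    real = message_keys(kdf, ck, count)
    guessed = set(message_keys(kdf, real[leaked_index], count))
    recovered = {leaked_index} | {i for i, mk in enumerate(real) if mk in guessed}
    return sorted(recovered)


def recoverable_from_compromised_chain_key(kdf: KdfCk, ck: bytes, count: int,
                                           step: int) -> list[int]:
    """Attacker model: the chain key itself is captured after `step` ratchet
    steps. Returns which of the `count` message keys it yields. Even the spec
    KDF gives up every later key here; what it protects is the earlier ones,
    which is exactly the forward-secrecy claim of the symmetric ratchet."""
    real = message_keys(kdf, ck, count)
    captured = ck
    for _ in range(step):
        _, captured = kdf(captured)
    guessed = set(message_keys(kdf, captured, count))
    return sorted(i for i, mk in enumerate(real) if mk in guessed)


if __name__ == "__main__":
    for name, kdf in (("spec", kdf_ck_spec), ("shortcut", kdf_ck_shortcut)):
        leaked = recoverable_from_leaked_message_key(kdf, DEMO_CHAIN_KEY, 5, 1)
        captured = recoverable_from_compromised_chain_key(kdf, DEMO_CHAIN_KEY, 5, 2)
        print(f"{name:8s} leaked mk[1] -> attacker gets {leaked}; "
              f"captured ck after 2 steps -> attacker gets {captured}")
```

With the spec KDF a leaked message key is worth exactly that one message, because HMAC(ck, 0x01) tells you nothing about HMAC(ck, 0x02); with the shortcut, the leaked message key is the next chain key, so one leaked key hands over every later message in the chain. The primitive (HMAC-SHA256) is identical in both; only the wiring differs, which is the kind of thing an external review looks for and unit tests like the one above can pin down.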