Skred protects your privacy and freedom by sending messages and photos directly between devices, without storing any content on a server.
However, to establish a WebRTC connection for real-time communication, a signaling server is needed to initiate and manage the connection between peers. This signaling server creates and manages connections between devices. A contact relation is represented by a pair of twincodes, which are UUIDs (Universally Unique Identifiers) generated when a relation is established. A new pair of twincodes is generated for each relation, even if they belong to the same device.
When a device wants to connect to a peer, it generates an SDP (Session Description Protocol) message to initiate the WebRTC connection. The SDP message is sent to the signaling server along with the peer’s twincode to identify the target device. The server then attempts to wake up the peer device using Google or Apple push notification services. Once the peer device is awake, it connects to the signaling server and retrieves the SDP message.
While both devices exchange their SDP messages via the signaling server, their WebRTC network stacks work to establish a direct connection between them. This connection may include a data channel, an optional audio stream, and an optional video stream.
The signaling server only processes the SDP messages, which are required to establish the peer-to-peer connection, and the twincodes, which appear as random data. The SDP contains sensitive temporary information, such as certificate fingerprints, transport IP addresses and ports (ICE), data stream options, and media stream definitions. To further protect user privacy and ensure that SDP messages are delivered to the correct devices, SDP messages are encrypted using secret keys known only to the two communicating devices.
With this architecture, no one can intercept your messages, photos, videos, or multimedia communications. However, this also means that both devices must be online at the same time to send and receive messages, which may sometimes result in delays.
This architecture, protocols and implementation have been positively audited by 3rd party cybersecurity experts.