summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorGab <24553253+gabrix73@users.noreply.github.com>2025-10-14 19:15:17 +0200
committerGitHub <noreply@github.com>2025-10-14 19:15:17 +0200
commitd6796a43bc3803e3c018155f207ca7b2e2890c51 (patch)
tree0ca47558a8220ee9887f3d4ad5bee23978b693e6
parentbff410004124d15c259de6964351f68a24d2c8b0 (diff)
downloadnofuture-go-memguard-d6796a43bc3803e3c018155f207ca7b2e2890c51.tar.gz
nofuture-go-memguard-d6796a43bc3803e3c018155f207ca7b2e2890c51.tar.xz
nofuture-go-memguard-d6796a43bc3803e3c018155f207ca7b2e2890c51.zip
Update README.html
-rw-r--r--README.html784
1 files changed, 784 insertions, 0 deletions
diff --git a/README.html b/README.html
index 8b13789..9e91bd4 100644
--- a/README.html
+++ b/README.html
@@ -1 +1,785 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+ <meta charset="UTF-8" />
+ <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+ <title>NoFuture-Memguard-PQ - Ephemeral Post-Quantum Text Encryption</title>
+ <style>
+ body {
+ font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Arial, sans-serif;
+ margin: 40px;
+ background-color: #f4f4f4;
+ color: #333;
+ line-height: 1.6;
+ }
+ .container {
+ max-width: 1000px;
+ margin: auto;
+ background: white;
+ padding: 40px;
+ border-radius: 8px;
+ box-shadow: 0 0 20px rgba(0, 0, 0, 0.1);
+ }
+ h1 {
+ color: #0056b3;
+ border-bottom: 3px solid #0056b3;
+ padding-bottom: 10px;
+ }
+ h2 {
+ color: #0056b3;
+ margin-top: 30px;
+ border-left: 4px solid #0056b3;
+ padding-left: 15px;
+ }
+ h3 {
+ color: #764ba2;
+ margin-top: 20px;
+ }
+ pre {
+ background: #272822;
+ color: #f8f8f2;
+ padding: 15px;
+ border-radius: 5px;
+ overflow-x: auto;
+ font-size: 14px;
+ }
+ code {
+ background: #f4f4f4;
+ padding: 2px 6px;
+ border-radius: 3px;
+ font-family: 'Courier New', monospace;
+ }
+ pre code {
+ background: transparent;
+ padding: 0;
+ }
+ .warning-box {
+ background: #fff3cd;
+ border-left: 5px solid #ffc107;
+ padding: 15px;
+ margin: 20px 0;
+ border-radius: 5px;
+ }
+ .security-box {
+ background: #d4edda;
+ border-left: 5px solid #28a745;
+ padding: 15px;
+ margin: 20px 0;
+ border-radius: 5px;
+ }
+ .danger-box {
+ background: #f8d7da;
+ border-left: 5px solid #dc3545;
+ padding: 15px;
+ margin: 20px 0;
+ border-radius: 5px;
+ }
+ table {
+ width: 100%;
+ border-collapse: collapse;
+ margin-top: 15px;
+ margin-bottom: 20px;
+ }
+ th, td {
+ border: 1px solid #ddd;
+ padding: 12px;
+ text-align: left;
+ }
+ th {
+ background-color: #0056b3;
+ color: white;
+ font-weight: 600;
+ }
+ tr:nth-child(even) {
+ background-color: #f9f9f9;
+ }
+ ul, ol {
+ margin-left: 20px;
+ margin-bottom: 15px;
+ }
+ li {
+ margin-bottom: 8px;
+ }
+ .badge {
+ display: inline-block;
+ padding: 3px 8px;
+ border-radius: 12px;
+ font-size: 0.85em;
+ font-weight: 600;
+ margin-left: 8px;
+ }
+ .badge-critical {
+ background: #28a745;
+ color: white;
+ }
+ .badge-high {
+ background: #17a2b8;
+ color: white;
+ }
+ .lang-switch {
+ text-align: right;
+ margin-bottom: 20px;
+ }
+ button {
+ padding: 8px 16px;
+ margin: 5px;
+ cursor: pointer;
+ border: none;
+ border-radius: 5px;
+ font-weight: 600;
+ }
+ .it {
+ background: #0056b3;
+ color: white;
+ }
+ .en {
+ background: #28a745;
+ color: white;
+ }
+ .hidden {
+ display: none;
+ }
+ a {
+ color: #0056b3;
+ text-decoration: none;
+ }
+ a:hover {
+ text-decoration: underline;
+ }
+ </style>
+</head>
+<body>
+<div class="container">
+ <div class="lang-switch">
+ <button class="it" onclick="toggleLang('it')">🇮🇹 ITA</button>
+ <button class="en" onclick="toggleLang('en')">🇬🇧 ENG</button>
+ </div>
+
+ <!-- ENGLISH CONTENT -->
+ <div id="content-en">
+ <h1>🔐 NoFuture-Memguard-PQ</h1>
+ <p style="font-size: 1.2em; color: #666; font-style: italic;">Ephemeral Post-Quantum Text Encryption Plugin for Mainstream Chats</p>
+ <p><strong>Version 0.5.0</strong> | Built with love and defiance | Privacy is a human right, not a feature</p>
+
+ <div class="security-box">
+ <strong>🛡️ Core Security Philosophy:</strong> NoFuture-Memguard-PQ is a <strong>detached external encryption plugin</strong> designed to work alongside mainstream chat applications (WhatsApp Web, Telegram, Signal, etc.) without ever being part of them. This architectural isolation is the foundation of its security.
+ </div>
+
+ <h2>📌 What is NoFuture-Memguard-PQ?</h2>
+ <p>NoFuture-Memguard-PQ is a browser-based encryption tool that acts as an <strong>external cryptographic plugin</strong> for any instant messaging platform. You use it in one browser tab while your mainstream chat runs in another tab. Messages are encrypted locally in your browser, and only the ciphertext is transmitted through the untrusted mainstream channel.</p>
+
+ <p><strong>Key Concept:</strong> Your plaintext and cryptographic keys <strong>never enter the mainstream chat application</strong>. The chat platform only sees encrypted data it cannot decrypt.</p>
+
+ <h2>🎯 Why "Detached" Architecture is Critical for Security</h2>
+
+ <h3>The Problem with Integrated Plugins</h3>
+ <p>If NoFuture-Memguard-PQ were an official plugin integrated into WhatsApp, Telegram, or any mainstream platform, it would <strong>not be trustworthy</strong> because:</p>
+ <ul>
+ <li>The platform provider could access your encryption keys</li>
+ <li>Server-side backdoors could be mandated by governments (ChatControl, EARN IT Act, etc.)</li>
+ <li>Platform updates could silently compromise encryption</li>
+ <li>Your private keys would be within the platform's security perimeter</li>
+ </ul>
+
+ <h3>The Solution: Complete Isolation</h3>
+ <p>NoFuture-Memguard-PQ is <strong>completely separate</strong> from mainstream chat platforms:</p>
+
+ <table>
+ <thead>
+ <tr>
+ <th>Component</th>
+ <th>Where It Lives</th>
+ <th>Who Controls It</th>
+ </tr>
+ </thead>
+ <tbody>
+ <tr>
+ <td><strong>Your private keys</strong></td>
+ <td>NoFuture tab (protected RAM)</td>
+ <td>You (not the chat platform)</td>
+ </tr>
+ <tr>
+ <td><strong>Plaintext messages</strong></td>
+ <td>NoFuture tab (protected RAM)</td>
+ <td>You (not the chat platform)</td>
+ </tr>
+ <tr>
+ <td><strong>Encryption/Decryption</strong></td>
+ <td>NoFuture tab (client-side)</td>
+ <td>You (not the chat platform)</td>
+ </tr>
+ <tr>
+ <td><strong>Ciphertext only</strong></td>
+ <td>Mainstream chat tab</td>
+ <td>Chat platform (but it's useless to them)</td>
+ </tr>
+ </tbody>
+ </table>
+
+ <div class="security-box">
+ <strong>🔒 Security Guarantee:</strong> Because NoFuture-Memguard-PQ is detached, mainstream chat platforms have <strong>zero access</strong> to your keys or plaintext. Even if WhatsApp, Telegram, or Signal were completely compromised, your encrypted conversations remain secure. The ciphertext stored in their servers is mathematically impossible to decrypt without your session keys—which are destroyed after the session ends.
+ </div>
+
+ <h2>🧠 Multi-Layer Security Architecture</h2>
+ <p>The security of NoFuture-Memguard-PQ is based on <strong>defense in depth</strong>, with multiple independent protection layers working simultaneously:</p>
+
+ <h3>1. Memguard: The Foundation<span class="badge badge-critical">MOST CRITICAL</span></h3>
+ <p><a href="https://github.com/awnumar/memguard">Memguard</a> is a Go library for handling sensitive data in memory. It is the <strong>primary security mechanism</strong> protecting both your cryptographic keys and plaintext messages.</p>
+
+ <h4>What Memguard Protects:</h4>
+ <ul>
+ <li><strong>Private keys</strong> (Curve25519 for NaCl box)</li>
+ <li><strong>Public keys</strong></li>
+ <li><strong>Shared secrets</strong> (derived from key exchange)</li>
+ <li><strong>Plaintext messages</strong> (before encryption / after decryption)</li>
+ <li><strong>Session nonces</strong></li>
+ </ul>
+
+ <h4>How Memguard Works:</h4>
+ <table>
+ <thead>
+ <tr>
+ <th>Attack Vector</th>
+ <th>Memguard Protection</th>
+ </tr>
+ </thead>
+ <tbody>
+ <tr>
+ <td>Memory dumps (even by root)</td>
+ <td>Data stored in encrypted memory pages outside the Go heap</td>
+ </tr>
+ <tr>
+ <td>Swap file analysis</td>
+ <td><code>mlock()</code> system call prevents swapping to disk</td>
+ </tr>
+ <tr>
+ <td>Debugger attachment (gdb, lldb)</td>
+ <td>Memory is encrypted in RAM; debugger sees only ciphertext</td>
+ </tr>
+ <tr>
+ <td>Core dumps on crash</td>
+ <td>Automatic purge on crash via <code>memguard.CatchInterrupt()</code></td>
+ </tr>
+ <tr>
+ <td>Garbage collector inspection</td>
+ <td>Sensitive buffers are off-heap, invisible to GC</td>
+ </tr>
+ <tr>
+ <td>Cold boot attacks</td>
+ <td>Memory wiped on process exit; no residual data</td>
+ </tr>
+ </tbody>
+ </table>
+
+ <div class="danger-box">
+ <strong>🔥 Critical Security Feature:</strong> Not even the server administrator with root access can dump your keys or plaintext from RAM. Memguard's kernel-level memory protection makes sensitive data <strong>forensically unrecoverable</strong> even with physical access to the server's RAM.
+ </div>
+
+ <h3>2. Post-Quantum Cryptography<span class="badge badge-high">HIGH PRIORITY</span></h3>
+ <p>While memguard protects data in memory, post-quantum cryptography protects data in transit and at rest against future quantum computer attacks.</p>
+
+ <h4>Current Implementation (v0.5.0):</h4>
+ <ul>
+ <li><strong>Key Exchange:</strong> NaCl box (Curve25519 + XSalsa20-Poly1305)</li>
+ <li><strong>Symmetric Encryption:</strong> XChaCha20-Poly1305 (AEAD)</li>
+ </ul>
+
+ <div class="warning-box">
+ <strong>⚠️ Roadmap:</strong> Future versions will integrate true post-quantum algorithms:
+ <ul>
+ <li><strong>Kyber1024-90s</strong> for key encapsulation (KEM)</li>
+ <li><strong>Dilithium5-AES</strong> for digital signatures (authentication)</li>
+ </ul>
+ These are NIST-standardized post-quantum cryptography algorithms designed to resist attacks from quantum computers.
+ </div>
+
+ <h3>3. Additional Security Layers</h3>
+
+ <table>
+ <thead>
+ <tr>
+ <th>Layer</th>
+ <th>Purpose</th>
+ <th>Protection Against</th>
+ </tr>
+ </thead>
+ <tbody>
+ <tr>
+ <td><strong>Detached Architecture</strong></td>
+ <td>Isolation from mainstream platforms</td>
+ <td>Backdoors, ChatControl, platform compromise</td>
+ </tr>
+ <tr>
+ <td><strong>Authenticated Encryption (AEAD)</strong></td>
+ <td>XChaCha20-Poly1305</td>
+ <td>Tampering, bit-flipping, MITM attacks</td>
+ </tr>
+ <tr>
+ <td><strong>Session Isolation</strong></td>
+ <td>Unique keys per session</td>
+ <td>Cross-session attacks, replay attacks</td>
+ </tr>
+ <tr>
+ <td><strong>Rate Limiting</strong></td>
+ <td>60 requests/minute per IP</td>
+ <td>Brute force, DoS attacks</td>
+ </tr>
+ <tr>
+ <td><strong>Request Size Limits</strong></td>
+ <td>Max 1MB per request</td>
+ <td>Memory exhaustion, DoS</td>
+ </tr>
+ <tr>
+ <td><strong>Session Timeout</strong></td>
+ <td>24 hours max lifetime</td>
+ <td>Abandoned sessions, stale keys</td>
+ </tr>
+ <tr>
+ <td><strong>Total Key Destruction</strong></td>
+ <td>Secure wipe on session end</td>
+ <td>Forensic recovery, future access</td>
+ </tr>
+ </tbody>
+ </table>
+
+ <h2>🔑 How It Works: 5-Phase Workflow</h2>
+
+ <div style="background: #f8f9fa; padding: 20px; border-radius: 8px; margin: 20px 0;">
+ <p style="font-size: 1.1em;"><strong>Usage Scenario:</strong> Alice wants to send a secure message to Bob using WhatsApp Web (or any chat platform).</p>
+ </div>
+
+ <h3>Phase 1: Session Creation</h3>
+ <p><strong>Alice</strong> opens NoFuture-Memguard-PQ in a browser tab and clicks "Start New Session".</p>
+ <pre><code>// What happens under the hood:
+1. Generate Curve25519 key pair (32-byte private + public keys)
+2. Generate random 24-byte nonce
+3. Create Session ID = SHA256(publicKey + nonce)
+4. Store all keys in memguard.LockedBuffer (encrypted RAM)
+5. Return Session ID to Alice</code></pre>
+
+ <h3>Phase 2: Session ID Exchange</h3>
+ <p><strong>Alice</strong> copies her Session ID and sends it to <strong>Bob</strong> via WhatsApp Web.</p>
+ <div class="warning-box">
+ <strong>Note:</strong> The Session ID is <strong>not sensitive</strong>. It's a cryptographic descriptor containing only public information. It can be transmitted over any channel, even unencrypted.
+ </div>
+
+ <h3>Phase 3: Pairing (Key Agreement)</h3>
+ <p><strong>Bob</strong> also starts a session and gets his own Session ID. Both Alice and Bob paste each other's Session IDs into NoFuture-Memguard-PQ and click "Pair Sessions".</p>
+ <pre><code>// What happens under the hood:
+1. Alice's browser fetches Bob's public key via Session ID
+2. Compute shared secret using NaCl box precomputation:
+ sharedSecret = box.Precompute(myPrivateKey, theirPublicKey)
+3. Store sharedSecret in memguard.LockedBuffer
+4. Sessions are now synchronized</code></pre>
+
+ <p><strong>No manual key exchange needed.</strong> The shared secret is derived automatically using Diffie-Hellman key exchange (Curve25519).</p>
+
+ <h3>Phase 4: Encrypted Communication</h3>
+
+ <h4>Alice encrypts a message:</h4>
+ <ol>
+ <li>Alice types plaintext in NoFuture-Memguard-PQ: <code>"Meet me at 3pm"</code></li>
+ <li>Plaintext is stored in <code>memguard.LockedBuffer</code> (protected RAM)</li>
+ <li>Encrypted using XChaCha20-Poly1305 with the shared secret</li>
+ <li>Alice copies the ciphertext and pastes it into WhatsApp Web</li>
+ <li>Plaintext buffer is immediately destroyed after encryption</li>
+ </ol>
+
+ <h4>Bob decrypts the message:</h4>
+ <ol>
+ <li>Bob receives the ciphertext via WhatsApp Web</li>
+ <li>Bob copies the ciphertext and pastes it into NoFuture-Memguard-PQ</li>
+ <li>Decrypted using the shared secret (authenticated encryption verifies integrity)</li>
+ <li>Plaintext is displayed in a <code>memguard.LockedBuffer</code></li>
+ <li>After reading, Bob can destroy the plaintext manually</li>
+ </ol>
+
+ <div class="security-box">
+ <strong>🔒 What WhatsApp sees:</strong> Only meaningless hexadecimal strings. Even if WhatsApp's servers are compromised, the ciphertext is mathematically useless without the session keys—which exist only in Alice and Bob's browsers, protected by memguard, and destroyed after the session ends.
+ </div>
+
+ <h3>Phase 5: Session Termination (Total Destruction)</h3>
+ <p>When Alice or Bob clicks "End Session":</p>
+ <pre><code>// What happens under the hood:
+1. session.PrivateKey.Destroy() // Secure wipe
+2. session.PublicKey.Destroy() // Secure wipe
+3. session.SharedSecret.Destroy() // Secure wipe
+4. session.Nonce.Destroy() // Secure wipe
+5. Delete session from server memory
+6. memguard.Purge() on process exit</code></pre>
+
+ <div class="danger-box">
+ <strong>🔥 No Future Access:</strong> Once the session ends, the cryptographic keys are <strong>irreversibly destroyed</strong>. Even if an attacker obtains the ciphertext from WhatsApp's servers years later, it is <strong>permanently unreadable</strong>. This is the meaning of "ephemeral" encryption.
+ </div>
+
+ <p style="text-align: center; font-size: 1.3em; font-weight: bold; margin: 30px 0; padding: 20px; background: #d4edda; border-radius: 8px;">
+ One conversation. One key. One chance to read. No future access.
+ </p>
+
+ <h2>🛡️ Defense Against Local Attacks</h2>
+
+ <h3>🖱️ Virtual Keyboard (Anti-Keylogger)</h3>
+ <p>NoFuture-Memguard-PQ includes an optional on-screen virtual keyboard with a randomized layout to protect against local keyloggers and spyware.</p>
+
+ <table>
+ <thead>
+ <tr>
+ <th>Threat</th>
+ <th>Virtual Keyboard Protection</th>
+ </tr>
+ </thead>
+ <tbody>
+ <tr>
+ <td>Hardware keyloggers</td>
+ <td>No physical keyboard events generated</td>
+ </tr>
+ <tr>
+ <td>Software keyloggers (reading <code>/dev/input</code>)</td>
+ <td>Mouse clicks only; no keystroke events</td>
+ </tr>
+ <tr>
+ <td>Screen recording malware</td>
+ <td>Randomized layout changes each session (partial mitigation)</td>
+ </tr>
+ </tbody>
+ </table>
+
+ <h2>🚀 Installation & Usage</h2>
+
+ <h3>Prerequisites</h3>
+ <pre><code>- Go 1.21 or later
+- Linux/macOS/Windows (memguard works on all platforms)</code></pre>
+
+ <h3>Installation</h3>
+ <pre><code>git clone https://github.com/yourusername/nofuture-memguard-pq.git
+cd nofuture-memguard-pq
+go mod download
+go build -o nofuture main.go</code></pre>
+
+ <h3>Running the Server</h3>
+ <pre><code>./nofuture</code></pre>
+ <p>Server starts on <code>http://localhost:8080</code></p>
+
+ <div class="warning-box">
+ <strong>⚠️ Production Deployment:</strong>
+ <ul>
+ <li>Use a reverse proxy (nginx, Caddy) with HTTPS/TLS certificates</li>
+ <li>Configure CORS to allow only your domain</li>
+ <li>Run behind a firewall with rate limiting</li>
+ <li>Never expose the Go server directly to the internet without TLS</li>
+ </ul>
+ </div>
+
+ <h3>Usage Example</h3>
+ <ol>
+ <li>Open <code>http://localhost:8080</code> in one browser tab</li>
+ <li>Open WhatsApp Web (or Telegram, Signal, etc.) in another tab</li>
+ <li>Click "Start New Session" in NoFuture-Memguard-PQ</li>
+ <li>Share your Session ID with your contact via the chat app</li>
+ <li>Receive their Session ID and click "Pair Sessions"</li>
+ <li>Type your message, click "Encrypt", copy the ciphertext</li>
+ <li>Paste the ciphertext into the mainstream chat and send</li>
+ <li>Receive ciphertext from your contact, paste into NoFuture-Memguard-PQ, click "Decrypt"</li>
+ <li>When done, click "End Session" to destroy all keys</li>
+ </ol>
+
+ <h2>📊 Security Comparison</h2>
+
+ <table>
+ <thead>
+ <tr>
+ <th>Feature</th>
+ <th>WhatsApp E2EE</th>
+ <th>Signal</th>
+ <th>NoFuture-Memguard-PQ</th>
+ </tr>
+ </thead>
+ <tbody>
+ <tr>
+ <td><strong>Keys stored by provider</strong></td>
+ <td>Backup keys (optional)</td>
+ <td>No</td>
+ <td>❌ Never (detached)</td>
+ </tr>
+ <tr>
+ <td><strong>Memory protection</strong></td>
+ <td>Standard heap</td>
+ <td>Standard heap</td>
+ <td>✅ Memguard (encrypted RAM)</td>
+ </tr>
+ <tr>
+ <td><strong>Resistant to root access</strong></td>
+ <td>No</td>
+ <td>No</td>
+ <td>✅ Yes (mlock + encrypted buffers)</td>
+ </tr>
+ <tr>
+ <td><strong>ChatControl/backdoor risk</strong></td>
+ <td>Possible (integrated)</td>
+ <td>Possible (integrated)</td>
+ <td>❌ Impossible (detached)</td>
+ </tr>
+ <tr>
+ <td><strong>Post-quantum ready</strong></td>
+ <td>No (ECDH)</td>
+ <td>No (X25519)</td>
+ <td>🔄 Roadmap (Kyber/Dilithium)</td>
+ </tr>
+ <tr>
+ <td><strong>Forward secrecy</strong></td>
+ <td>Yes (Double Ratchet)</td>
+ <td>Yes (Double Ratchet)</td>
+ <td>⚠️ Per-session only (v0.5)</td>
+ </tr>
+ <tr>
+ <td><strong>Metadata protection</strong></td>
+ <td>No</td>
+ <td>Partial (sealed sender)</td>
+ <td>✅ Yes (mainstream sees only ciphertext)</td>
+ </tr>
+ </tbody>
+ </table>
+
+ <h2>⚠️ Current Limitations (v0.5.0)</h2>
+ <ul>
+ <li><strong>No persistent message history:</strong> This is intentional (ephemeral design)</li>
+ <li><strong>No forward secrecy within a session:</strong> Same shared secret used for all messages in one session</li>
+ <li><strong>No built-in authentication:</strong> You must verify your contact's Session ID out-of-band</li>
+ <li><strong>Requires HTTPS in production:</strong> Use a reverse proxy; don't expose HTTP directly</li>
+ <li><strong>Post-quantum crypto not yet implemented:</strong> Current version uses Curve25519 (classic Diffie-Hellman)</li>
+ </ul>
+
+ <h2>🗺️ Roadmap</h2>
+ <ul>
+ <li>✅ <strong>v0.5.0:</strong> Memguard protection for keys + plaintext, XChaCha20-Poly1305 encryption</li>
+ <li>🔄 <strong>v1.0.0:</strong> Integrate Kyber1024-90s (post-quantum KEM) and Dilithium5-AES (signatures)</li>
+ <li>🔄 <strong>v1.1.0:</strong> Implement per-message ratcheting for forward secrecy</li>
+ <li>🔄 <strong>v1.2.0:</strong> Add QR code Session ID exchange</li>
+ <li>🔄 <strong>v2.0.0:</strong> Browser extension for seamless integration with chat platforms</li>
+ </ul>
+
+ <h2>📜 License</h2>
+ <p>MIT License - Free and open source</p>
+
+ <h2>🤝 Contributing</h2>
+ <p>This project is built with love and defiance. Contributions are welcome. Please:</p>
+ <ul>
+ <li>Report security vulnerabilities privately</li>
+ <li>Follow the existing code style</li>
+ <li>Write tests for new features</li>
+ <li>Update documentation</li>
+ </ul>
+
+ <h2>💬 Support</h2>
+ <p>For questions, feature requests, or security reports, open an issue on GitHub.</p>
+
+ <div style="text-align: center; margin-top: 40px; padding: 30px; background: linear-gradient(135deg, #667eea 0%, #764ba2 100%); color: white; border-radius: 10px;">
+ <h2 style="color: white; border: none;">Privacy is not a feature—it's a human right.</h2>
+ <p style="font-size: 1.1em;">Built with love and defiance against mass surveillance.</p>
+ </div>
+ </div>
+
+ <!-- ITALIAN CONTENT -->
+ <div id="content-it" class="hidden">
+ <h1>🔐 NoFuture-Memguard-PQ</h1>
+ <p style="font-size: 1.2em; color: #666; font-style: italic;">Plugin di Crittografia Effimera Post-Quantum per Chat Mainstream</p>
+ <p><strong>Versione 0.5.0</strong> | Costruito con amore e sfida | La privacy è un diritto umano, non una funzionalità</p>
+
+ <div class="security-box">
+ <strong>🛡️ Filosofia di Sicurezza:</strong> NoFuture-Memguard-PQ è un <strong>plugin di crittografia esterno e distaccato</strong> progettato per funzionare insieme alle applicazioni di chat mainstream (WhatsApp Web, Telegram, Signal, ecc.) senza mai farne parte. Questo isolamento architetturale è la base della sua sicurezza.
+ </div>
+
+ <h2>📌 Cos'è NoFuture-Memguard-PQ?</h2>
+ <p>NoFuture-Memguard-PQ è uno strumento di crittografia basato su browser che agisce come <strong>plugin crittografico esterno</strong> per qualsiasi piattaforma di messaggistica istantanea. Lo usi in una scheda del browser mentre la tua chat mainstream è aperta in un'altra scheda. I messaggi vengono cifrati localmente nel tuo browser e solo il testo cifrato viene trasmesso attraverso il canale mainstream non fidato.</p>
+
+ <p><strong>Concetto Chiave:</strong> Il tuo testo in chiaro e le chiavi crittografiche <strong>non entrano mai nell'applicazione di chat mainstream</strong>. La piattaforma di chat vede solo dati cifrati che non può decifrare.</p>
+
+ <h2>🎯 Perché l'Architettura "Distaccata" è Critica per la Sicurezza</h2>
+
+ <h3>Il Problema dei Plugin Integrati</h3>
+ <p>Se NoFuture-Memguard-PQ fosse un plugin ufficiale integrato in WhatsApp, Telegram o qualsiasi piattaforma mainstream, <strong>non sarebbe affidabile</strong> perché:</p>
+ <ul>
+ <li>Il fornitore della piattaforma potrebbe accedere alle tue chiavi di crittografia</li>
+ <li>Backdoor lato server potrebbero essere imposte dai governi (ChatControl, EARN IT Act, ecc.)</li>
+ <li>Gli aggiornamenti della piattaforma potrebbero compromettere silenziosamente la crittografia</li>
+ <li>Le tue chiavi private sarebbero all'interno del perimetro di sicurezza della piattaforma</li>
+ </ul>
+
+ <h3>La Soluzione: Isolamento Completo</h3>
+ <p>NoFuture-Memguard-PQ è <strong>completamente separato</strong> dalle piattaforme di chat mainstream:</p>
+
+ <table>
+ <thead>
+ <tr>
+ <th>Componente</th>
+ <th>Dove Si Trova</th>
+ <th>Chi Lo Controlla</th>
+ </tr>
+ </thead>
+ <tbody>
+ <tr>
+ <td><strong>Chiavi private</strong></td>
+ <td>Tab NoFuture (RAM protetta)</td>
+ <td>Tu (non la piattaforma chat)</td>
+ </tr>
+ <tr>
+ <td><strong>Messaggi in chiaro</strong></td>
+ <td>Tab NoFuture (RAM protetta)</td>
+ <td>Tu (non la piattaforma chat)</td>
+ </tr>
+ <tr>
+ <td><strong>Cifratura/Decifratura</strong></td>
+ <td>Tab NoFuture (client-side)</td>
+ <td>Tu (non la piattaforma chat)</td>
+ </tr>
+ <tr>
+ <td><strong>Solo testo cifrato</strong></td>
+ <td>Tab chat mainstream</td>
+ <td>Piattaforma chat (ma è inutile per loro)</td>
+ </tr>
+ </tbody>
+ </table>
+
+ <div class="security-box">
+ <strong>🔒 Garanzia di Sicurezza:</strong> Poiché NoFuture-Memguard-PQ è distaccato, le piattaforme di chat mainstream hanno <strong>zero accesso</strong> alle tue chiavi o testo in chiaro. Anche se WhatsApp, Telegram o Signal fossero completamente compromessi, le tue conversazioni cifrate rimangono sicure.
+ </div>
+
+ <h2>🧠 Architettura di Sicurezza Multi-Livello</h2>
+
+ <h3>1. Memguard: Il Fondamento<span class="badge badge-critical">PIÙ CRITICO</span></h3>
+ <p><a href="https://github.com/awnumar/memguard">Memguard</a> è una libreria Go per gestire dati sensibili in memoria. È il <strong>meccanismo di sicurezza primario</strong> che protegge sia le chiavi crittografiche che i messaggi in chiaro.</p>
+
+ <h4>Cosa Protegge Memguard:</h4>
+ <ul>
+ <li><strong>Chiavi private</strong> (Curve25519 per NaCl box)</li>
+ <li><strong>Chiavi pubbliche</strong></li>
+ <li><strong>Segreti condivisi</strong> (derivati dallo scambio di chiavi)</li>
+ <li><strong>Messaggi in chiaro</strong> (prima della cifratura / dopo la decifratura)</li>
+ <li><strong>Nonce di sessione</strong></li>
+ </ul>
+
+ <h4>Come Funziona Memguard:</h4>
+ <table>
+ <thead>
+ <tr>
+ <th>Vettore di Attacco</th>
+ <th>Protezione Memguard</th>
+ </tr>
+ </thead>
+ <tbody>
+ <tr>
+ <td>Dump di memoria (anche da root)</td>
+ <td>Dati memorizzati in pagine di memoria cifrate fuori dall'heap Go</td>
+ </tr>
+ <tr>
+ <td>Analisi file di swap</td>
+ <td>Chiamata di sistema <code>mlock()</code> previene lo swapping su disco</td>
+ </tr>
+ <tr>
+ <td>Collegamento debugger (gdb, lldb)</td>
+ <td>La memoria è cifrata in RAM; il debugger vede solo testo cifrato</td>
+ </tr>
+ <tr>
+ <td>Dump del core in caso di crash</td>
+ <td>Purge automatico al crash tramite <code>memguard.CatchInterrupt()</code></td>
+ </tr>
+ <tr>
+ <td>Ispezione garbage collector</td>
+ <td>I buffer sensibili sono fuori heap, invisibili al GC</td>
+ </tr>
+ <tr>
+ <td>Attacchi cold boot</td>
+ <td>Memoria cancellata all'uscita del processo; nessun dato residuo</td>
+ </tr>
+ </tbody>
+ </table>
+
+ <div class="danger-box">
+ <strong>🔥 Caratteristica di Sicurezza Critica:</strong> Nemmeno l'amministratore del server con accesso root può fare un dump delle tue chiavi o del testo in chiaro dalla RAM. La protezione della memoria a livello kernel di Memguard rende i dati sensibili <strong>forensicamente irrecuperabili</strong> anche con accesso fisico alla RAM del server.
+ </div>
+
+ <h3>2. Crittografia Post-Quantum<span class="badge badge-high">ALTA PRIORITÀ</span></h3>
+ <p>Mentre memguard protegge i dati in memoria, la crittografia post-quantum protegge i dati in transito e a riposo contro futuri attacchi di computer quantistici.</p>
+
+ <h4>Implementazione Attuale (v0.5.0):</h4>
+ <ul>
+ <li><strong>Scambio Chiavi:</strong> NaCl box (Curve25519 + XSalsa20-Poly1305)</li>
+ <li><strong>Cifratura Simmetrica:</strong> XChaCha20-Poly1305 (AEAD)</li>
+ </ul>
+
+ <div class="warning-box">
+ <strong>⚠️ Roadmap:</strong> Le versioni future integreranno veri algoritmi post-quantum:
+ <ul>
+ <li><strong>Kyber1024-90s</strong> per l'incapsulamento delle chiavi (KEM)</li>
+ <li><strong>Dilithium5-AES</strong> per le firme digitali (autenticazione)</li>
+ </ul>
+ </div>
+
+ <h2>🔑 Come Funziona: Flusso in 5 Fasi</h2>
+
+ <h3>Fase 1: Creazione Sessione</h3>
+ <p>L'utente apre NoFuture-Memguard-PQ e clicca "Avvia Nuova Sessione".</p>
+
+ <h3>Fase 2: Scambio Session ID</h3>
+ <p>L'utente copia il suo Session ID e lo invia al contatto tramite WhatsApp Web.</p>
+
+ <h3>Fase 3: Pairing (Accordo Chiavi)</h3>
+ <p>Entrambi gli utenti incollano i Session ID reciproci e cliccano "Associa Sessioni".</p>
+
+ <h3>Fase 4: Comunicazione Cifrata</h3>
+ <p>I messaggi vengono cifrati in NoFuture-Memguard-PQ e il testo cifrato viene copiato nella chat mainstream.</p>
+
+ <h3>Fase 5: Terminazione Sessione (Distruzione Totale)</h3>
+ <p>Quando si clicca "Termina Sessione", tutte le chiavi vengono distrutte in modo sicuro.</p>
+
+ <p style="text-align: center; font-size: 1.3em; font-weight: bold; margin: 30px 0; padding: 20px; background: #d4edda; border-radius: 8px;">
+ Una conversazione. Una chiave. Una possibilità di lettura. Nessun accesso futuro.
+ </p>
+
+ <h2>🛡️ Difesa Contro Attacchi Locali</h2>
+
+ <h3>🖱️ Tastiera Virtuale (Anti-Keylogger)</h3>
+ <p>NoFuture-Memguard-PQ include una tastiera virtuale opzionale su schermo con layout casuale per proteggere contro keylogger e spyware locali.</p>
+
+ <h2>🚀 Installazione e Uso</h2>
+
+ <h3>Prerequisiti</h3>
+ <pre><code>- Go 1.21 o successivo
+- Linux/macOS/Windows</code></pre>
+
+ <h3>Installazione</h3>
+ <pre><code>git clone https://github.com/yourusername/nofuture-memguard-pq.git
+cd nofuture-memguard-pq
+go mod download
+go build -o nofuture main.go</code></pre>
+
+ <h3>Avvio del Server</h3>
+ <pre><code>./nofuture</code></pre>
+
+ <div class="warning-box">
+ <strong>⚠️ Deployment in Produzione:</strong> Usa un reverse proxy (nginx, Caddy) con certificati HTTPS/TLS.
+ </div>
+
+ <h2>⚠️ Limitazioni Attuali (v0.5.0)</h2>
+ <ul>
+ <li>Nessuna cronologia messaggi persistente (design intenzionale)</li>
+ <li>Nessuna forward secrecy all'interno di una sessione</li>
+ <li>Crittografia post-quantum non ancora implementata</li>
+ </ul>
+
+ <div style="text-align: center; margin-top: 40px; padding: 30px; background: linear-gradient(135deg, #667eea 0%, #764ba2 100%); color: white; border-radius: 10px;">
+ <h2 style="color: white; border: none;">La privacy non è una funzionalità—è un diritto umano.</h2>
+ <p style="font-size: 1.1em;">Costruito con amore e sfida contro la sorveglianza di massa.</p>
+ </div>
+ </div>
+</div>
+
+<script>
+ function toggleLang(lang) {
+ document.getElementById("content-it").classList.toggle("hidden", lang !== "it");
+ document.getElementById("content-en").classList.toggle("hidden", lang !== "en");
+ }
+</script>
+</body>
+</html>