👋 Introduction
Hey everyone!
First, some tech news. Then, a bit of personal news 😮
Let's dive in!
🔍 Deep Dive: The nonprofit that powers Tech Giants
Signal Protocol open-source encryption protocol
The Double Ratchet algorithm powering billions of encrypted messages across WhatsApp, Google Messages, and beyond represents one of the most significant nonprofit technology contributions to global digital privacy.
The Signal Protocol, developed by the nonprofit Signal Foundation, has become the de facto standard for secure messaging across the internet. What started as a privacy-focused project by cryptographers Moxie Marlinspike (initially a pseudonym) and Trevor Perrin has evolved into the encryption backbone protecting conversations for over a billion people worldwide.
Tech Giant Adoption
The Signal Protocol's reach extends far beyond the Signal messenger app itself. Major technology companies have integrated this nonprofit-developed encryption standard into their platforms:
WhatsApp was the first major adopter, implementing Signal Protocol in late 2014 for Android-to-Android messages before rolling it out to all billion-plus users by 2016. This integration represented what Marlinspike called "the largest deployment of end-to-end encryption".
Google Messages now uses Signal Protocol by default for RCS conversations between users, protecting messages with end-to-end encryption automatically. This represents hundreds of millions of additional users benefiting from Signal's encryption technology.
Facebook Messenger offers Signal Protocol through its "Secret Conversations" feature, though unlike WhatsApp, this remains opt-in rather than default. Users must manually enable the feature to benefit from end-to-end encryption.
Formerly, Microsoft Skype introduced "Private Conversations" in 2018, utilizing Signal Protocol for encrypted audio calls and messaging. Like Facebook Messenger, this feature requires users to opt in rather than being enabled by default.
The Double Ratchet Method Explained
At the heart of Signal Protocol lies the Double Ratchet Algorithm, a sophisticated key management system that provides both forward secrecy and post-compromise security. The algorithm gets its name from combining two distinct "ratcheting" mechanisms that work together to protect conversations.
Symmetric-Key Ratchet
The first component is the symmetric-key ratchet, which generates a unique message key for every single message sent or received. This chain of keys operates like a ratchet tool—it can only move forward, never backward. Each message triggers a "ratchet step" that derives a new chain key and message key from the previous state.
Even if an attacker compromises a device and obtains the current encryption keys, they cannot use those keys to decrypt previously sent messages. Every time you send a message, your key is updated.
Diffie-Hellman Ratchet
The second component addresses a critical vulnerability in the symmetric ratchet alone. If an attacker steals the chain keys, they could potentially decrypt all future messages. The Diffie-Hellman (DH) ratchet solves this through a "ping-pong" exchange of new public keys with each message round.
Each party generates new DH key pairs, and when a new public key is received from the other party, both sides perform a DH ratchet step that completely refreshes their encryption keys. This way, even if keys are stolen, the next exchange of messages will lock the attacker out again.
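The two ratchets described above, as an added example that is not Signal's own code. The chain step uses the HMAC-SHA256 construction recommended in the published Double Ratchet specification; the root key, the `info` label and the DH outputs are constructed stand-ins (a real session derives DH outputs from a Curve25519 exchange).

```python
import hashlib
import hmac
import os

def kdf_ck(chain_key):
    """Symmetric-ratchet step: return (next_chain_key, message_key)."""
    message_key = hmac.new(chain_key, b"\x01", hashlib.sha256).digest()
    next_chain_key = hmac.new(chain_key, b"\x02", hashlib.sha256).digest()
    return next_chain_key, message_key

def kdf_rk(root_key, dh_output, info=b"constructed-example-info"):
    """DH-ratchet step via HKDF-SHA256: return (new_root_key, new_chain_key)."""
    prk = hmac.new(root_key, dh_output, hashlib.sha256).digest()      # extract, salt = root key
    t1 = hmac.new(prk, info + b"\x01", hashlib.sha256).digest()       # expand, block 1
    t2 = hmac.new(prk, t1 + info + b"\x02", hashlib.sha256).digest()  # expand, block 2
    return t1, t2

def derive_message_keys(chain_key, count):
    """Advance the chain `count` steps; return (chain_key_after, message_keys)."""
    keys = []
    for _ in range(count):
        chain_key, message_key = kdf_ck(chain_key)
        keys.append(message_key)
    return chain_key, keys

def demo():
    # Constructed inputs standing in for the initial key agreement.
    root_key = hashlib.sha256(b"constructed root key").digest()
    first_dh = hashlib.sha256(b"constructed DH output 1").digest()
    root_key, chain = kdf_rk(root_key, first_dh)

    chain, past = derive_message_keys(chain, 2)    # messages 1-2 already sent
    stolen = chain                                 # attacker copies the chain key here
    chain, future = derive_message_keys(chain, 2)  # messages 3-4 on the same chain

    # Everything the attacker can compute: the chain only steps forward.
    _, attacker_view = derive_message_keys(stolen, 2)

    # DH ratchet: a fresh secret the attacker never saw starts a new chain.
    root_key, healed_chain = kdf_rk(root_key, os.urandom(32))
    _, healed = derive_message_keys(healed_chain, 2)
    return {
        "past_exposed": any(k in attacker_view for k in past),
        "future_exposed": attacker_view == future,
        "healed_exposed": any(k in attacker_view for k in healed),
    }

if __name__ == "__main__":
    print(demo())
```

The stolen chain key yields messages 3 and 4 but not 1 and 2, and nothing at all once the root key has absorbed a new DH output.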
Technical Implementation
The Signal Protocol employs state-of-the-art cryptographic primitives: Curve25519 for elliptic curve operations, AES-256 for symmetric encryption, and HMAC-SHA256 for message authentication. These components combine to provide multiple security guarantees including confidentiality, integrity, authentication, forward secrecy, and backward secrecy.
Recent updates have even added quantum resistance through the PQXDH protocol. This ensures Signal Protocol remains secure even against future quantum computer attacks.
Impact on Digital Privacy
The widespread adoption of Signal Protocol represents a remarkable success story for nonprofit technology development. A small team of privacy-focused cryptographers created an encryption system now protecting billions of conversations across multiple platforms.
However, this success also highlights important limitations. While Signal and WhatsApp implement Signal Protocol by default, others like Facebook Messenger offer it only as an opt-in feature. This means many users remain unprotected simply because they're unaware these privacy options exist.
The Signal Foundation continues advancing the state of private communications, recently introducing metadata encryption technologies that protect not just message content but also information about who communicates with whom. Their commitment to open source development ensures these innovations benefit the entire ecosystem rather than just Signal's own users.
If you want to learn more about the history of the protocol, check out the following X thread:
🚀 New Developments: Vibe coding everywhere and more Cloudflare news
Launch your own vibe-coding platform powered by Cloudflare
Cloudflare recently announced the VibeSDK, an open-source and MIT licensed platform built on Cloudflare Workers that allows anyone to build their own vibe coding platform.
Why would you want to build your own vibe coding platform? Well… I don’t know, but now you can do this more easily than ever!
“Feud” with Vercel
Cloudflare’s announcement might also come because of their recent “feud” with Vercel. If Vercel does something, Cloudflare needs to do it too. And Vercel already has their AI SDK, which is an open-source library for building AI applications (even Perplexity uses it).
However, like I said in the last issue, Cloudflare seems to keep having problems. Recently, users have been benchmarking Cloudflare Workers, Cloudflare’s serverless infrastructure, against Vercel Fluid Compute, Vercel’s similar offering.
Turns out Cloudflare is up to 3.5x SLOWER than Vercel for some workloads 😯
Ignoring the HTTP spec
Turns out that Cloudflare is also ignoring the HTTP Vary header. Remember HTTP Cache? It is a feature built into the HTTP protocol that lets reverse proxies (like Cloudflare) cache content at the edge.
The Vary header is supposed to allow caching different responses depending on the values of other headers, for example the Content-Type header. So if a Next.js app returns an HTML payload on an endpoint, but can also return an RSC Payload (their proprietary format for server-side rendering), then reverse proxies should cache them separately.
Turns out Cloudflare doesn’t respect this part of the HTTP specification, while other CDNs do…
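What goes wrong when a shared cache drops Vary from its cache key, as an added example that is not Cloudflare's or Next.js's code. The `EdgeCache` class, the `/dashboard` path and the origin are constructed, and the example assumes the origin selects the RSC representation from an `RSC: 1` request header and answers with `Vary: RSC`.

```python
def origin(request_headers):
    """Constructed origin: one URL, two representations. Returns (body, vary)."""
    if request_headers.get("rsc") == "1":
        return "RSC-PAYLOAD", "RSC"
    return "<html>page</html>", "RSC"

class EdgeCache:
    def __init__(self, honor_vary=True):
        self.honor_vary = honor_vary
        self.vary_by_url = {}  # url -> header names listed in the stored Vary
        self.store = {}        # cache key -> body

    def _key(self, url, req):
        # Secondary key: the request's value for every header named in Vary.
        names = self.vary_by_url.get(url, ()) if self.honor_vary else ()
        return (url,) + tuple((n, req.get(n, "")) for n in names)

    def fetch(self, url, request_headers, origin_fn):
        req = {k.lower(): v for k, v in request_headers.items()}
        key = self._key(url, req)
        if key in self.store:
            return self.store[key], "HIT"
        body, vary = origin_fn(req)
        if vary.strip() == "*":
            return body, "BYPASS"  # Vary: * means the response is not reusable
        names = sorted(h.strip().lower() for h in vary.split(",") if h.strip())
        self.vary_by_url[url] = tuple(names)
        self.store[self._key(url, req)] = body
        return body, "MISS"

def run_scenario(honor_vary):
    cache = EdgeCache(honor_vary)
    url = "/dashboard"                              # constructed path
    first = cache.fetch(url, {"RSC": "1"}, origin)  # client-side navigation
    second = cache.fetch(url, {}, origin)           # full page load by another visitor
    return [first, second]

if __name__ == "__main__":
    print("honoring Vary:", run_scenario(True))
    print("ignoring Vary:", run_scenario(False))
```

With Vary ignored, the second visitor's full page load is served the cached RSC payload instead of HTML.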
🔥 Hot Topics: AI video generation is getting wild
OpenAI launched Sora 2 & Alibaba Wan 2.2 Animate
I think you remember 2.5 years ago the Will Smith eats spaghetti AI video. People were saying that we won’t have good enough video generation for at least one more (human) generation. Turns out things are moving faster than the human mind can comprehend.
Alibaba launched Wan Animate, a model that can replace characters in a video with another one almost seamlessly. Check out the examples below:
Then, OpenAI introduced Sora 2, their next gen video generation model. It comes with a new app too, the Sora app, which is similar to TikTok but only for AI generated videos. You can now fry your brain with even more slop 😆 Not sure why we need a social network for AI videos, but we have one now.
OpenAI also wants to pass on liability for generated videos using copyrighted materials to users. And if you get blocked or want to delete your Sora 2 account, your ChatGPT account is deleted as well and you are blocked from registering with the email address again 🫢
📈 Recent Trend: TanStack Start is getting popular
TanStack Start is a full-stack React framework built by the team behind popular tools like TanStack Query and TanStack Router, on which it relies for its routing system. Unlike traditional React applications, TanStack Start provides server-side rendering (SSR), streaming, server functions, API routes, and comprehensive routing capabilities out of the box.
Applications start as single-page apps (SPAs) by default for fast route transitions and rich interactivity, but can progressively opt into SSR and static generation as needed. Built on Vite and Nitro, TanStack Start offers ultra-fast development with hot module replacement and modern tooling.
It is getting more and more popular as an alternative to Next.js. The key difference lies in their architectural approach: Next.js follows a server-first philosophy with file-based routing, built-in SSR/SSG, and React Server Components for minimal client-side JavaScript, while TanStack Start takes a client-first approach, defaulting to SPA behavior with optional SSR and using virtual routing via TanStack Router.
TanStack Start is optimized for interactive applications that need rich client-side experiences with type-safe server functions and seamless data synchronization between server and client. Both are full-stack React frameworks, but Next.js prioritizes performance through pre-rendering while TanStack Start prioritizes developer experience with end-to-end type safety and flexible rendering strategies.
🏆 Top GitHub Repo: Firecrawl Observer
🌟315 stars+ | Monitor websites and see what and when they changed
This tool is a powerful website monitoring application that tracks changes on websites and sends intelligent notifications. It is made by the team behind Firecrawl.
🔄 Tech Updates
Claude launches Sonnet 4.5
Lovable, the vibe-coding platform, launched their Cloud offering
Gold is up more than BTC since 2021 top
Nuxt UI v4 is out, now completely free after Nuxtlabs joined Vercel
Integrate Claude Code with Figma through MCP
Email sending is coming to Cloudflare Workers, and every Cloudflare feature is available to everyone
Auth.js (formerly NextAuth.js) is now part of Better Auth
Shadcn has new components
🗝 Legacy Revival
Better Auth takes over Auth.js (formerly NextAuth)
Vue.js 3.6 provides a new rendering mode that doesn’t need a virtual DOM
You can now comment on unchanged lines on GitHub
Postgres 18 released with native UUID v7 support and Async I/O
NestJS backend framework hit 5M downloads / week
🐦⬛ X Hits
This AI Agent needs to make enough money to sustain itself or it will shut down 😵
Do people code in a different language other than English? 😯
Code didn’t make you a developer
Vibe coding does NOT equal good time
💡 I am building a SaaS!
If you stay tuned until the end, I want to announce here that I'm building Docuyond, an AI-powered customer support widget that reads your documentation and automatically answers customer questions - saving you hours of repetitive support work: https://docuyond.com.
If you run a website and are interested in using such an AI tool please reach out!
I am building it on top of Cloudflare Workers 🙃 (tbh when I started they didn’t have so much negative news) and hopefully all goes well!
I am also trying to #BuildInPublic, so if you are interested in any updates, follow me on X or LinkedIn.
Till next time,
Rares.
