☁️ Web25.Cloud

Decentralized Web Platform — Hosting · Identity · Messaging

🔐 Welcome back

Choose how you want to continue to signed deploy.

No external wallet required.

Signing happens locally in your browser before deployment.

🔍 Load a Site by Hash

Enter a torrent hash to load any peer-hosted website:

🎯 Just the hash — Web25.Cloud automatically adds the magnet link prefix and trackers.

🐛 Debug Mode

Add &debug=true to any URL for detailed progress logs:

https://web25.cloud?orc=ABC123DEF456...&debug=true

☁️ About Web25.Cloud

Web25.Cloud is a PeerWeb fork focused on local EVM identity, signed static-site deploys, and direct peer-to-peer messaging. Core flows are browser-native and do not require a mandatory MetaMask connection.

🪪 Identity: Local EVM wallet + WebAuthn passkeys

The identity model is local-first and is inspired by mylofi/local-data-lock: EVM key material stays in-browser and WebAuthn passkeys gate unlock/signing sessions.

🔐 Local wallet, no mandatory external wallet extension
🧬 WebAuthn unlock with Face ID / Touch ID / device PIN
⚙️ viem-based EVM address derivation and signing flow
🧹 Session key lifecycle with explicit lock/clear behavior


📦 Publishing: Bundle pipeline + .torrentchain

Static-site deploys run through a bundle pipeline (default: gzip), then attach a signed .torrentchain manifest carrying publisher identity and integrity metadata.

🗜️ Default bundle mode: gzip
🧾 Signed .torrentchain generated at publish time
✍️ Publisher EVM identity embedded in deploy artifact
✅ Identity/integrity checks applied during load


💬 Direct Messenger (p2p-chat inspired, identity-bound)

Messaging UX is inspired by michal-wrzosek/p2p-chat (manual offer/answer), then extended with EVM identity verification and asymmetric crypto.

🧭 Manual host/guest handshake (offer + answer)
🪪 Peer verification from public key to EVM address
🔐 Asymmetric encryption for invites/messages
✍️ Per-message signatures verified on receive
🧊 STUN used: stun:stun.l.google.com:19302


🛡️ Security profile

Web25.Cloud validates signed publisher metadata and sanitizes rendered HTML with DOMPurify at load time. The sanitizer is intentionally configured in a compatibility-oriented profile (more permissive than strict defaults) to support richer static websites.

🧾 Signed-manifest verification before render gates
🧼 DOMPurify sanitization applied to loaded HTML
🧩 Extended tag/attribute/protocol allowance for compatibility
⚖️ Explicit trade-off: broader compatibility vs stricter hardening

📋 What is available now

✅ Signed static-site deploys with publisher identity in .torrentchain
✅ Load-time verification path for identity + bundle integrity
✅ Local EVM identity protected by WebAuthn passkeys
✅ Direct P2P messaging with asymmetric cryptography
✅ Browser-first workflow with no mandatory centralized backend

🛣️ Future goals

🛰️ Own WebTorrent tracker
🧊 Own STUN/TURN infrastructure
🔒 Encrypted static-site content delivery
💱 Decryption-key unlock via atomic-swap payment flow