serverless · peer-to-peer · censorship-resistant
Murmur is a peer-to-peer video app built on Warren — a serverless stack where discovery is opaque, content is encrypted end to end, and there is no center to shut down. Any device can be a peer; the feed lives on the devices watching it — iOS today, more platforms next.
the premise
Every feed you scroll runs through someone's server. That server is a single throat to choke — one court order, outage, or blocklist away from silence.
No step touches a server owned by us. Each is a Warren primitive doing one job; the order is the whole pipeline.
A channel is a private swarm gated by a pre-shared key (PSK). Everyone with the key sees the same feed; to anyone without it, the channel doesn't appear to exist.
Members announce under a topic derived from hash(psk, epoch) — opaque, and it rotates every epoch. There is no stable identifier for a censor to enumerate or block.
Peers hole-punch a direct UDP path through their NATs over a single socket. No relay sits in the data path.
The clip is sealed under a random per-clip key, split into chunks, and named by the hash of its ciphertext. A signed, append-only feed records the post; the key is wrapped to channel members.
Viewers verify each chunk against the signed hash, then re-announce the blob. A clip gets faster and harder to kill the more it's watched — the swarm is the infrastructure.
Murmur is just one app on Warren — a serverless peer-to-peer stack: DHT hole-punching, signed append-only feeds, content-addressed blobs, and verified multi-source swarm sync. Warren moves the encrypted bytes between peers; Murmur is the part that decides they're short videos.
Explore the Warren stack, the threat model, and how it compares to IPFS, iroh & Holepunch →
Warren treats opacity to a censor as the first requirement, not a feature bolted on later. Five properties do the work.
The discovery topic is hash(psk, epoch) — meaningless without the key and different every epoch. There's no fixed handle to add to a blocklist.
Your node id (where you are) is independent from your content id (who published). Watching and hosting don't link back to a single stable name.
Membership refreshes on a clock, so the swarm heals through churn without a registry anyone could subpoena or snapshot.
Blobs are named by the hash of their ciphertext under a random key — so a censor holding a banned clip can't compute its id to hunt other hosts. Content-addressing, minus the fingerprint.
Optional volunteer blind mirrors reseed encrypted bytes they can't read. Nothing is required, nothing is central — availability without infrastructure.
A serverless design pays for its properties — stated plainly, not buried. The first two are limits of the mobile client, not the network: a desktop or always-on peer sidesteps them.
Two mobile peers on cellular often can't punch. Carrier-grade symmetric NAT plus no relay means two phones on mobile data frequently can't connect directly. Wi-Fi / LAN, desktops, and any always-reachable peer are unaffected; volunteer mirrors cover the gaps.
Mobile OSes suspend backgrounded apps. A phone announces and serves only while the app is foregrounded. Desktop and always-on peers have no such limit; on mobile, background re-announce and mirrors cover availability.
No obfuscated transport yet. Discovery is blinded and identities decoupled, but a censor doing deep packet inspection can still see that you're speaking a P2P protocol — just not what, or with whom. A pluggable obfuscated transport is future work.