• lisper 16 hours ago

    An implementation of the double ratchet in JavaScript:

    https://github.com/rongarret/ratchet-js

    based on an earlier implementation I did in Common Lisp:

    https://github.com/rongarret/tweetnacl/blob/master/ratchet.l...

    • mdhb 10 minutes ago

      The new “gold standard” here for anyone who’s interested is now an IETF standard.

      https://datatracker.ietf.org/doc/rfc9420/

      • upofadown 5 hours ago

        This article sort of addresses a question that I have had for a long time. I always wondered why it was called a "double" ratchet. There is only one hash ratchet. The triple Diffie-Hellman isn't anything like a ratchet. From the article it seems that the 3DH is called a ratchet anyway.

        • thadt 4 hours ago

          It's easy to get thrown off by the fact that it uses Diffie-Hellman in two places: 3DH for the original key exchange, but then also as part of the continuing key stream. There is only one hash ratchet, but occasionally each party will generate another DH keypair, ratcheting the key stream forward [1].

          The hash ratchet protects new messages, but if the hash key is compromised at one point in time, an attacker can derive all future message keys indefinitely. The DH ratchet defeats that by generating a new key. If the attacker can't get that key, they lose the chain, making the protocol self-healing against point-in-time key compromises.

          [1] https://signal.org/docs/specifications/doubleratchet/#diffie...

          • upofadown an hour ago

            That's the reason that the hash ratchet has never seemed all that valuable to me. I mean, yeah, it is kind of cool that each and every message is in a sense forward secret, but as you point out it isn't a very good form of forward secrecy. Most would be happy with dumping the keys after a chat session or when it actually matters, when the corresponding archived messages are deleted.