I love these sorts of projects, but I don't trust them as a rule. If I can't independently verify the security myself, I don't use them. What sort of symmetric key encryption does it use? What cypher? What hash algorithm? Does it provide perfect forward secrecy? Does it anonymize the sender in some way? What data is logged? Etc.
The good thing about symmetric key encryption in the browser is that it's easy enough to check. You just need to make sure that messages/images are encrypted before being sent to the server, and that the password is never sent to the server. Also, ChatStep uses sjcl, so the crypto isn't homemade like CryptoCat.
Sure, I can verify that things aren't being sent in plaintext, and I can verify that they're using sjcl, but I can't verify most of the other things I mentioned. How do I know they're using sjcl right and not introducing some vulnerability (yes, I know I can dig through their JavaScript, but that's a pain in the ass)? I'm not saying I think they've got any problems; I'm just saying, be careful.
These sorts of tools, while convenient, are dangerous without a proper understanding of what you're doing. User beware.