

Cryptic, encrypted online storage - drchoc
http://www.kickstarter.com/projects/cryptic-io/cryptic-encrypted-online-storage

======
bradleyjg
From the "For our technical readers" paragraph, it's unclear what cryptography
model you are going for. On the one hand you say that the private key (albeit
password protected) is sent to the server after it is generated, but on the
other you say that only public key and encrypted data are sent to the server.
Is the model fundamentally the same as Lavabit's, which was so devastatingly
critiqued a few weeks ago by Moxie Marlinspike? [1]

Separately, how do you deal with the fundamental weakness of browser based
security?[2] You say that the software will be open source, but will there be
any mechanism to verify that the served javascript libraries on any particular
visit match the sources on github? Will there be any minimization /
compilation that would make such verification difficult or impossible to
accomplish?

[1] [http://www.thoughtcrime.org/blog/lavabit-critique/](http://www.thoughtcrime.org/blog/lavabit-critique/)

[2] see e.g. [http://www.matasano.com/articles/javascript-cryptography/](http://www.matasano.com/articles/javascript-cryptography/)

~~~
orthecreedence
> When you go to Cryptic all files that you receive will be received over SSL.
> This is to ensure that you’re getting the correct code, and not a version
> compromised by some attacker.

This is the Lavabit way, I believe. However, it could be solved using a
browser extension.

~~~
drchoc
Cryptic will have a browser extension that will automatically verify the
received code against a signed hash (also easily verifiable) on the open
source repo. It is fundamentally different than Lavabit since everything that
interacts with raw data is open source and verifiable. Someone is going to
notice if the website is tampered with.

------
orthecreedence
You guys really might want to release a browser extension (and/or native apps)
instead of a website. You're going to have a serious uphill battle convincing
anyone in the security community that your webapp is secure against tampering.
Even with code signing/verification.

Also, open-source it now! I've been in the process of launching something
similar (think, client-side encrypted Evernote/Pinterest geared towards
programmers/creatives/collaboration) and a lot of the great feedback I've
gotten is from people checking out the source. Most of the people who care
about the crypto aspects these days are the ones with 1s and 0s running
through their heads, at least a good portion. They're going to want to see
code.

Best of luck on the kickstarter!

~~~
marcopolo
Thanks! It's been open sourced since conception, here's the repo:
[https://github.com/cryptic-io/web](https://github.com/cryptic-io/web). We
chose a website because it has the smallest barrier to entry. We are planning
on releasing a browser extension that would verify the code on the website
against the open source repo to prevent tampering. We are planning on making a
native app in the future as well.

------
mediocregopher
Hey everyone! One of the Cryptic founders here. We'll be around to answer any
questions anyone may have, so let us know what you think!

~~~
stopthemadness
I'm a happy user of Tarsnap. Why should I consider this solution? Also
(playing devil's advocate for a moment) what's the best reason you can give
for me to just keep using Tarsnap?

~~~
mediocregopher
I've never personally used tarsnap so take everything I say with a grain of
salt here. But Cryptic offers a much easier experience for the average user,
being that it's entirely in-browser and not cli-based. We also give users the
ability to share their files with others through the browser, which I don't
think is as straightforward with tarsnap.

To play the devil's advocate, if you're already a happy user of tarsnap then
you (like me, in fact) are probably quite comfortable on the command-line, and
may even prefer it. As of right now Cryptic doesn't have a command-line
utility, although building one is definitely on our radar! But until then you
may find it more comfortable. Thanks for checking us out though!

------
jaryd
In this case, does client side encryption mean that it's happening in the
user's browser?

~~~
marcopolo
Yes! It's using the excellent Stanford Javascript Crypto Library. Source here:
[https://github.com/cryptic-io/web](https://github.com/cryptic-io/web)

------
tmikaeld
Two things that are not very clear:

1. The kickstarter is for an upcoming cloud version of Cryptic?

2. Parts are open source (Eclipse), but not intended for self-hosting?

~~~
drchoc
Sorry about that, let me try to clear things up: Cryptic itself is an online
file storage service, so there is really only the cloud version of Cryptic (for now).

1. The kickstarter is to fund development and servers for the online file
storage + web app.

2. Anything client side will be open sourced, and can be self-hosted. You
could host the Cryptic site right now locally, and use a local version to
interface with cryptic servers.

~~~
tmikaeld
But the Cryptic site is always involved, right?

So the storage is always provided by you, and that is what the client pay for
in GB increments?

~~~
drchoc
Correct

