

Show HN: EphChat – Ephemeral, Anonymous, Encrypted Realtime Chat - bmmayer1
https://ephchat.com

======
aaronbasssett
Really? I wouldn't trust this with any form of secure communication.

[https://ephchat.com/?room=%3C/title%3E%3Cimg%20src=%22http:/...](https://ephchat.com/?room=%3C/title%3E%3Cimg%20src=%22http://i.imgur.com/FdxVfli.png%22%20/%3E%3C/head%3E)

~~~
corobo
Works in chat messages too; I just got redirected to example.com and someone's
embedding an audio file using their username, so I'm guessing there's just no
sanitization anywhere.

------
seagrass
1. Open ephchat.

2. Click change name.

3. Paste the following contents and hit enter.

      <img src="#" onerror="javascript:void(function(setVal,sendClick,text){setVal.value=text;sendClick.click();}(document.querySelector('#chatText'),document.querySelector('#chatButton'),'hello'))"/>hi

~~~
bmmayer1
This has been fixed. Thanks!

~~~
seagrass
Nice!

------
pjc50
Judging by the other comments, this is a good example of all the ways _not_ to
build such a system.

------
sarciszewski
Where is the server source code? I'm not seeing where messages are
stored/transmitted to clients?

Also
[https://github.com/bmmayer/ephchat/issues/2](https://github.com/bmmayer/ephchat/issues/2)

~~~
system_32
You criticized the random code generation function. Could you explain
why it is bad? Though I code, I am no expert and would really like to know.

~~~
sarciszewski
This is the offending code:
[https://github.com/bmmayer/ephchat/blob/ec375c7974ea825f887f...](https://github.com/bmmayer/ephchat/blob/ec375c7974ea825f887ff4ca1cca2349018a187e/php/functions.php#L4-L20)

This is the proper way to do it (h/t @tptacek):
[http://sockpuppet.org/blog/2014/02/25/safely-generate-random...](http://sockpuppet.org/blog/2014/02/25/safely-generate-random-numbers/)

mt_srand() + rand() is just hilarious. The md5(uniqid()) thing is a common
randomness anti-pattern in PHP projects that needs to die in a fire.

In PHP, a very brief example of the code to achieve the proper way of
generating randomness looks like the snippet I posted in the issue.
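
An added illustration, not part of this comment, not EphChat's code, and not the snippet from the linked issue: the two anti-patterns named above beside a room-code generator built on PHP 7's random_int(), which draws from the OS CSPRNG. Function names here are invented for the illustration.

```php
<?php
// Added example: weak room-code generation versus a CSPRNG-backed version.
// Names (weak_code_rand, weak_code_uniqid, secure_room_code) are made up.

// ANTI-PATTERN 1: mt_srand() + rand(). Mersenne Twister is not a CSPRNG:
// its internal state can be recovered from observed outputs, and mt_srand()
// with no argument seeds it from low-entropy values such as the clock anyway.
function weak_code_rand(int $length): string
{
    $alphabet = 'abcdefghijklmnopqrstuvwxyz0123456789';
    mt_srand();
    $code = '';
    for ($i = 0; $i < $length; $i++) {
        $code .= $alphabet[rand(0, strlen($alphabet) - 1)];
    }
    return $code;
}

// ANTI-PATTERN 2: md5(uniqid()). uniqid() is just the current time in
// microseconds; md5 changes its shape but adds no entropy, so the whole
// search space is the set of timestamps around when the room was created.
function weak_code_uniqid(int $length): string
{
    return substr(md5(uniqid()), 0, $length);
}

// PROPER: random_int() is uniform over [0, $max] and backed by the kernel
// CSPRNG (getrandom() or /dev/urandom; CryptGenRandom on Windows). With 36
// symbols each character carries log2(36) ~ 5.17 bits, so 16 chars ~ 82 bits.
function secure_room_code(int $length = 16): string
{
    $alphabet = 'abcdefghijklmnopqrstuvwxyz0123456789';
    $max = strlen($alphabet) - 1;
    $code = '';
    for ($i = 0; $i < $length; $i++) {
        $code .= $alphabet[random_int(0, $max)];
    }
    return $code;
}

// Bits of entropy in a secure code of the given length (36-symbol alphabet).
function code_entropy_bits(int $length): float
{
    return $length * log(36, 2);
}

printf("room code: %s (%.1f bits)\n", secure_room_code(), code_entropy_bits(16));
```

Pick the code length from the entropy you need (code_entropy_bits), not from what looks tidy in a URL; the weak variants are kept only to show the pattern being replaced.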

------
qeorge
This is misleading - it uses Firebase for the server! How can the OP claim
that the server is not storing messages if the OP doesn't control the server?

I have no reason to trust that Firebase isn't storing the messages. Why should
I?

------
mpgarate
Reminds me of a little encrypted chat app I made with a friend a few weeks
ago. Ours is intended for two-way communication:
[http://cifrachat.herokuapp.com/](http://cifrachat.herokuapp.com/)

------
arcameron
For something a bit better, check out
[https://chat.echoplex.us](https://chat.echoplex.us), or a description at
[https://echoplex.us](https://echoplex.us).

------
nullc
uhh. trivial HTML injection, "trust us" security model. lame.

------
joeyspn
This is not secure at all. I expected some kind of XMPP-OTR stuff...

------
asdad
Is Firebase even open source? How is this anonymous? Does anyone know what
data Firebase collects from its users?

------
alvyHere
The text I type to the room is cached locally.

