
Show HN: QOTR – Go off-the-record, quickly - crodjer
https://qotr.herokuapp.com/
======
102030485868
`AES-CBC` is used if no mode is specified (none currently specified: see [1]).
Relevant forge documentation. [2]

Currently the README file states that `AES-CES` is being used.

[1]
[https://github.com/crodjer/qotr/blob/master/app/models/chann...](https://github.com/crodjer/qotr/blob/master/app/models/channel.js#L105)
[2]
[https://github.com/digitalbazaar/forge/blob/e14eb1e17fbabcc8...](https://github.com/digitalbazaar/forge/blob/e14eb1e17fbabcc817065c992aa7a0a07330f397/js/aes.js#L44)

~~~
crodjer
Thanks for pointing that out. Updated the document.

------
kodablah
I am confused by your use of "OTR". Based on [1] this doesn't seem to be an
OTR implementation as those concerned with encryption might define "off-the-
record", correct? I think the term may be confusing.

1 -
[https://github.com/crodjer/qotr/blob/master/FLOW.rst](https://github.com/crodjer/qotr/blob/master/FLOW.rst)

~~~
crodjer
I understand the name is confusing. I was a long way into naming everything
about the project QOTR before I realised that OTR is best used if the protocol
is implemented, instead of taking it as a general concept.

I plan to re-write the application (at least the front-end, which does all the
encryption stuff) based on the reviews and if people think that it is actually
an idea worth pursuing. May change the name as well.

~~~
crodjer
Updated this as a notice on the project README.

~~~
zz1
Good choice: I can second this opinion, since I too was under the impression
that OTR was used.

------
wyager
Haven't we already established that crypto served over the internet is not a
good idea (because a malicious actor can own the server and provide bad JS)?

Also, does this actually use the OTR protocol?

~~~
crodjer
No, it doesn't actually use the OTR protocol. The application actually follows
this flow:
[https://github.com/crodjer/qotr/blob/master/FLOW.rst#how-qot...](https://github.com/crodjer/qotr/blob/master/FLOW.rst#how-qotr-works)

I understand the name is confusing. I was a long way into naming everything
about the project QOTR before I realised that OTR is best used if the protocol
is implemented, instead of taking it as a general concept.

I plan to re-write the application (at least the front-end, which does all the
encryption stuff) based on the reviews and if people think that it is actually
an idea worth pursuing.

------
crodjer
Turned the service off for now. Will be working on the issues raised at
various forums:
[https://github.com/crodjer/qotr/](https://github.com/crodjer/qotr/)

------
anonbanker
This is an idea worth pursuing. There is a market for this, and I know I will
use it often (especially if nobody else does!).

