
Anonyfish – Chat Anonymously With Another Secret User - hornbaker
https://anonyfish.com/
======
homakov
CSRF

[http://homakov.github.io/#{"url":"https://anonyfish.com/api/...](http://homakov.github.io/#{"url":"https://anonyfish.com/api/threadNew/","autosubmit":false,"target":"_top","data":"message=wer&threadid=703","method":"POST"})

also why not make it snap-chat style and remove messages after 10 s?

~~~
angersock
I'd rather they fix the part where they don't sort displayed messages by time
sent...it's kind of hard to follow conversations.

------
boklm
> Messages are encrypted using AES and BLOWFISH ciphers on the way into the
> database.

Using a key that is stored in the same database? How is that useful?

> IPs and logs aren't stored.

Except when they decide they want to keep logs.

------
jabgrabdthrow
My crypto knowledge is not really up to snuff but doesn't this not use any
real end-to-end crypto when it easily could? SSL, AES, and blowfish could all
be MITM'd, right?

~~~
spikels
I'm not sure how much better you can do with a webapp. Either you trust them
to encrypt your messages on the server or you trust them to send you
JavaScript that does the encryption in the browser. Either way you need to
trust the app provider. SSL should ensure it is not MITMed before it gets to
their server.

~~~
Deestan
> or you trust them to send you JavaScript that does the encryption in the
> browser

I don't _need_ to give trust in that case, as I could verify the encryption
myself.

~~~
DerpDerpDerp
I doubt that most users of a service are in any position to audit complex
crypto code.

~~~
Deestan
That doesn't really matter, because they don't need to. All it takes is one
crypto-savvy person taking an interest and finding a fault, then posting about
it.

Even if they do actively _cheat_ and provide some obscure not-really crypto to
give an impression of security, they need to put in an effort, whereas with
serverside encryption they could cheat for free. There is also a constant risk
of some techie discovering their lack of security.

Anyway, it doesn't matter if you consider auditable security imperfect.
Auditable security is objectively _more trustworthy_ than non-auditable
security.

------
slashdotaccount
The site uses Google APIs. I'd rather Google not know every time I
want to chat _anonymously_.

------
geuis
UX needs work. Literally have no idea what's happening after I "log in".
Description sounds like chat roulette but the reality is being unable to talk
to anyone.

------
Yetanfou
Another fish-name gone. For those in need of a name for their next product, I
asked my corporate name generator oracle (written in bash, no less!) to cough
up a few:

UnsteadyWhale WorthwhileMonkey WealthyLizard VerifiableMonkey PerkyWeasel
DarlingCow Wide-eyedFrog FrighteningHippo OddMoose ReasonableWhale
GrubbyDonkey

Just imagine your next website, showing nothing but a large screen-blanketing
image of carefree happy coffee consumers, a pulsating 'scroll down' button and
your GrubbyDonkey logo. The VCs will be chomping at the doorhandle, trust me.

------
natch
Why not add the Stanford Javascript Crypto Library to this, to address the
concern mentioned by jabgrabdthrow?

[https://github.com/bitwiseshiftleft/sjcl](https://github.com/bitwiseshiftleft/sjcl)

I'm not saying that's going to plug all holes but maybe it can be one piece.

~~~
spikels
At least today you still have to trust the JavaScript the server sends you.

I have heard talk in the past about adding code signing to browsers. Combined
with open-source code and a security audit this could potentially offer
something approaching the security of a traditional application.

------
thrush
Made a handle: mistersanfrancisco

Honestly, don't really understand the use case here. What is the benefit that
something like HN doesn't already provide? Everyone on HN knows my handle is
thrush, so can comment at me, or dm me using any contact info I've provided.
On anonyfish, I can't even use the service unless I have someone in mind. In
fact, the only names I have to contact are the ones provided in this thread,
and it's a pretty short list.

    
    
      - angersock
      - CaptainBananaPants
    

EDIT:

Omegle ([http://www.omegle.com/](http://www.omegle.com/)) seems way better.
Allows anonymity (or so it claims), can match people based on interests, and
can even match people in the same university based on their .edu email
address.

------
angersock
503.

:(

Edit:

Back as me, angersock. Message me if you're feeling like a chat now in the wee
hours of the morning.

EDIT2:

Man, I really wish we could have this update in real time... :|

EDIT3:

So far, two people with racist names, one person quoting batman. I'm not
impressed so far with the level of discourse.

EDIT4:

Alright, we seem to be doing better.

------
arcameron
If you found this headline interesting, you'll probably enjoy
[https://chat.echoplex.us/](https://chat.echoplex.us/)

------
onuryavuz
Idea: Chat anonymously with another HN user

------
grigio
Try also Geospot, which is a geolocalized nearby chat.
[http://geospot.meteor.com](http://geospot.meteor.com)

------
brahma1337
Talk to me. I'm 'CaptainBananaPants'

------
hooda
How is it supposed to work, as I don't know the username of any anonymous user
:) Sorry, but I didn't understand this.

~~~
angersock
Check the thread for people mentioning their handles. :)

------
jdipierro
Anonymous... but you have to register? What?

------
officialjunk
It lets you create a password with only one character. Can the password be
updated?

------
codecondo
"Annoyfish" is what I read it as, it's probably not very far off.

~~~
coherentpony
In what way? Something you don't like? How should it be improved?

------
dorfsmay
Omegle with persistent usernames?

