ChatStep - Online Group Chat with Symmetric Key Encryption - gsundeep
https://chatstep.com/#RestoreTheFourth

======
SamWhited
I love these sorts of projects, but I don't trust them as a rule. If I can't
independently verify the security myself, I don't use them. What sort of
symmetric key encryption does it use? What cipher? What hash algorithm? Does it
provide perfect forward secrecy? Does it anonymize the sender in some way?
What data is logged? Etc.

~~~
nealb
The good thing about symmetric key encryption in the browser is that it's easy
enough to check. You just need to make sure that messages/images are encrypted
before being sent to the server, and that the password is never sent to the server.
Also ChatStep uses sjcl so the crypto isn't homemade like CryptoCat.

~~~
SamWhited
Sure, I can verify that things aren't being sent in plaintext, and I can
verify that they're using sjcl, but I can't verify most of the other things I
mentioned. How do I know they're using sjcl right and not introducing some
vulnerability (yes, I know I can dig through their JavaScript, but that's a
pain in the ass)? I'm not saying I think they've got any problems; I'm just
saying, be careful.

These sorts of tools, while convenient, are dangerous without a proper
understanding of what you're doing. User beware.

~~~
ams6110
And are you going to verify every message? Because the JS can be changed
without you ever realizing it.

------
m-app
By the way, wasn't Cryptocat shot down initially for its "host-based security"
[1]? Why didn't ChatStep learn from that?

[1]:
[http://www.wired.com/threatlevel/2012/08/wired_opinion_patri...](http://www.wired.com/threatlevel/2012/08/wired_opinion_patrick_ball/all/)

------
dylz
How do I self host this? I would like to use something like this but only if
it's self hosted.

~~~
antocv
Exactly, otherwise there is no point really.

~~~
m-app
Why not? In this case the server doesn't have to be trusted, only the client
implementation.

~~~
ams6110
But you are downloading the client implementation from the server.

