Oh boy, Yet Another "Secure" Web-Based Encrypted Communication Application(TM)!
Initial thoughts after a quick look:
I see mention of code/libraries that are being used, but no link to the source code.
I don't normally bother pointing them out (such as here in the comments), but the numerous spelling and grammatical errors don't exactly instill confidence.
Liam -- what are your (or your "co-programmers") qualifications? Why should the "community" trust/have faith in your cryptographic and/or programming skills?
Ironically enough, "the hammer that breaks PRISM" apparently doesn't even use SSL/TLS (click link above to the web site then click on "App").
> Privacy - because it matters
> Anonymity - because you are worth it
> Security - because you need it
I fail to see where TribalContact provides any of these.
Yes, indeed, it is another encrypted web based communication app. I personally, am not aware of any others, thought I do not doubt that some might exist. There are a number of apps out there, but websites that offer mil-spec encryption? I have never seen any.
There are, in fact, no libraries being used, and while we do mention credit to those who developed code or algorithms, all code is in-line, and therefore viewable from the browser. (At present leaflet is included but, as soon as we have integrated the latest version, it will be in-lined)
In our opinion, it is this ability for a competent technical person to confirm the absence of back-doors, and it is this that offers protection against surveillance.
We do not use SSL as there is absolutely no point. We know that it is NOT secure against government snooping. As the encryption offered by TribalContact is double layer we feel that to use SSL is simply a waste. If we know it is broken, why bother using it?
I am sorry that you seem to have found a number of spelling mistakes, but I do wonder if maybe this is because this is written in British English rather than American English. Neither I nor MS Word have found any errors. If you can identify any errors I would be most appreciative if you could point them out, and I will correct them.
I think that I have been quite clear that I do not expect nor require trust from the community. The source code is viewable, and before trust can be established verification should be completed. Perhaps it sounds rude, but it is not for me to prove that I am trust worthy, that, after all, is a fools errand. Only by the community verifying that what I say is true can that trust be gained.
I still feel that the combination of perfect forward security, ephemeral keys, and double layer encryption offers the claimed privacy, anonymity and security.
One final point that I think has been overlooked, is that TribalContact is designed to be a simple, zero install, easy to use solution to the problem of wall-to-wall surveillance. Most other encryption apps are so hard to install, configure and use that people such as Glenn Greenwald are not able to reliably use them. TribalContact was designed from the ground-up to be usable by anyone, and as such offers significant utility above any other encryption application I have ever used.
I hope that these comments answer some of your questions.
I am very grateful for your feedback, and am always more than prepared to answer any questions. If you have anything else that you would like to discuss please feel free to contact me, or add a new comment on hacker news.
2 comments
[ 2.5 ms ] story [ 13.3 ms ] threadInitial thoughts after a quick look:
I see mention of code/libraries that are being used, but no link to the source code.
I don't normally bother pointing them out (such as here in the comments), but the numerous spelling and grammatical errors don't exactly instill confidence.
Liam -- what are your (or your "co-programmers") qualifications? Why should the "community" trust/have faith in your cryptographic and/or programming skills?
Ironically enough, "the hammer that breaks PRISM" apparently doesn't even use SSL/TLS (click link above to the web site then click on "App").
> Privacy - because it matters
> Anonymity - because you are worth it
> Security - because you need it
I fail to see where TribalContact provides any of these.
sigh
There are, in fact, no libraries being used, and while we do mention credit to those who developed code or algorithms, all code is in-line, and therefore viewable from the browser. (At present leaflet is included but, as soon as we have integrated the latest version, it will be in-lined)
In our opinion, it is this ability for a competent technical person to confirm the absence of back-doors, and it is this that offers protection against surveillance.
We do not use SSL as there is absolutely no point. We know that it is NOT secure against government snooping. As the encryption offered by TribalContact is double layer we feel that to use SSL is simply a waste. If we know it is broken, why bother using it?
I am sorry that you seem to have found a number of spelling mistakes, but I do wonder if maybe this is because this is written in British English rather than American English. Neither I nor MS Word have found any errors. If you can identify any errors I would be most appreciative if you could point them out, and I will correct them.
I think that I have been quite clear that I do not expect nor require trust from the community. The source code is viewable, and before trust can be established verification should be completed. Perhaps it sounds rude, but it is not for me to prove that I am trust worthy, that, after all, is a fools errand. Only by the community verifying that what I say is true can that trust be gained.
I still feel that the combination of perfect forward security, ephemeral keys, and double layer encryption offers the claimed privacy, anonymity and security.
One final point that I think has been overlooked, is that TribalContact is designed to be a simple, zero install, easy to use solution to the problem of wall-to-wall surveillance. Most other encryption apps are so hard to install, configure and use that people such as Glenn Greenwald are not able to reliably use them. TribalContact was designed from the ground-up to be usable by anyone, and as such offers significant utility above any other encryption application I have ever used.
I hope that these comments answer some of your questions.
I am very grateful for your feedback, and am always more than prepared to answer any questions. If you have anything else that you would like to discuss please feel free to contact me, or add a new comment on hacker news.
Liam Carton liam.l.carton@gamil.com