My crypto knowledge is not really up to snuff but doesn't this not use any real end-to-end crypto when it easily could? SSL, AES, and blowfish could all be MITM'd, right?
I'm not sure how much better you can do with a webapp. Either you trust them to encrypt your messages on the server or you trust them to send you JavaScript that does the encryption in the browser. Either way you need to trust the app provider. SSL should ensure it is not MITMed before it gets to their server.
That doesn't really matter, because they don't need to. All it takes is one crypto-savvy person taking an interest and finding a fault, then posting about it.
Even if they do actively cheat and provide some obscure not-really crypto to give an impression of security, they need to put in an effort, whereas with serverside encryption they could cheat for free. There is also a constant risk of some techie discovering their lack of security.
Anyway, it doesn't matter if you consider auditable security imperfect. Auditable security is objectively more trustworthy than non-auditable security.
At least today you still have to trust the JavaScript the server sends you.
I have heard talk in the past about adding code signing to browsers. Combined with open-source code and a security audit this could potentially offer something approaching the security of a traditional application.
UX needs work. Literally have no idea what's happening after I "log in". Description sounds like chat roulette bu the reality is being unable to talk to anyone.
Honestly, don't really understand the use case here. What is the benefit that something like HN doesn't already provide? Everyone on HN knows my handle is thrush, so can comment at me, or dm me using any contact info I've provided. On anonyfish, I can't even use the service unless I have someone in mind. In fact, the only names I have to contact are the ones provided in this thread, and it's a pretty short list.
- angersock
- CaptainBananaPants
EDIT:
Omegle (http://www.omegle.com/) seems way better. Allows anonymity (or so it claims), can match people based on interests, and can even match people in the same university based on their .edu email address.
Another fish-name gone. For those in need of a name for their next product, I asked my corporate name generator oracle (written in bash, no less!) to cough up a few:
Just imagine your next website, showing nothing but a large screen-blanketing image of carefree happy coffee consumers, a pulsating 'scroll down' button and your GrubbyDonkey logo. The VC's will be chomping at the doorhandle, trust me.
29 comments
[ 3.5 ms ] story [ 69.0 ms ] threadI don't need to give trust in that case, as I could verify the encryption myself.
Even if they do actively cheat and provide some obscure not-really crypto to give an impression of security, they need to put in an effort, whereas with serverside encryption they could cheat for free. There is also a constant risk of some techie discovering their lack of security.
Anyway, it doesn't matter if you consider auditable security imperfect. Auditable security is objectively more trustworthy than non-auditable security.
https://github.com/bitwiseshiftleft/sjcl
I'm not saying that's going to plug all holes but maybe it can be one piece.
I have heard talk in the past about adding code signing to browsers. Combined with open-source code and a security audit this could potentially offer something approaching the security of a traditional application.
:(
Edit:
Back as me, angersock. Message me if you're feeling like a chat now in the wee hours of the morning.
EDIT2:
Man, I really wish we could have this update in real time... :|
EDIT3:
So far, two people with racist names, one person quoting batman. I'm not impressed so far with the level of discourse.
EDIT4:
Alright, we seem to be doing better.
http://homakov.github.io/#{"url":"https://anonyfish.com/api/...
also why not it snap-chat style and remove messages after 10 s?
Using a key that is stored in the same database ? How is that useful ?
> IPs and logs aren't stored.
Except when they decide they want to keep logs.
Honestly, don't really understand the use case here. What is the benefit that something like HN doesn't already provide? Everyone on HN knows my handle is thrush, so can comment at me, or dm me using any contact info I've provided. On anonyfish, I can't even use the service unless I have someone in mind. In fact, the only names I have to contact are the ones provided in this thread, and it's a pretty short list.
EDIT:Omegle (http://www.omegle.com/) seems way better. Allows anonymity (or so it claims), can match people based on interests, and can even match people in the same university based on their .edu email address.
UnsteadyWhale WorthwhileMonkey WealthyLizard VerifiableMonkey PerkyWeasel DarlingCow Wide-eyedFrog FrighteningHippo OddMoose ReasonableWhale GrubbyDonkey
Just imagine your next website, showing nothing but a large screen-blanketing image of carefree happy coffee consumers, a pulsating 'scroll down' button and your GrubbyDonkey logo. The VC's will be chomping at the doorhandle, trust me.