1. 2
  1.  

  2. 4

    The only thing I see regarding the crypto in use is a mention of AES-256, with no mention of mode. Even if we assume CBC mode, that only covers confidentiality. There’s no mention of how they provide integrity or authenticity.

    1. 1

      It is CBC mode. The key used to encrypt messages is constructed at the client side along with a room secret key (set by the user). These keys never leave your browser. There is no way we can know these keys. You can easily verify this with firebug or similar tools …

      1. 4

        Even if we assume CBC mode, that only covers confidentiality. There’s no mention of how they provide integrity or authenticity.

        There’s no security documentation, and no way to audit the code.

    2. 4

      You shouldn’t use this. Many security researchers warn that JavaScript crypto shouldn’t be trusted. Also, since the code isn’t open source, you have no real way to be sure the code is secure.

      1. 2

        I respect Matasano security. When it comes to cryptography we can have endless debates and everybody could be right in their own way. We use AES (from the CryptoJS library) which is pretty much open. Where we innovate is in the key delivery mechanism. Unfortunately we may not open source this any time soon. You can easily verify that the encryption keys never leave your browser.

      2. 3

        A first submission by a user named teslaim with the profile of “www.tesla.im Encrypted Messaging for Teams.” to a site named tesla.im… I’m all for showcasing your project but this seems a bit excessive, no?

        1. 0

          Yes, being a startup makes you do ‘bad things’ like this … hope you understand. I promise to keep posting other good stuff as well.

        2. 1

          This is not tox.im
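
The following is an added example, not part of the thread and not tesla.im's code. It illustrates the objection raised above that AES-CBC alone provides confidentiality but not integrity, by comparing bare CBC with encrypt-then-MAC. It uses Node's built-in `crypto` module rather than CryptoJS; the function names, the sample message and the separate MAC key are assumptions made for illustration.

```javascript
const crypto = require("node:crypto");

// Bare AES-256-CBC, as assumed in the thread: confidentiality only.
function cbcEncrypt(key, plaintext) {
  const iv = crypto.randomBytes(16);
  const c = crypto.createCipheriv("aes-256-cbc", key, iv);
  return { iv, ct: Buffer.concat([c.update(plaintext, "utf8"), c.final()]) };
}
function cbcDecrypt(key, { iv, ct }) {
  const d = crypto.createDecipheriv("aes-256-cbc", key, iv);
  return Buffer.concat([d.update(ct), d.final()]).toString("utf8");
}

// Encrypt-then-MAC: HMAC-SHA256 over IV || ciphertext, under a separate key.
function macOf(macKey, msg) {
  return crypto.createHmac("sha256", macKey).update(msg.iv).update(msg.ct).digest();
}
function sealEtM(encKey, macKey, plaintext) {
  const msg = cbcEncrypt(encKey, plaintext);
  return { ...msg, tag: macOf(macKey, msg) };
}
function openEtM(encKey, macKey, msg) {
  const expected = macOf(macKey, msg);
  // Verify the tag in constant time BEFORE touching the ciphertext.
  if (msg.tag.length !== expected.length || !crypto.timingSafeEqual(msg.tag, expected)) {
    throw new Error("authentication failed");
  }
  return cbcDecrypt(encKey, msg);
}

// Simulated in-transit modification made without any key: in CBC the first
// plaintext block is D(C1) XOR IV, so a changed IV byte changes the plaintext.
function modifyInTransit(msg) {
  const iv = Buffer.from(msg.iv);
  iv[4] ^= "1".charCodeAt(0) ^ "9".charCodeAt(0);
  return { ...msg, iv };
}

function demo() {
  const encKey = crypto.randomBytes(32), macKey = crypto.randomBytes(32);
  const text = "pay 100 to alice"; // constructed sample message
  // Bare CBC decrypts the modified message without any error.
  const bare = cbcDecrypt(encKey, modifyInTransit(cbcEncrypt(encKey, text)));
  let rejected = false;
  try { openEtM(encKey, macKey, modifyInTransit(sealEtM(encKey, macKey, text))); }
  catch (e) { rejected = e.message === "authentication failed"; }
  const intact = openEtM(encKey, macKey, sealEtM(encKey, macKey, text));
  return { bare, rejected, intact };
}
```

An AEAD mode such as AES-GCM gives the same guarantee in a single primitive; the CBC plus HMAC construction is shown because CBC is the mode named in the thread.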