1. 2
  2. 10

    Over time, we’d variously used PGP, Pidgin OTR, and a number of different encrypted chat services; and never been quite satisfied.

    We knew there had to be a better way, that a future where everyone could have privacy was possible.

    So, we created Cyph.

    No discussion (or links) of which crypto protocols are used, on the front page of any “secure messaging app”, makes me very nervous.

    1. 13

      It’s military-grade!

      1. 6

        Seriously the #2 smell test for me is people talking exclusively about crypto building blocks and not discussing the overall system. I don’t care how strong your ciphers are if you’re running them in CBC mode, it doesn’t matter how many bits your hash is if your message integrity consists of SHA512(message) and that’s it.

        (#1 smell test is cracking challenges as a proof of security! Let’s see if they get there…)

        1. 3

          s/CBC/ECB ?

          1. 1

            If I had a nickel for every time I typed the acronym for “the slow mode” when I really meant to type the acronym for “the scary bad mode”…

            Thanks!

        2. 2

          Isn’t military-grade cryptography, by definition, NSA (or other country equivalent) approved and audited?

          Always wondered why anyone would want to use that specific adjective to describe their secure chat program.

        3. 1

          Right now, the “Military-grade encryption” text on their website is a link to Wikipedia’s page on Off-the-Record Messaging.

        4. 9

          It’s secure all right; when I click on “start new cyph”, nothing happens. By not communicating something, I am indeed keeping it private. Clever!

          1. 7

            How can I trust them if they don’t disclose how it’s done :)?

            1. 5

              That name is … less than ideal.

              1. 3

                Oh, a webapp. So, secure by browser PKI (CAs) and TLS then.

                1. 1

                  You jest, but given the right threat model that could be completely acceptable!

                  “Cyph is a privacy solution designed to protect against WiFi sniffers, your ISP, and local police force.”

                  If I was an activist in a country that isn’t so friendly with the US, a site that doesn’t require much software and would ignore foreign demands for data could possibly be what I need.

                  But Cyph just tells us to trust them. Ho hum. Privacy software that doesn’t disclose a threat model is so pre-Snowden.
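
The point raised earlier in the thread, that `SHA512(message)` on its own is not message integrity, shown as an added example that is not part of any comment above. The frame layout (`message || tag`), the function names and the sample messages are constructed for illustration, and HMAC-SHA512 stands in for "a keyed integrity check".

```python
import hashlib
import hmac
import secrets
from typing import Optional

TAG_LEN = hashlib.sha512().digest_size  # 64 bytes

def seal_hash(message: bytes) -> bytes:
    """Weak scheme: frame = message || SHA512(message). No key involved."""
    return message + hashlib.sha512(message).digest()

def open_hash(frame: bytes) -> Optional[bytes]:
    if len(frame) < TAG_LEN:
        return None
    message, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    ok = hmac.compare_digest(hashlib.sha512(message).digest(), tag)
    return message if ok else None

def seal_mac(key: bytes, message: bytes) -> bytes:
    """Keyed scheme: frame = message || HMAC-SHA512(key, message)."""
    return message + hmac.new(key, message, hashlib.sha512).digest()

def open_mac(key: bytes, frame: bytes) -> Optional[bytes]:
    if len(frame) < TAG_LEN:
        return None
    message, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, message, hashlib.sha512).digest()
    return message if hmac.compare_digest(expected, tag) else None

def rewrite_in_transit(new_message: bytes) -> bytes:
    """Models a party on the path who holds no key: it can only
    replace the message and recompute the public, unkeyed hash."""
    return new_message + hashlib.sha512(new_message).digest()

def demo() -> dict:
    key = secrets.token_bytes(32)      # shared by sender and receiver only
    original = b"meet at 10:00"        # constructed sample messages
    altered = b"meet at 22:00"
    modified_frame = rewrite_in_transit(altered)
    return {
        # The receiver of the hash-only scheme cannot tell anything changed.
        "hash_only_accepts_modified": open_hash(modified_frame) == altered,
        # The keyed check rejects the same frame: the tag needs the key.
        "hmac_accepts_modified": open_mac(key, modified_frame) is not None,
        # Untouched frames still verify under both schemes.
        "hash_only_accepts_genuine": open_hash(seal_hash(original)) == original,
        "hmac_accepts_genuine": open_mac(key, seal_mac(key, original)) == original,
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The digest length is irrelevant to the outcome: the hash-only receiver accepts the modified frame because anyone can compute the tag, which is the reason a keyed MAC or an authenticated encryption mode is what provides integrity.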