by wmluke 3642 days ago
Currently, the trending HN commentary is focused on this name, and as much as I like a good naming debate, I feel it is distracting from more "significant" concerns, such as...

How does the app handle encryption? Has there been a security review? How are keys handled? How are conversations persisted in the app? Does it use iCloud? Etc...


> How does the app handle encryption? Has there been a security review?

It's built on Electron, React and Redux. There is no security as it is a fundamentally insecure environment.

It's fashionable around here to criticize that tech stack, but do you have anything to back up that claim?

Running a large list of dependencies controlled by someone else. Stores data on disk unencrypted. Stores code that gets executed on disk, in text form, unencrypted and unsigned. Executes code while running directly from a website (GitHub).

All in all, an order of magnitude less security than a native app, to put it mildly.

http://blog.scottlogic.com/2016/03/09/As-It-Stands-Electron-...

Security is very hard. You need carefully constructed apps with carefully chosen dependencies, and generally you want the number of lines of code to be very small.

Anything WebKit based is going to lose on all of those points almost immediately. Anything Node.js based is also going to lose on all of those points, because Node.js has a culture of massive dependency stacks run by whomever. JavaScript in general is a pretty insecure language, unless you are using explicit subsets, but even then JavaScript has a horrible reputation for security.

Something is better than nothing. I'd rather people use Telegram (pretty well known for terrible crypto) than people use nothing at all. Same with Felony. I'd rather people use bad crypto than no crypto.

But in general it would seem likely that anything built on a webstack has a low chance of passing a security audit. The cultures surrounding the webstack technologies prioritize shipping product and doing cool things over shipping bug-free or secure code. It's one of the reasons that the webstack is so popular. It's easy, and if you ship something buggy it's generally not too bad to go back and fix it later, especially for something like a webpage, because your users will get your updates immediately.
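The comment above lists concrete properties of an Electron build (Node.js exposed to page code, code loaded straight from a remote site) rather than anything specific to this project. As an added example, not code from the Felony project or from anyone in this thread, the following script audits a BrowserWindow's `webPreferences` object and its load URL against a hardened baseline. The option names are Electron's documented `webPreferences` keys; the baseline values, the `auditWindow` helper and the two sample window configurations are constructed here for illustration. Because Electron's defaults for these keys have changed across releases, the audit treats an unset key as a finding rather than trusting whatever the installed version defaults to.

```javascript
// Added example: audit an Electron BrowserWindow configuration against a
// hardened baseline. Not code from the Felony project; the baseline and the
// sample configurations below are constructed for this illustration.

// Assumed hardened baseline, following Electron's own security guidance.
const HARDENED = {
  nodeIntegration: false,            // page JS must not get require()/process
  contextIsolation: true,            // preload and page JS in separate JS worlds
  sandbox: true,                     // OS-level renderer sandbox
  webSecurity: true,                 // keep the same-origin policy on
  allowRunningInsecureContent: false,// no http:// subresources on https pages
  enableRemoteModule: false,         // no transparent access to main-process objects
};

// Return a list of findings for one window description ({ webPreferences, url }).
// An empty list means the window matches the baseline and loads local code.
function auditWindow({ webPreferences = {}, url = "" }) {
  const findings = [];

  for (const [key, want] of Object.entries(HARDENED)) {
    const got = webPreferences[key];
    if (got !== want) {
      // Unset keys are reported too: the default depends on the Electron
      // version, so a secure setting should be explicit.
      const shown = got === undefined ? "(default)" : String(got);
      findings.push(`${key}=${shown}, expected ${want}`);
    }
  }

  // Code loaded over http(s) is whatever the remote host serves at run time,
  // with Node-level privileges if nodeIntegration is on. Local file: or a
  // custom app scheme ships with the package and can be signed with it.
  let scheme = null;
  try {
    scheme = new URL(url).protocol;
  } catch (e) {
    scheme = null;
  }
  if (scheme === "http:" || scheme === "https:") {
    findings.push(`url=${url} loads remote code over ${scheme}`);
  } else if (scheme === null) {
    findings.push(`url=${JSON.stringify(url)} is not a valid URL`);
  }

  return findings;
}

// Constructed sample: the kind of window a quick Electron prototype opens.
const WEAK_WINDOW = {
  webPreferences: { nodeIntegration: true, contextIsolation: false },
  url: "https://example.invalid/app/index.html", // hypothetical host
};

// Constructed sample: every key set explicitly, code loaded from the package.
const HARDENED_WINDOW = {
  webPreferences: {
    nodeIntegration: false,
    contextIsolation: true,
    sandbox: true,
    webSecurity: true,
    allowRunningInsecureContent: false,
    enableRemoteModule: false,
  },
  url: "file:///opt/app/index.html",
};

for (const [name, win] of [["weak", WEAK_WINDOW], ["hardened", HARDENED_WINDOW]]) {
  const findings = auditWindow(win);
  console.log(`${name}: ${findings.length} finding(s)`);
  for (const f of findings) console.log("  - " + f);
}
```

Run with `node audit.js` (any Node.js release with the global `URL` class). The weak sample produces seven findings: the two explicitly wrong keys, four keys left at version-dependent defaults, and the remote load URL; the hardened sample produces none. The check is deliberately static, a lint over the configuration object, so it can run in CI before packaging rather than requiring Electron at test time.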

Unfortunately, these endless tangents are becoming increasingly common on HN. I guess these are people who want to show off how smart they are but really don't have anything interesting to say about the topic at hand, so they go for the low-hanging fruit like spelling, layout, titles, and so on.

Calling a "user friendly" encryption program "Felony" feels like an attack on encryption. Yes, it will evoke a reaction, because if the author didn't do it deliberately to sabotage the PR of the crypto community then they need to be made aware of their mistake.

Of course, there are other concerns (why PGP and not Axolotl or OTR, how on earth does "your key is your username" work without causing other CAP-like issues, etc). But I'm not going to spend any time trying to improve a project that is working against encryption for everyone.

The name is an actual show stopper, and the author is being intransigent about changing it, so it's only natural for it to be the lion's share of the discussion.

I don't think that's it. Sure, the name is low-hanging fruit, but it's important low-hanging fruit.

Criticizing a name is hardly something that "shows off" smarts. Dismissing everyone for having nothing interesting to say, on the other hand...

A comment about the name is ok, but an endless discussion about it hardly is.