[tptacek]

You say "po-TAY-to", I say "po-TAH-to".

You say "to-MAY-to", I say "no thank you".

You say "supersititious distrust of Javascript", I say "a day job finding, breaking, and fixing the horrible things people try to get away with doing in Javascript". (Or, less charitably: "knowing how Javascript works in browsers.")

Trust me on this one. It's a cool little hack. It's even useful if you get rid of the vanity crypto. But you are asking for someone to write a really mean blog post about you and your actual understanding of how crypto works. That's drama you don't need. Don't bother with the AES stuff.

[nickbw]

If you would like to propose improved crypto code, I would love it. Honestly.

But "javascript is a messy language" is not inherently an attack. You can obfuscate just about any language. Do you actually have an attack in mind based on the fact that it's implemented in the browser?

It's true I don't have a deep understanding of the AES algorithms, and the AES code, as stated in the attribution, isn't even mine. Again, I'd love improved code. But you have yet to make any rational argument that javascript in the browser is inherently unsuited to encryption.

I completely agree that the many attempts to make SSL irrelevant by doing all the encryption in JS (and usually horribly naive JS) are foolish. That's not the point. Bonchat isn't a shopping cart or a mail reader. SSL is for securing communication to the server. Bonchat is an experiment in securing communication against the server. Do you have a better way than client-side encryption?

[SamReidHughes]

Do you actually have an attack in mind based on the fact that it's implemented in the browser?

You, the owner of the server, change the code. That's the attack. There's no way for me to tell my friend Charlie that he can use the service and get secure communication, unless he installs a plugin for his browser to verify that the server has not changed the data it sends the user from the time when I verified the correctness of the code. And if he has to install a plugin to safely use this service, which is now never permitted to change its code, he might as well just install a plugin that has the code, or install a separate application for this purpose.

[tptacek]

You seem intent on evading the point. Most security systems don't depend on me being able to read the code every time I use it.

[nickbw]

Most web security systems don't even give you the option. You sends your data off and you trusts your server. You can't read the code at all because it lives on a box you don't have access to.

Any security system you didn't code yourself does rely on someone you trust having read it at some point.

Is it more secure than some audited local code you compiled months ago and haven't touched and don't have to re-download? No, of course not. Is it more secure than chatting on Facebook? Potentially, yes. The necessary transparency is there.

This is not an innovation in protecting your data from network snoops. In that sense it's no improvement on SSL and it's not trying or claiming to be.

What it does do better than other web apps is protect your conversations from the middleman you can't avoid -- the web server itself.

[tptacek]

Nick. Please. It doesn't do this thing you keep claiming it does, because you left out any mechanism for the client to verify the code the server sends. You keep implying, directly and indirectly, that clients can do this by hand. People keep telling you, no they can't. When I give a specific and unintuitive reason why people can't manually verify your code in a browser, you throw out a smokescreen about how Javascript is a fine language to write things in, which of course has nothing to do with the issue at hand.

(By the way, thing you don't want to hear from the guy offering you super-secure communication system? "You have a superstitious paranoia about Javascript".)

And, as Steve Weis took the time to point out, even if you had invented some new system by which browsers could verify the state of a Javascript interpreter fed by an app that, among other things, had until a few hours ago a bunch of obvious Javascript injection flaws, you still wouldn't have been secure, because you don't really understand how CTR mode works and implemented colliding nonces. (Why did you bother with CTR mode anyways?) You also don't seem to understand the relation between encryption and authentication; not having a MAC would just be an embarassing oversight if you hadn't then argued with Weis about why it wasn't necessary.

The security model behind this application is just a really bad idea, Nick. I know that's tough to hear, since you obviously put some time and effort into it, but you're going to need to zag instead of zig now and come up with something cool about this chat system other than the notion that it's somehow more secure than Campfire or any other https chat.

[nickbw]

Actually I really appreciate Weis' comments, because they're actual concrete problems and implementable solutions. (A bit-flipping attack is not particularly interesting by itself, since the server can inject gibberish any time it wants anyway, unless it can be used to insert meaningful content. But I will be happy to add both a MAC and a better nonce.)

What I don't understand is why you think any unaudited code is secure. There is no mechanism by which code from an unknown source becomes trustworthy without someone reading it, or being able to read it.

Nowhere am I suggesting that understanding the javascript source is quick or easy, but it is in fact possible, which is the difference between encrypting client-to-server vs. client-to-client. Source code you can view is not automatically trustworthy. Of course not. But it is easier to trust than code you will never be allowed to see. Can we at least agree on that much?

As far as trustworthiness, I would say: local code > remote code run on the client > remote code run on the server > closed source. This makes (a theoretically fatal-bug-free) bonchat-like system worse than PGP, but better than Facebook IM.

It sounds like your real complaint is with the "marketing", such as it is. Perhaps I should do a better job labeling it as experimental, or a proof of concept? These would be actual concrete criticisms.

Folks complaining of XSS vulnerabilities seem to be under the mistaken impression that it somehow secures you against the people you're talking to, which is not the problem it's trying to solve. Unescaped HTML chat is vulnerable to XSS, which is why you shouldn't exchange raw HTML with random strangers. You wouldn't open an HTML attachment from a stranger, but you'd open one from your good web developer friend.

(A very fair complaint is that, although XSS is irrelevant to the intended use, I should've anticipated that people would want to test/demo the basic chat features by broadly distributing passwords. This turns it into, essentially, a plain text chat with two URLs you have to enter. Which is useless, but perhaps amusing, so I've added default HTML escaping.)

[tptacek]

Nick, "bit flipping attacks" imply that attackers can make messages say whatever they want to. They do not simply mean attackers can inject "random gibberish".

Furthermore, your nonce problem doesn't mean attackers can inject messages; it means attackers can cryptanalyze messages.

It would be helpful, before trying to implement cryptographic security for other people, for you to spend some time researching cryptography. A great way to do that is to learn how to attack cryptosystems in other applications. Maybe that should be your next project.

Best of luck, Nick.