by anologwintermut 4760 days ago
It's worse than that. It uses a questionable JavaScript crypto library (written by a former Twitter dev, not a cryptographer) and a fixed IV derived from the password which is re-used for each message. This is "oh, I read the Wikipedia article on AES" level cryptography deployed against people who would have written the Wikipedia entry if not for the fact that what they know is probably not public.

Better idea: Just make a plugin that uses OTR[0]. Don't try to roll your own crypto, especially when you are up against people who know what they are doing. [0] http://www.cypherpunks.ca/otr/

2 comments

There are 64 bits of randomness (however, they come from Math.random which is not so good...).

The encrypted text produced by this has a distinct signature - all messages will contain "U2FsdG". Here's how we break this if you're Google/can force Google to do stuff:

1) Detect messages containing that OpenSSL 'magic number'

2) If detected, push something like this:

    // Should check to see if GibberishAES exists to avoid errors if it doesn't...
    // Grab target function as a string
    var keycode = '' + GibberishAES.openSSLKey;
    // Inject something evil
    keycode = keycode.replace('key = result.slice(0, 4 * Nk);','key = result.slice(0, 4 * Nk); for (var pos = 1; pos < 4 * Nk; pos++) { result[pos] = 0; };');
    keycode = 'EvilGibberish = {}; EvilGibberish.openSSLKey = ' + keycode;
    // Execute the modified code to generate the new object
    eval(keycode);
    // Replace the 'good' keygen routine with the 'evil' one
    GibberishAES.openSSLKey = EvilGibberish.openSSLKey;
This will zero all but the first 32 bits of the AES key, allowing easy brute-forcing.

Note that this is based on something I wrote for a CTF, and I haven't tested it specifically against GibberishAES, but the technique works.

It's definitely a questionable JavaScript library, I wrote it back in 2008 after reading the Wikipedia article :)

It was designed to interop with OpenSSL's default command line AES crypto, which has some weak points, mostly around the IV selection.

That being said, the biggest weakness will always be that it's running in the browser and open to injection attacks.

But while I think there are definitely better crypto chat solutions out there, it's nice to see people taking an interest in the subject. And let's not kid ourselves, the vast majority of NSA data collection is probably less about sophisticated encryption attacks, and more about the clever application of political/police powers.