by swordswinger12 4388 days ago
In the description of the key exchange mechanism (section 'Conversation Keys' under 'Security') it sounds like they're using one symmetric key for both directions of a two-way channel. If true, this is a pretty serious security flaw. Anyone from Subrosa care to comment?
2 comments

More importantly, one of the parties is trusted to come up with the key alone. The other party just has to accept that it's a good key with no other proof than that it was encrypted with their public key. The description is really weak on details.

They keep repeating they've been audited but not naming the auditors.

Not really, from what I understand. Seems they are exchanging a symmetric key via RSA to facilitate two-way encrypted communication. This is pretty standard, browsers do this via TLS.
TLS does not use a single symmetric key for bidirectional comms. It establishes keys per direction.
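
Added example, not part of the thread and not Subrosa's or TLS's actual code: a sketch of why one key for both directions matters, using HMAC tags and HKDF (RFC 5869) to derive a separate key per direction from one exchanged secret. The labels, the sample secret and the function names are assumptions made for the illustration; the real TLS key schedule is more involved.

```python
import hashlib
import hmac

def hkdf_sha256(secret: bytes, info: bytes, length: int = 32, salt: bytes = b"") -> bytes:
    """HKDF with SHA-256 (RFC 5869): extract a PRK, then expand it under `info`."""
    prk = hmac.new(salt or b"\x00" * 32, secret, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def direction_keys(shared_secret: bytes) -> dict:
    """Derive one key per direction; the info labels are hypothetical."""
    return {
        "i2r": hkdf_sha256(shared_secret, b"example initiator->responder"),
        "r2i": hkdf_sha256(shared_secret, b"example responder->initiator"),
    }

def tag(key: bytes, message: bytes) -> bytes:
    """Authenticate a message with HMAC-SHA256."""
    return hmac.new(key, message, hashlib.sha256).digest()

def accepts(key: bytes, message: bytes, received_tag: bytes) -> bool:
    """Constant-time check of a received tag."""
    return hmac.compare_digest(tag(key, message), received_tag)

def reflection_accepted(send_key: bytes, recv_key: bytes,
                        message: bytes = b"transfer approved") -> bool:
    """The initiator authenticates `message` under send_key. The same bytes
    come back to it unchanged and are checked under recv_key, the key it
    uses for inbound traffic. True means it cannot tell its own message
    from one written by the peer."""
    return accepts(recv_key, message, tag(send_key, message))

SHARED = bytes(range(32))  # constructed sample secret, stands in for the exchanged key

if __name__ == "__main__":
    keys = direction_keys(SHARED)
    print("single key, reflected message accepted:", reflection_accepted(SHARED, SHARED))
    print("per-direction keys, reflected message accepted:",
          reflection_accepted(keys["i2r"], keys["r2i"]))
```

With a single key the returned message verifies as if the peer had sent it; with per-direction keys the same bytes fail verification on the inbound side.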