by CJefferson 4386 days ago
subrosa can choose at any time to send you javascript which will send your password back to them. You have no way of checking for this (well, except reading all the javascript, every time you log in)
2 comments

Ah yes, that makes sense, thanks!
Except it's a GPL'd web application, so you're free to run your own server.
Sure, but if you run your own server, then the site's claim that there was "no download or install needed" doesn't apply to you.

If you don't run your own server, the site's claim that "nobody, not even us, can read or listen into your conversations" doesn't apply to you.

There's nobody to whom both claims apply at the same time!

If you run your own server, you can make trusted calls from machines that don't have any client software set up, as can others using your server. Seems straightforward enough. It's clear the "no install" claims are about the client.
I read the claims on their home page as referring to the use case where someone starts using it immediately. (The benefit that they mention on the home page from open source is third-party auditability; the home page doesn't even mention the ability to create your own instance!)

The developers might well be thinking along the lines that you describe, but I don't think that a visitor to the site is likely to understand the threats that way.

Edit: Looking at https://subrosa.io/security I think it's even more clear that they're making these claims for their own hosted instance of their software -- and that's what people here are most skeptical of.

You can use github or you can run a private gitorious install (assume function parity here). Most people will choose github because that's where the people are.

Subrosa's value proposition is more as a meeting place than as a "secure" chat software.