Comments (10)
dustball
commented on June 29, 2024
2
I mean a simple phonecall solves the shared key problem.
…On Mon, Dec 26, 2016 at 8:14 PM Brian Klug ***@***.***> wrote:
Yes, you need a way to get the key to them in advance.
This is not difficult for the use cases I imagine.
Most people don't understand PGP or public key crypto.
Requiring a shared secret helps ensure that Bob is who Alice thinks Bob is.
On Mon, Dec 26, 2016 at 8:12 PM Scott King ***@***.***>
wrote:
Ok, level with me for a second.
So when I send someone a room link (
https://secretchat.site/room/0ae9e4deba26021986ffd99636da6601f6393631 for
"elephant" ) they still need to type in the room name to get in.
So you need to let them know the room name in advance.
Which, would mean that you need to let them know it in a secure fashion.
Like OTR, PGP, Signal, or something else.
Which, kind of defeats the point of the site.
Or am I missing something?
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#4 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAHjUrpsooBR3hwIPYwY5uhqWK6StKcWks5rMJAagaJpZM4LWAzz>
.
from secretchat.site.
skifree-snowmonster
commented on June 29, 2024
2
This is redundant and pointless. Sha1 is broken and has been for some time. Use sha256 if you plan on basing your room name privacy model around hashes. Also, consider salting them or setting the HMAC with a password users need to know for entry instead.
Example:
Channel name: I_love_elephants
HMAC: anyonehereisallowed
Link becomes: https://secretchat.site/room/33aa9dcfc7beaded440572febdbe793123991cd85529120a9bdb31388f2b7547
from secretchat.site.
dustball
commented on June 29, 2024
1
Yes, you need a way to get the key to them in advance.
This is not difficult for the use cases I imagine.
Most people don't understand PGP or public key crypto.
Requiring a shared secret helps ensure that Bob is who Alice thinks Bob is.
…On Mon, Dec 26, 2016 at 8:12 PM Scott King ***@***.***> wrote:
Ok, level with me for a second.
So when I send someone a room link (
https://secretchat.site/room/0ae9e4deba26021986ffd99636da6601f6393631 for
"elephant" ) they still need to type in the room name to get in.
So you need to let them know the room name in advance.
Which, would mean that you need to let them know it in a secure fashion.
Like OTR, PGP, Signal, or something else.
Which, kind of defeats the point of the site.
Or am I missing something?
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#4 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAHjUrpsooBR3hwIPYwY5uhqWK6StKcWks5rMJAagaJpZM4LWAzz>
.
from secretchat.site.
skifree-snowmonster
commented on June 29, 2024
1
The link example was based on an implementation having used sha256 with an HMAC. Since your site doesn't, of course the link doesn't work.
from secretchat.site.
dustball
commented on June 29, 2024
Okay, two things to keep separate.
1) All encryption is done using the password entered on room.php. That is
the key (quite literally) to encryption and decryption. This answers #2 of
your questiom, in that the user does choose the enc/dec key.
2) The password is ALSO used as a convenience for creating a distinct room
URL. This is for convenience. It provides a way to make sure they entered
they password correctly, that is all. Otherwise if you decrypt with the
wrong password, it just comes at as garbled. So yes #1 is correct, but
purely again as convenience. Also addresses #3 directly.
Hope that helps.
…-B
On Mon, Dec 26, 2016 at 7:56 PM Scott King ***@***.***> wrote:
Couple issues.
1. You're using input for the room and just wrapping it in a sha1
function.
2. What exactly are you using to "encrypt" conversations, and why do
users not have access to their own keys ( and preferably, can generate
their own )?
3. Why does "password" need to equal the sha1 hashed room name? What's
password even for?
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
<#4>, or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAHjUtwr8I0XGL_xkn5ze3OY6ssw52Mfks5rMIxQgaJpZM4LWAzz>
.
from secretchat.site.
Lvl4Sword
commented on June 29, 2024
There are multiple issues with your approach.
You are giving a sha1 hash of the room which anyone paying attention to the connection could attempt to bruteforce.
You're also not even adding a random salt to the room sha1.
You shouldn't be using sha1 ( https://www.schneier.com/blog/archives/2005/02/sha1_broken.html ) - THIS DATES BACK TO 2005. IT'S BEEN BROKEN FOR MORE THAN A DECADE!
Take a look at https://passlib.readthedocs.io/en/stable/ and https://docs.python.org/2/library/hashlib.html
OTR encrypted chats, and Signal have Perfect Forward Secrecy. Thus both would be much better than your site.
from secretchat.site.
dustball
commented on June 29, 2024
Sn0wmonster - I get a 404 when trying your link. The hash is too long.
Thank you, regardless. I will upgrade to sha256.
…On Mon, Dec 26, 2016 at 8:30 PM Scott King ***@***.***> wrote:
There are multiple issues with your approach.
You are giving a sha1 hash of the room which anyone paying attention to
the connection could attempt to bruteforce.
You're also not even adding a random salt to the room sha1.
You shouldn't be using sha1.
Take a look at https://passlib.readthedocs.io/en/stable/ and
https://docs.python.org/2/library/hashlib.html
OTR encrypted chats, and Signal have Perfect Forward Secrecy. Thus both
would be much better than your site.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#4 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAHjUoAzZvttARe-CQAY4PzDpEMBn33qks5rMJRagaJpZM4LWAzz>
.
from secretchat.site.
denkweise9
commented on June 29, 2024
Sir, not to kick you down, but the fact I was able to access a 'secret' conversation by entering the 'elephant' room without needing any programming experience shows the level of security that this site uses.
Anyone can take a SHA1 hash and reverse it without being told the name.
This URL does just that, https://hashkiller.co.uk/sha1-decrypter.aspx <------------- "Tested elephant"
The fact that this hash (which is just the name of the room anyways) is used to 'encrypt' anything is scary. How is this secure if a script kiddie can get access so easily?
Saying that "Most people don't understand PGP.." does not make your software any more secure. Nor does it debunk any thesis that your software is insecure.
Pidign, Hexchat, etc are clients that take care of GPG,PGP, etc for you so you don't need to understand them anyways.
It doesn't require advanced technical skills to use Signal or OTR. Seriously
And no, "a simple phone call" is not going to fix the problem.
If someone were experienced with multiple languages, such as JavaScript, Java, Python, PHP, etc.
I would have no doubt that they would be able to create havoc or serious damage.
Please take time to research more into the security aspect of something if you are serious about 'security'.
from secretchat.site.
dustball
commented on June 29, 2024
So you used a weak key and are surprised that you can find a matching hash.
Anyway, I already said sha256 sounds like a good idea, as well as salts.
Patches welcome, or you can continue throwing stones if that is all you want to do.
from secretchat.site.
dustball
commented on June 29, 2024
Commit f867ab8 resolves this issue.
from secretchat.site.
Related Issues (7)
- PHP code is off HOT 4
- No Cloudflare? HOT 6
- Errors are inconsistent HOT 5
- Use of cryptographically insecure PRNG HOT 1
- Remove Google analytics HOT 2
- Remove third party CDN libraries and dependencies HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from secretchat.site.