This doesn't look especially safe. In addition to the fact that the crypto is delivered by the server, and so every browser/server transaction is an opportunity for the server to surreptitiously backdoor the crypto operations, the underlying crypto here appears to be CBC+HMAC where the payloads are decrypted before the HMAC is checked.
Firstly, thanks for inspecting the source and offering a suggestion for improvement. The latter point should be a relatively easy fix.
As for your first point, there’s little we can do to prevent TLS or AWS tampering. But we can make it easier to choose e2e encryption in the first place. So we focused on reducing barriers to entry (no signup required, simple URL-based rooms) as well as providing these benefits over alternatives:
- Open source code
- Ephermeral message history (not persisted in a DB)
- Opt-out anonymity
We think these features make Darkwire a good solution for many users seeking secure, private online communication. Having said that, no solution is perfect and we hope to see contributions from the open source community to make it even better.
I am really interested in knowing how you reached your conclusions based on seeing the js file. I am quite new to analysing the source files of a given website using the firefox web console. I tried copying it to a text editor but, man, it was a mess to read. Any pointers as to how I might proceed ?
Without looking deeper into the app ... The WebCrypto standard makes a lot of assumptions in terms of underlying security and is dangerous (if not negligent) without proper security headers (XSS, CSRF, CSP), in place[0]. Since this site positions itself as a security relevant app, mistakes like these are incredibly worrying.
Neat app, but curious why you aren't using WebRTC p2p?
I've always thought something like this using WebRTC + a (simple) way to independently check that no data is being sent elsewhere would be really cool.
Thanks! We actually need the server intermediary to handle storing and locking rooms, and adding and removing members. Also IIRC WebRTC data channel doesn't have great cross browser support.
- WebRTC is great in theory, terrible in practice (doesn't work very well), and still needs a bootstrapping server. So it is better to have a reliable websocket based server as the default/fallback, and WebRTC progressively enhanced.
- Signal and Whatsapp, as others have pointed out, are far from being comfortable as being private (they already know too much, phone number, etc.), and don't have the convenience of a browser based app.
- Yes, this app should be using the Web Crypto API (it is what we switched over to, for our P2P cryptographic user accounts: https://github.com/amark/gun/wiki/auth ) to reduce dependency on the server. You can use the `integrity` attribute to help out with this, but ultimately unless somebody installs it as an Electron app or something, browser based crypto has its limitations.
> - Signal and Whatsapp, as others have pointed out, are far from being comfortable as being private (they already know too much, phone number, etc.), and don't have the convenience of a browser based app.
Whatsapp does have a browser based app. web.whatsapp.com
The name makes it sound dodgy: "dark" reminds me of "dark web" and all the negative connotations. Not great for trustworthiness which is especially important for crypto.
How does it differ from wire.com in terms of privacy? Besides, wouldn't you have to transfer the chatroom name over another chat service since it changes all the time and users have no identity of their own?
Darkwire is more for ephemeral chat rooms, where the name doesn't change as long as the room is occupied. We also don't require sign up, so you can use it instantly and anonymously.
You could give the option to the owner of the room to set a password for anyone wanting to join. And maybe you could use the password to encrypt further communication.
I understand the benefits from instant web chat, but I think it's not too difficult to access the signal protocol through Whatsapp or Signal's desktop app.
Those implementations both require phone numbers and registration through a mobile app (hence lack anonymity) and are useless for many use cases.
I think Matrix (Riot) would be a better choice. It's e2e encrypted like Signal but doesn't have any nonsense reliance on phones or phone numbers. It also has extra features like true multiple device support, a federated protocol and an open server implementation.
tptacek|8 years ago
alanfriedman|8 years ago
As for your first point, there’s little we can do to prevent TLS or AWS tampering. But we can make it easier to choose e2e encryption in the first place. So we focused on reducing barriers to entry (no signup required, simple URL-based rooms) as well as providing these benefits over alternatives:
- Open source code
- Ephermeral message history (not persisted in a DB)
- Opt-out anonymity
We think these features make Darkwire a good solution for many users seeking secure, private online communication. Having said that, no solution is perfect and we hope to see contributions from the open source community to make it even better.
rqs|8 years ago
> the payloads are decrypted before the HMAC is checked
I mean, on ClientA, I can calculate the HMACA of the plain-text, then encrypt the plain-text using KeyA to get MessageA
Then, on ClientB, I decrypt the MessageA using KeyB to get plain-text, and calculate HMACB from the plain-text.
After all that, I can still compare HMACA against HMACB to check if the message is authentic.
So what seems to be the problem here?
pretty_dumn_guy|8 years ago
I am really interested in knowing how you reached your conclusions based on seeing the js file. I am quite new to analysing the source files of a given website using the firefox web console. I tried copying it to a text editor but, man, it was a mess to read. Any pointers as to how I might proceed ?
DyslexicAtheist|8 years ago
https://securityheaders.io/?q=https%3A%2F%2Fdarkwire.io%2FSk...
alanfriedman|8 years ago
Ros2|8 years ago
I've always thought something like this using WebRTC + a (simple) way to independently check that no data is being sent elsewhere would be really cool.
Btw you could declare a content security policy for just your site since you don't load anything off domain https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP Good luck!
alanfriedman|8 years ago
Aeolun|8 years ago
marknadal|8 years ago
- WebRTC is great in theory, terrible in practice (doesn't work very well), and still needs a bootstrapping server. So it is better to have a reliable websocket based server as the default/fallback, and WebRTC progressively enhanced.
- Signal and Whatsapp, as others have pointed out, are far from being comfortable as being private (they already know too much, phone number, etc.), and don't have the convenience of a browser based app.
- Yes, this app should be using the Web Crypto API (it is what we switched over to, for our P2P cryptographic user accounts: https://github.com/amark/gun/wiki/auth ) to reduce dependency on the server. You can use the `integrity` attribute to help out with this, but ultimately unless somebody installs it as an Electron app or something, browser based crypto has its limitations.
gurgus|8 years ago
Whatsapp does have a browser based app. web.whatsapp.com
rymate1234|8 years ago
pjmlp|8 years ago
So sad that young generations don't know what an IRC stands for.
sleavey|8 years ago
0xJRS|8 years ago
mxuribe|8 years ago
See: https://matrix.org/docs/guides/faq.html#what-is-matrix
snvzz|8 years ago
nkkollaw|8 years ago
I wonder if the word "dark" makes the name have a negative connotation?
guy98238710|8 years ago
alanfriedman|8 years ago
taosx|8 years ago
free2rhyme214|8 years ago
Veratyr|8 years ago
I think Matrix (Riot) would be a better choice. It's e2e encrypted like Signal but doesn't have any nonsense reliance on phones or phone numbers. It also has extra features like true multiple device support, a federated protocol and an open server implementation.
dominotw|8 years ago
ishansgupta|8 years ago
TehJIDF|8 years ago