What do you mean by transcript? If you mean the messages that were shared - the answer is no, server sees no messages at all as message exchange is peer to peer via WebRTC. As soon as session is over(eg. When all clients disconnect) - message history is lost for good. Brute force attacks are theoretically possible for sessions in progress(though hard due to alphanumeric 6 character PIN and server throttling), so I'll introduce "safe session" as suggested by some of the commenter by introducing "waiting rooms" so the newly connected clients have to be approved. I'd definitely leave the current workflow as is as its frictionless and works for some of my usecases(quick link or log sharing, etc)
doomrobo|9 months ago
Even if you assume the PIN is uniformly random (you should not assume this), it is only log2((10+26)^6) ~ 31 bits of entropy. This does not satisfy standard notions of secure channel establishment.
nenaoki|9 months ago