Subrosa.io - encrypted messaging and calls in the browser, that's actually usable.
December 14, 2014 6:35 AM
There are many encrypted IM apps, but few of them are actually usable. Subrosa is a web app that abstracts away all the cryptographic details*, resulting in an app you can share and use with everyone. It's open source (of course), and supports IMs, voice and video calls, group chats, and more. *: Yes, real end to end encryption, not 'encrypt with keys the mothership knows'.
End to end encryption is very useful for protecting against commercial data mining, mass surveillance programs, and other intrusions. The problem is they're generally not very easy to use. Even if you've got over the hurdle and set a solution up, you need to get the other party to also do the same. This can be quite troublesome -- try explaining the concept of a keyring to a 12-year-old, while observing that they have no issues using iMessage.
Encryption must be accessible and easy to use, and that's what Subrosa aims to do. Give the link of https://subrosa.io/app/ to someone you want to talk to, and while they create an account their browser generates an RSA keypair in the background, encrypted with their passphrase.
Sure, the execution model of Subrosa running in a web browser has more attack vectors. But it's actually usable, and something that is good enough -- that you can actually use -- is a lot better than something foolproof but impractical to use. That's the design philosophy of Subrosa, and why you shouldn't look at it from an "OMG JS?! GO AWAY" angle.
Role: Security reviewer
- Would it be possible to initiate a chat session without creating an account? So create a URL and share that with someone, to chat even more instantly?
- From a security/JS standpoint, is there a way to "certify" that the JS being downloaded to the browser is the one from the application? (I'm asking out of interest as it seems a difficult problem to solve, and was wondering if you were approaching it at all.)
posted by motdiem2 at 2:39 AM on December 16, 2014