[liberationtech] TribalContact - request for review (Encrypted web based communication app)

Liam Carton liam.l.carton at gmail.com
Tue Jan 14 09:24:43 PST 2014


Hi,



This is a request for anyone who would be interested in reviewing the
encryption code inside TribalContact. We would appreciate any feedback from
the community on what we have developed. Any insights, comments, or
criticisms are more than welcome. And we will do our best to address any
issues found in a timely, open and honest manner.



I am not too sure what information to put up here, so if I am not following
a protocol or standard method then please forgive my ignorance of those
policies.



The source code for the client can be downloaded from the TribalContact
website (http://www.tribalcontact.com/app/TribalContact.htm). The page can
be saved using any modern desktop browser.



The source code for the server code (a single JSP file) can be downloaded
from http://www.tribalcontact.com/app/core.txt (Note that this is a copy of
the JSP file, as at present we have yet to find an open, verifiable way to
allow end users to access the actual JSP file.)



I would suggest that anyone interested in looking at the code reads a
little about the choices made in the FAQ, and in the technology section.
(This is not yet complete, but it does have the basics on the technology
chosen).



I guess that it would be appropriate to give a quick overview of what we
have developed:



TribalContact is a Rich Internet Application. The client code is all
written in JS. We are aware of the many arguments that claim that doing
cryptology in a web site is a very bad idea.  However, it is our
contention, that when done correctly, this is the only way to produce a
verifiable application.



Please note, that unlike cryptocat, TribalContact is written purely in
JavaScript. There are no plug-ins, and no native code. The entire source
code for the client is contained in one single file, and there are no
includes. This means, that once that single file is verified the entire
client app can now be trusted. Clearly we recommend saving this file
offline, and using the locally stored version to avoid injection attacks
(though this may be rather difficult on smart-phones).



If anyone has any questions or comments, then please feel free to contact
me at liam.l.carton at gmail.com.



One final note. If anyone is interested in using the software, it is live
and the core features are all functioning correctly (as far as we are aware
:-)). So, please feel free to use it. If you are not convinced of the
integrity of the encryption then feel free to treat it as an untested beta
product. All bug reports are appreciated, and we action everything as
quickly as we can.



Thanks to everyone for your help in this matter.



Liam Carton

TribalContact