12 comments

  • jazzyjackson 3 days ago

    I was intrigued by the claim that they are secure by virtue of their patented tech, so I looked up the patent

    https://patents.google.com/patent/US9906369B2

    Sounds like a trust on first use scheme so that you get a public key from the distributor, and use that to verify the application bundle on subsequent use. I actually do like this because it solves for a paranoia I have with password managers, in that they can claim all they want that decryption happens client-side but they're serving me a JavaScript bundle and how am I supposed to believe that isn't changed on the fly via supply chain attack? So at least this adds a step that the application code that is delivered from the server must be signed by the author.

    Edit: client is source-available (nonfree), I actually hadn't come across npm verify, so thanks for that

    https://github.com/cyph/cyph?tab=License-1-ov-file

    • buu700 3 days ago

      Exactly! And just to clarify, the `verify` script is a Cyph feature that I added to allow comparing a local reproducible build against the production build, not a general npm feature. Running `npm run verify` in any random JS project won't do anything unless the project happens to have a script configured with that name.
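
The trust-on-first-use flow that jazzyjackson's comment describes, as an added example that is not part of the thread and not Cyph's or WebSign's code: the client pins the distributor's public key on first load and, on later loads, accepts a bundle only if the same key signed it. The `loadBundle` helper, the `app.example` origin, the in-memory `Map` used as the pin store and the choice of Ed25519 are all assumptions made for illustration.

```javascript
const crypto = require("crypto");

// Fingerprint of a public key: SHA-256 over its DER-encoded SPKI form.
function fingerprint(publicKey) {
  const der = publicKey.export({ type: "spki", format: "der" });
  return crypto.createHash("sha256").update(der).digest("hex");
}

// pins: Map(origin -> fingerprint), a stand-in for persistent client storage.
// Returns "pinned" on first use, "ok" on a verified later load; throws otherwise.
function loadBundle(pins, origin, { publicKey, bundle, signature }) {
  const fp = fingerprint(publicKey);
  const pinned = pins.get(origin);
  if (pinned !== undefined && pinned !== fp) {
    throw new Error("signing key changed since first use");
  }
  // Ed25519 takes no separate digest algorithm, hence null.
  if (!crypto.verify(null, bundle, publicKey, signature)) {
    throw new Error("bundle signature invalid");
  }
  if (pinned === undefined) {
    pins.set(origin, fp); // first use: nothing to compare against yet
    return "pinned";
  }
  return "ok";
}

// Constructed sample data: two key pairs and three tiny "bundles".
function demo() {
  const author = crypto.generateKeyPairSync("ed25519");
  const other = crypto.generateKeyPairSync("ed25519");
  const sign = (pair, data) => crypto.sign(null, data, pair.privateKey);
  const v1 = Buffer.from("console.log('app v1')");
  const v2 = Buffer.from("console.log('app v2')");
  const altered = Buffer.from("console.log('altered in transit')");
  const pins = new Map();
  const attempt = (msg) => {
    try { return loadBundle(pins, "app.example", msg); }
    catch (e) { return e.message; }
  };
  return [
    attempt({ publicKey: author.publicKey, bundle: v1, signature: sign(author, v1) }),
    attempt({ publicKey: author.publicKey, bundle: v2, signature: sign(author, v2) }),
    // Served bytes no longer match what the author signed.
    attempt({ publicKey: author.publicKey, bundle: altered, signature: sign(author, v2) }),
    // Validly signed, but by a key other than the pinned one.
    attempt({ publicKey: other.publicKey, bundle: altered, signature: sign(other, altered) }),
  ];
}
console.log(demo());
```

The pin only protects loads after the first one; whatever key arrives on first use is trusted as-is.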

  • woofcat 3 days ago

    How is this any different than the other 1,000 "encrypted chat" solutions?

    • nikolay 3 days ago

      This has been used by doctors and is not free - this is how I found it.

      • rightisleft 3 days ago

        My doctor can barely use a mouse let alone comment on surveillance technology

  • proxynoproxy 3 days ago

    “Cyph is the only encryption app that is secure to use in a web browser, thanks to our patented WebSign technology.”

    Run, don’t walk away from vendors making these claims.

    • nikolay 3 days ago

      Maybe their claim is a bit more valid than those of other systems with equally bold claims [0].

      [0]: https://www.cyph.com/websign

      • proxynoproxy 2 days ago

        IMHO their claim is invalidated by appeal to patents. Patents are a surefire way to ensure that even the most clever of cryptographic constructions is never used in the real world.

        Open is better than closed. Non-patented encumbered is better than encumbered.

      • antisocialist 2 days ago

        It may be valid against closed source apps, but I don't see how it can be more secure than build-and-self-host OSS apps for private messaging.