My crypto knowledge is not really up to snuff but doesn't this not use any real end-to-end crypto when it easily could? SSL, AES, and blowfish could all be MITM'd, right?
I'm not sure how much better you can do with a webapp. Either you trust them to encrypt your messages on the server or you trust them to send you JavaScript that does the encryption in the browser. Either way you need to trust the app provider. SSL should ensure it is not MITMed before it gets to their server.
That doesn't really matter, because they don't need to. All it takes is one crypto-savvy person taking an interest and finding a fault, then posting about it.
Even if they do actively cheat and provide some obscure not-really crypto to give an impression of security, they need to put in an effort, whereas with serverside encryption they could cheat for free. There is also a constant risk of some techie discovering their lack of security.
Anyway, it doesn't matter if you consider auditable security imperfect. Auditable security is objectively more trustworthy than non-auditable security.
UX needs work. Literally have no idea what's happening after I "log in". Description sounds like chat roulette but the reality is being unable to talk to anyone.
Another fish-name gone. For those in need of a name for their next product, I asked my corporate name generator oracle (written in bash, no less!) to cough up a few:
Just imagine your next website, showing nothing but a large screen-blanketing image of carefree happy coffee consumers, a pulsating 'scroll down' button and your GrubbyDonkey logo. The VCs will be chomping at the doorhandle, trust me.
At least today you still have to trust the JavaScript the server sends you.
I have heard talk in the past about adding code signing to browsers. Combined with open-source code and a security audit this could potentially offer something approaching the security of a traditional application.
Honestly, don't really understand the use case here. What is the benefit that something like HN doesn't already provide? Everyone on HN knows my handle is thrush, so they can comment at me, or DM me using any contact info I've provided. On anonyfish, I can't even use the service unless I have someone in mind. In fact, the only names I have to contact are the ones provided in this thread, and it's a pretty short list.
- angersock
- CaptainBananaPants
EDIT:
Omegle (http://www.omegle.com/) seems way better. Allows anonymity (or so it claims), can match people based on interests, and can even match people in the same university based on their .edu email address.
http://homakov.github.io/#{"url":"https://anonyfish.com/api/...
Also, why not make it Snapchat-style and remove messages after 10 s?