End-to-end encryption is a marketing buzzword these days. Since services like WhatsApp (owned by Facebook, a company known for being the most hostile to user privacy) hold access to both the public and private keys of their users, they are vulnerable to the problems that E2EE is supposed to fix.
I'd imagine the same applies to China with WeChat; I find it difficult to fathom that the most advanced surveillance state's largest communication platform wouldn't have some method of handing over data to the Chinese authorities. The difference between the two is that one app is obedient to Western law and the other is obedient to Chinese law, hence why it is being targeted (the same way Huawei has been targeted despite many other technology companies engaging in similar practices to those they are alleged to be doing).
Hi, to respond to your questions:
We have a mix of public and private servers in Europe. Our platform does not run on top of a blockchain; we leverage the blockchain using IPFS and a Smart Contract for our identity service on the Binance Smart Chain. FortKnoxster is not the average message/calling app: we guarantee the privacy of our users by applying zero-knowledge technology in addition to our encryption in transit and at rest. You can find more information about our security on our security page.
Hi there,
It really depends on how you implement it. Web Crypto API is a low-level interface exposing a set of crypto operations and encryption algorithms available in the browser. FortKnoxster's end-to-end encryption is carefully designed considering the entire security system around it, especially the key management.
One of the many good things about the Web Crypto API is that key material can be imported as non-extractable, meaning it will not be exposed and cannot be extracted directly by the client code. Also, because of the Web Crypto API's underlying implementation, it performs extremely fast compared to other pure JavaScript crypto implementations.
SRI is especially good to ensure code/script integrity for external scripts or other cross-domain resources. The FortKnoxster Web App does NOT rely on any external scripts or other external cross-domain resources. Also, our CSP is strictly configured to only accept code served from the https://web.fortknoxster.com origin over strictly configured HTTPS & TLS and will block any XSS attempts, should one pass our existing strict user input validation and sanitation checks.
However, as an extra layer of protection, we are actually introducing SRI to be required for all our scripts and resources.
Please also check out our related knowledge base articles here:
https://fortknoxster.com/knowledge-base/web-crypto-api-tls-https/
This is what they have to say on this matter on their website:
https://fortknoxster.com/knowledge-base/cross-site-scripting/
> Websites and web applications are vulnerable to XSS attacks typically when
> user inputs are not filtered correctly.
>
> FortKnoxster implements several security measures to make sure our users
> are protected against any kind of XSS attacks, by making sure user inputs
> such as an inbox or chat message are escaped and sanitized before
> displaying it, in the receiver's browser. Furthermore, our web application and
> server configurations have been optimized to set the HTTPOnly cookie flag,
> X-XSS-Protection, and Content-Security-Policy response headers.
>
> Our research in Content Security Policy (CSP) has resulted in a very strict CSP
> configuration, by not allowing any kind of external sources to be loaded
> inside the FortKnoxster environment. You can read more about it here.
I just read your whitepaper ( https://fortknoxster.com/FortKnoxster%20Whitepaper.pdf )
It sure looks to me like you are just creating: 1) a key server (which doesn't need blockchain tech at all, and is done quite well by Keybase, or many other private / for-pay solutions) & 2) a clone of IPFS / Filecoin, which is admittedly really great tech, but why would we think that you would do it better than a bunch of folks who have the hard part (IPFS) up and running, and are proven and way out ahead of you on the incentive / monetization part?
I don't know, maybe you can get some corporate clients because it's "check-box compliant" and lord knows there is a lot of money in that, but this looks to me like something that should be built ON TOP OF other crypto services, and raise funds in a traditional way.
Giving you the benefit of the doubt, you are a normal company that happens to make use of a few cool blockchain things. That's great, but it doesn't mean that you should have an ICO.