- aes256 > blowfish
- proven and cryptography implementations (like pgp/ssl) > own handmade implementation
- using the right tool for what it`s made > using something twisted
- the current implementation provides encryption, but no kind of authentication (an active man-in-the-middle attacker could store messages and send them later)
Just from what I read, I am not an expert.
That`s why I am about to suggesting to change the implementation off the tcl functions cbc_encrypt and cbc_decrypt.
- ssl has a lot of good cipher and is very well proven and used a lot but would be kinda overkill and only good for active sessions and not offline chats
- pgp is also not very user friendly, you have to learn to create a public and a private key and to give everyone your public key but still seams to be the most secure solution for chats if someone might be offline and the messages stored on a server
- otr looks also very interesting, although it`s not old and proven like pgp it can be very user friendly (users just have to check if a hash is ok over a pre-secure channel)
Just thoughts, discussion, no offence at all. What do you think?