Cryptpad is great for collaborative work AND for security.
A) For collaborative work it's an alternative to Etherpad, especially through the possibility of password protection.
B) For security it's great because the data is stored encrypted, so you can use it in unsecure environments, e.g. use any web space provider.
SSL interception
But what about the data transmitted? Nowadays SSL interception is common in companies, so users think and see a valid SSL connection, but it is not. Users can check the SSL certificate to detect this, but then they can only choose to not use Cryptpad from within the company.
So my question is, which data is client encrypted during the transport? I suppose the document data is transported encrypted, but what about:
- user name
- password
- visited URLs (pages, documents)
- (metadata, you name it)
Does Cryptpad rely only on SSL for end to end encryption of communication?
So if SSL is intercepted one can sniff the password and everything?
Or is everything/much of the communication end to end encrypted as well by JavaScript code, so SSL is allowed to be unsecure?