Our commitment to absolute security

At Skiff, we're committed to providing a security-first and trusted platform for your work, writing, and ideas. This trust is built on transparency, communication, and openness.

No documents, document titles, messages, or any other sensitive information are ever processed, stored, or even seen in plaintext by our servers. This is achieved using end-to-end encryption, together with additional safeguards including robust authentication methods, out-of-band key verification, and two-step authentication.

Encryption Protocols

Public-key authenticated encryption allows us to securely and privately share access to documents in our security model. Each user is issued a long-term public signing key and a medium- to long-term public encryption key. We use Curve25519 together with xsalsa20-poly1305 for public-key authenticated encryption, and xsalsa20-poly1305 for secret-key authenticated encryption.

Both constructions provide confidentiality and authenticity for the encrypted data (via AEAD envelopes).

Our authenticated encryption with associated data (AEAD) envelope library allows us to embed additional information in the output of encryption functions. While the nacl family of envelope functions (e.g. secretbox) supports only encryption-related metadata (e.g. nonces), our library is more extensible. At Skiff we currently use our AEAD library to validate data versions and types.

Our AEAD library is open sourced here.
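To illustrate what such an envelope binds, here is an added example that is not Skiff's AEAD library (whose wire format this page does not describe): the data type and version travel as authenticated associated data, so a blob sealed as one type or version cannot be opened as another, and any edit to the header fails the tag check. HMAC-SHA256 stands in for xsalsa20-poly1305 because that primitive is not in Python's standard library; the envelope layout and the function names are assumptions.

```python
import hashlib
import hmac
import os
import struct
# Constructed example, not Skiff's library: an envelope binding a data type and
# version to the ciphertext as associated data. HMAC-SHA256 stands in for
# xsalsa20-poly1305 (keystream in counter mode, then an encrypt-then-MAC tag).
NONCE_LEN = 24
TAG_LEN = 32

def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(enc_key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def _header(data_type, version):
    name = data_type.encode()
    return struct.pack(">HB", version, len(name)) + name  # version, name length, name

def seal(key, data_type, version, plaintext):
    """Return header || nonce || ciphertext || tag, with the header authenticated."""
    header, nonce = _header(data_type, version), os.urandom(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), header + nonce + ciphertext, hashlib.sha256).digest()
    return header + nonce + ciphertext + tag

def open_envelope(key, expected_type, expected_version, envelope):
    """Check the tag first, then that type/version match what the caller expects."""
    if len(envelope) < 3:
        raise ValueError("envelope too short")
    version, name_len = struct.unpack(">HB", envelope[:3])
    hdr_len = 3 + name_len
    if len(envelope) < hdr_len + NONCE_LEN + TAG_LEN:
        raise ValueError("envelope too short")
    header, tag = envelope[:hdr_len], envelope[-TAG_LEN:]
    nonce = envelope[hdr_len:hdr_len + NONCE_LEN]
    ciphertext = envelope[hdr_len + NONCE_LEN:-TAG_LEN]
    expected = hmac.new(_subkey(key, b"mac"), header + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    if version != expected_version or header[3:].decode() != expected_type:
        raise ValueError("unexpected data type or version")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))
```

Because the header is covered by the tag, a caller that expects a "document" of version 2 rejects both a forged header and an untampered envelope sealed as a different type or version.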

Secure real-time collaboration

Real-time collaboration among the users a document is shared with is end-to-end encrypted using the document’s session key. On Skiff, collaboration is fully decentralized and performed using a CRDT, which allows each collaborator to maintain an in-browser copy of the document and resolve changes as live document updates are received from other users (who may be distributed around the 🌎).

Public Key Verification

Private communication requires trust in the mechanisms used to receive and verify other users’ public keys. Skiff lets users view and verify other users’ public signing keys through a user interface for “verification phrases”: an encoding of another user’s signing public key.

Security Audits

Skiff's most recent security audit was completed in February 2021; we have regular audits of the platform planned as we design and release additional features.

Outreach, Questions, and Reporting

If you'd like to know more about how our service operates, please see our whitepaper. If you have other questions or concerns, please reach out to us at help@skiff.org. If you've found a bug or want to report a security issue, please contact us at security@skiff.org. Finally, if you have an issue with a particular user or document, please report it from within the application dashboard.