At Skiff, we're committed to providing a security-first and trusted platform for your work, writing, and ideas. This trust is built on transparency, communication, and openness.
No documents, document titles, messages, or other sensitive information are ever processed, stored, or even seen in plaintext by our servers. This is achieved using end-to-end encryption, as well as additional safeguards, including robust authentication methods, out-of-band key verification, and two-step authentication.
Public-key authenticated encryption allows us to securely and privately share access to documents in our security model. Each user is issued a long-term public signing key and a medium- to long-term public key for encryption. We use Curve25519 and xsalsa20-poly1305 for asymmetric public-key authenticated encryption and secret-key authenticated encryption.
Both algorithms ensure confidentiality and authenticity of encrypted data (via AEAD envelopes).
Our authenticated encryption with associated data (AEAD) envelopes library allows us to embed additional information in the output of encryption functions. While the NaCl family of envelope functions (e.g. secretbox) supports only encryption-related metadata (e.g. nonces), our library is more extensible. We currently use our AEAD library at Skiff to validate data versions and types.
Our AEAD library is open sourced here.
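As an added illustration (not Skiff's library or its wire format), the sketch below binds a type and version header to the ciphertext as associated data, so a receiver rejects an envelope that was tampered with or that carries an unexpected type or version. It uses Node's built-in AES-256-GCM in place of xsalsa20-poly1305, and the envelope layout and the names `sealEnvelope` and `openEnvelope` are assumptions.

```javascript
// Added example: hypothetical envelope, not Skiff's library or wire format.
// Layout (assumed): [1-byte header length][header JSON][12-byte nonce][16-byte tag][ciphertext]
const crypto = require('crypto');

function sealEnvelope(key, type, version, plaintext) {
  const header = Buffer.from(JSON.stringify({ type, version }), 'utf8');
  if (header.length > 255) throw new Error('header too long');
  const nonce = crypto.randomBytes(12); // fresh nonce for every message
  const cipher = crypto.createCipheriv('aes-256-gcm', key, nonce);
  cipher.setAAD(header); // header is authenticated but not encrypted
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([Buffer.from([header.length]), header, nonce, cipher.getAuthTag(), ct]);
}

function openEnvelope(key, expectedType, supportedVersions, envelope) {
  const hlen = envelope.length > 0 ? envelope[0] : 0;
  if (envelope.length < 1 + hlen + 12 + 16) throw new Error('envelope truncated');
  const header = envelope.subarray(1, 1 + hlen);
  const nonce = envelope.subarray(1 + hlen, 13 + hlen);
  const tag = envelope.subarray(13 + hlen, 29 + hlen);
  const ct = envelope.subarray(29 + hlen);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, nonce);
  decipher.setAAD(header);
  decipher.setAuthTag(tag);
  // final() throws if the header, nonce, tag or ciphertext was modified.
  const pt = Buffer.concat([decipher.update(ct), decipher.final()]);
  // Only now is the header authenticated, so only now are its fields trusted.
  const { type, version } = JSON.parse(header.toString('utf8'));
  if (type !== expectedType) throw new Error(`unexpected type: ${type}`);
  if (!supportedVersions.includes(version)) throw new Error(`unsupported version: ${version}`);
  return pt;
}

// Constructed sample: a document body sealed as type "document", version 1.
const demoKey = crypto.randomBytes(32);
const sealed = sealEnvelope(demoKey, 'document', 1, Buffer.from('draft text'));
console.log(openEnvelope(demoKey, 'document', [1], sealed).toString());
try {
  openEnvelope(demoKey, 'message', [1], sealed); // same key, wrong expected type
} catch (e) {
  console.log('rejected:', e.message);
}
```

Parsing the header only after the tag verifies keeps unauthenticated input away from the JSON parser and the type and version checks.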
Real-time collaboration among shared users on a document is end-to-end encrypted using the document’s session key. On Skiff, collaboration is fully decentralized and performed using a CRDT, which allows each collaborator to maintain an in-browser copy of the document and perform change resolution as live document updates are received from other users (who may be distributed around the 🌎).
Private communication requires trust in the mechanisms used to receive and verify other users’ public keys. Skiff allows users to view and verify other users’ public signing keys through a user interface for “verification phrases”, an encoding of another user’s signing public key.
Skiff's most recent security audit was completed in February 2021; we have regular audits of the platform planned as we design and release additional features.
If you'd like to know more about how our service operates, please see our whitepaper. If you have other questions or concerns, please reach out to us at firstname.lastname@example.org. If you've found a bug or want to report a security issue, please contact us at email@example.com. Finally, if you have an issue with a particular user or document, please report it from within the application dashboard.