Encryption is vulnerable

[cypherbits]

We changed some time ago the message encryption to use the new, safer and faster AES GCM with libsodium.

But we are reusing the IV/Nonce for the same Key. AES GCM is vulnerable in this cases.
Nonces should be generated for each new message and stored with the message for decryption (a new DB column).

Exploiting this is not that easy, so we should review our threat model and decide or not to change it or maybe just put a warning on the readme...

Got any references to the lines in the files?

[cypherbits]

@zach83 don't understand your question. Everything we encrypt on this chat is done wrong.

Right, so could you show me where on the file everything is getting encrypted?

[DanWin]

That is correct, thanks for pointing it out. Also the encryption in AES GCM with libsodium is not always available. If I for example enable the encryption on a raspberry pi, it will result in a fatal error, because the CPU doesn't provide hardware accelerated AES, which libsodium considers mandatory for security reasons. (see https://www.php.net/manual/en/function.sodium-crypto-aead-aes256gcm-is-available.php)
I'd suggest to switch to the more secure ChaCha20-Poly1305, which is also provided by libsodium and always available. Along with that, we can introduce a per message IV.

[cypherbits]

Should we support both, make a config value? hardware accelerated AES is a lot faster.