Secure communications

[mjallday]

Occasionally we need to ask customers to provide sensitive information via the dashboard to handle additional underwriting or to follow up with disputes.

Rather than resorting to phone, email, or getting them familiar with public key crypto we should provide a system where they can securely communicate with Balanced.

This could leverage the messaging work happening as part of #463

• Is this tied to email (user) or marketplace?

[coderanger]

Prior art https://otr.cypherpunks.ca/

[podsports]

Is there an enhancement/add-on to ZenDesk that might provide this? Seems the natural place, as many needs for private information will originate through the support channel. I see that you can communicate on the site itself over HTTPS, but that leaves it pretty insecure if its just in the body of the message from that point forward.

[mjallday]

A quick look didn't yield anything from Zendesk

https://support.zendesk.com/entries/192446-Ticket-or-attachment-encryption-once-resolved-for-PCI-DSS-compliance https://support.zendesk.com/entries/20030946-allow-for-pci-compliance-on-selected-custom-fields

You're right tho, ideally there would be a single, unified way for customers to communicate with Balanced.

[coderanger]

Just to echo meatspace convo: A JS implementation of OTR (or possibly even PGP) is an option, but likely IE<11 wouldn't be supported due to lack of a good RNG.

[tarunc]

2 projects that have JS OTR/Encrypted Convos:

• https://github.com/arlolra/otr
• https://github.com/cryptocat/cryptocat