Yalfoosh Kyrne But the user could hypothetically read their old messages if they reverted to an old password, right?
Kyrne Yalfoosh that's correct. This scenario is only if they forget their old password, if they change it while logged in the messages and keys and theoretically be decrypted and then re encrypted. This won't be a feature at launch.
Yalfoosh Kyrne Oooof, this could potentially be a DDoS gateway. I guess when the feature comes we should limit the frequency of password changes, then.
Kyrne Yalfoosh not really, since the client only knows the password (in theory) all the encryption and changes are done on client side then sent to the server. The only thing the server would do on password change is update 2 or 3 rows on the MySQL table.
Yalfoosh Kyrne Ahh, I was under the impression that you decrypt and encrypt all the messages, my bad.