
The admin password in the config is the password on the live server FYI ;-).


Sorry guys. The problem was solved by a server restart. I had uploaded the default config.json file from the public GitHub (https://github.com/AndrewBelt/hack.chat/blob/master/config.j...), realized my error and changed it, but forgot to restart the server.

Regardless of how modern your encryption is, human error will always "fix" that.


The apparent lack of any sort of security practices by the code author should be a signal to the clients of pawnmail [1] that they should find another hosting provider.

[1] - https://pawnmail.com/


It's pretty rational for a proof-of-concept in something as innocuous as chat software to completely ignore security. That doesn't mean the author wouldn't spend time on it for his actual business, the one that generates actual money.

Most people pay attention to the requirements of their specific problem when designing software.


Ehhhh, I don't know... I have lots of proof of concept code that isn't very secure, but have production code that is... Just because a proof of concept isn't crazily secure, doesn't mean that his production stuff is lacking too.


I don't think that's a fair suggestion to make based on a minimal POC.


The author doesn't mention hack.chat as a PoC anywhere. Additionally, it's in the same “Projects” section as pawnmail on his website [1]. So yeah, that's not a PoC in my book.

[1] - http://andrewbelt.name/



