This Cute Chat Site Could Save Your Life And Help Overthrow Your Government (Wired)
Posted Jul 29, 2012 2:44 UTC (Sun) by Kit (guest, #55925)
Also, Chrome apps will automatically update themselves, so even if the current version is totally safe, there's no guarantee that it won't update itself 5 minutes later with a version that forwards all your messages to nsa.gov (or evilblackhats.biz). Alternatively, if you manage to disable the auto update, you could end up stuck using a version with known security issues (hardly an ideal situation, either! but that's more so an issue with Chrome's model and sensitive data).
Even ignoring that avenue of attack, the users are still stuck with the classic problem of having to verify the other party's key via some trusted channel. Sadly, Cryptocat doesn't even bother to inform the users of this fact, so most users will probably not even realize they need to take such steps, and will just blindly assume the other party is the person they assume it is (and couldn't POSSIBLY be someone performing a MITM attack). To me, it was non-obvious that you could even retrieve the other party's key by clicking their name.
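The key-verification point in the comment above, as an added example that is not part of the original comment and is not Cryptocat's code: a toy Diffie-Hellman exchange in which a relay swaps in its own public key, showing that the chat still "works" and only an out-of-band fingerprint comparison reveals the substitution. The group parameters, function names and fingerprint format are assumptions made for the illustration.

```python
import hashlib
import secrets

# Toy parameters (assumption): a Mersenne prime, far too small for real use.
P = 2**127 - 1
G = 3

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def fingerprint(pub):
    """Short human-comparable digest of a public key (constructed format)."""
    digest = hashlib.sha256(pub.to_bytes(16, "big")).hexdigest()
    return " ".join(digest[i:i + 4] for i in range(0, 32, 4))

def session(intercepted):
    """Run one key exchange; optionally with a relay substituting its key."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    if intercepted:
        m_priv, m_pub = keypair()
        alice_got, bob_got = m_pub, m_pub      # relay replaces both keys
        # Each victim shares a secret with the relay, so decryption succeeds.
        works = (pow(alice_got, a_priv, P) == pow(a_pub, m_priv, P)
                 and pow(bob_got, b_priv, P) == pow(b_pub, m_priv, P))
    else:
        alice_got, bob_got = b_pub, a_pub
        works = pow(alice_got, a_priv, P) == pow(bob_got, b_priv, P)
    return {
        "channel_works": works,                       # what the users notice
        "alice_own": fingerprint(a_pub),              # read aloud by Alice
        "bob_own": fingerprint(b_pub),                # read aloud by Bob
        "alice_sees_for_bob": fingerprint(alice_got), # shown in Alice's client
        "bob_sees_for_alice": fingerprint(bob_got),   # shown in Bob's client
    }

def verified(s):
    """Out-of-band check: what each client displays must match what the
    peer reads out over a separate trusted channel (phone, in person)."""
    return (s["alice_sees_for_bob"] == s["bob_own"]
            and s["bob_sees_for_alice"] == s["alice_own"])

if __name__ == "__main__":
    for label, flag in (("direct", False), ("intercepted", True)):
        s = session(flag)
        print(label, "| chat works:", s["channel_works"],
              "| fingerprints match:", verified(s))
```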