
This Cute Chat Site Could Save Your Life And Help Overthrow Your Government (Wired)

Posted Jul 29, 2012 0:33 UTC (Sun) by skybrian (subscriber, #365)
In reply to: This Cute Chat Site Could Save Your Life And Help Overthrow Your Government (Wired) by Kit
Parent article: This Cute Chat Site Could Save Your Life And Help Overthrow Your Government (Wired)

Well, they also have a Chrome app and an Android client - assuming you have a secure way to download it and verify the install. But then you also should verify Chrome, and your OS...


This Cute Chat Site Could Save Your Life And Help Overthrow Your Government (Wired)

Posted Jul 29, 2012 2:44 UTC (Sun) by Kit (guest, #55925)

I've not really looked at Cryptocat in a few months (not since the last time there was a lot of buzz about it), but back then, the Chrome 'app' wasn't entirely self-contained, and was still grabbing a number of resources from remote sites (I don't believe any were JavaScript files, but still more than enough to do tracking and potentially other nasty things).

Also, Chrome apps will automatically update themselves, so even if the current version is totally safe, there's no guarantee that it won't update itself 5 minutes later with a version that forwards all your messages to nsa.gov (or evilblackhats.biz). Alternatively, if you manage to disable the auto-update, you could end up stuck using a version with known security issues (hardly an ideal situation either, but that's more of an issue with Chrome's model and sensitive data).

Even ignoring that avenue of attack, the users are still stuck with the classic problem of having to verify the other party's key via some trusted channel. Sadly, Cryptocat doesn't even bother to inform the users of this fact, so most users will probably not even realize they need to take such steps, and will just blindly assume the other party is the person they assume it is (and couldn't POSSIBLY be someone performing a MITM attack). To me, it was non-obvious that you could even retrieve the other party's key by clicking their name.

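The "verify the other party's key via some trusted channel" step Kit describes is usually done by comparing a short fingerprint of the public key out of band. The following is an added illustration, not Cryptocat's code or anything from the thread: it uses constructed fixed byte strings in place of real public keys, models the chat server as the untrusted channel (optionally substituting its own key, as a man-in-the-middle would), and shows that the in-band exchange looks identical in both cases while the out-of-band fingerprint check is what catches the swap.

```python
"""Out-of-band public-key fingerprint verification (added illustration)."""
import hashlib
import hmac

# Constructed stand-ins for public keys. In a real protocol these would be the
# raw public-key bytes each client generates; fixed values keep the example
# deterministic and offline.
ALICE_PUBKEY = bytes.fromhex("aa" * 32)
BOB_PUBKEY = bytes.fromhex("bb" * 32)
ATTACKER_PUBKEY = bytes.fromhex("ee" * 32)


def fingerprint(pubkey: bytes) -> str:
    """Short, human-comparable digest of a public key.

    SHA-256 of the key bytes, truncated to 20 bytes and grouped into
    4-hex-digit blocks: short enough to read aloud on a phone call or
    compare in person, which is the "trusted channel" the comment refers to.
    """
    digest = hashlib.sha256(pubkey).digest()[:20]
    hex_digest = digest.hex().upper()
    return " ".join(hex_digest[i:i + 4] for i in range(0, len(hex_digest), 4))


def normalize(fp: str) -> str:
    """Drop whitespace and case so a hand-transcribed fingerprint compares cleanly."""
    return "".join(fp.split()).upper()


def matches(received_pubkey: bytes, fingerprint_from_trusted_channel: str) -> bool:
    """True iff the key received over the chat channel has the fingerprint the
    peer confirmed out of band. Constant-time comparison of the two strings."""
    expected = normalize(fingerprint_from_trusted_channel).encode()
    actual = normalize(fingerprint(received_pubkey)).encode()
    return hmac.compare_digest(expected, actual)


def exchange_over_chat(peer_pubkey: bytes, mitm: bool) -> bytes:
    """Model the untrusted chat server delivering Bob's key to Alice.

    With mitm=True the server hands over its own key instead. Nothing about
    the in-band message reveals the substitution; only the out-of-band
    fingerprint comparison can."""
    return ATTACKER_PUBKEY if mitm else peer_pubkey


def alice_accepts_bob(mitm: bool) -> bool:
    """Alice's side: fetch Bob's key through the server, then check it against
    the fingerprint Bob read to her over a channel the server does not control."""
    key_from_server = exchange_over_chat(BOB_PUBKEY, mitm)
    # What Bob reads aloud is derived from *his* real key, so the server
    # cannot influence it.
    fp_bob_read_aloud = fingerprint(BOB_PUBKEY)
    return matches(key_from_server, fp_bob_read_aloud)


if __name__ == "__main__":
    print("Bob's fingerprint:", fingerprint(BOB_PUBKEY))
    print("honest server ->", "accept" if alice_accepts_bob(mitm=False) else "REJECT")
    print("MITM server   ->", "accept" if alice_accepts_bob(mitm=True) else "REJECT")
```

The design point is that the client can compute and display the fingerprint, but it cannot perform the comparison for the user: the value to compare against has to arrive through a channel the chat server cannot tamper with, which is exactly the step a UI that hides the key behind a name click does not prompt for.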

Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds