|
|
Subscribe / Log in / New account

This Cute Chat Site Could Save Your Life And Help Overthrow Your Government (Wired)

This Cute Chat Site Could Save Your Life And Help Overthrow Your Government (Wired)

Posted Jul 29, 2012 15:48 UTC (Sun) by Kit (guest, #55925)
In reply to: This Cute Chat Site Could Save Your Life And Help Overthrow Your Government (Wired) by robert_s
Parent article: This Cute Chat Site Could Save Your Life And Help Overthrow Your Government (Wired)

The only thing Cryptocat provides you is an in-browser chat client. But, due to the nature of an in-browser (http hosted) chat client, it's virtually impossible to verify the components (since each visit could load a new variant of files, or even entirely new files). So the closest thing Cryptocat provides to an advantage, actually compromises security, and instead you shouldn't leverage that advantage (even according to the creator).

Ease of use is how they try to market Cryptocat... but, to actually use Cryptocat securely, it would be no more effort to use any IM client that supports OTR (or similar) instead (a number support it out of the box, with others having plugins).

to post comments

This Cute Chat Site Could Save Your Life And Help Overthrow Your Government (Wired)

Posted Jul 29, 2012 16:13 UTC (Sun) by xxiao (guest, #9631) [Link] (3 responses)

OTR is not that easy to use esp you need the peer to set up the same thing.
cryptocat can be really useful when you need chat privately from an internet bar, a kiosk, a computer in hotel,etc

This Cute Chat Site Could Save Your Life And Help Overthrow Your Government (Wired)

Posted Jul 30, 2012 4:32 UTC (Mon) by Kit (guest, #55925) [Link]

The few times I've bothered to use OTR, it was incredibly easy to setup (no more difficult than any program). I'd imagine, though, it'd depend hugely on which client you used it with (I'm sure some are absolute nightmares).

> chat privately from an internet bar, a kiosk, a computer in hotel,etc

Exactly who are you wanting privacy from?

If it's the owner (or anyone else that can touch them) of each of those machines, you can simply forget about that to begin with, as a keylogger would easily defeat Cryptocat (and OTR, and everything else that didn't encrypt the data before it entered the computer). For any casual malicious entities on the network (i.e. anyone that can't hijack SSL sessions... so basically anyone that isn't approaching the power of a nation state), then the SSL certificate alone would do a good enough job securing the communication (and many common chat protocols support SSL connections... even IRC!). If you're worried about someone that can hijack SSL sessions, then you're screwed anyways if you're using the website version, which is almost assuredly the version you'd be using on one of those machines.

I'm not really seeing a scenario where Cryptocat actually delivers on the hype.

This Cute Chat Site Could Save Your Life And Help Overthrow Your Government (Wired)

Posted Jul 30, 2012 8:59 UTC (Mon) by robert_s (subscriber, #42402) [Link] (1 responses)

"cryptocat can be really useful when you need chat privately from an internet bar, a kiosk, a computer in hotel,etc"

When was the last time you were able to set up Tor on a machine in an internet bar, a kiosk, or a computer in hotel?

Because from what I'm hearing, the only time cryptocat is actually secure (any more secure than plain old SSL) is when it's being used through Tor.

This Cute Chat Site Could Save Your Life And Help Overthrow Your Government (Wired)

Posted Jul 30, 2012 15:35 UTC (Mon) by raven667 (subscriber, #5198) [Link]

Forget that, an internet bar, kiosk or hotel computer probably has a keylogger on it, either installed by the system owner or by nefarious types. It's not safe to type anything personally identifying, login to any of your services, etc. from this kind of terminal.

This Cute Chat Site Could Save Your Life And Help Overthrow Your Government (Wired)

Posted Jul 31, 2012 7:37 UTC (Tue) by ekj (guest, #1524) [Link] (5 responses)

That's not true. Using crypto-cat is a lot easier than downloading, installing, and configuring a IM-client for OTR-messaging.

I've used crypto-cat for something as simple as chatting with friends in Tunisia and Syria about the situation there, under the circumstances that seems sensible, I don't trust the Syrian government further than I can throw them.

"Go to this website" is a *lot* simpler than "download this IM-client and install it, then sign up for an account *here*, then configure OTR-messaging like *this*, then add me as a "buddy" like *that*, and -then- talk to me."

Crypto-cat ain't perfect. But it's very likely good enough that the Syrian government does not routinely store the text of our chats, and it would cost them significant effort to get at those texts.

This Cute Chat Site Could Save Your Life And Help Overthrow Your Government (Wired)

Posted Jul 31, 2012 8:48 UTC (Tue) by robert_s (subscriber, #42402) [Link] (3 responses)

"I've used crypto-cat for something as simple as chatting with friends in Tunisia and Syria about the situation there"

Please don't.

"Crypto-cat ain't perfect."

Well, it ain't secure.

"But it's very likely good enough that the Syrian government does not routinely store the text of our chats, and it would cost them significant effort to get at those texts."

In that way it's no better than obfuscation then.

This Cute Chat Site Could Save Your Life And Help Overthrow Your Government (Wired)

Posted Jul 31, 2012 10:24 UTC (Tue) by ekj (guest, #1524) [Link] (2 responses)

Your comment isn't particularly helpful. You say neither why it's a bad idea, nor what one should do instead.

crypto-cat *does* suffer from quite a few problems, the biggest one I'm aware of being the need to somehow securely exchange keys, and the fact that you need to trust the folks running the website.

But those vulnerabilities exist in all programs - if I download Pidgin with OTR, I need to trust the folks creating pidgin and running the website I download it from. Yes I know about signatures on packages, but most windows-users don't, and even then you still need to trust the person signing the package.

trade-offs are the rule, not the exception in the real world. It's reasonable to consider crypto-cat more secure than unencrypted chat. With "more secure" in this context, I mean simply: the odds that the government of Syria will read the chat-contents, is lower.

Ease of use *does* have value, and encrypted chat that works with zero installation is useful -- yes you need to securely exchange keys, and that's a problem - but it's primarily a problem if you worry about being the victim of a *targeted* attack, and that's not the issue here, the worry is over passive sweeping passively eavesdropping on everything and grepping for interesting words kind of attack. Against -that- kind of attack, key-exchange is easy.

This Cute Chat Site Could Save Your Life And Help Overthrow Your Government (Wired)

Posted Jul 31, 2012 15:44 UTC (Tue) by avheimburg (guest, #75272) [Link]

> and the fact that you need to trust the folks running the website

That's the problem: You need not only trust the cryptocat site, you need to trust all the hosts between your PC and the cryptocat site and all the hosts between your chat partner's PC and the site.

It's entirely possible for the any organization that controls internet access to launch a MITM-attack and supply all the poeple in Syria with a "customized" version of cryptocat that sends a copy of everything said to a computer controlled by the government. And there's no easy way for you to check whether you or your chat partner is thusly compromised.

This Cute Chat Site Could Save Your Life And Help Overthrow Your Government (Wired)

Posted Jul 31, 2012 17:06 UTC (Tue) by robert_s (subscriber, #42402) [Link]

"and the fact that you need to trust the folks running the website."

The wired article *itself* (presumably prompted by the cryptocat author) says SSL is "known to be broken". So you _can't_ trust the folks running the website. It's a self contradiction.

Is _some_ security better than none? Perhaps, but probably only when you're dealing with foes less capable & with fewer resources than a nation state. However if a false sense of security encourages someone to be more loose-lipped and candid, then it can be _very_ dangerous.

A slightly half-baked "some security is better than none" attitude may be fine for you, but I suspect _you're_ not the one that's going to get tortured, the person you're talking to in [dictatorship] _is_.

The problem with cryptocat's message is it is *far* less secure than it purports to be.

This Cute Chat Site Could Save Your Life And Help Overthrow Your Government (Wired)

Posted Aug 3, 2012 15:41 UTC (Fri) by arafel (subscriber, #18557) [Link]

Please, really don't use it with people in bad regimes like that. From looking at http://www.matasano.com/articles/javascript-cryptography/ - a link I'd urge you to read too - an automated injection of a JavaScript script would be all that's required to defeat CryptoCat entirely.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds