
This Cute Chat Site Could Save Your Life And Help Overthrow Your Government (Wired)

Posted Jul 31, 2012 8:48 UTC (Tue) by robert_s (subscriber, #42402)
In reply to: This Cute Chat Site Could Save Your Life And Help Overthrow Your Government (Wired) by ekj
Parent article: This Cute Chat Site Could Save Your Life And Help Overthrow Your Government (Wired)

"I've used crypto-cat for something as simple as chatting with friends in Tunisia and Syria about the situation there"

Please don't.

"Crypto-cat ain't perfect."

Well, it ain't secure.

"But it's very likely good enough that the Syrian government does not routinely store the text of our chats, and it would cost them significant effort to get at those texts."

In that way it's no better than obfuscation then.


This Cute Chat Site Could Save Your Life And Help Overthrow Your Government (Wired)

Posted Jul 31, 2012 10:24 UTC (Tue) by ekj (guest, #1524)

Your comment isn't particularly helpful. You say neither why it's a bad idea, nor what one should do instead.

Crypto-cat *does* suffer from quite a few problems, the biggest one I'm aware of being the need to somehow securely exchange keys, and the fact that you need to trust the folks running the website.

But those vulnerabilities exist in all programs - if I download Pidgin with OTR, I need to trust the folks creating Pidgin and running the website I download it from. Yes, I know about signatures on packages, but most Windows users don't, and even then you still need to trust the person signing the package.

Trade-offs are the rule, not the exception, in the real world. It's reasonable to consider crypto-cat more secure than unencrypted chat. By "more secure" in this context, I mean simply: the odds that the government of Syria will read the chat contents are lower.

Ease of use *does* have value, and encrypted chat that works with zero installation is useful -- yes, you need to securely exchange keys, and that's a problem - but it's primarily a problem if you worry about being the victim of a *targeted* attack, and that's not the issue here. The worry is over a passive sweeping attack: passively eavesdropping on everything and grepping for interesting words. Against -that- kind of attack, key exchange is easy.

This Cute Chat Site Could Save Your Life And Help Overthrow Your Government (Wired)

Posted Jul 31, 2012 15:44 UTC (Tue) by avheimburg (guest, #75272)

> and the fact that you need to trust the folks running the website

That's the problem: you need to trust not only the cryptocat site, but also all the hosts between your PC and the cryptocat site and all the hosts between your chat partner's PC and the site.

It's entirely possible for any organization that controls internet access to launch a MITM attack and supply all the people in Syria with a "customized" version of cryptocat that sends a copy of everything said to a computer controlled by the government. And there's no easy way for you to check whether you or your chat partner is thus compromised.

This Cute Chat Site Could Save Your Life And Help Overthrow Your Government (Wired)

Posted Jul 31, 2012 17:06 UTC (Tue) by robert_s (subscriber, #42402)

"and the fact that you need to trust the folks running the website."

The Wired article *itself* (presumably prompted by the cryptocat author) says SSL is "known to be broken". So you _can't_ trust the folks running the website. It's a self-contradiction.

Is _some_ security better than none? Perhaps, but probably only when you're dealing with foes less capable & with fewer resources than a nation state. However if a false sense of security encourages someone to be more loose-lipped and candid, then it can be _very_ dangerous.

A slightly half-baked "some security is better than none" attitude may be fine for you, but I suspect _you're_ not the one that's going to get tortured, the person you're talking to in [dictatorship] _is_.

The problem with cryptocat's message is it is *far* less secure than it purports to be.


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds