

I’m late writing about this one. Cryptocat is a web-based encrypted chat application. After Wired published a pretty fluffy profile on the program and its author, security researcher Chris Soghoian wrote an essay criticizing the unskeptical coverage. Ryan Singel, the editor (not the writer) of the Wired piece, responded by defending the original article and attacking Soghoian.

At this point, I would have considered writing a long essay explaining what’s wrong with the whole concept behind Cryptocat, and echoing my complaints about the dangers of uncritically accepting the security claims of people and companies that write security software, but Patrick Ball did a great job:

CryptoCat is one of a whole class of applications that rely on what’s called “host-based security”. The most famous tool in this group is Hushmail, an encrypted e-mail service that takes the same approach. Unfortunately, these tools are subject to a well-known attack. I’ll detail it below, but the short version is if you use one of these applications, your security depends entirely on the security of the host. This means that in practice, CryptoCat is no more secure than Yahoo chat, and Hushmail is no more secure than Gmail. More generally, your security in a host-based encryption system is no better than having no crypto at all.

EDITED TO ADD (8/14): As a result of this, CryptoCat is moving to a browser plug-in model.

Stripping away the irrelevant gender-bias accusations at the beginning of Singel’s piece, I thought he was making a rather nuanced point that has been missed by much of the attending discussion: absent a realistic threat model, there can be no serious discussion of the security of a system like Cryptocat. If your model is “the government is out to read your mail”, then no, of course you can’t rely on something like this. And, of course, that is the maximalist threat that informs the thinking of people in high-surveillance countries with civil rights issues, as well as cryptosec fundamentalists. But there is another valid model for other people, along the lines of “my abusive ex-husband/boyfriend is trying to stalk me”. For these sorts of purposes, a less impregnable solution can be acceptable, particularly if it is part of a tradeoff that yields greater ease of use for people living under this sort of threat who are not as technically savvy as Soghoian et al. Too often, computer/crypto security is discussed in absolute 1/0 terms, a framework encouraged by theoretical research into cryptanalysis and software security, which yields categorizations of “secure/insecure”, without reference to use. I thought Singel’s piece was a refreshing corrective to this mindset.

Big Data providers such as Google and Facebook continue to amass gigantic amounts of personal information without providing any guarantee of privacy, while encryption remains largely inaccessible. This means that a lot of what you do online is not within your control, but rather susceptible to governmental or corporate interception. Cryptocat aims to bridge the gap for those who need encrypted communications that are easily accessible.

Cryptocat is developed by privacy advocates, for privacy advocates.

Cryptocat is a free, open experiment that aims to provide an open, accessible Instant Messaging environment with a transparent layer of encryption that works right in your browser. Cryptocat aims to leverage both the ease of use and accessibility afforded by web applications and the security provided by client-side cryptography to offer group instant messaging, encrypted file sharing, and more.
