Read the story here. Advertise at Before It's News here.
Profile image
By The Monetary Future (Reporter)
Contributor profile | More stories
Story Views
Last hour:
Last 24 hours:

Cryptocat Increases Security In Move Away From JavaScript Web Delivery

% of readers think this story is Fact. Add your two cents.

By Jon Matonis
Monday, July 30, 2012

Announced over the weekend, encrypted chat service Cryptocat will soon be accessible only by downloading a local browser extension for Mozilla Firefox and Google Chrome. Beta release date for version 2 is currently set for August 18th.

This major revision highlights an important and ongoing debate in the market for secure privacy-related software applications. Should convenient usability for a broad non-techie demographic trump
increased tech-savvy security in a world of imperfect and varying
threat models? Responding to feedback from the security and cryptography
communities, developer Nadim Kobeissi justifies the modifications from
web-based app to installed client in the Cryptocat blog,

understand that pushing this change strongly lowers immediate
accessibility to those who don’t have the Chrome or Firefox extension
installed, but we do believe that the security benefits outweigh the
accessibility disadvantages in this case. Installing a Chrome or Firefox
extension is a one-minute process in most cases and affords the user
protection against a variety of threats.”

This is a
positive step especially if the original extension download is from a
known, trusted source and/or verified against a strong cryptographic hash function.
But herein lies the heart of the problem, because the entire web
security architecture rests upon the integrity of the embedded SSL certificate authority (CA)
system. The existing presumption, correct or not, is that original
downloads occur in a relatively safer network environment than recurring
usage. Today, there is no total solution — only the striking of a
satisfactory balance. At the far end of the security spectrum, end users
ideally would verify original download against hashes that were
published or distributed in offline fashion. But does that introduce too
much complexity for the average web surfer? What good are cryptography
and security tools if they’re not used?

Since the temporary detainment of Kobeissi
at the U.S. border in June of this year, the Cryptocat application has
been more publicly visible. With this increased scrutiny comes a renewed
focus on overall security as Cryptocat continues to move beyond
experimental phase.

The Cryptocat Project has always stated that,
with its encrypted instant messaging, it does not protect you against
hardware or software keyloggers and that it does not anonymize you by
default. Although they do offer a Tor hidden service at xdtfje3c46d2dnjd.onion for anonymization.

have also cautioned chat users about potential threats to the web-based
version. Also, client-side JavaScript encryption has its limitations since it would still be susceptible to a server-side code poisoning attack executed either through a man-in-the-middle attack
or the service provider acting maliciously or subject to jurisdictional
court order. This existing vulnerability was the driving factor behind
the above modifications as browser-based crypto is not seen as
sufficient protection from determined State-level actors.

The Cryptocat 2 beta release will deploy transparently as an XMPP client with Off-the-Record Messaging
(OTR) encryption protocol requiring username and password at log in
(although it’s not clear yet if XMPP account will be retained on
server). According to Kobeissi, “We understand that the requirement of a
username and password destroys the capacity to use Cryptocat to set up
instant chat rooms, but we also believe that standardizing Cryptocat
into an XMPP client is worth it.” The industry standard OTR protocol was
chosen for its security and  interoperability with other XMPP clients,
such as Pidgin and Adium.

Privacy advocates should welcome these
fundamental enhancements. I also applaud the fact that Cryptocat drives
the effort for the first working multi-party OTR specification and that they are developing native Cryptocat applications for mobile, including iOS, Android, and BlackBerry.

[Note: Many writers have associated Javascript cryptography to refer to 'browser Javascript' by default. Please see ]



Before It’s News® is a community of individuals who report on what’s going on around them, from all around the world.

Anyone can join.
Anyone can contribute.
Anyone can become informed about their world.

"United We Stand" Click Here To Create Your Personal Citizen Journalist Account Today, Be Sure To Invite Your Friends.

Please Help Support BeforeitsNews by trying our Natural Health Products below!

Order by Phone at 888-809-8385 or online at M - F 9am to 5pm EST

Order by Phone at 888-388-7003 or online at M - F 9am to 5pm EST

Order by Phone at 888-388-7003 or online at M - F 9am to 5pm EST

Humic & Fulvic Trace Minerals Complex - Nature's most important supplement! Vivid Dreams again!

HNEX HydroNano EXtracellular Water - Improve immune system health and reduce inflammation

Ultimate Clinical Potency Curcumin - Natural pain relief, reduce inflammation and so much more.

MitoCopper - Bioavailable Copper destroys pathogens and gives you more energy. (See Blood Video)
Oxy Powder - Natural Colon Cleanser!  Cleans out toxic buildup with oxygen! 
Nascent Iodine - Promotes detoxification, mental focus and thyroid health.
Smart Meter Cover -  Reduces Smart Meter radiation by 96%!  (See Video)

Immusist Beverage Concentrate - Proprietary blend, formulated to reduce inflammation while hydrating and oxygenating the cells.

Report abuse


    Your Comments
    Question   Razz  Sad   Evil  Exclaim  Smile  Redface  Biggrin  Surprised  Eek   Confused   Cool  LOL   Mad   Twisted  Rolleyes   Wink  Idea  Arrow  Neutral  Cry   Mr. Green

    Load more ...




    Email this story
    Email this story

    If you really want to ban this commenter, please write down the reason:

    If you really want to disable all recommended stories, click on OK button. After that, you will be redirect to your options page.