By Jon Matonis
Monday, July 30, 2012
Announced over the weekend, encrypted chat service Cryptocat will soon be accessible only by downloading a local browser extension for Mozilla Firefox and Google Chrome. Beta release date for version 2 is currently set for August 18th.
This major revision highlights an important and ongoing debate in the market for secure privacy-related software applications. Should convenient usability for a broad non-techie demographic trump increased tech-savvy security in a world of imperfect and varying threat models? Responding to feedback from the security and cryptography communities, developer Nadim Kobeissi justifies the modifications from web-based app to installed client in the Cryptocat blog, understand that pushing this change strongly lowers immediate accessibility to those who don’t have the Chrome or Firefox extension installed, but we do believe that the security benefits outweigh the accessibility disadvantages in this case. Installing a Chrome or Firefox extension is a one-minute process in most cases and affords the user protection against a variety of threats.”
This is a positive step, especially if the original extension download is from a known, trusted source and/or verified against a strong cryptographic hash function. But herein lies the heart of the problem, because the entire web security architecture rests upon the integrity of the embedded SSL certificate authority (CA) system. The existing presumption, correct or not, is that original downloads occur in a relatively safer network environment than recurring usage. Today, there is no total solution — only the striking of a satisfactory balance. At the far end of the security spectrum, end users ideally would verify the original download against hashes that were published or distributed in an offline fashion. But does that introduce too much complexity for the average web surfer? What good are cryptography and security tools if they’re not used?
Since the temporary detainment of Kobeissi at the U.S. border in June of this year, the Cryptocat application has been more publicly visible. With this increased scrutiny comes a renewed focus on overall security as Cryptocat continues to move beyond
The Cryptocat Project has always stated that, with its encrypted instant messaging, it does not protect you against hardware or software keyloggers and that it does not anonymize you by default, although they do offer a Tor hidden service at xdtfje3c46d2dnjd.onion for anonymization.
have also cautioned chat users about potential threats to the web-based or the service provider acting maliciously or subject to jurisdictional court order. This existing vulnerability was the driving factor behind the above modifications as browser-based crypto is not seen as sufficient protection from determined State-level actors.
The Cryptocat 2 beta release will deploy transparently as an XMPP client with the Off-the-Record Messaging (OTR) encryption protocol, requiring a username and password at login (although it’s not clear yet if the XMPP account will be retained on the server). According to Kobeissi, “We understand that the requirement of a username and password destroys the capacity to use Cryptocat to set up instant chat rooms, but we also believe that standardizing Cryptocat into an XMPP client is worth it.” The industry-standard OTR protocol was chosen for its security and interoperability with other XMPP clients, such as Pidgin and Adium.
Privacy advocates should welcome these fundamental enhancements. I also applaud the fact that Cryptocat drives the effort for the first working multi-party OTR specification and that they are developing native Cryptocat applications for mobile, including iOS, Android, and BlackBerry.
AT THE INTERSECTION OF FREE BANKING, CRYPTOGRAPHY, AND DIGITAL CURRENCY