Cryptocat

From Wikipedia, the free encyclopedia

Cryptocat
[Image: Cryptocat chat interface.]
Developer(s): Cryptocat team
Initial release: 19 May 2011 (2011-05-19)
Stable release: 2.1.22 / April 4, 2014 (2014-04-04)
Written in: JavaScript, Objective-C
Operating system: Cross-platform
Available in: English, Arabic, Bulgarian, Burmese, Chinese, Danish, Dutch, Farsi, French, German, Greek, Hebrew, Hungarian, Italian, Japanese, Korean, Latvian, Norwegian, Polish, Portuguese, Romanian, Russian, Slovenian, Spanish, Swedish, Tibetan
Type: Secure communication
License: Affero General Public License
Website: crypto.cat
 

Cryptocat is an open-source web and mobile application intended to allow secure, encrypted online chatting.[1][2] Cryptocat encrypts chats on the client side, only trusting the server with data that is already encrypted. Cryptocat is offered as an app for Mac OS X, as a browser extension for Google Chrome,[3] Mozilla Firefox, Apple Safari and Opera, and as a mobile app for iPhone.

Cryptocat's stated goal is to make encrypted communications more accessible to average users.[4][5] The chat software aims to strike a balance between security and usability -- offering more privacy than services such as Google Talk or Internet Relay Chat, while maintaining a higher level of accessibility than Pidgin.[6]

How it works

Cryptocat uses the Off-the-Record Messaging (OTR) protocol for encrypted private messaging. Since Cryptocat generates new key pairs for every chat, it implements a form of perfect forward secrecy.[7] Cryptocat may also be used in conjunction with Tor to anonymize the client's network traffic. The project also plans to create an embedded version for Raspberry Pi devices, intended for use by non-profits.[8][9] As of July 2013, a Commotion-compatible version was in development.
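
The per-chat key pairs described above, as an added JavaScript (Node.js) example that is not Cryptocat's code or protocol. X25519, HKDF and AES-256-GCM are assumed stand-ins, the function names are hypothetical, and peer authentication is left out. It shows that a key exposed in one chat does not open ciphertext recorded from an earlier one.

```javascript
'use strict';
const crypto = require('node:crypto');

// Fresh key pair for one chat only; never stored or reused.
// Assumption: X25519 stands in for the key agreement, AES-256-GCM for the cipher.
function newChatKeyPair() {
  return crypto.generateKeyPairSync('x25519');
}

// Both sides derive the same 32-byte key from their private key and the peer's public key.
function deriveSessionKey(ownPrivate, peerPublic, chatId) {
  const shared = crypto.diffieHellman({ privateKey: ownPrivate, publicKey: peerPublic });
  return Buffer.from(crypto.hkdfSync('sha256', shared, Buffer.alloc(0), `chat:${chatId}`, 32));
}

function encrypt(key, plaintext) {
  const iv = crypto.randomBytes(12); // unique nonce per message
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

function decrypt(key, { iv, ct, tag }) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);
  decipher.setAuthTag(tag);
  // final() throws if the key is wrong or the ciphertext was altered
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}

// One chat: the server relays only public keys and `wire`; private keys go out of scope on return.
function runChat(chatId, message) {
  const alice = newChatKeyPair();
  const bob = newChatKeyPair();
  const aliceKey = deriveSessionKey(alice.privateKey, bob.publicKey, chatId);
  const bobKey = deriveSessionKey(bob.privateKey, alice.publicKey, chatId);
  const wire = encrypt(aliceKey, message);
  return { wire, received: decrypt(bobKey, wire), key: bobKey };
}

// A key exposed during chat 2 is tried against ciphertext recorded from chat 1.
function demo() {
  const chat1 = runChat('1', 'constructed message one');
  const chat2 = runChat('2', 'constructed message two');
  let oldChatOpened = true;
  try { decrypt(chat2.key, chat1.wire); } catch (err) { oldChatOpened = false; }
  return { received1: chat1.received, received2: chat2.received,
           keysEqual: chat1.key.equals(chat2.key), oldChatOpened };
}
```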

In 2013, Cryptocat's network migrated to Bahnhof, a Swedish web host housed in a mountainous Cold War nuclear bunker, which has also hosted WikiLeaks and The Pirate Bay.[10]

Security concerns

In 2012, following concerns about the security of SSL as a whole, Cryptocat's SSL certificate was pinned in Google Chrome and Chromium.[11]

In June 2013, security researcher Steve Thomas pointed out a security bug that could be used to decrypt any group chat message that had taken place using Cryptocat between September 2012 and April 19, 2013.[12][13] Private messages were not affected, and the bug had been resolved a month prior. After Thomas's research was released, Cryptocat issued a security advisory and requested that all users ensure that they had upgraded.[14] Since 2011, a warning regarding the experimental nature of the project has been in place on the website's front page and within the software itself. The Cryptocat blog posted a warning, informing users that group conversations they had using the software in the past may have been compromised.[15] Despite this, the main Cryptocat website does not warn users about the risk they face from the potential compromise of their past communications.

Some versions of Cryptocat have been questioned for using the browser to encrypt messages,[16] which some researchers feel is less secure than the desktop environment.[17][18][19] More recent versions have relied on browser-native random number generation,[20] which is considered more secure.

Publicity

Cryptocat developer Nadim Kobeissi claims that he was detained and questioned at the U.S. border by the DHS in June 2012 about Cryptocat's censorship resistance. He tweeted about the incident afterwards, resulting in media coverage and a spike in the popularity of Cryptocat.[21][22]

References

  1. Dachis, Adam (9 August 2011). "Cryptocat Creates an Encrypted, Disposable Chatroom on Any Computer with a Web Browser". Lifehacker. Retrieved 8 April 2012.
  2. Giovannetti, Justin (4 February 2012). "Encrypted messages: chatting safely with Cryptocat". OpenFile. Retrieved 8 April 2012.
  3. "Cryptocat on the Chrome Web Store". Chrome.google.com. Retrieved 2012-07-28.
  4. Greenberg, Andy (27 May 2011). "Crypto.cat Aims To Offer Super-Simple Encrypted Messaging". Forbes. Retrieved 8 April 2012.
  5. Curtis, Christopher (17 February 2012). "Free encryption software Cryptocat protects right to privacy: inventor". Montréal Gazette. Archived from the original on February 19, 2012. Retrieved 8 April 2012.
  6. "Using His Software Skills With Freedom, Not a Big Payout, in Mind". New York Times. April 18, 2012.
  7. Cryptocat Multiparty Protocol Specification. Retrieved 2013-12-28.
  8. Knowles, Jamillah (3 March 2012). "Raspberry Pi network plan for online free-speech role". BBC News. Retrieved 8 April 2012.
  9. Kirk, Jeremy (14 March 2012). "Cryptocat Aims for Easy-to-use Encrypted IM Chat". PCWorld. Retrieved 8 April 2012.
  10. Nadim Kobeissi. "Cryptocat Network Now in Swedish Nuclear Bunker". Retrieved 2013-02-09.
  11. Google. "Google Chromium source code commits". Retrieved 2013-09-09.
  12. Steve Thomas. "DecryptoCat". Retrieved 2013-07-10.
  13. Cryptocat Development Blog. "New Critical Vulnerability in Cryptocat: Details". Retrieved 2013-07-07.
  14. Cryptocat Development Blog. "New Critical Vulnerability in Cryptocat: Details". Retrieved 2013-07-07.
  15. Cryptocat Development Blog. "New Critical Vulnerability in Cryptocat: Details". Retrieved 2013-07-07.
  16. "JavaScript crypto in the browser is pointless and insecure."
  17. Matasano Security – Matasano Web Security Assessments for Enterprises
  18. Thoughts on Critiques of JavaScript Cryptography | Nadim Kobeissi
  19. HOPE 9: Why Browser Cryptography Is Bad & How We Can Make It Great on Vimeo
  20. "Mozilla Developer Network – window.crypto.getRandomValues"
  21. Jon Matonis (2012-04-18). "Detaining Developer At US Border Increases Cryptocat Popularity". Forbes. Retrieved 2012-07-28.
  22. "Developer's detention spikes interest in Montreal's Cryptocat". Itbusiness.ca. 2012-06-08. Retrieved 2012-07-28.
