Cryptocat 'encrypted' group chats may have been crackable for 7 months

Filed Under: Cryptography, Data loss, Featured, Privacy

CryptocatCryptocat is a free, open-source project aimed at providing secure, encrypted online chat.

On Thursday, the project urged users to update after a security researcher pointed out a vulnerability that may have left group chats easier to crack for the past seven months.

The bug has to do with the way key pairs were generated for Cryptocat’s group chat.

Security expert Steve Thomas, who discovered the hole, wrote on his blog that any users of Cryptocat between 17 October 2011 and 15 June 2013 should assume that their messages were compromised, as well as those of whomever they were talking to.

Cryptocat, for its part, says that the hole was open from versions 2.0 up until (and not including the latest, fixed version) 2.0.42. That period covers seven months, Cryptocat says.

Cryptocat creator and developer Nadim Kobeissi on Friday took to a live stream, broadcast from the SIGINT show in Germany, to address questions about the security hole from audience members and Twitter.

During his 70-minute discussion, Kobeissi owned up to mistakes, including having hired code auditors rather than cryptographers.

But while he made mistakes, the level of anger he's getting is "psychologically abusive," he said.

The level of anger may well have much to do with a false sense of security some have placed in Cryptocat, particularly during the Arab spring, when activists lives were imperiled by their communications.

The search for secure, encrypted communications has persisted, of course, up until the present day.

As it is, it seems as though a day hasn't gone by since early June in which we haven't been presented with yet another revelation about pervasive surveillance by the US's National Security Agency.

But Kobeissi has long warned that Cryptocat is no panacea for surveillance.

Rather, it's a fledgling project that should be used with caution and in conjunction with tools such as Tor.

On Friday, he reiterated that message, saying that Cryptocat isn't a cure for PRISM-like surveillance.

In fact, he said, users may feel an unwarranted sense of security if they believe that it's uncrackable.

From the get-go, Kobeissi has taken great pains to add a dollop of reality to the public's understandable enthusiasm for a free, encrypted web chat service.

Cat on computer. Image courtesy of ShutterstockIn the past, he's said that it would be a tragedy if people were to put themselves in harm's way by using Cryptocat without a realistic idea of the level of protection it provides.

That message of warning, unfortunately, proved prescient, in light of this recent security hole.

May the communications of those who used Cryptocat in its vulnerable versions stay safely undeciphered. May any activists who used the service stay safe from persecution.

For those who choose to continue using Cryptocat, take Kobeissi's message to heart: This is a fledgling project.

Mistakes have been made.

Consider yourself warned, and again, as always, read the fine print when using such a tool.

Images of cat on computer courtesy of Shutterstock.

, , , , , , ,

You might like

One Response to Cryptocat 'encrypted' group chats may have been crackable for 7 months

  1. dubstepcat · 481 days ago

    i wonder how many of these open source programs like truecrypt and such are actually tested my independent security people

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.