![]() Note that if any single member of the chat fails to use the chrome browser extension, it’s as though no one is, effectively. This is the heart of the attack: if the server sends you a special applet that spies on you, all your encrypted data is now wide open.” But it also remembers your passphrase, and sends it secretly back to the host. As usual, it does all the encryption and decryption for you, right on your computer. So if the host wants to attack you, all they need to do is send you a special encryption engine that captures your passphrase the next time you use the service. Remember that the host already has your key. If an attacker can get access to your key and your passphrase, all your encrypted data is now accessible to him. Simplified excerpt of the vulnerability from cited by Schneier: Please don’t trust host-based encryption systems with your mission critical information. This is their attempt to overcome this large security flaw. More generally, your security in a host-based encryption system is no better than having no crypto at all.” This means that in practice, CryptoCat is no more secure than Yahoo chat, and Hushmail is no more secure than Gmail. I’ll detail it below, but the short version is if you use one of these applications, your security depends entirely the security of the host. Unfortunately, these tools are subject to a well-known attack. The most famous tool in this group is Hushmail, an encrypted e-mail service that takes the same approach. “CryptoCat is one of a whole class of applications that rely on what’s called “host-based security”. ![]() ![]() You might want to mention that if you don’t use the chrome extension (or whatever future extensions they offer for other platforms), it might not be very secure. The developers note that it is still an experimental service and that it should be used with that in mind. Here is the rather unorthodox promo video:Ĭryptocat is an easy to use solution which that requires no initial setup, like account creation or public key exchange, to function. I suggest you read the full protocol specification here if you are interested about the technical implementation. Cryptocat now uses the standard XMPP-MUC protocol for multi-user Instant messaging transport.SHA-512 for generating 512-bit message authentication codes, shared secrets and key fingerprints.Curve25519 for Elliptic Curve public key generation.AES-CTR-256 for encryption and decryption.The developers have used the following algorithms and technologies to secure communication between users: Any non leaking VPN or proxy connection should suffice though. The developers suggest TOR to overcome this issue. It also needs to be noted that while chat is encrypted, your IP address is not. While you'd then see the new user in the user list, it may happen that you overlook that at first, or have troubles locating the user if there are lots of users in that chat room. It feels a bit strange that there is no option to password protect a chat room, considering that anyone guessing the name could enter it. Options are available to either chat privately with a select user, or publicly to the whole group of users. You see users who joined it on the right, and the actual messages on the left. The chat room looks like all other chat rooms you may have come across. The service creates an encryption key for you during set up. Instead of having to generate and exchange keys before you can even get started, you simply select the name of a chat room and a user name to connect. Probably the biggest difference to existing secure communication services is the ease of use with which you can get started. CryptocatĬryptocat, available as a browser extension for Firefox, Google Chrome and Safari, may be that alternative. You may use a desktop program for Windows, Mac or Linux instead, or switch to Cryptodog for Chrome which is a fork of the original extension. Note: Cryptocat was discontinued in 2016.
0 Comments
Leave a Reply. |