Cryptocat

From Wikipedia, the free encyclopedia
Cryptocat
[Cryptocat logo]
[Screenshot: Cryptocat 2.1.5 chat interface]
Original author(s) Nadim Kobeissi
Developer(s) Cryptocat contributors [1]
Initial release 19 May 2011 (2011-05-19)
Stable release 2.2.2 / June 12, 2014 (2014-06-12)
Written in JavaScript, Objective-C
Operating system Cross-platform
Available in English, Arabic, Bulgarian, Burmese, Catalan, Chinese, Danish, Dutch, Farsi, French, German, Greek, Hebrew, Hungarian, Italian, Japanese, Korean, Latvian, Norwegian, Polish, Portuguese, Romanian, Russian, Slovenian, Spanish, Swedish, Tibetan
Type Secure communication
License Affero General Public License
Website crypto.cat

Cryptocat is an open source web and mobile application intended to allow secure, encrypted online chatting.[2][3] Cryptocat uses end-to-end encryption and encrypts chats on the client side, only trusting the server with data that is already encrypted. Cryptocat is offered as an app for Mac OS X or as a browser extension for Google Chrome,[4] Mozilla Firefox, Apple Safari, Opera and as a mobile app for iPhone.

Cryptocat's stated goal is to make encrypted communications more accessible to average users.[5][6] The chat software aims to strike a balance between security and usability—offering more privacy than services such as Google Talk or Internet Relay Chat, while maintaining a higher level of accessibility than Pidgin.[7] In June 2013, Cryptocat was used by journalist Glenn Greenwald while in Hong Kong to meet NSA whistleblower Edward Snowden for the first time, after other encryption software failed to work.[8] In November 2013, Cryptocat was banned in Iran, shortly after the election of Iran's new president Hassan Rouhani who had promised more open Internet laws.[9]

Cryptocat is developed by the Cryptocat team and is released under the GNU Affero General Public License (AGPLv3). In June 2014, Cryptocat was ranked first in a three-month study evaluating the security and usability of instant messaging encryption software, conducted by the German PSW Group.[10]

Features

Cryptocat allows any desktop with a modern web browser to quickly set up an end-to-end encrypted chat environment. The browser's accessibility is frequently touted by the project as the reason why it chose the platform.[11] Cryptocat is currently compatible with Google Chrome,[4] Mozilla Firefox, Apple Safari, Opera and also offers an application for iOS devices.

Cryptocat uses the Off-the-Record Messaging (OTR) protocol for encrypted private messaging, allowing two parties to chat in private. Cryptocat also uses its own group messaging protocol for group instant messaging conversations. Since Cryptocat generates fresh key pairs for every chat and discards them afterwards, it provides a form of perfect forward secrecy: compromise of a later key does not expose earlier conversations.[12] Cryptocat also offers encrypted file and photo sharing, allowing users to send documents and photos to each other using end-to-end encryption.

Cryptocat may also be used in conjunction with Tor in order to anonymize the client's network traffic. The project also plans to create an embedded version for Raspberry Pi devices, intended for non-profits.[13][14] As of July 2013, a Commotion-compatible version was in development.

Since 2013, Cryptocat has offered the ability to connect to Facebook Messenger to initiate encrypted chatting with other Cryptocat users.[15] The feature was meant to help offer an alternative to the regular Cryptocat chat model which does not offer long-term contact lists:

Effectively, what Cryptocat is doing is benefitting from your Facebook Chat contact list as a readily available buddy list. As a complement to Cryptocat's ephemeral group chat feature, Encrypted Facebook Chat lets you view which of your friends are online and allows you to immediately set up encrypted chat with them. Users will still be able to chat with non-Cryptocat users from within Cryptocat, although those conversations will not be encrypted.

— Cryptocat, Cryptocat, Now with Encrypted Facebook Chat, [16]

Architecture

Encryption

Cryptocat uses the Off-the-Record Messaging (OTR) protocol for encrypted private messaging between two parties. For group messaging, Cryptocat uses its own group chat protocol built on Curve25519 (key agreement), AES-256 (encryption) and HMAC-SHA512 (message authentication), all widely deployed cryptographic primitives. All messages sent in Cryptocat, including group chat messages and file transfers, are end-to-end encrypted: they can be read only by the intended recipients and not by the relay server or by anyone observing the network in transit. Cryptocat aims to provide confidentiality, integrity, authentication and forward secrecy for all conversations, and additionally deniability for file transfers and private OTR chats.

In 2014, Cryptocat changed its user authentication model so that users can verify each other's keys more easily, making man-in-the-middle (MITM) attacks on the key exchange harder to carry out undetected.[17] The changes followed an audit by iSec Partners that criticized the previous authentication model as insufficient.

Network

Cryptocat's network relies on an XMPP BOSH configuration which only relays encrypted messages and does not store any data, according to the project's privacy policy.[18] The project uses ejabberd and nginx to provide the XMPP-BOSH relay. In addition to the Cryptocat client's end-to-end encryption protocols, client-server communication is protected by TLS/SSL.

Cryptocat also publishes its server configuration files and instructions for others to set up their own servers for the Cryptocat client to connect to.[19]

In 2013, Cryptocat's network moved to Bahnhof, a Swedish web host whose data center is housed in a former Cold War nuclear bunker and which has also hosted WikiLeaks and The Pirate Bay.[20]

Security concerns

Some versions of Cryptocat have been questioned for performing encryption in the browser,[21] which some researchers consider less secure than native desktop software, chiefly because the code is delivered by a web server on each use and runs alongside other web content.[22][23][24] More recent versions rely on browser-native random number generation through window.crypto.getRandomValues,[25] which draws from the operating system's cryptographically secure random source rather than from a random number generator implemented in JavaScript.

In 2012, following concerns about the security of the SSL/TLS certificate system as a whole, Cryptocat's SSL certificate was pinned in the built-in pin list of Google Chrome and Chromium, so that those browsers reject a certificate for crypto.cat that does not match the pinned keys even if it was issued by a trusted certificate authority.[26]

In July 2013, security researcher Steve Thomas published details of a bug in Cryptocat's group chat key generation that could be used to decrypt any group chat message exchanged through Cryptocat between September 2012 and 19 April 2013.[27][28] Private (OTR) messages were not affected, and the bug had already been fixed in the 19 April 2013 release, before the disclosure. After Thomas's research was released, Cryptocat issued a security advisory and asked all users to make sure they had upgraded.[28] Since 2011, a warning about the experimental nature of the project has been displayed on the website's front page and within the software itself. The Cryptocat blog posted a warning informing users that group conversations they had held using the software during the affected period may have been compromised.[28]

Publicity

Cryptocat developer Nadim Kobeissi claims that he was detained and questioned at the U.S. border by the DHS in April 2012 about Cryptocat's censorship resistance. He tweeted about the incident afterwards, resulting in media coverage and a spike in the popularity of Cryptocat.[29][30]


References

  1. ^ Cryptocat. "Cryptocat CONTRIBUTING.md". Retrieved 2014-06-22. 
  2. ^ Dachis, Adam (9 August 2011). "Cryptocat Creates an Encrypted, Disposable Chatroom on Any Computer with a Web Browser". Lifehacker. Retrieved 8 April 2012. 
  3. ^ Giovannetti, Justin (4 February 2012). "Encrypted messages: chatting safely with Cryptocat". OpenFile. Retrieved 8 April 2012. 
  4. ^ a b "Cryptocat on the Chrome Web Store". Chrome.google.com. Retrieved 2012-07-28. 
  5. ^ Greenberg, Andy (27 May 2011). "Crypto.cat Aims To Offer Super-Simple Encrypted Messaging". Forbes. Retrieved 8 April 2012. 
  6. ^ Curtis, Christopher (17 February 2012). "Free encryption software Cryptocat protects right to privacy: inventor". Montréal Gazette. Archived from the original on February 19, 2012. Retrieved 8 April 2012. 
  7. ^ "Using His Software Skills With Freedom, Not a Big Payout, in Mind". New York Times. April 18, 2012. 
  8. ^ Greenwald, Glenn (May 13, 2014). No Place to Hide: Edward Snowden, the NSA, and the U.S. Surveillance State. Metropolitan Books. p. 59. ISBN 978-1627790734. Retrieved 22 June 2014. 
  9. ^ Franceschi-Bicchierai, Lorenzo (21 November 2013). "Iran Blocks Encrypted Chat Service Despite Claims of Internet Freedom". Mashable. Retrieved 22 June 2014. 
  10. ^ Christian Heutger. "Die Ergebnisse unseres großen Messenger-Tests" (in German). Retrieved 2014-06-26. 
  11. ^ Cryptocat. "Documenting and Presenting Vulnerabilities in Cryptocat". Retrieved 2014-06-22. 
  12. ^ Cryptocat Multiparty Protocol Specification Retrieved 2013-12-28
  13. ^ Knowles, Jamillah (3 March 2012). "Raspberry Pi network plan for online free-speech role". BBC News. Retrieved 8 April 2012. 
  14. ^ Kirk, Jeremy (14 March 2012). "Cryptocat Aims for Easy-to-use Encrypted IM Chat". PCWorld. Retrieved 8 April 2012. 
  15. ^ Norton, Quinn (12 May 2014). "Cryptocat Creates an Encrypted, Disposable Chatroom on Any Computer with a Web Browser". The Daily Beast. Retrieved 22 June 2014. 
  16. ^ Cryptocat. "Cryptocat, Now with Encrypted Facebook Chat". Retrieved 2014-06-22. 
  17. ^ Cryptocat. "Recent Audits and Coming Improvements". Retrieved 2014-06-22. 
  18. ^ Cryptocat. "Cryptocat Privacy Policy". Retrieved 2014-06-22. 
  19. ^ Cryptocat. "Server Deployment Instructions". Retrieved 2014-06-22. 
  20. ^ Nadim Kobeissi. "Cryptocat Network Now in Swedish Nuclear Bunker". Retrieved 2013-02-09. 
  21. ^ "JavaScript crypto in the browser is pointless and insecure". 
  22. ^ "Matasano Web Security Assessments for Enterprises". Matasano Security. 
  23. ^ Nadim Kobeissi. "Thoughts on Critiques of JavaScript Cryptography". 
  24. ^ "HOPE 9: Why Browser Cryptography Is Bad & How We Can Make It Great". Vimeo. 
  25. ^ "window.crypto.getRandomValues". Mozilla Developer Network. 
  26. ^ Google. "Google Chromium source code commits". Retrieved 2013-09-09. 
  27. ^ Steve Thomas. "DecryptoCat". Retrieved 2013-07-10. 
  28. ^ a b c Cryptocat Development Blog. "New Critical Vulnerability in Cryptocat: Details". Retrieved 2013-07-07. 
  29. ^ Jon Matonis (2012-04-18). "Detaining Developer At US Border Increases Cryptocat Popularity". Forbes. Retrieved 2012-07-28. 
  30. ^ "Developer's detention spikes interest in Montreal's Cryptocat". Itbusiness.ca. 2012-06-08. Retrieved 2012-07-28. 
