Cryptocat not working
8/15/2023

Cryptocat is a web-based encrypted chat application. After Wired published a pretty fluffy profile on the program and its author, security researcher Chris Soghoian wrote an essay criticizing the unskeptical coverage. Ryan Singel, the editor (not the writer) of the Wired piece, responded by defending the original article and attacking Soghoian.

At this point, I would have considered writing a long essay explaining what’s wrong with the whole concept behind Cryptocat, and echoing my complaints about the dangers of uncritically accepting the security claims of people and companies that write security software, but Patrick Ball did a great job:

CryptoCat is one of a whole class of applications that rely on what’s called “host-based security”. The most famous tool in this group is Hushmail, an encrypted e-mail service that takes the same approach. Unfortunately, these tools are subject to a well-known attack. I’ll detail it below, but the short version is if you use one of these applications, your security depends entirely on the security of the host. This means that in practice, CryptoCat is no more secure than Yahoo chat, and Hushmail is no more secure than Gmail. More generally, your security in a host-based encryption system is no better than having no crypto at all.

EDITED TO ADD (8/14): As a result of this, CryptoCat is moving to a browser plug-in model.

Stripping away the irrelevant gender-bias accusations at the beginning of Singel’s piece, I thought he was making a rather nuanced point that has been missed by much of the attending discussion: absent a realistic threat model, there can be no serious discussion of the security of a system like Cryptocat. If your model is “the government is out to read your mail”, then no, of course you can’t rely on something like this.