Group Chat Vulnerability Discovered in Cryptocat, Project Fixes and Apologizes 83
alphadogg writes "The founder of an eavesdropping-resistant instant messaging application called Cryptocat has apologized over a now-fixed bug that made some types of messages more vulnerable to snooping. Cryptocat, which runs inside a web browser, is an open-source application intended to provide users with a high degree of security by using encryption to scramble messages. But Cryptocat warns that users should still be very cautious with communications and not to trust their life with the application. The vulnerability affected group chats and not private conversations. The encryption keys used to encode those conversations were too short, which in theory made it easier for an attacker to decrypt and read conversations."
The bug report/merge request, and an analysis of the bug (although, in light of the Cryptocat's gracious response, overly acerbic and dismissive of the project).
Why not use OTR? (Score:3)
Re: (Score:1)
Hmm... the one that works and isn't written by a bunch of monkeys, or the one that runs inside a web browser... oh such a tough decision.
Re: (Score:3)
Re: (Score:2)
Re: (Score:2)
+5 +5 +5 +5
you hit the nail on the head. As least some one sees whats happening..
Re: (Score:2)
Nothing overly dismissive there (Score:5, Insightful)
This bug and the history of it point to the cryptocat people being utterly incompetent. It's perfectly possible that they did what they did with the best of intentions and that they reacted as well as they could - that does not change one iota about them being incompetent and that you better don't trust the work of incompetent engineers. It's nice that that civil engineer did not intend to kill anyone and that she helped in rescuing people, but still her incompetence is what caused the bridge to collapse and what makes it reasonable to be suspicious of the other bridges she's responsible for.
Re: (Score:2)
I somewhat suspect that, at this point, they're more competent than you in the matter. They have experience.
It beats sitting on your ass doing nothing.
they might not. after all they named their project so that I thought it's something like netcat with crypto.
it's very web 2.5 though.
Re: (Score:3)
That is not how it works. Designing and implementing crypto correctly requires _understanding_. A test-and-fix approach where somebody else has found the issue, gives you exactly nothing. Experience can help in debugging, but crypto implementation security is not a problem where debugging skills help at all. The problem is that the software fulfills all its functional requirements, i.e. it works. That it can easily be attacked does not cause any crashes or problems that the developer or users can notice whe
Re: (Score:2, Insightful)
Writing crypto apps that manage to use a string of digits as the key instead of the number it represents doesn't contribute to cryptography anything either - if only a lesson "why non-experts shouldn't do cryptography".
You're probably great cook, architect, furniture builder and shoemaker - or you're always keeping quiet about burnt food, leaky roofs, uncomfortable chairs and too tight shoes, right?
Re: (Score:2)
Indeed. Security, and in particular crypto, is different. Experience is of limited value, what is needed is understanding. One problem is that testing is completely useless to find security problems in crypto. Most developers today rely on testing as primary quality analysis tool, and it does not cut it for crypto.
Re:Nothing overly dismissive there (Score:5, Insightful)
Go blow it out your ass, you smug little prick. What have you contributed to cryptography that is so great and awesome?
Probably.. nothing. And that's exactly the point. By contributing nothing he has put nobody's life in danger. Crypto systems are essentially security and safety systems which have to work right. When they are done wrong people think they are safe and take risks they would not take otherwise.
Re: (Score:2)
They do make that clear on their website however.
For myself I'm waiting on peer to peer encrypted chat. That's where things get interesting.
Re: (Score:2)
I am waiting for a peer-to-peer email replacement that solves the issue of trusting companies and data centers on storing and transferring messages.
A few years ago I wrote a peer-to-peer chat application (used an existing java library) for a postgraduate course homework. I wouldn't offer that to public though.
Re: (Score:2)
You'd still need some kind of centralised authentication server for email however, as it's domain related, otherwise it wouldn't be email, just a slower form of chat.
Re:Nothing overly dismissive there (Score:4, Informative)
As it is designed, email is capable of peer-to-peer(ish, if people have their own domains) operation and if people used PGP the messages would be safe in transit. It's not totally decentralized, though, as you still depend on DNS.
More importantly, a shift away from centralized corporate mail servers toward individual (or at least family or co-op) mail servers can happen gradually without relying on the network effect to legitimize a new system.
Re: (Score:3)
Not true. DNS is not strictly needed. If you are paranoid, you can send emails to user@ip_address. That does require a static IP address though and the right configuration at the target MTA, but nothing else.
Re: (Score:2)
The p2p messaging would not use a definite path between source and target and could possibly store the encrypted message parts on other PCs if the receiver's computer is not available.
The IP address could also change (a unique identifier might still be needed though).
Re: (Score:2)
Complete nonsense. You are talking about anonymization techniques, not P2P techniques. Anonymization can be done on top of P2P, but it is something entirely different with different aims, techniques and requirements. Anonymity can also be done without P2P, which clearly shows the concepts are different.
And of course a unique identifier is needed. How would Email be addressed otherwise? That you cannot see that the presence of such an identifier is critical for the system to work clearly shows that you have
Re: (Score:2)
Nonsense is your existence. I was not talking about Anonymization at all. Go back to your freaking hole ass-hole.
Re: (Score:2)
Pathetic. Incompetent and unaware of it.
Re: (Score:2)
Aehm, SMPT is P2P and has always been P2P? Just run your own server. All you need for that is a static IP or a working dynamic DNS resolver. That you have to trust "companies and data centers" is just your own laziness.
It never ceases to amaze me how clueless some people are.
Re: (Score:1)
You don't know anything about P2P , do you?
Emails need domain names and name service and domains are centralized services. The transfer of emails also happen in a deterministic way (i.e. between the source and target servers). It means the email service depends on the existence of the source and target servers at all times.
It never ceases to amaze me how clueless people talk big.
Re: (Score:3)
You are impressively stupid. You managed to get _everything_ wrong. Truly an accomplishment. Have you bothered to look up even one of the things you talk about? Apparently not.
You seem to be unaware that the source and target Mail servers are the source and target of the Email. "Smarthosts" and things like POP3 are a crutch for crippled systems that cannot act as mail-server themselves. And you seem to be unaware of exponential back-off, repeated delivery attempts and secondary MXes. And you are unaware tha
Re: (Score:2)
You are an asshole and a freaking illiterate stupid. And yes, you deserve that freak tag on your name.
I was not suggesting to implement SMTP using P2P. Go back to your stupidity hole.
Re: (Score:2)
Says the one that is not even able to have, maybe, a look at RFC2822....
Re: (Score:2)
At the time I implemented my first SMTP, POP3 and HTTP servers using C (and developed SMTP and POP3 server libraries for Delphi) you were possibly in primary school. Go back to your pathetic hole.
Re: (Score:2)
Meaningless posing. Seems to me you never understood what you were doing (if you are not lying). Implementing something specified by others and actually understanding architectural characteristics and what their effect is are two entirely different things. And you decidedly have not kept up with things.
What also seems to elude you is that your past "accomplishments" are entirely meaningless. (Which is why I do not claim any. So far I could easily blow you out of the water, but that is not how this game work
Re: (Score:2)
Yes, bla bla bla
You don't even understand the basic concepts of P2P.
Re:Nothing overly dismissive there (Score:4, Interesting)
It is a devastatingly simple and obvious bug that any code review would have spotted. It's laughably amateurish.
It's especially egregious after the rant the author (isn't there just one?) went on about Javascript cryptography. Couldn't have happened to a nicer guy.
After all, what's the single biggest challenge in JavaScript cryptography? Random number generation. So what's the FIRST thing you look at when reviewing? Random number generation for keys. And what, pray, is their excuse for not using window.crypto.getRandomValues() with a typed array of bytes, which is guaranteed to be available in every supported browser? What, in fact, is their excuse for not using Uint8Array for carrying keys wherever they go?
Re: (Score:2)
Indeed. That random number generation and use is critical is well-known to anybody with a clue since Netscape messed it up almost 20 years ago (in 1996). Since that time, nobody competent has any excuse to not very carefully scrutinize this part of the system in any review worth the name.
Re: (Score:2)
Indeed. The mistakes made are utter beginners mistakes. Nobody halfway competent in the implementation of cryptography would ever make them, as competent people would have recognized these components as critical for the security of the product. The only other explanation is malicious intent.
Given these two alternatives, the only possible recommendation is "Stay away from this software, do not use it for any purpose."
Where is the HTML5 version of cryptocat? (Score:2)
Does anyone know what happened to the HTML5 (non-plugin) based server-side version of cryptocat?
I don't care if it's less secure than the new plugin-required version.. it will still probably defend against an eavesdropper in my college dorm or at Starbucks.
The really scary thing... (Score:2)
The really ugly 'gotcha', with any attempt at encrypted/obfuscated/steganographic communication, cryptocat included but hardly alone, is storage.
If your adversary is just drinking from the firehose, and lacks the ability to do more than a cursory inspection, all you have to do is be better than their cryptoanalysts today. If they have sufficient storage to archive a nontrivial percentage of what passes by(or their cursory inspection is good enough to classify suspicious encrypted traffic for storage) you ha
Re: (Score:2)
True, you have to stay secure for the length of time the message has value. This varies. If you're the military, and reporting the position of a patrol in the field, this doesn't need to stay secret for very long. (3 days later the info is pretty useless anyway)
Breaktroughs in algorithms makes this hard. You can nest encryption, which means you're safe unless *all* of the levels are cracked, but it's a hassle.
Why not use Skype (Score:1)
It's encrypted end to end and you can totally discuss your plans and share secrets using the instant messaging. For better protection, why not wrap them in a PDF labelled 'secret plans NSA do not read"?
Plus its from a trusted company that never harms their customers, Microsoft, in a country with strong privacy laws, America. So its double plus good private!
Re:A mathematician's apology (Score:5, Insightful)
I don't really want to live in a world where I have to actively hide shit from people or they'll try to take advantage of me
Neither do I, but such is the world we live in. All you can do is accept that the world is a mostly shitty place, deeply appreciate the moments of stunning beauty it offers as well and try to improve your little corner of it.
Re: (Score:2)
Societies are composed of many different kinds of individuals, and each individual can behave in many different ways. You need to protect yourself even if just a small percentage of people in society want to harm you some of the time.
Re: (Score:2)
> I don't really want to live in a world where I have to actively hide shit from people or they'll try to take advantage of me. Lack of privacy is a social problem soluble by bringing up people with a better attitude toward their fellow man, not a technical one soluble with an arms race (which you will lose, btw).
Goodness, you are an optimist. The military, economic, or social advantage to accessing private communications is very large, and the social and economic and political advantages are _tremendou
Re: (Score:2)
Informants can compromise comms; alternatives (Score:1)
So, strategies towards social change are better off being legal and transcendent (e.g. Bucky Fuller's idea of creating alternatives that make the status quo obsolete). So a lot of the focus on encrypted communications misses the big picture of the vast 21st century changes we are seeing towards post-scarcity...
Or as I say here: :-)
http://www.pdfernhout.net/on-dealing-with-social-hurricanes.html [pdfernhout.net]
---
Our biggest advantage is that no one takes us seriously.
And our second biggest advantage is that our communicati
A valuable lesson (Score:2)
The last sentence of this article says it all :
Also I learned that it means nothing when I hear "it is open source and peer reviewed".
The analysis is correct, these people have no clue (Score:3)
The mistakes made are utter beginner's mistakes that nobody even halfway competent with regard to cryptography would make. The only other possibility is that these mistakes were made intentionally.
While it is unclear whether utter cluelessness or devious intent is to blame, this software should not be trusted on any level or for any purpose. Of the people writing it can make this kind of mistake, then there will likely be a number of other mistakes in it that affect security and this piece of trash should be regarded as broken for any purpose.
Doing crypto is not a beginner's game. There are countless ways to get it wrong, and most of them cannot be found by testing, but require in-depth understanding and meticulous analysis of the mechanisms used. And encryption software being OSS only helps if some people with a clue care to review it.
Re: (Score:2)
You gain competence the same way pilots do. They don't get to fly hundreds-of-passengers boeings on their first day either. It's OK to be a crypto beginner. But why do they publish a chat system instead of scribbling around in Cryptool?
If you see someone looking into a loaded shotgun barrel with their finger on the trigger, you don't say "oh, let him learn by trial and error". You take the gun from him, slap him across the face and send him learning the basics.
Re: (Score:2)
You gain competence by studying it, but trying things, etc. Before that you already have to be a pretty good and experienced programmer. People without that skill should not even try, it is a mandatory skill. You cannot learn how to program well doing crypto, crypto has a whole additional set of difficult and subtle requirements.
And no, test-and-fix does not work for crypto. That is not "my rule", but in the very nature of things. The problem is that testing will not show the mistakes for crypto, and hence