ATTENTION: You are viewing a page formatted for mobile devices; to view the full web page, click HERE.

Main Area and Open Discussion > Living Room

No country for amateurs - the danger of supposedly secure messaging


Cryptocat = fail!

This from ArsTechnica:

Bad kitty! “Rookie mistake” in Cryptocat chat app makes cracking a snap
Programming flaw makes it trivial to bypass crypto used by activists and journalists.

by Dan Goodin - Jul 5, 2013 8:00 pm UTC

Developers of the Cryptocat application for encrypting communications of activists and journalists have apologized for a critical programming flaw that made it trivial for third parties to decipher group chats.

The precise amount of time the vulnerability was active is in dispute, with Cryptocat developers putting it at seven months and a security researcher saying it was closer to 19 months. Both sides agree that the effect of the bug was that the keys used to encrypt and decrypt conversations among groups of users were easy for outsiders to calculate. As a result, activists, journalists, or others who relied on Cryptocat to protect their group chats from government or industry snoops got little more protection than is typically available in standard chat programs. Critics said it was hard to excuse such a rudimentary error in an open-source piece of software held out as a way to protect sensitive communications.

"It was simply a matter of what I would call a fairly rookie mistake," independent security researcher Adam Caudill told Ars. "They didn't understand the data they were working with. Key generation code is one of the most critical parts of a crypto system because it doesn't matter what else you get right if you get that wrong."
--- End quote ---

Where it really gets scary is when you consider this:

Given recent revelations that National Security Agency officers routinely store encrypted communications indefinitely, it's reasonable to assume other governments do the same. That means encrypted data could conceivably be deciphered years or decades after it was intercepted as vulnerabilities are uncovered or as new attacks and faster computers become available.

"This is where an issue like this can be so devastating," Caudill wrote in his own analysis of the Cryptocat blunder. "If those encrypted messages have been saved anywhere—any users engaged in activity that their local government doesn't care for are now at risk."
--- End quote ---

One more thing to worry about...

Yeah. Problem


On a related note, this last bit from The H's report seems of interest:

The Cryptocat developers have since responded with a post on their development blog, expressly thanking Steve Thomas for his effort. According to the developers, the bug didn't affect private chats because it only occurred in group chats with more than two participants.

The incident has also caused embarrassment for the security specialists at Veracode. In February, the Cryptocat team proudly announced that Cryptocat had earned a Veracode Level 2 classification and a Security Quality Score of 100/100.

--- End quote ---

Stoic Joker:
Yes another sterling example of why encryption and magic should not be construed as synonyms.

There seems to be a (feel good) movement in the industry that want's people to believe that as long as X is encrypted it is magically impervious to anything. Frequently these are the same retards that hawk Antivirus Security Suites.

Reality: Encryption is slightly less effective than the car alarm on a Ferrari that is left in a ally in a bad neighborhood overnight. It's flashy, draws attention, and tends to have glass windows.

Bottom line: If you feel that you can't Speak Freely unless the conversation is encrypted...then you cannot speak freely...period.

If you feel that you can't Speak Freely unless the conversation is encrypted...then you cannot speak freely...period. -Stoic Joker (July 06, 2013, 02:07 PM)
--- End quote ---

  Yes, sad isn't it?   :(

There's a saying that every technical problem is really a "people" problem. And if that ever doesn't look to be the case, you'd better look again...

SJ is spot on. The problem isn't lack of adequate encryption. The problem is excessive  monitoring and overzealous surveillance.

Technology won't give us back our freedoms. But it's a damn handy tool for assisting somebody who wants to take them away - if we allow it to happen.


[0] Message Index

Go to full version