[liberationtech] What I've learned from Cryptocat
Douglas Lucas
dal at riseup.net
Mon Aug 6 18:22:36 PDT 2012
Hi Libtech,
Jillian C. York wrote:
> Security experts have obvious reasons for being conservative, and I
> get that. Nevertheless, there are a lot of users who would benefit
> from *a little bit* of added security. The question, then, as I see
> it, is:
>
> *How do we provide that little bit while still making users aware of
> risks?*
Jacob Appelbaum replied:
> The problem is that the little bit is effectively zero.
>
> What's the difference between Facebook chat over SSL and Cryptocat
> over SSL?
>
> Without a browser extension/plugin - there is little to no difference.
>
> You have to trust the server and the server operator to not be a bad
> actor in both cases.
As an example problem, Facebook chat over SSL is automatically mined by
Facebook for "suspicious" activity to report, as we know. Known bad
actor, known bad server.
Current Cryptocat is neither, though it could become so in case of
server or operator compromise. So Cryptocat currently is a "little bit"
better than "known bad actor, known bad server"; we are discussing
whether that "little bit" makes a significant difference.
Is not Riseup accessed over SSL webmail a comparable analogy to current
Cryptocat? And yet activists without their own .mx trust Riseup, and no
one says there's little to no difference between Facebook email and
Riseup email.
It certainly could be the case that I am missing something!
:-Douglas