[liberationtech] What I've learned from Cryptocat
Jillian C. York
jilliancyork at gmail.com
Mon Aug 6 18:36:54 PDT 2012
It *is* safer than Facebook, for both the reason Douglas lays out below and
for the fact that *just to have a Facebook account* you're technically
required to use your real name (yes, I know lots of people break this rule,
but it's also something lots of people don't think about).
That said, fair point about Google. Again, not a technologist, so I'm
taking those of you who are on your word at the moment.
On Mon, Aug 6, 2012 at 6:21 PM, Moxie Marlinspike <moxie at thoughtcrime.org> wrote:
>
>
> On 08/06/2012 05:28 PM, Jillian C. York wrote:
> > A /safer /web-based tool than Facebook chat with a GIANT WARNING is far
> > better than everyone continuing to hold their discussions in insecure
> fora.
>
> I think this sentence is really the essence of the problem. Why do you
> assume it's safer?
>
> CryptoCat has the word "crypto" in it, positions itself as a
> cryptography project, and has a stated emphasis on security, so it's
> easy to conclude that whatever it's doing is at least somehow better
> than what Facebook or Google are doing.
>
> However, my position is that Google Chat is currently more secure than
> CryptoCat. To be more specific, if I were recommending a chat tool for
> activists to use, *particularly* outside of the United States, I would
> absolutely recommend that they use Google Chat instead of CryptoCat.
> Just as I would recommend that they use GMail instead of HushMail.
>
> The security of CryptoCat v1 is reducible to the security of SSL, as
> well as to the security of the server infrastructure serving the page.
> Any attacker who can intercept SSL traffic can intercept a CryptoCat
> chat session, just as any attacker who can compromise the server (or the
> server operator themselves) can intercept a CryptoCat chat session.
>
> This effectively means that CryptoCat is not a "cryptography project,"
> in the sense that whatever cryptography it delivers does not affect or
> improve upon the existing attack vectors of chat tools that we're trying
> to "replace" like GChat.
>
> So I believe it comes down to a question of who we trust to provide a
> more secure SSL and server-side infrastructure. No offense to Nadim,
> but at this point I believe that Google does a better job. It'd be
> tough to do better, given the amount of dedicated people and resources
> they have specifically focused on that problem, as well as the amount of
> advanced information they have access to concerning coming SSL attacks,
> etc.
>
> - moxie
>
> --
> http://www.thoughtcrime.org
--
+1-857-891-4244 | jilliancyork.com | @jilliancyork
"We must not be afraid of dreaming the seemingly impossible if we want the
seemingly impossible to become a reality" - *Vaclav Havel*