[liberationtech] What I've learned from Cryptocat

Jacob Appelbaum jacob at appelbaum.net
Mon Aug 6 18:40:42 PDT 2012


Eleanor Saitta:
> On 2012.08.06 17.51, Jacob Appelbaum wrote:
>> Jillian C. York:
>>> It's difficult.  I'm not a technologist, but I understand the issues and
>>> the user needs well.  My "type," I'd surmise, is few and far between.
>>>
>>> Security experts have obvious reasons for being conservative, and I get
>>> that.  Nevertheless, there are a lot of users who would benefit from *a
>>> little bit* of added security.  The question, then, as I see it, is:
>>>
>>> *How do we provide that little bit while still making users aware of risks?*
>>
>> The problem is that the little bit is effectively zero.
>>
>> What's the difference between Facebook chat over SSL and Cryptocat over SSL?
>>
>> Without a browser extension/plugin - there is little to no difference.
>>
>> You have to trust the server and the server operator to not be a bad
>> actor in both cases.
> 
> It is true that you have to trust the server operator in both cases.
> However, having a server configuration which does not completely
> compromise user privacy (vs. the operator) by default, like Facebook
> does, is still a significant improvement in many use cases, as is the
> ability to have a diversity of server operators.
> 

That is only true if they play nice.

> If you insist on only permitting tools which offer a mythical "perfect"
> standard of security, you ensure that many at risk users will use
> plaintext tools that offer no security at all.
> 

Perfect? Hardly.

Without the plugin version, I have to trust the server operators in both
cases and not just against bad action but also against compromise, each
time I use it. I think the plugin version is a reasonable middle ground
and I've discussed this with Nadim extensively.

> Yes, it is likely that cryptocat will be broken in a non-plugin version,
> and that people will die because of it.  However, it is also likely that
> cryptocat will save lives, vs. plaintext alternatives, and that a plugin
> version of cryptocat will also be broken at some point, and that people
> will die because of that.
> 

So this is where a lot of people take issue - you say "will be" without
the acknowledgement that SSL has major issues and that it is thus
broken by many actors, right now. At least with the plugin version, we
can try to mitigate that harm right now.

> We need an ecosystem of tools, not a magic bullet.  

Sure, I agree. Which is why I have encouraged Nadim and continue to work
with him on this as well as other projects.

Let's be clear - we don't need another Haystack in our ecosystem.

> The Security
> Community as such has done much good over the years.  However, security
> professionals who are unwilling to acknowledge that different users have
> different needs, that online security exists within a larger
> constellation of risk analysis, and that usability can and often does
> trump pure security even when viewed purely through risk analysis and
> outcomes are doing a grave disservice to both their field and their users.
> 

This software hasn't evolved from those needs specifically - it has
evolved from Nadim wanting to write something in reaction to his
personal dislike of Facebook chat. I admire that goal but I feel like
the great irony there can at least be partially mitigated. Unlike others,
I have actually contributed hundreds of hours to helping Nadim with his
ideas, his project, the mpOTR work and then some. There is a middle
ground to be struck.

> It has been 21 years since PGP was released.  To this day, it remains a
> niche product at best.  Users with real world security concerns rarely
> if ever use encrypted email.  It is exactly this attitude which is to blame.
> 

Right and OTR is the counter example. Will Cryptocat be the middle
ground, where it's perfectly easy to use cryptography but missing key
items that make it safe?

> If you want to continue being irrelevant, go right ahead.  The rest of
> us have real world problems to solve.

It seems that you're speaking generally here because otherwise, it's
unbelievably rude and frankly, silly. For better or worse - I've
contributed countless hours to helping Nadim with Cryptocat.

All the best,
Jake


