In the news;the
encrypted chat app Cryptocat has made it to iPhone and iPad, adding itself to
the growing list of privacy-conscious mobile messaging apps.
“Easily have group conversations with your
friends without fearing monitoring or interception,” reads the app’s
description in Apple’s iTunes Store. “Cryptocat is [a] free, open chat that
aims to provide an open accessible Instant Messaging environment with a
transparent layer of encryption that’s easy to use.”
Unlike other
secure messaging apps — such as Wickr,
TextSecure or Silent Text — Cryptocat doesn’t require fixed usernames or
accounts. Instead, people can create a disposable username and then start a new
conversation or join an existing one.
“There are no buddy lists or account activity
or account history to link back to the user,” lead Cryptocat developer Nadim
Kobeissi wrote on the Cryptocat
blog. “This way, Cryptocat offers a unique ephemerality that makes setting
up encrypted conversations immediate and without any lasting history that can
be traced back to users.”
Cryptocat apps already exist for several web
browsers, including Apple Safari, Google Chrome, Mozilla Firefox and Opera.
There’s also a stand-alone client for Mac OS X. The iOS mobile app can interact
with any other Cryptocat build.
Asked
whether Cryptocat was planning an Android version as well, Kobeissi told Tom’s Guide,
“Yes!”
Asked whether he planned to ever make money
off Cryptocat, Kobeissi, a recent college graduate based in Montreal, said,
“No!”
Cryptocat uses the Off-the-Record Messaging
(OTR) protocol to encrypt its messages, but its developers warn that it’s not
perfect, and it certainly isn’t safe from prying by the National Security
Agency or other intelligence or police services.
“Cryptocat is not a magic bullet,” the
Cryptocat Chrome app warns. “You should never trust any piece of software with
your life. Cryptocat can’t protect you against untrustworthy people or key
loggers, and does not anonymize your connection” as Tor would.
(An anonymizing
Tor plug-in for several chat applications is in the works.)
Jonathan Zdziarski, a Boston-based expert on
extracting data from iOS devices, stressed the Cryptocat iOS app’s limitations
in a review
he posted on the iTunes Store page.
"The app leaves behind a treasure trove
of forensic artifacts that can be lifted from your device if it is ever stolen,
hacked or seized by law enforcement," Zdziarski wrote. "All your past
typing is logged into Apple’s keyboard cache … The app also intentionally
stores the user’s private key, room name, nick[name], buddies and other
identifying information in the configuration file."
"If I could figure this out in just a
couple of minutes," Zdziarski added, "I’m sure bad guys/feds/etc. are
figuring it out too."
Kobeissi told Tom’s Guide that Zdziarski was
aiming at the wrong target.
"His comments ignore the threat
model," Kobeissi said in an email message. "If you seize any iPhone,
surely you can get some data via forensics. Cryptocat’s security goals are
protecting data from interception, not protecting your phone from
forensics."
Last year, serious flaws in Cryptocat
encryption were discovered and patched.
"Every time there has been a security
issue with Cryptocat, we have been fully transparent, fully accountable and
have taken full responsibility for our mistakes," Kobeissi wrote on the
Cryptocat blog following the patch.
Source: YahooTech
No comments:
Post a Comment