An Open Letter to The New York Times December 17, 2016 Dear The New York Times newsroom and information security staff, On December 15, 2016, [1]nytimes.com published a new [2]tips page that offers individuals who want to blow the whistle on newsworthy issues ways to do so without risking their security and privacy. There is no question that this commendable decision, taken by a newspaper of record, is a significant asset towards a more effective free press. The New York Times makes itself available to tipsters via cutting-edge privacy technologies such as [3]SecureDrop and [4]Signal. SecureDrop has been deployed in many of the world's most important newsrooms and has almost certainly aided in the publication of the most ethically significant leaks of this decade. Signal's parent company, Open Whisper Systems, has indirectly allowed more than a billion people access to indisputably strong encryption. Cryptocat's own development was strongly influenced, and has influenced, these tools: we adopted a variant of Signal's encryption protocol in March 2016, which was clearly superior to our own, and our early research on client-side web encryption in 2011 set the stage for SecureDrop and Mailvelope (another recommended tool) to follow in using similar engineering fundamentals, oftentimes by learning through our own early engineering mistakes and thereby avoiding them. Cryptocat was also funded by the same primary backer as SecureDrop, Signal and Mailvelope: the [5]Open Technology Fund, an institution financed by public U.S. taxpayer dollars which supports independent efforts towards a more secure and private Internet. As a side-note, Cryptocat was even [6]featured in a The New York Times article back when it (and myself) were quite young and starting up. Cryptocat does not offer the services of either Signal or SecureDrop: it does not run on mobile devices and its user experience is not directly focused on the anonymous leaking of documents. Cryptocat is desktop software that offers a service similar to Google Talk or Yahoo Messenger: desktop chat with the ability to send large files, video messages, and offline messages. Unlike those services, Cryptocat couples these features with strong encryption, support for multiple devices and [7]advanced security features such as certificate pinning, forward secrecy and future secrecy. When you use Cryptocat, the aim is that we cannot ever decipher the messages and files you communicate. However, The New York Times's tips page also recommends a third tool, [8]PGP, implemented through the Mailvelope browser extension, which allows users to send encrypted emails to The New York Times. The goal is of letter is to petition for Cryptocat's inclusion instead of PGP. PGP does not offer a standard of security that merits its inclusion, while Cryptocat does provide a clearly higher standard of security and privacy than PGP when used under the same use-case. Here is the reasoning behind this claim: Cryptocat vs. PGP: On History It is best to start with the obvious: in the case that Cryptocat was ever considered by The New York Times for their tips page, it was likely almost immediately dismissed due to its history of critical vulnerabilities in [9]different [10]aspects of its engineering during its early development. In 2012 and 2013, Cryptocat fell to regrettable lapses in engineering practices that led to a well-deserved weakening of its reputation. Cryptocat clearly failed its users on multiple occasions, and for the past three years, I have been deeply sorry and regretful for these mistakes and I have dedicated all the effort that is within my capacity to mitigating them and preventing them in the future. Nevertheless, every time these vulnerabilities were reported, Cryptocat responded with full disclosure, immediately issuing security updates and publicly thanking and crediting the security researchers responsible for their discovery. PGP, on the other hand, is a well-studied protocol, owing largely to its initial release in 1991, a clean two decades before Cryptocat's inception. The PGP protocol's maturity notwithstanding, it should be noted that Mailvelope is actually younger than Cryptocat and still uses some of the engineering practices that Cryptocat was often criticized for, such as working inside the web browser and even going further than Cryptocat ever did, by injecting code into web pages that it does not control. Cryptocat recognized these engineering practices as fundamentally unsafe and completely moved away from them in its rewrite this year as a pure desktop application. The truth is that since its complete rewrite in March 2016, Cryptocat has simply adopted engineering fundamentals that are known to be undoubtedly safer than those used by Mailvelope, and has been able to integrate encryption technologies that the ossified PGP protocol cannot hope to accomplish. Furthermore, Cryptocat's new rewrite as a desktop application was undergone during my graduate studies, in an environment where I had the resources to produce dependable software. Cryptocat's rewrite was in fact largely informed by the research I participated in for an upcoming academic publication (Automated Verification for Secure Messaging Protocols and their Implementations: A Symbolic and Computational Approach) that studies secure messaging in detail. This is a stark difference from the first Cryptocat, which was developed as one of my very first programming projects when I was twenty years old. Judging the new Cryptocat desktop application on the basis of the older Cryptocat browser extension is as legitimate as judging a Boeing 747 on the basis of the performance of the Wright Brothers' first functioning aeroplane. This sort of comparison must not be the benchmark with which security software is evaluated. It is true that PGP remains more aged than Cryptocat. But we are not in the business of fine wine here; Signal, SecureDrop and any other tool worth using is not only younger than PGP but younger than Cryptocat itself. We should judge based on engineering merit, not on age. And when past reputation is concerned, I believe that Cryptocat has honestly done the work to obtain full merit for its excellence in moving past its early blunders into dependable software. Cryptocat vs. PGP: On Cryptographic Security In PGP, all emails ever sent by a tipster are encrypted with one single private key, which is kept indefinitely on the user's computer. This private key can only be changed or reset via a manual and relatively obscure process. Whenever this is done, the user's new public key must be communicated manually to all of its contacts. If this single private key is ever compromised, all of that user's prior communications, emails and attachments are forever compromised. If a user wants to use their same PGP identity on multiple devices, the compromise of one device compromises all of their past communications from all of their devices. In [11]"What's the Matter with PGP?", Matthew Green writes: “For all the good PGP has done in the past, it’s a model of email encryption that’s fundamentally broken. It’s time for PGP to die. [...] A PGP critic is just a PGP user who’s actually used the software for a while. At this point so much potential in this area and so many opportunities to do better. It’s time for us to adopt those ideas and stop looking backwards.” Cryptocat is cryptographically superior to PGP in almost every respect: * No Long-Term Encryption Key: By basing its cryptography on the innovative [12]Double Ratchet algorithm, Cryptocat's [13]chat encryption generates a fresh encryption key for every message. The theft of a device therefore only compromises the last small handful of messages, and only allows the user to impersonate the victim's device until that key is disassociated from the user's account. * Forward and Future Secrecy: If, at any point, the state of the encryption keys for a conversation is compromised, the conversation's security will self-heal with fresh key material, preventing the compromise of any past or future messages. * Multi-Device Support: Cryptocat supports linking multiple devices to a user's account through its implementation of the [14]OMEMO standard. Cryptocat extends this to allow recipients to authenticate contacts on a per-device basis and to see which device was used to send a particular message. If a device's identity keys are stolen, only that device may be impersonated, and the owner may unlink it from their Cryptocat account using any other device. To be clear, no one is claiming that Cryptocat is invincible. But all empirical analysis of the current cryptographic protocol indicates that it stands a better chance than PGP in terms of surviving a compromise or an active attacker. Cryptocat vs. PGP: On Metadata Let's assume a scenario in which someone is listening on the tipster's Internet connection. If the tipster uses PGP, the following information will be leaked: * Email Address: The tipster will need to sign up for an email account. This is more likely than not to be a semi-permanent indentifer, since obtaining an email account without some kind of SMS verification is becoming increasingly restricted by major providers such as Gmail and Microsoft. The email service provider will then log IP addresses used to log into that email, which email addresses sent tips to a The New York Times email address, and more. If the tipster uses their regular email address, they are almost certainly in trouble. * Key Metadata: PGP keys carry a significant amount of metadata, including the PGP version used to encrypt the message, the date the key was created, and much more. In order to correctly authenticate a PGP key, more identifying information might have to exist in order to convincingly correlate a key to an owner. With Cryptocat, users can [15]create random, one-time-use usernames without needing to provide a phone number or email address, or anything really. The only metadata the Cryptocat server sees is that a random username was used to send a message to The New York Times's account. The Cryptocat server does not retain any other information, including account creation time, IP addresses used to login, or anything else. Someone spying on the tipster's network will only be able to see that the tipster at some point used Cryptocat, but cannot identify which username the tipster used, or with whom the tipster communicated. Once the tip is communicated, Cryptocat users may choose to [16]delete their account, which completely erases any trace of the account on Cryptocat's servers. Once again, the hard, concrete facts indicate that Cryptocat is superior to PGP in terms of metadata. However, it should still be noted that Cryptocat, PGP and the other softare recommended by The New York Times still leak substantially more metadata than SecureDrop: tipsters with a strong metadata-related concern should consider using SecureDrop instead. Cryptocat vs. PGP: On Usability PGP is notorious for how painful it is to use. Cryptographers almost unanimously consider its usability to be the source of mistakes that can jeopardize user security within the first email they attempt to send. Aside from Matthew Green's above-quoted post on PGP, Signal's original programmer also had [17]this to say: When I receive a PGP encrypted email from a stranger, though, I immediately get the feeling that I don’t want to read it. [...] PGP is a technology dead end [...] In the 1990s, I was excited about the future, and I dreamed of a world where everyone would install PGP. Now I’m still excited about the future, but I dream of a world where I can uninstall it. When using PGP, users must manually set up email clients and PGP plugins, all of varying degrees of quality and dependability. They must sign up with an email provider that might not respect their rights to privacy. They must manually generate PGP key pairs and communicate them to their third party, or upload them to a "key server" for out-of-band authentication. Finally, they must manually download and import the recipient's public key. In comparison, using Cryptocat involves downloading the client, signing up, registering your device, adding your recipient as a buddy and sending a message (after optionally verifying their device list via a friendly user interface). Unlike PGP, the workflow is almost exactly similar to that of popular applications such as Skype, therefore, there is crucially less room for the user to make a mistake. Aside from having less room for failure, Cryptocat also simply offers more features: support for multiple devices, each with a separate identity. Online and offline messaging. File sharing with file sizes of up to 200MB, which is far beyond what email attachments allow. And while this might be less useful for tipsters, Cryptocat also allows users to record video messages right from within their chat window. Cryptocat: Not Perfect but the Clear Better Choice All software will have bugs. No solution is bulletproof. All of the tools currently mentioned on the tips page of The New York Times has had vulnerabilities of varying severity, and security updates are, therefore, a fact of life for any software that we use and that matters. However, when we dare to discern, when we judge based on fact and science, we can clearly understand that Cryptocat is a better choice than PGP. In line with the [18]Cryptocat Mission Statement, Cryptocat will strive to be dependable software that deserves to be the conduit between some of the world's best journalists and stories that might change our lives. I ask the staff at The New York Times, with the most sincere good faith and the most serious intent to replace PGP with Cryptocat. Over its six years of development, it has matured into dependable software. It is the better choice. Signed, [19]Nadim Kobeissi Cryptocat software programmer [20]https://crypto.cat/news.html#nytltr References 1. https://nytimes.com/ 2. https://www.nytimes.com/newsgraphics/2016/news-tips/ 3. https://securedrop.org/ 4. https://whispersystems.org/ 5. https://www.opentech.fund/ 6. http://www.nytimes.com/2012/04/18/nyregion/nadim-kobeissi-creator-of-a-secure-chat-program-has-freedom-in-mind.html 7. https://crypto.cat/security.html 8. http://openpgp.org/ 9. http://arstechnica.com/security/2013/07/bad-kitty-rooky-mistake-in-cryptocat-chat-app-makes-cracking-a-snap/ 10. https://nakedsecurity.sophos.com/2013/07/09/anatomy-of-a-pseudorandom-number-generator-visualising-cryptocats-buggy-prng/ 11. https://blog.cryptographyengineering.com/2014/08/13/whats-matter-with-pgp/ 12. https://whispersystems.org/docs/specifications/doubleratchet/ 13. https://crypto.cat/security.html 14. https://conversations.im/omemo/ 15. https://crypto.cat/create 16. https://crypto.cat/help.html#deleteAccount 17. https://moxie.org/blog/gpg-and-me/ 18. https://crypto.cat/mission.html 19. https://nadim.computer/ 20. https://crypto.cat/news.html#nytltr