On Mon, Aug 6, 2012 at 6:53 PM, Nadim Kobeissi <nadim@nadim.cc> wrote:

The blog post suggests that becoming a local browser app means that Cryptocat no longer uses JavaScript cryptography. This is nonsense: JavaScript is a *language*, and since browser apps/plugins are written in an HTML5 framework, we will still be using JavaScript to implement cryptographic functions. The only thing that has changed is *the method of code delivery.*

This makes me a little sad. Previously, I understood what cryptocat was for: It was an insecure system, which was still probably significantly more secure than the common default unencrypted system, for use where deployment/usability issues meant it the choice was insecure-hosted-software or totally-insecure-plaintext. Non-server-replaceable systems like OTR were strictly preferable, of course, but in reality aren't ubiquitously used like they ought to be. With it becoming a browser extensionb it seems like it would gain much, although not all, of the usability challenges that precluded using OTR in the first place and in those places where the extension can't be pre-installed we still have short term SSL CA trust challenges (for the on-demand distribution of the extension). It also still retains many of the JS crypto specific technical challenges (no mlock, so no way to prevent long term keying material from hitting disk; generational GC so overwriting can't be trusted to reduce cold boot attack exposure). No doubt you'll find this an unwanted barb when you're already working hard trying to make good software to protect people, and that isn't my intention... but I don't know how to illustrate my confusion otherwise. _______________________________________________ liberationtech mailing list liberationtech@lists.stanford.edu Should you need to change your subscription options, please go to: https://mailman.stanford.edu/mailman/listinfo/liberationtech If you would like to receive a daily digest, click "yes" (once you click above) next to "would you like to receive list mail batched in a daily digest?" You will need the user name and password you receive from the list moderator in monthly reminders. You may ask for a reminder here: https://mailman.stanford.edu/mailman/listinfo/liberationtech Should you need immediate assistance, please contact the list moderator. Please don't forget to follow us on http://twitter.com/#!/Liberationtech ----- End forwarded message ----- -- Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE