cryptocat mentioned on wired.com recently...
This Cute Chat Site Could Save Your Life and Help Overthrow Your Government

By Quinn Norton, July 27, 2012 | 12:15 pm | Categories: Conferences, Crypto

Nadim Kobeissi, creator of Cryptocat, spoke in mid-July at the HOPE conference, held at New York's Hotel Pennsylvania every two years. Credit: Quinn Norton/Wired

Twenty-one-year-old college student Nadim Kobeissi is from Canada, Lebanon and the internet. He is the creator of Cryptocat, "a project to combine my love of cryptography and cats," he explained to an overflowing audience of hackers at the HOPE conference on Saturday, July 14.

The site, crypto.cat, has a chunky, 8-bit sensibility, with a big-eyed binary cat in the corner. The visitor has the option to name, then enter a chat. There's some explanatory text, but little else. It's deceptively simple for a web app that can save lives, subvert governments and frustrate marketers. But as little as two years ago such a site was considered to be likely impossible to code.

Cryptocat is an encrypted web-based chat. It's the first chat client in the browser to allow anyone to use end-to-end encryption to communicate without the problems of SSL, the standard way browsers do crypto, or mucking about with downloading and installing other software. For Kobeissi, that means non-technical people anywhere in the world can talk without fear of online snooping from corporations, criminals or governments.

"The fact that you don't have to install anything, the fact that it works instantly, this increases security," he explained, sitting down with Wired at HOPE 9 to talk about Cryptocat, activism and getting through American airports.

To create Cryptocat Kobeissi had to deal with controversies in computer security, usability and geo-politics. When he flies through the US, he's generally had the notorious "SSSS" printed on his boarding pass, marking him for searches and interrogations, which Kobeissi says have focused on his development of the chat client.
Online privacy doesn't have a lot of corporate or governmental fans these days, but Kobeissi has faced controversy before. "During 2010 and 2011 I was a defender of WikiLeaks and the free press in general, and I thought Collateral Murder (the WikiLeaks publication of a controversial helicopter assault video) was a highly significant piece of journalism," he said. He mirrored WikiLeaks content and organized a march in support of the organization during the period in late 2010 when WikiLeaks found itself thrown off of Amazon's hosting service and blocked by credit card companies. "I know for certain that it's contributed to other defenders of WikiLeaks and Bradley Manning being harassed, so it's somewhat likely that I could also be targeted."

Still, Kobeissi points out that he's never been questioned about WikiLeaks, only about Cryptocat. His SSSSs can mean hours of waiting, and Kobeissi says he has been searched, questioned, had his bags and even his passport taken away and returned later. But he's kept his sense of humor about the experience, even joking from the airport on his Twitter account.

Nadim Kobeissi @kaepora: WHAT AN SSSS FOR THE FIFTH TIME IN A ROW HOW COULD THIS HAPPEN I AM SO SURPRISED THIS IS SO SURPRISING pic.twitter.com/ooM1L0I7 (17 Jun 12)

The young and cheerfully sarcastic Kobeissi is somewhat baffled by the border attention. Kobeissi said that in one of his last U.S. trips through Charlotte, NC, "In total I was searched either three or four times, in a single visit. Why? Do bombs materialize? I don't understand," he continued.

If the searches, delays, and interrogations about Cryptocat are an intimidation tactic, they haven't worked. "Dear US Government, I'm from Lebanon," Kobeissi said, laughing. "You don't scare me, you don't understand. My friends were killed in 2008, my house was bombed and my neighborhood ruined. My father was killed in 2006. You don't scare me at all. If you want to scare me, send me for torture in Syria. But you can't anymore, because Syrians are revolting."

A U.S. Customs and Border Protection spokesman declined to comment on Kobeissi's detentions at the border, saying he was prohibited from doing so by privacy laws, though he maintains that it plays nicely with foreigners.

"The United States has been and continues to be a welcoming nation. U.S. Customs and Border Protection not only protects U.S. citizens and lawful permanent residents in the country but also wants to ensure the safety of our international travelers who come to visit, study and conduct legitimate business in our country. Our dual mission is to facilitate travel in the United States while we secure our borders, our people and our visitors from those that would do us harm like terrorists and terrorist weapons, criminals, and contraband. CBP officers are charged with enforcing not only immigration and customs laws, but they enforce over 400 laws for 40 other agencies and have stopped thousands of violators of U.S. law. CBP strives to treat all travelers with respect and in a professional manner, while maintaining the focus of our mission to protect all citizens and visitors in the United States."

To get Cryptocat to the hands of Syrians resisting their government, or Canadians resisting being profiled by marketers, Kobeissi had to build a crypto tool in a place where no crypto tool has ever flourished: your browser.

"You have to make it just as easily accessible as Facebook Chat or Google Talk, which is what I'm trying to do with Cryptocat," he said.

Google, Facebook and an infinite variety of other sites are pushing more functionality into the browser to increase the power of web apps, and the browser has become, for many people, the main interface of their computer. But from a security point of view, the browser has always failed to provide for users, in no way worse than in cryptography.
Encrypting data to keep it away from prying eyes, be they hackers or nations, has proved nearly impossible in the browser, which has relied on one standard to do everything: SSL, which is known to be broken.

The terrible state of browser security plagued Kobeissi in his work to build Cryptocat.

"Browsers are huge, complex, multilayered beasts with lots of moving parts, and every last one of them implements at best some dialect of each of the many standards that a modern browser has to support," said Meredith Patterson, a senior research scientist at Red Lambda. Patterson deals with security and cryptography on an architectural level in her research, and has reviewed and commented on Cryptocat.

Problems like bad browser sandboxing meant that something in one tab could affect a session in a Cryptocat window. No libraries or standards existed to handle normal encryption functions in Javascript. The biggest problem is that delivery of Javascript code from server to browser could be intercepted and modified by breaking the SSL connection without a user ever knowing they were running malicious code.

Kobeissi faced criticism from the security community for even trying, but he persevered. Now more than a year later, "Cryptocat has significantly advanced the field of browser crypto," he said with obvious pride. "We implemented elliptic curve cryptography, (and) a cryptographically secure random number generator in the browser, along with creating a Cryptocat Chrome app to address the code delivery problem."

"I don't think Nadim really knew what he was in for when he started this project, but although it got off to a bumpy start, he's risen to the occasion admirably," said Patterson.

But Kobeissi also knows that it's equally important that Cryptocat be usable and pretty. Kobeissi wants Cryptocat to be something you want to use, not just need to.
Encrypted chat tools have existed for years but have largely stayed in the hands of geeks, who usually aren't the ones most likely to need strong crypto.

"Security is not just good crypto. It's very important to have good crypto, and audit it. Security is not possible without (that), but security is equally impossible without making it accessible."

Patterson agrees with Kobeissi's approach. "As much as it drives all of us nerds batshit, J. Random internet user spends most if not all of her time in the browser, and generally doesn't care to install even a separate email client much less a separate chat client," she said. "If you don't go where the users live, you don't get users. End of story."

Nevertheless, Kobeissi has said repeatedly that Cryptocat is an experiment. Structural flaws in browser security and Javascript still dog the project as it moves toward version 2, scheduled for the end of the year. Cryptocat 2 will be a full Jabber client, allowing for both current style OTR and Multi Party, or mpOTR for group chats. OTR is Off-The-Record messaging, the current gold standard in encrypted chat. (Not to be confused with Google Talk's OTR, which is not encrypted at all.)

Screenshot of the second version of Cryptocat, a Jabber/xmpp client with full OTR support.

He isn't eager to bet his life on his work to date. But in environments like the Arab revolts, he acknowledges that for all of Cryptocat's flaws, it's better than software many people in Arab countries use right now, which can put them in tremendous danger. "If the alternative is Facebook Chat or Google Talk or Skype, please use Cryptocat by all means, but it's still an experiment."

Thus far Cryptocat hasn't penetrated far into the consciousness of the common user, but for some groups in need of secure communications, it's already part of the toolkit.

"High security, simple to use," said an active participant in the internet collective Anonymous, which has faced prosecution and worse the world over.
"If it's a hurry and someone needs something quickly, Cryptocat."

Kobeissi himself grew up in Beirut, Lebanon. Besides authoring the secure chat tool and being a security researcher, he's a political science and philosophy major at Concordia University in Montreal, Canada. His post-college job is set: he'll be developing Cryptocat full time, living on grant money for the project.

He emigrated to Canada after a conversation with his mother, when the then-teenager came to realize he might not live very long in Lebanon, a situation that informed his software design.

He's vocal about his love of his adopted home in Canada, as well about how the internet and games kept him going through the rough times in the war-torn country of his birth: "The happiest things in my childhood were Sega Game Gear and Sega Genesis." It's clear that Cryptocat's distinctive 8-bit feel isn't just a gimmick.

Nowadays he sees himself as coming from two cultures, North American and Middle Eastern, and it gives him a rare perspective on both the need and usefulness of getting crypto into the hands of everyone.

"This is something North Americans don't realize. Here we're exporting cryptography software. Generally, especially in today's context, the Middle East imports cryptographic software, but it's a foreign product. A foreign civilization made it," he said.

He believes that by building Cryptocat with more sensitivity to the pleasures of the user, he can help the people that need secure communications most.

"I want it to be something that has a nice color scheme, that works in your browser, that you can open instantly, that's easily accessible, that has a cat, that has audio notifications, that has desktop notifications," Kobeissi said, "Because these are important security features."

When faced with the torture of using crypto software or the torture of a repressive government, some dissidents have, intentionally or not, opted for the latter.
"I have seen someone who I know knows how to use OTR not use OTR, and get tortured as a result, in Syria. OTR is not accessible, it's not a pleasure to use."

Quinn Norton is a writer and photographer who peripatetically covers net culture, copyright, computer security, intellectual property, body modification, medicine, and biotech.
participants (1)
-
b. brewer