[liberationtech] What I've learned from Cryptocat
Gregory Maxwell
gmaxwell at gmail.com
Mon Aug 6 16:28:53 PDT 2012
On Mon, Aug 6, 2012 at 6:53 PM, Nadim Kobeissi <nadim at nadim.cc> wrote:
> The blog post suggests that becoming a local browser app means that
> Cryptocat no longer uses JavaScript cryptography. This is nonsense:
> JavaScript is a *language*, and since browser apps/plugins are written in an
> HTML5 framework, we will still be using JavaScript to implement
> cryptographic functions. The only thing that has changed is *the method of
> code delivery.*
This makes me a little sad. Previously, I understood what cryptocat was for:
It was an insecure system, which was still probably significantly more
secure than the common default unencrypted system, for use where
deployment/usability issues meant it the choice was
insecure-hosted-software or totally-insecure-plaintext.
Non-server-replaceable systems like OTR were strictly preferable, of
course, but in reality aren't ubiquitously used like they ought to be.
With it becoming a browser extensionb� it seems like it would gain
much, although not all, of the usability challenges that precluded
using OTR in the first place and in those places where the extension
can't be pre-installed we still have short term SSL CA trust
challenges (for the on-demand distribution of the extension). It also
still retains many of the JS crypto specific technical challenges (no
mlock, so no way to prevent long term keying material from hitting
disk; generational GC so overwriting can't be trusted to reduce cold
boot attack exposure).
No doubt you'll find this an unwanted barb when you're already working
hard trying to make good software to protect people, and that isn't my
intention... but I don't know how to illustrate my confusion
otherwise.
_______________________________________________
liberationtech mailing list
liberationtech at lists.stanford.edu
Should you need to change your subscription options, please go to:
https://mailman.stanford.edu/mailman/listinfo/liberationtech
If you would like to receive a daily digest, click "yes" (once you click above) next to "would you like to receive list mail batched in a daily digest?"
You will need the user name and password you receive from the list moderator in monthly reminders. You may ask for a reminder here: https://mailman.stanford.edu/mailman/listinfo/liberationtech
Should you need immediate assistance, please contact the list moderator.
Please don't forget to follow us on http://twitter.com/#!/Liberationtech
----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
More information about the cypherpunks-legacy
mailing list