[liberationtech] What I've learned from Cryptocat

Maxim Kammerer mk at dee.su
Tue Aug 7 08:02:28 PDT 2012


On Tue, Aug 7, 2012 at 4:21 AM, Moxie Marlinspike
<moxie at thoughtcrime.org> wrote:
> However, my position is that Google Chat is currently more secure than
> CryptoCat.  To be more specific, if I were recommending a chat tool for
> activists to use, *particularly* outside of the United States, I would
> absolutely recommend that they use Google Chat instead of CryptoCat.
> Just as I would recommend that they use GMail instead of HushMail.
>
> The security of CryptoCat v1 is reducible to the security of SSL, as
> well as to the security of the server infrastructure serving the page.
> Any attacker who can intercept SSL traffic can intercept a CryptoCat
> chat session, just as any attacker who can compromise the server (or the
> server operator themselves) can intercept a CryptoCat chat session.

Are you equating passive attacks with active attacks? If I understand
how CryptoCat works correctly, it is resistant against passive
interception attacks, whereas Google Chat stores cleartext on Google
servers, which are easily accessible to law enforcement. Active
attacks against SSL can be mitigated by pinning CryptoCat
certificates, so you are left with what, compromise of server
infrastructure? That requires LE jurisdiction where the servers are
located, domain expertise, and dealing with the risk that the
compromise is detected. All that vs. Google servers, which, if I
remember right, provide a friendly interface to user accounts once
served with a simple wiretapping order (and as has been already
mentioned, Google is a multinational corporation, subject to a
multitude of jurisdictions, and is known to bend over for whoever is
in charge).

-- 
Maxim Kammerer
Liberti Linux: http://dee.su/liberte
_______________________________________________
liberationtech mailing list
liberationtech at lists.stanford.edu


----- End forwarded message -----
-- 
Eugen* Leitl leitl http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE