[liberationtech] What I've learned from Cryptocat

Moxie Marlinspike moxie at thoughtcrime.org
Wed Aug 8 08:38:10 PDT 2012



On 08/08/2012 06:37 AM, liberationtech at lewman.us wrote:
> On Tue, Aug 07, 2012 at 05:18:02PM -0700, erik at sundelof.com wrote 4.7K bytes in 111 lines about:
> :partial defenses using any technology tool. I may feel too strong about
> :tools being discussed as THE solution or THE bulletproof vest so to speak.
> 
> I'm not picking on you Erik, but this comment finally struck me
> about what's bothered me with this debate. There is no such thing as 'the
> bulletproof vest'.

I don't think anyone is saying we want an "ultimate solution."  We have
a set of technologies that we're trying to replace with a more secure
solution (GChat, Facebook, etc...).  It's as simple as looking at the
attack vectors that we're concerned users will experience with these
existing web-based chat solutions and asking the question of whether
CryptoCat improves on any of them.

Again, as I see it, there are three possible vectors for attack with
existing web-based chat solutions:

1) SSL intercept.
2) Server infrastructure.
3) Operator.

These are not theoretical, pie-in-the-sky vectors.  These are things
that are actually happening, are within the state of the art of an
average adversary, and are within the scope of what this type of
technology problem could potentially address.

My analysis is that the CryptoCat technology does not improve any of
these three vectors, and in fact might make the user more at risk to
compromise through #1 and #2 than with existing web-based chat solutions
(GChat, etc...).

So again, I don't believe that those of us who have concerns about
CryptoCat are asking for a "bulletproof vest."  We're not demanding the
"ultimate tool."  To use your analogy, I'm looking for a bulletproof
vest that's at minimum not rated *worse* than GChat, and ideally is
rated some degree higher.

- moxie

-- 
http://www.thoughtcrime.org
----- End forwarded message -----
-- 
Eugen* Leitl http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE




