
Cryptocat Considered Harmful: The Root Cause - jonathanmarvens
https://datavibe.net/~sneak/20130717/cryptocat-considered-harmful
======
thirsteh
So make something better that people will actually use--then the question of
what to use will become a no-brainer. "Just use Foo." The "best" alternative
to something like Cryptocat is Pidgin/Adium+OTR plugins, and you can't
seriously claim they're as usable (nor are their implementations actually
perfect.) If not that, then help to fix whatever issues the popular tools
have. (They're open source, after all.)

Make formal security proofs, implement them, open source your prototypes, and
have them vetted by as many cryptographers as possible (so one or two if
you're lucky.) Then figure out how to market your product.

By far the hardest aspect of cryptography engineering is getting people to use
your software in the first place. It doesn't matter how good you are at crypto
if your software is never used.

It's very easy to criticize. Much harder to actually make more secure, more
usable alternatives. (And, ironically, the people who ought to be doing this
the most are much more hesitant to do so since they know of many more subtle
ways to make mistakes.)

~~~
qbproger
[https://heml.is/](https://heml.is/) should be on the way. I've been keeping
an eye on it. It'll be interesting what the security community thinks of it
after release.

There is also TextSecure
([https://whispersystems.org/](https://whispersystems.org/)), but it requires
text messaging.

~~~
thirsteh
Definitely holding off until the open source release (and hopefully it won't
just be dumps of old versions like Silent Circle's.)

Agree that TextSecure and Redphone are great tools, albeit in different
categories, and as far as I can tell their implementations are sound.

------
afreak
Nadim's ego has led him down a path where he believes that what he is doing
is infallible and his critics do not deserve any level of praise--and it is
reinforced by those who do not know any better than he does. You can see this
in any project or startup, but in the case of Cryptocat, we have a situation
where lives are potentially at risk and there is a likelihood that someone has
already been compromised due to his actions.

The "cutesy" icons and flashy colours that Cryptocat displays are really
nothing more than lipstick on a pig.

------
deanclatworthy
As a passive observer of all cryptography discussions on HN, I can't help but
think if security researchers spent as much time on creating usable, secure
software as they did in proving that others' implementations were flawed we'd
be in a much better place.

As a user, I just want to be able to message another person, over the internet
without having to worry about setting up plugins or setting up any kind of
keys. I want to add them to my friend list, click their name, send them a
message and be comfortable in the fact that my communication cannot be
intercepted.

~~~
aaronem
Would you rather use a piece of communications software which purported to be
cryptographically secure, but wasn't, and not know it because no security
researchers spent any effort attempting to prove that its crypto
implementation was flawed?

~~~
thirsteh
> Would you rather use a piece of communications software which purported to
> be cryptographically secure

...than communicate in plain text? Yes.

Where's the alternative? We can have Cryptocat shut down, which is what the
author is suggesting, but then what are we (and by that I really mean people
who currently use Cryptocat) going to do?

~~~
zAy0LfpBZLC8mAC
So, let me put that a bit more clearly:

You would prefer to communicate in plaintext-equivalent where you think nobody
can read it even though in fact everybody can over communicating in plaintext
where you know everybody can read it?

~~~
thirsteh
I wouldn't prefer that, but I'm also not as convinced that Cryptocat is as
"clearly broken" (i.e. plaintext is trivially recoverable) in its current
state as a lot of people on here are. Most of the attacks that I've seen so
far were against the group chat implementation, which, granted, is
significant, but not against the primary component, the OTR chat.

I think it is somewhat naive to believe that _any mechanism_ other than a
one-time pad will absolutely keep your communications safe, and that it's a little
dangerous to insinuate that Cryptocat leaks information about the plaintext
but X or Y doesn't.

------
rudin
Guy creates a blog and his first single post is to discourage someone truly
trying to innovate in the cryptography space (though admittedly more in
usability aspects).

After listening to Glenn Greenwald at the CCC it was quite clear that
cryptography that is easier to use than PGP is really needed in this world (he
almost lost the Snowden story due to it). I think that Nadim needs to be
encouraged. Sure, point out any flaws but aim for constructive feedback.

The points here centre around it being "not good enough". This is a bit of a chicken
and egg problem and isn't really helpful.

~~~
lmm
Don't implement your own crypto. Better people than you have tried and failed.
Everyone should know this by now. If you can innovate on the usability, that's
great, and we really do need that - but build it on top of a well-known,
peer-reviewed protocol like OpenPGP. It's not like it's even any harder than
rolling your own.

~~~
rudin
Definitely. I'm really interested in the progress of OpenPGP.js. It could
possibly replace a lot of the sketchier parts of Cryptocat.

~~~
daeken
Even if it does, it still won't help. Crypto in the browser is like playing
soccer in a minefield: either you don't move or you lose a leg. Either way,
your game is hosed.

The issues are, to put it mildly, insurmountable. The environment is simply
too toxic to trust. Between standard Web security flaws, timing attacks (what
happens when one context can detect the timing of another? Remember, the code
is slow, so your resolution doesn't have to be good), inadequate random number
generators, an inability to securely manage memory (don't want key materials
floating around), etc.

I'd rather trust Bob's Discount Car And Certificate Authority than JS crypto.

~~~
thirsteh
Unfortunately, after the recent revelations this is how I feel about computers
in general :)

------
delinka
I understand the problem here: don't experiment with crypto with your users'
safety in the balance, claiming all the while that they're safe. The sad
reality is that none of his users will ever know that there's a problem until
it's too late.

Slightly off-topic, but this is one of those areas that bugs the hell out of
me, and I don't know the solution. On one hand, security and cryptography
people tell lawmakers and those in authority that crypto is math, anyone can
do it, it's silly to try to regulate it, etc. On the other hand, these same
experts tell the "anyones" of the world _not_ to implement their own crypto,
mistakes are easy to make, correct implementations are hard ...

Here's the kicker for me: If you absolutely should never release another piece
of software that might have bugs that could endanger someone's life, then
you'll never release another piece of software. You can become the greatest
cryptographic implementor on the planet, implement to the current state of the
art, and, in a couple years, still have your work completely obliterated by a
new attack against a cryptosystem that you are using _correctly_.

~~~
thirsteh
I don't think your two examples are contradictory. It _is_ silly to try to
regulate export of strong crypto, and it _is_ difficult to get crypto right.

------
abvdasker
Note that this article simply shits all over Cryptocat without giving any
concrete examples: "has had myriad errors in implementation" and "After being
berated by dozens, repeatedly, because of the myriad flaws". I kept waiting
for Paul to substantiate his criticism or at the very least link to some of
the implementation flaws he keeps trumpeting, but he doesn't. Pointing out
that Cryptocat has tried multiple encryption schemes isn't really evidence in
itself, either.

For all I know this guy could be totally right about Cryptocat, but this is
absolutely not the way to make this kind of statement. It isn't well-reasoned
and it sure as shit isn't informative.

------
endou
A nice quote from Phil Zimmermann from a comment in a post by Schneier which
was posted in a comment to this post:

"I remember a conversation with Brian Snow, a highly placed senior
cryptographer with the NSA. He said he would never trust an encryption
algorithm designed by someone who had not earned their bones by first spending
a lot of time cracking codes. That did make a lot of sense. I observed that
practically no one in the commercial world of cryptography qualified under
this criterion. "Yes", he said with a self-assured smile, "And that makes our
job at NSA so much easier." A chilling thought. I didn't qualify either."

[https://www.schneier.com/blog/archives/2011/04/schneiers_law...](https://www.schneier.com/blog/archives/2011/04/schneiers_law.html#c530393)

edit:

By the way I think that Jeffrey Paul has a relevant point, I think it deserves
to be taken into account. I understand his words can hurt Nadim Kobeissi
nevertheless from my point of view they carry no such will.

------
cwmma
Considered Harmful considered harmful, please use the active voice.

~~~
lotsofcows
"Considered Harmful" is supposed to be humorous, please do not attempt humour
on HN.

~~~
lotsofcows
See?

