On 08/06/2012 05:28 PM, Jillian C. York wrote:
> A /safer/ web-based tool than Facebook chat with a GIANT WARNING is far
> better than everyone continuing to hold their discussions in insecure fora.
I think this sentence is really the essence of the problem. Why do you assume it's safer? CryptoCat has the word "crypto" in it, positions itself as a cryptography project, and has a stated emphasis on security, so it's easy to conclude that whatever it's doing is at least somehow better than what Facebook or Google are doing.

However, my position is that Google Chat is currently more secure than CryptoCat. To be more specific, if I were recommending a chat tool for activists to use, *particularly* outside of the United States, I would absolutely recommend that they use Google Chat instead of CryptoCat. Just as I would recommend that they use GMail instead of HushMail.

The security of CryptoCat v1 is reducible to the security of SSL, as well as to the security of the server infrastructure serving the page. Any attacker who can intercept SSL traffic can intercept a CryptoCat chat session, just as any attacker who can compromise the server (or the server operator themselves) can intercept a CryptoCat chat session. This effectively means that CryptoCat is not a "cryptography project," in the sense that whatever cryptography it delivers does not affect or improve upon the existing attack vectors of chat tools that we're trying to "replace" like GChat.

So I believe it comes down to a question of who we trust to provide a more secure SSL and server-side infrastructure. No offense to Nadim, but at this point I believe that Google does a better job. It'd be tough to do better, given the amount of dedicated people and resources they have specifically focused on that problem, as well as the amount of advanced information they have access to concerning coming SSL attacks, etc.
- moxie
-- 
http://www.thoughtcrime.org