[ale] OT fyi CryptoCat allows instant easy encrypted chat
JD
jdp at algoloma.com
Fri Aug 2 13:21:35 EDT 2013
Good-enough security is only - good enough - until it is breached. Then, if the
breach happens in a silent way, we can be using completely compromised systems
and not know any better. That seems bad to me.
On 08/02/2013 10:11 AM, Michael Trausch wrote:
> Like anything else, the security that it gives is proportional to one's
> understanding of its application and usage. I have zero experience or knowledge
> of CryptoCat, other than I follow its author on Twitter and I think he might be
> a legitimate white hat individual. But I would not trust the source without
> reading it myself or having had it read by someone whose opinion I trust on such
> matters, such as a real security professional.
>
> Security in today's world is nothing to joke about. The only thing I can say for
> sure is that if a person does not know about security themselves and doesn't
> choose to lean on a trustworthy source for security information, they will be
> compromised at some point without enough mitigation to be safe.
>
> Time tested solutions are also great from a security viewpoint. For example,
> many people have vetted Tor and understand how it works. OpenVPN is a most
> excellent means to privately communicate with a network you control, whether
> personal or corporate. Both are understood and widely deployed and audited. That
> does not ensure or guarantee perfect security, but it increases my confidence
> that it is a truly secure solution.
>
> Sent from my iPhone
>
> On Aug 2, 2013, at 8:46 AM, Pete Hardie <pete.hardie at gmail.com> wrote:
>
>> I've seen some stuff on the net claiming that CryptoCat is not as secure as it
>> claims - YMMV
>>
>> Pete Hardie
>> --------
>> Better Living Through Bitmaps
>>
>>
>> On Thu, Aug 1, 2013 at 7:16 PM, Ron Frazier (ALE)
>> <atllinuxenthinfo at techstarship.com> wrote:
>>
>> Hi all,
>>
>> I wanted to pass along some info about a way to instantly set up an
>> encrypted chat session. I thought this had been on the list before, but I
>> searched my email archive and couldn't find it in the ALE folder. So,
>> please forgive if this has already been mentioned. Maybe I was on another
>> list when it was mentioned.
>>
>> Anyway, CryptoCat is a project that allows you to set up private encrypted
>> peer to peer and group chats almost instantly. It's very quick and easy
>> to use after installing the browser plugin.
>>
>> https://crypto.cat/
>>
>> It's still a work in progress, so you would have to read the docs on the
>> site and determine how much faith you want to put in it.
>>
>> There was a weakness in prior versions from 2.0 - 2.0.42 which weakened
>> the group chat. Private chats were not affected. The blog suggests
>> upgrading to 2.1.* where the problems have been fixed. Apparently there
>> was a weakness in the random number generator.
>>
>> https://blog.crypto.cat/
>>
>> Some people on the DC-404 list recommended not using this for anything too
>> sensitive, and I certainly wouldn't bet my life on it. However, I would
>> use it if I just wanted to do a quick chat that I didn't want snooped on
>> and needed moderate security. I have used it once after someone I was
>> communicating with suggested Skype and I mentioned misgivings about that.
>> The process was very painless and we were chatting to each other within 5
>> minutes after I got the link from him.
>>
>> Here's the link to the Firefox plugin.
>>
>> https://addons.mozilla.org/en-US/firefox/user/kaepora/
>>
>> It also works on Chrome, Safari, and Mac. I guess my IE friends and
>> family are out of luck.
>>