Cryptocat author for social media gets
2/12/2024

“Browsers are huge, complex, multilayered beasts with lots of moving parts, and every last one of them implements at best some dialect of each of the many standards that a modern browser has to support,” said Meredith Patterson, a senior research scientist at Red Lambda.

Patterson deals with security and cryptography on an architectural level in her research, and has reviewed and commented on Cryptocat. Problems like bad browser sandboxing meant that something in one tab could affect a session in a Cryptocat window. No libraries or standards existed to handle normal encryption functions in Javascript. The biggest problem is that delivery of Javascript code from server to browser could be intercepted and modified by breaking the SSL connection without a user ever knowing they were running malicious code.

Kobeissi faced criticism from the security community for even trying, but he persevered. Now more than a year later, “Cryptocat has significantly advanced the field of browser crypto,” he said with obvious pride. “We implemented elliptic curve cryptography, (and) a cryptographically secure random number generator in the browser,” along with creating a Cryptocat Chrome app to address the code delivery problem.

“I don’t think Nadim really knew what he was in for when he started this project, but although it got off to a bumpy start, he’s risen to the occasion admirably,” said Patterson.

But Kobeissi also knows that it’s equally important that Cryptocat be usable and pretty. Kobeissi wants Cryptocat to be something you want to use, not just need to. Encrypted chat tools have existed for years - but have largely stayed in the hands of geeks, who usually aren’t the ones most likely to need strong crypto. “It’s very important to have good crypto, and audit it. Security is not possible without (that), but security is equally impossible without making it accessible.”

Patterson agrees with Kobeissi’s approach. “As much as it drives all of us nerds batshit, J. Random internet user spends most if not all of her time in the browser, and generally doesn’t care to install even a separate email client - much less a separate chat client,” she said. “If you don’t go where the users live, you don’t get users.”

End of story.”

For the record, the headline on the story, “This Cute Chat Site Could Save Your Life and Help Overthrow Your Government,” and the placement of the section on the tool's experimental nature, were my choices as the editor. I won't apologize for the headline which, though bold, was also accurate.

Moreover, Quinn's first draft had the section that Soghoian thought came too late - about the tool being in its early stages and being vulnerable to certain attacks - starting in the ninth paragraph of a very long piece. I made the decision to move it down, since the piece read much better in a different order. Leading with Kobeissi's background put the software in a different context - the software came across as an expression of a worldview informed by Kobeissi's life in Lebanon and the interrogations he says he's endured at the U.S.

We weren't hiding anything from readers - we write long stories and our readers read them. Soghoian says we failed our readers and put their lives at risk because Cryptocat is made for the "tl;dr crowd". For those who don't know, tl;dr means "Too Long Didn't Read" and is used online to dismissively signal that a story is too long, but often it just demonstrates a person's intellectual laziness.

Notably, the Catholic Church's stance against promoting condoms to prevent HIV relies on the "risk compensation" argument. Oddly, however, Soghoian and others in the security community don't believe in the "risk compensation" argument when it comes to their own work.

For instance, Soghoian is one of the net's biggest proponents of increased use of SSL (encountered on the web as https) as a way to increase user safety.

But SSL is widely known to be vulnerable to the exact same man-in-the-middle attack as Cryptocat. Soghoian knows about this problem and has written extensively about the flaws in SSL, as have the security experts that he prefers to Patterson.