Slashdot Mirror


Group Chat Vulnerability Discovered in Cryptocat, Project Fixes and Apologizes

alphadogg writes "The founder of an eavesdropping-resistant instant messaging application called Cryptocat has apologized over a now-fixed bug that made some types of messages more vulnerable to snooping. Cryptocat, which runs inside a web browser, is an open-source application intended to provide users with a high degree of security by using encryption to scramble messages. But Cryptocat warns that users should still be very cautious with communications and not trust their lives to the application. The vulnerability affected group chats and not private conversations. The encryption keys used to encode those conversations were too short, which in theory made it easier for an attacker to decrypt and read conversations." The bug report/merge request, and an analysis of the bug (although, in light of Cryptocat's gracious response, overly acerbic and dismissive of the project).

6 of 83 comments

  1. Nothing overly dismissive there by Anonymous Coward · Score: 5, Insightful

    This bug and the history of it point to the Cryptocat people being utterly incompetent. It's perfectly possible that they did what they did with the best of intentions and that they reacted as well as they could - that does not change one iota about them being incompetent, and that you had better not trust the work of incompetent engineers. It's nice that that civil engineer did not intend to kill anyone and that she helped in rescuing people, but still her incompetence is what caused the bridge to collapse and what makes it reasonable to be suspicious of the other bridges she's responsible for.

    1. Re:Nothing overly dismissive there by Anonymous Coward · Score: 0, Insightful

      I somewhat suspect that, at this point, they're more competent than you in the matter. They have experience.

      It beats sitting on your ass doing nothing.

    2. Re:Nothing overly dismissive there by Anonymous Coward · Score: 0, Insightful

      I like how some idiot with mod points modded your appeal to accomplishment up.

      When you want to add a new wing to your house and your neighbour says "Hey, the architect you hired is utterly incompetent and nothing he built stands longer than a year", I hope you'll stick to your principles and dismiss him with "At this point he's more competent than you, and you haven't even built a shed in your life".

    3. Re:Nothing overly dismissive there by Anonymous Coward · Score: 2, Insightful

      Writing crypto apps that manage to use a string of digits as the key instead of the number it represents doesn't contribute anything to cryptography either - if anything, only a lesson in "why non-experts shouldn't do cryptography".

      You're probably a great cook, architect, furniture builder and shoemaker - or you're always keeping quiet about burnt food, leaky roofs, uncomfortable chairs and too-tight shoes, right?
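As an added illustration of the point about digit strings as keys (example code written for this mirror, not from Cryptocat or the comment author), the following compares a fixed-length key filled with ASCII decimal digits against one built from the number itself, and includes the kind of audit check that catches this bug class; KEY_LEN and all generated values are constructed.

```python
import math
import secrets

KEY_LEN = 32  # bytes of key material the cipher expects (constructed value)


def digit_string_key(n_bytes: int) -> bytes:
    """Flawed pattern: fill the key with random decimal digits and use the
    text itself as key material. Every byte is then 0x30..0x39, so only ten
    values per byte instead of 256 (constructed illustration of the bug class)."""
    return "".join(secrets.choice("0123456789") for _ in range(n_bytes)).encode("ascii")


def number_key(n_bytes: int) -> bytes:
    """Correct pattern: draw the number from the CSPRNG and encode the number
    itself as fixed-width big-endian bytes, not its decimal text."""
    return secrets.randbits(8 * n_bytes).to_bytes(n_bytes, "big")


def is_all_ascii_digits(key: bytes) -> bool:
    """Audit check for key material: every byte being an ASCII digit is a red flag."""
    return len(key) > 0 and all(0x30 <= b <= 0x39 for b in key)


def max_entropy_bits(key: bytes) -> float:
    """Upper bound on a key's entropy from the alphabet its bytes draw on:
    log2(10) bits per byte for a digit string, 8 bits per byte otherwise."""
    per_byte = math.log2(10) if is_all_ascii_digits(key) else 8.0
    return len(key) * per_byte


def strength_report(n_bytes: int = KEY_LEN) -> dict:
    """Compare the two patterns at the same key length (same number of bytes)."""
    weak, strong = digit_string_key(n_bytes), number_key(n_bytes)
    return {
        "weak_bits": round(max_entropy_bits(weak), 1),
        "strong_bits": round(max_entropy_bits(strong), 1),
        "weak_flagged": is_all_ascii_digits(weak),
        "strong_flagged": is_all_ascii_digits(strong),
    }


if __name__ == "__main__":
    # A 32-byte digit-string key is bounded at about 106 bits; 32 random bytes give 256.
    print(strength_report())
```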

    4. Re:Nothing overly dismissive there by rtfa-troll · Score: 4, Insightful

      Go blow it out your ass, you smug little prick. What have you contributed to cryptography that is so great and awesome?

      Probably... nothing. And that's exactly the point. By contributing nothing he has put nobody's life in danger. Crypto systems are essentially security and safety systems which have to work right. When they are done wrong, people think they are safe and take risks they would not take otherwise.

      --
      =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
  2. Re:A mathematician's apology by lxs · Score: 4, Insightful

    I don't really want to live in a world where I have to actively hide shit from people or they'll try to take advantage of me

    Neither do I, but such is the world we live in. All you can do is accept that the world is a mostly shitty place, deeply appreciate the moments of stunning beauty it offers as well and try to improve your little corner of it.