Slashdot Mirror


Group Chat Vulnerability Discovered in Cryptocat, Project Fixes and Apologizes

alphadogg writes "The founder of an eavesdropping-resistant instant messaging application called Cryptocat has apologized over a now-fixed bug that made some types of messages more vulnerable to snooping. Cryptocat, which runs inside a web browser, is an open-source application intended to provide users with a high degree of security by using encryption to scramble messages. But Cryptocat warns that users should still be very cautious with communications and not trust their lives to the application. The vulnerability affected group chats and not private conversations. The encryption keys used to encode those conversations were too short, which in theory made it easier for an attacker to decrypt and read conversations." The bug report/merge request, and an analysis of the bug (although, in light of Cryptocat's gracious response, overly acerbic and dismissive of the project).

43 of 83 comments

  1. Why not use OTR? by walshy007 · · Score: 2

    Why not just use OTR with pidgin? Supports any protocol you'd care to mention.

    1. Re:Why not use OTR? by Anonymous Coward · · Score: 1

      Hmm... the one that works and isn't written by a bunch of monkeys, or the one that runs inside a web browser... oh such a tough decision.

    2. Re:Why not use OTR? by hairyfeet · · Score: 2

      And you want to see why that is a BAD IDEA see above. With these "apps" like it or not you are giving control to a few major corps that have been repeatedly shown to work with the US government hand in glove so it really won't be hard for them to make sure only "backdoor equipped" or vulnerable to MITM apps are allowed.

      This is why those that give a rat's ass about security and don't want everything they say or do to be public record really need to stick with X86, leave the phones and tablets for directions and seeing what guy played third stringer on that movie you are watching. All this pushing "web and cloud" only crap does is give the corps and govs a datamining field day.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    3. Re:Why not use OTR? by SuperTechnoNerd · · Score: 1

      I don't have any mod points at this time. Here are some virtual ones.
      +5 +5 +5 +5
      You hit the nail on the head. At least someone sees what's happening..

    4. Re:Why not use OTR? by SuperTechnoNerd · · Score: 1

      Screw the morons. Let them wallow in their stupidity..

    5. Re:Why not use OTR? by hairyfeet · · Score: 1

      Thanks and they can have my X86 units when they are prying my cold dead hands from it!

      And for the moronic AC that says "in 10 years nobody will be using X86" I have YET to see a God damned cell phone that can do ANY real work, all it is is tweets for twits and social shit, and every Foleo style crap they have come up with to shoehorn a phone or tablet into a tool to do actual work has been full of fail.

      Personally I think if Ballmer doesn't get his fat, stupid, buzzword-loving ass out of the big chair a Steve Jobs type is gonna come along and bitchslap the business away from his dumb ass, I really do. PCs are still selling nearly half a BILLION units a year, that is some damned good business yet the fat retard is trying to burn his own business to the ground in the hopes he can force people to pay Apple money for MSFT shit and that is NOT gonna happen, no way in hell.

      So the time is right for somebody to do the exact same play Jobs did, take BSD, make an easy to use GUI, hell I'd try to buy E17 outright, or maybe come up with a KDE ripoff, and get together with the OEMs and undercut the fuck out of the fat moron, say $25 a copy. For a final insult talk to the WINE guys about slapping their emulator in there to cover some of the "must haves" while they talk to Valve and the other companies about porting to the new OS. You can tell the OEMs are REALLY tired of the fat idiot fucking them over, hell Acer has done everything but call him a fucking moron and ALL of the OEMs have come out saying Windows 8 is fucking stupid and you know Intel isn't gonna walk away from all that money and I doubt AMD is either, so it really wouldn't be hard for the OEMs to pull a "gang of nine" and cut MSFT right out of the game.

      So if the retard wants to jerk off to a Surface running an appstore? Let 'em, the OEMs are ripe for the taking and mark my words somebody is gonna see that business is worth having and take it away from the fat bastard. If they don't fire the idiot I predict MSFT will be where RIM is now by 2020, on the ropes and dying, and as long as somebody comes along to take the business I honestly won't care, I'll be happy to line my shelves with their product and give MSFT the same finger they have been giving us system builders.

      --
      ACs don't waste your time replying, your posts are never seen by me.
  2. Nothing overly dismissive there by Anonymous Coward · · Score: 5, Insightful

    This bug and the history of it point to the cryptocat people being utterly incompetent. It's perfectly possible that they did what they did with the best of intentions and that they reacted as well as they could - that does not change one iota about them being incompetent and that you had better not trust the work of incompetent engineers. It's nice that that civil engineer did not intend to kill anyone and that she helped in rescuing people, but still her incompetence is what caused the bridge to collapse and what makes it reasonable to be suspicious of the other bridges she's responsible for.

    1. Re:Nothing overly dismissive there by Anonymous Coward · · Score: 2, Insightful

      Writing crypto apps that manage to use a string of digits as the key instead of the number it represents doesn't contribute anything to cryptography either - other than a lesson in "why non-experts shouldn't do cryptography".

      You're probably a great cook, architect, furniture builder and shoemaker - or you're always keeping quiet about burnt food, leaky roofs, uncomfortable chairs and too-tight shoes, right?

    2. Re:Nothing overly dismissive there by rtfa-troll · · Score: 4, Insightful

      Go blow it out your ass, you smug little prick. What have you contributed to cryptography that is so great and awesome?

      Probably.. nothing. And that's exactly the point. By contributing nothing he has put nobody's life in danger. Crypto systems are essentially security and safety systems which have to work right. When they are done wrong people think they are safe and take risks they would not take otherwise.

      --
      =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
    3. Re:Nothing overly dismissive there by Anonymous Coward · · Score: 4, Interesting

      It is a devastatingly simple and obvious bug that any code review would have spotted. It's laughably amateurish.

      It's especially egregious after the rant the author (isn't there just one?) went on about Javascript cryptography. Couldn't have happened to a nicer guy.

      After all, what's the single biggest challenge in JavaScript cryptography? Random number generation. So what's the FIRST thing you look at when reviewing? Random number generation for keys. And what, pray, is their excuse for not using window.crypto.getRandomValues() with a typed array of bytes, which is guaranteed to be available in every supported browser? What, in fact, is their excuse for not using Uint8Array for carrying keys wherever they go?

    4. Re:Nothing overly dismissive there by gl4ss · · Score: 1

      I somewhat suspect that, at this point, they're more competent than you in the matter. They have experience.

      It beats sitting on your ass doing nothing.

      They might not. After all they named their project so that I thought it's something like netcat with crypto.

      It's very web 2.5 though.

      --
      world was created 5 seconds before this post as it is.
    5. Re:Nothing overly dismissive there by Intrepid+imaginaut · · Score: 1

      They do make that clear on their website however.

      For myself I'm waiting on peer to peer encrypted chat. That's where things get interesting.

    6. Re:Nothing overly dismissive there by wmac1 · · Score: 1

      I am waiting for a peer-to-peer email replacement that solves the issue of trusting companies and data centers on storing and transferring messages.

      A few years ago I wrote a peer-to-peer chat application (used an existing java library) for a postgraduate course homework. I wouldn't offer that to public though.

    7. Re:Nothing overly dismissive there by Intrepid+imaginaut · · Score: 1

      You'd still need some kind of centralised authentication server for email however, as it's domain related, otherwise it wouldn't be email, just a slower form of chat.

    8. Re:Nothing overly dismissive there by chihowa · · Score: 3, Informative

      As it is designed, email is capable of peer-to-peer(ish, if people have their own domains) operation and if people used PGP the messages would be safe in transit. It's not totally decentralized, though, as you still depend on DNS.

      More importantly, a shift away from centralized corporate mail servers toward individual (or at least family or co-op) mail servers can happen gradually without relying on the network effect to legitimize a new system.

      --
      If you want a vision of the future, imagine a youtube comments section scrolling - forever.
    9. Re:Nothing overly dismissive there by gweihir · · Score: 1

      Indeed. The mistakes made are utter beginner's mistakes. Nobody halfway competent in the implementation of cryptography would ever make them, as competent people would have recognized these components as critical for the security of the product. The only other explanation is malicious intent.

      Given these two alternatives, the only possible recommendation is "Stay away from this software, do not use it for any purpose."

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    10. Re:Nothing overly dismissive there by gweihir · · Score: 2

      That is not how it works. Designing and implementing crypto correctly requires _understanding_. A test-and-fix approach where somebody else has found the issue gives you exactly nothing. Experience can help in debugging, but crypto implementation security is not a problem where debugging skills help at all. The problem is that the software fulfills all its functional requirements, i.e. it works. That it can easily be attacked does not cause any crashes or problems that the developer or users can notice when using the software and hence the experience they gained is largely useless.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    11. Re:Nothing overly dismissive there by gweihir · · Score: 1

      Indeed. Security, and in particular crypto, is different. Experience is of limited value, what is needed is understanding. One problem is that testing is completely useless to find security problems in crypto. Most developers today rely on testing as primary quality analysis tool, and it does not cut it for crypto.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    12. Re:Nothing overly dismissive there by gweihir · · Score: 1

      Aehm, SMTP is P2P and has always been P2P? Just run your own server. All you need for that is a static IP or a working dynamic DNS resolver. That you have to trust "companies and data centers" is just your own laziness.

      It never ceases to amaze me how clueless some people are.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    13. Re:Nothing overly dismissive there by gweihir · · Score: 2

      Not true. DNS is not strictly needed. If you are paranoid, you can send emails to user@ip_address. That does require a static IP address though and the right configuration at the target MTA, but nothing else.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    14. Re:Nothing overly dismissive there by gweihir · · Score: 1

      Indeed. That random number generation and use is critical is well-known to anybody with a clue since Netscape messed it up almost 20 years ago (in 1996). Since that time, nobody competent has any excuse to not very carefully scrutinize this part of the system in any review worth the name.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    15. Re:Nothing overly dismissive there by wmac1 · · Score: 1

      The p2p messaging would not use a definite path between source and target and could possibly store the encrypted message parts on other PCs if the receiver's computer is not available.

      The IP address could also change (a unique identifier might still be needed though).

    16. Re:Nothing overly dismissive there by gweihir · · Score: 2

      You are impressively stupid. You managed to get _everything_ wrong. Truly an accomplishment. Have you bothered to look up even one of the things you talk about? Apparently not.

      You seem to be unaware that the source and target mail servers are the source and target of the email. "Smarthosts" and things like POP3 are a crutch for crippled systems that cannot act as mail servers themselves. And you seem to be unaware of exponential back-off, repeated delivery attempts and secondary MXes. And you are unaware that DNS is neither needed for email delivery, nor centralized. At best, DNS is hybrid. In a very real sense, DNS is P2P for almost everything. You can also send emails to an IP address without problem, as long as the target server is configured for it. And what does "deterministic" have to do with it? Do you somehow believe P2P means undirected, random propagation of data?

      What an incredible collection of nonsense.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    17. Re:Nothing overly dismissive there by gweihir · · Score: 1

      Complete nonsense. You are talking about anonymization techniques, not P2P techniques. Anonymization can be done on top of P2P, but it is something entirely different with different aims, techniques and requirements. Anonymity can also be done without P2P, which clearly shows the concepts are different.

      And of course a unique identifier is needed. How would Email be addressed otherwise? That you cannot see that the presence of such an identifier is critical for the system to work clearly shows that you have no clue what you are talking about.

      Maybe read up on the concepts before talking such incredible BS...

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    18. Re:Nothing overly dismissive there by wmac1 · · Score: 1

      You are an asshole and a freaking illiterate stupid. And yes, you deserve that freak tag on your name.

      I was not suggesting to implement SMTP using P2P. Go back to your stupidity hole.

    19. Re:Nothing overly dismissive there by wmac1 · · Score: 1

      Nonsense is your existence. I was not talking about Anonymization at all. Go back to your freaking hole ass-hole.

    20. Re:Nothing overly dismissive there by gweihir · · Score: 1

      Says the one that is not even able to have, maybe, a look at RFC2822....

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    21. Re:Nothing overly dismissive there by gweihir · · Score: 1

      Pathetic. Incompetent and unaware of it.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    22. Re:Nothing overly dismissive there by wmac1 · · Score: 1

      At the time I implemented my first SMTP, POP3 and HTTP servers using C (and developed SMTP and POP3 server libraries for Delphi) you were possibly in primary school. Go back to your pathetic hole.

    23. Re:Nothing overly dismissive there by gweihir · · Score: 1

      Meaningless posing. Seems to me you never understood what you were doing (if you are not lying). Implementing something specified by others and actually understanding architectural characteristics and what their effect is are two entirely different things. And you decidedly have not kept up with things.

      What also seems to elude you is that your past "accomplishments" are entirely meaningless. (Which is why I do not claim any. So far I could easily blow you out of the water, but that is not how this game works.) What counts is whether what you say makes sense or not. What you said so far does not make sense and indicates a fundamental lack of understanding of how things actually work. It also seems that you have stopped understanding what your own level of competence is (or never understood it). Here is a reference for you: Dunning–Kruger effect

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    24. Re:Nothing overly dismissive there by wmac1 · · Score: 1

      Yes, bla bla bla

      You don't even understand the basic concepts of P2P.

  3. Where is the HTML5 version of cryptocat? by hellop2 · · Score: 1

    Does anyone know what happened to the HTML5 (non-plugin) based server-side version of cryptocat?

    I don't care if it's less secure than the new plugin-required version.. it will still probably defend against an eavesdropper in my college dorm or at Starbucks.

    --
    How many more years will slashdot have an off-by-one error on your Score in your profile?
  4. The really scary thing... by fuzzyfuzzyfungus · · Score: 1

    The really ugly 'gotcha', with any attempt at encrypted/obfuscated/steganographic communication, cryptocat included but hardly alone, is storage.

    If your adversary is just drinking from the firehose, and lacks the ability to do more than a cursory inspection, all you have to do is be better than their cryptanalysts today. If they have sufficient storage to archive a nontrivial percentage of what passes by (or their cursory inspection is good enough to classify suspicious encrypted traffic for storage) you have to be better, today, than their cryptanalysts for however long what you are saying is relevant. The former is hard, the latter is downright scary.

    1. Re:The really scary thing... by Eivind · · Score: 1

      True, you have to stay secure for the length of time the message has value. This varies. If you're the military, and reporting the position of a patrol in the field, this doesn't need to stay secret for very long. (3 days later the info is pretty useless anyway)

      Breakthroughs in algorithms make this hard. You can nest encryption, which means you're safe unless *all* of the levels are cracked, but it's a hassle.

  5. Why not use Skype by Anonymous Coward · · Score: 1

    It's encrypted end to end and you can totally discuss your plans and share secrets using the instant messaging. For better protection, why not wrap them in a PDF labelled "secret plans NSA do not read"?

    Plus it's from a trusted company that never harms their customers, Microsoft, in a country with strong privacy laws, America. So it's double plus good private!

  6. Re:A mathematician's apology by lxs · · Score: 4, Insightful

    > I don't really want to live in a world where I have to actively hide shit from people or they'll try to take advantage of me

    Neither do I, but such is the world we live in. All you can do is accept that the world is a mostly shitty place, deeply appreciate the moments of stunning beauty it offers as well and try to improve your little corner of it.

  7. Re:A mathematician's apology by stenvar · · Score: 1

    > Cryptography's a horrible thing, really: it starts off with the principle that man is evil and will fuck you up if you don't protect yourself

    Societies are composed of many different kinds of individuals, and each individual can behave in many different ways. You need to protect yourself even if just a small percentage of people in society want to harm you some of the time.

    > Lack of privacy is a social problem soluble by bringing up people with a better attitude toward their fellow man, not a technical one soluble with an arms race (which you will lose, btw).

    Bullshit. We're biological beings subject to natural laws. A society in which everybody cooperates is provably not a stable solution, nor, for that matter, is it a very good solution. Yes, that's a mathematical fact.

    The percentage of people wanting to harm you today is remarkably small by historical standards, and the amount of protection you need is small. Be happy about that, and then take some reasonable precautions, like everybody else.

  8. Re:A mathematician's apology by Antique+Geekmeister · · Score: 1

    > I don't really want to live in a world where I have to actively hide shit from people or they'll try to take advantage of me. Lack of privacy is a social problem soluble by bringing up people with a better attitude toward their fellow man, not a technical one soluble with an arms race (which you will lose, btw).

    Goodness, you are an optimist. The military, economic, or social advantage to accessing private communications is very large, and the social and economic and political advantages are _tremendous_. Education won't solve that: the first person in the "educated" world who starts copying test answers, or reading their boss's private correspondence, will have tremendous advantages socially and in the workplace. That's part of what the NSA was doing to EU communications: industrial espionage to benefit American companies.

  9. A valuable lesson by zzyzyx · · Score: 1

    The last sentence of this article says it all:

    > Also I learned that it means nothing when I hear "it is open source and peer reviewed".

  10. Re:Just host .onion hidden service forums! by Ash-Fox · · Score: 1

    Cloudflare is better at protecting my server infrastructure than TOR is.

    --
    Change is certain; progress is not obligatory.
  11. The analysis is correct, these people have no clue by gweihir · · Score: 2

    The mistakes made are utter beginner's mistakes that nobody even halfway competent with regard to cryptography would make. The only other possibility is that these mistakes were made intentionally.

    While it is unclear whether utter cluelessness or devious intent is to blame, this software should not be trusted on any level or for any purpose. If the people writing it can make this kind of mistake, then there will likely be a number of other mistakes in it that affect security and this piece of trash should be regarded as broken for any purpose.

    Doing crypto is not a beginner's game. There are countless ways to get it wrong, and most of them cannot be found by testing, but require in-depth understanding and meticulous analysis of the mechanisms used. And encryption software being OSS only helps if some people with a clue care to review it.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  12. Re:The analysis is correct, these people have no c by TCM · · Score: 1

    You gain competence the same way pilots do. They don't get to fly hundreds-of-passengers Boeings on their first day either. It's OK to be a crypto beginner. But why do they publish a chat system instead of scribbling around in Cryptool?

    If you see someone looking into a loaded shotgun barrel with their finger on the trigger, you don't say "oh, let him learn by trial and error". You take the gun from him, slap him across the face and send him learning the basics.

    --
    Of course it runs NetBSD. BTC: 1NT7QvbetmANwaMzhpVL6
  13. Re:The analysis is correct, these people have no c by gweihir · · Score: 1

    You gain competence by studying it, by trying things, etc. Before that you already have to be a pretty good and experienced programmer. People without that skill should not even try, it is a mandatory skill. You cannot learn how to program well doing crypto, crypto has a whole additional set of difficult and subtle requirements.

    And no, test-and-fix does not work for crypto. That is not "my rule", but in the very nature of things. The problem is that testing will not show the mistakes for crypto, and hence it is not the "normal" process at all.

    All pretty obvious to anybody that actually cares to find out. Your cluelessness is a disgrace.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.