Slashdot Mirror


Group Chat Vulnerability Discovered in Cryptocat, Project Fixes and Apologizes

alphadogg writes "The founder of an eavesdropping-resistant instant messaging application called Cryptocat has apologized over a now-fixed bug that made some types of messages more vulnerable to snooping. Cryptocat, which runs inside a web browser, is an open-source application intended to provide users with a high degree of security by using encryption to scramble messages. But Cryptocat warns that users should still be very cautious with communications and not trust their lives to the application. The vulnerability affected group chats and not private conversations. The encryption keys used to encode those conversations were too short, which in theory made it easier for an attacker to decrypt and read conversations." The bug report/merge request, and an analysis of the bug (although, in light of Cryptocat's gracious response, overly acerbic and dismissive of the project).

12 of 83 comments

  1. Why not use OTR? by walshy007 · · Score: 2

    Why not just use OTR with pidgin? Supports any protocol you'd care to mention.

    1. Re:Why not use OTR? by hairyfeet · · Score: 2

      And if you want to see why that is a BAD IDEA, see above. With these "apps", like it or not, you are giving control to a few major corps that have been repeatedly shown to work with the US government hand in glove, so it really won't be hard for them to make sure only "backdoor equipped" or MITM-vulnerable apps are allowed.

      This is why those who give a rat's ass about security and don't want everything they say or do to be public record really need to stick with x86, and leave the phones and tablets for directions and seeing what guy played third stringer in that movie you are watching. All this pushing of "web and cloud" only crap does is give the corps and govs a datamining field day.

      --
      ACs don't waste your time replying, your posts are never seen by me.
  2. Nothing overly dismissive there by Anonymous Coward · · Score: 5, Insightful

    This bug and the history of it point to the cryptocat people being utterly incompetent. It's perfectly possible that they did what they did with the best of intentions and that they reacted as well as they could - that does not change one iota about them being incompetent and that you'd better not trust the work of incompetent engineers. It's nice that that civil engineer did not intend to kill anyone and that she helped in rescuing people, but still her incompetence is what caused the bridge to collapse and what makes it reasonable to be suspicious of the other bridges she's responsible for.

    1. Re:Nothing overly dismissive there by Anonymous Coward · · Score: 2, Insightful

      Writing crypto apps that manage to use a string of digits as the key instead of the number it represents doesn't contribute anything to cryptography either - other than a lesson in "why non-experts shouldn't do cryptography".

      You're probably a great cook, architect, furniture builder and shoemaker - or you're always keeping quiet about burnt food, leaky roofs, uncomfortable chairs and too-tight shoes, right?

    2. Re:Nothing overly dismissive there by rtfa-troll · · Score: 4, Insightful

      Go blow it out your ass, you smug little prick. What have you contributed to cryptography that is so great and awesome?

      Probably.. nothing. And that's exactly the point. By contributing nothing he has put nobody's life in danger. Crypto systems are essentially security and safety systems which have to work right. When they are done wrong people think they are safe and take risks they would not take otherwise.

      --
      =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
    3. Re:Nothing overly dismissive there by Anonymous Coward · · Score: 4, Interesting

      It is a devastatingly simple and obvious bug that any code review would have spotted. It's laughably amateurish.

      It's especially egregious after the rant the author (isn't there just one?) went on about Javascript cryptography. Couldn't have happened to a nicer guy.

      After all, what's the single biggest challenge in JavaScript cryptography? Random number generation. So what's the FIRST thing you look at when reviewing? Random number generation for keys. And what, pray, is their excuse for not using window.crypto.getRandomValues() with a typed array of bytes, which is guaranteed to be available in every supported browser? What, in fact, is their excuse for not using Uint8Array for carrying keys wherever they go?

    4. Re:Nothing overly dismissive there by chihowa · · Score: 3, Informative

      As it is designed, email is capable of peer-to-peer(ish, if people have their own domains) operation and if people used PGP the messages would be safe in transit. It's not totally decentralized, though, as you still depend on DNS.

      More importantly, a shift away from centralized corporate mail servers toward individual (or at least family or co-op) mail servers can happen gradually without relying on the network effect to legitimize a new system.

      --
      If you want a vision of the future, imagine a youtube comments section scrolling - forever.
    5. Re:Nothing overly dismissive there by gweihir · · Score: 2

      That is not how it works. Designing and implementing crypto correctly requires _understanding_. A test-and-fix approach where somebody else has found the issue gives you exactly nothing. Experience can help in debugging, but crypto implementation security is not a problem where debugging skills help at all. The problem is that the software fulfills all its functional requirements, i.e. it works. That it can easily be attacked does not cause any crashes or problems that the developer or users can notice when using the software, and hence the experience they gained is largely useless.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    6. Re:Nothing overly dismissive there by gweihir · · Score: 2

      Not true. DNS is not strictly needed. If you are paranoid, you can send emails to user@ip_address. That does require a static IP address though and the right configuration at the target MTA, but nothing else.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    7. Re:Nothing overly dismissive there by gweihir · · Score: 2

      You are impressively stupid. You managed to get _everything_ wrong. Truly an accomplishment. Have you bothered to look up even one of the things you talk about? Apparently not.

      You seem to be unaware that the source and target mail servers are the source and target of the email. "Smarthosts" and things like POP3 are a crutch for crippled systems that cannot act as mail servers themselves. And you seem to be unaware of exponential back-off, repeated delivery attempts and secondary MXes. And you are unaware that DNS is neither needed for email delivery, nor centralized. At best, DNS is hybrid. In a very real sense, DNS is P2P for almost everything. You can also send emails to an IP address without problem, as long as the target server is configured for it. And what does "deterministic" have to do with it? Do you somehow believe P2P means undirected, random propagation of data?

      What an incredible collection of nonsense.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  3. Re:A mathematician's apology by lxs · · Score: 4, Insightful

    I don't really want to live in a world where I have to actively hide shit from people or they'll try to take advantage of me

    Neither do I, but such is the world we live in. All you can do is accept that the world is a mostly shitty place, deeply appreciate the moments of stunning beauty it offers as well and try to improve your little corner of it.

  4. The analysis is correct, these people have no clue by gweihir · · Score: 2

    The mistakes made are utter beginner's mistakes that nobody even halfway competent with regard to cryptography would make. The only other possibility is that these mistakes were made intentionally.

    While it is unclear whether utter cluelessness or devious intent is to blame, this software should not be trusted on any level or for any purpose. If the people writing it can make this kind of mistake, then there will likely be a number of other mistakes in it that affect security, and this piece of trash should be regarded as broken for any purpose.

    Doing crypto is not a beginner's game. There are countless ways to get it wrong, and most of them cannot be found by testing, but require in-depth understanding and meticulous analysis of the mechanisms used. And encryption software being OSS only helps if some people with a clue care to review it.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.