back to article Cryptocat WIDE OPEN, new version a must

The encrypted online chat service Cryptocat is urging users to install a new version, following the revelation that its encryption could be cracked by brute force. Making the announcement here, Cryptocat says the vulnerability existed in the way key pairs were generated. It claims that the bug existed in any 2.0 version prior to …

COMMENTS

This topic is closed for new posts.
Anonymous Coward

Strong typing?

We've heard of it.

7
0
Bronze badge

Re: Strong typing?

Dogshit code, we've heard of it.

0
0
Anonymous Coward

Re: Strong typing?

Ahh, I've heard of that. You need to get a microswitched keyboard, it'll hold up to the punishment much better.

2
0

Re: Strong typing?

I'VE HEARD OF IT TOO!

4
0
Silver badge

Re: Strong typing?

You need to actually read the source article. Strong typing would have exactly NO effect on the stupid programming they did. This wasn't a type problem, it was the crap they put into the type.

Strong typing can only give you a hint about impending stupidity. It can't make you take the hint.

0
0
Silver badge

Hello Kitty

Special offer: Hello Kitty school of programming and encryption. £10. For the entire school, that is.

2
0
Silver badge

As much as I like the idea of encrypted chat, it's a pain.

1. Do you know it doesn't have a back door?

2. All your contacts have to use it. Good luck with that.

It's easier now to hide in plain sight than attempt to obfuscate your online presence....

1
1
Bronze badge

Overall I agree.

The only thing I disagree about is hiding in plain sight.

- Yes, this is what most of us are better off doing. This is what I do.

- No, this won't work for people with commercial, industrial or scientific secrets who have been targeted for industrial espionage by the various governments that control the internet their chats pass through.

2
0
FAIL

Fool me once, shame on me...

It's nice that they have a new version, but ALL the previous chats protected by ECC keys are compromised. That can't be fixed by a software patch.

It's pretty clear that the developers are still climbing the crypto learning curve. This stuff is complicated, non-intuitive and even the smallest error can have large consequences. Worse still, the mistakes they made were absolutely basic, like using way too short keys. Only a fool would trust their software going forward.

3
0
Gold badge
Flame

Open source or closed source.

If open source. Shame on the users. Eyes on the code is one of the points of OS.

If closed source. Shame on the devs. That sort of thing smells of some dev being "clever."

I suspect if this world is finally destroyed in a man-made disaster its root cause will also be some dev being "clever."

BTW given what's known about government surveillance all that back chat has been stored and can be processed off line. So no, if you're serious about privacy you can't release early and fix later on. It's too late for that. I am especially p**sed off at this as I've had to fix "clever" code before and none of the t**ts had heard the phrase "premature optimization is the root of most evil."

0
3
Ru

Re: Open source or closed source.

If open source. Shame on the users.

Have a quick read of some of this stuff: http://security.stackexchange.com/questions/37157/flaws-in-crypto-cat

Seems like the code was audited, more than once (I have no particular interest in finding out how competent the auditors were, however). The problem is, some kinds of keying bugs are startlingly difficult to spot and very easy to introduce... see the Debian SSL/SSH screwup in the recent past for another example. If this stuff can be missed by so many people for so long, it is perhaps a good reminder that "many eyes" helps software quality, but does not guarantee it.

3
0