Cryptocat WIDE OPEN, new version a must

The encrypted online chat service Cryptocat is urging users to install a new version, following the revelation that its encryption could be cracked by brute force. Making the announcement here, Cryptocat says the vulnerability existed in the way key pairs were generated. It claims that the bug existed in any 2.0 version prior …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward

    Strong typing?

    We've heard of it.

    1. Wzrd1 Silver badge

      Re: Strong typing?

      Dogshit code, we've heard of it.

    2. Anonymous Coward

      Re: Strong typing?

      Ahh, I've heard of that. You need to get a microswitched keyboard, it'll hold up to the punishment much better.

    3. Anonymous Coward

      Re: Strong typing?

      I'VE HEARD OF IT TOO!

    4. Paul Shirley

      Re: Strong typing?

      You need to actually read the source article, strong typing would have exactly NO effect on the stupid programming they did. This wasn't a type problem, it was the crap they put into the type.

      Strong typing can only give you a hint about impending stupidity. It can't make you take the hint.

  2. Anomalous Cowshed

    Hello Kitty

    Special offer: Hello Kitty school of programming and encryption. £ 10. For the entire school, that is.

  3. Anonymous Coward

    As much as I like the idea of encrypted chat, it's a pain.

    1. do you know it doesn't have a back door?

    2. all your contacts have to use it. Good luck with that.

    It's easier now to hide in plain sight than attempt to obfuscate your online presence....

    1. WatAWorld

      Overall I agree.

      The only thing I disagree about is hiding in plain sight.

      - Yes this is what most of us are better off doing. This is what I do.

      - No this won't work for people with commercial, industrial or scientific secrets who have been targeted for industrial espionage by the various governments that control the internet their chats pass through.

  4. DeathSquid
    FAIL

    Fool me once, shame on me...

    It's nice that they have a new version, but ALL the previous chats protected by ECC keys are compromised. That can't be fixed by a software patch.

    It's pretty clear that the developers are still climbing the crypto learning curve. This stuff is complicated, non-intuitive and even the smallest error can have large consequences. Worse still, the mistakes they made were absolutely basic, like using way too short keys. Only a fool would trust their software going forward.

  5. John Smith 19 Gold badge
    Flame

    Open source or closed source.

    If open source. Shame on the users. Eyes on the code is one of the points of OS.

    If closed source. Shame on the devs. That sort of thing smells of some dev being "clever."

    I suspect if this world is finally destroyed in a man-made disaster, its root cause will also be some dev being "clever".

    BTW, given what's known about government surveillance, all that back chat has been stored and can be processed off line. So no, if you're serious about privacy you can't release early and fix later on. It's too late for that. I am especially p**sed off at this as I've had to fix "clever" code before and none of the t**ts had heard the phrase "premature optimization is the root of most evil."

    1. Ru

      Re: Open source or closed source.

      "If open source. Shame on the users."

      Have a quick read of some of this stuff: http://security.stackexchange.com/questions/37157/flaws-in-crypto-cat

      Seems like the code was audited, more than once (I have no particular interest in finding out how competent the auditors were, however). The problem is, some kinds of keying bugs are startlingly difficult to spot and very easy to introduce... see the Debian SSL/SSH screwup in the recent past for another example. If this stuff can be missed by so many people for so long, it is perhaps a good reminder that "many eyes" helps software quality, but does not guarantee it.
