"Cryptocat is not any different from any of the other notable privacy, encryption and security projects, in which vulnerabilities get pointed out on a regular basis and are fixed."

I feel bad for the team that worked on this (although I stand by my belief that they shouldn't be working on it), but this is an extremely aggravating statement. When was the last cryptographic vulnerability discovered in any mainstream implementation of PGP? Vulnerabilities are found semi-routinely in TLS, which was designed by several of the smartest crypto people in the world. But there's a key difference between TLS and Cryptocat: the whole world is working on TLS security. Vulnerabilities in TLS that are far less critical than this one are career-making. Vulnerabilities that devastate the security of Cryptocat earn a blog post.

I'm also a little confused: if the team put Steve Thomas on their thank-you page, why did Steve Thomas write a blog post linking directly to that page saying he wasn't on it? I bring this up because it's a valuable lesson for startups. But you should also err on the side of quickly adding people's names to it when they report things. It looks (from the pull request) like much of this was reported over a month ago. Don't wait a month to thank people who report vulnerabilities in your code.

"We understand that pushing this change strongly lowers immediate accessibility to those who don't have the Chrome or Firefox extension installed, but we do believe that the security benefits outweigh the accessibility disadvantages in this case."

Installing a Chrome or Firefox extension is a one-minute process in most cases and affords the user protection against a variety of threats. This is a positive step, especially if the original extension download is from a known, trusted source and/or verified against a strong cryptographic hash function. But herein lies the heart of the problem, because the entire web security architecture rests upon the integrity of the embedded SSL certificate authority (CA) system. The existing presumption, correct or not, is that original downloads occur in a relatively safer network environment than recurring usage. Today, there is no total solution - only the striking of a satisfactory balance. At the far end of the security spectrum, end users ideally would verify the original download against hashes that were published or distributed in an offline fashion. But does that introduce too much complexity for the average web surfer? What good are cryptography and security tools if they're not used?

Since the temporary detainment of Kobeissi at the U.S. border in June of this year, the Cryptocat application has been more publicly visible. With this increased scrutiny comes a renewed focus on overall security as Cryptocat continues to move beyond the experimental phase. The Cryptocat Project has always stated that, with its encrypted instant messaging, it does not protect you against hardware or software keyloggers and that it does not anonymize you by default, although it does offer a Tor hidden service at xdtfje3c46d2dnjd.onion for anonymization. The project has also cautioned chat users about potential threats to the web-based version.