[liberationtech] What I've learned from Cryptocat

Jillian C. York jilliancyork at
Mon Aug 6 18:36:54 PDT 2012

It *is* safer than Facebook, for both the reason Douglas lays out below and
for the fact that *just to have a Facebook account* you're technically
required to use your real name (yes, I know lots of people break this rule,
but it's also something lots of people don't think about).

That said, fair point about Google.  Again, not a technologist, so I'm
taking those of you who are on your word at the moment.

On Mon, Aug 6, 2012 at 6:21 PM, Moxie Marlinspike <moxie at> wrote:

> On 08/06/2012 05:28 PM, Jillian C. York wrote:
> > A /safer/ web-based tool than Facebook chat with a GIANT WARNING is far
> > better than everyone continuing to hold their discussions in insecure
> > fora.
>
> I think this sentence is really the essence of the problem.  Why do you
> assume it's safer?
>
> CryptoCat has the word "crypto" in it, positions itself as a
> cryptography project, and has a stated emphasis on security, so it's
> easy to conclude that whatever it's doing is at least somehow better
> than what Facebook or Google are doing.
>
> However, my position is that Google Chat is currently more secure than
> CryptoCat.  To be more specific, if I were recommending a chat tool for
> activists to use, *particularly* outside of the United States, I would
> absolutely recommend that they use Google Chat instead of CryptoCat.
> Just as I would recommend that they use GMail instead of HushMail.
>
> The security of CryptoCat v1 is reducible to the security of SSL, as
> well as to the security of the server infrastructure serving the page.
> Any attacker who can intercept SSL traffic can intercept a CryptoCat
> chat session, just as any attacker who can compromise the server (or the
> server operator themselves) can intercept a CryptoCat chat session.
>
> This effectively means that CryptoCat is not a "cryptography project,"
> in the sense that whatever cryptography it delivers does not affect or
> improve upon the existing attack vectors of chat tools that we're trying
> to "replace" like GChat.
>
> So I believe it comes down to a question of who we trust to provide a
> more secure SSL and server-side infrastructure.  No offense to Nadim,
> but at this point I believe that Google does a better job.  It'd be
> tough to do better, given the amount of dedicated people and resources
> they have specifically focused on that problem, as well as the amount of
> advanced information they have access to concerning coming SSL attacks,
> etc.
>
> - moxie

*+1-857-891-4244 |** | @jilliancyork *

"We must not be afraid of dreaming the seemingly impossible if we want the
seemingly impossible to become a reality" - *Vaclav Havel*