[liberationtech] What I've learned from Cryptocat

Moxie Marlinspike moxie at
Wed Aug 8 08:38:10 PDT 2012

On 08/08/2012 06:37 AM, liberationtech at wrote:
> On Tue, Aug 07, 2012 at 05:18:02PM -0700, erik at wrote 4.7K bytes in 111 lines about:
> :partial defenses using any technology tool. I may feel too strong about
> :tools being discussed as THE solution or THE bulletproof vest so to speak.
> I'm not picking on you Erik, but this comment finally struck me
> about what's bothered me with this debate. There is no such thing as 'the
> bulletproof vest'.

I don't think anyone is saying we want an "ultimate solution."  We have
a set of technologies that we're trying to replace with a more secure
solution (GChat, Facebook, etc...).  It's as simple as looking at the
attack vectors that we're concerned users will experience with these
existing web-based chat solutions and asking the question of whether
CryptoCat improves on any of them.

Again, as I see it, there are three possible vectors for attack with
existing web-based chat solutions:

1) SSL intercept.
2) Server infrastructure.
3) Operator.

These are not theoretical, pie-in-the-sky vectors.  These are things
that are actually happening, are within the state of the art of an
average adversary, and are within the scope of what this type of
technology problem could potentially address.

My analysis is that the CryptoCat technology does not improve any of
these three vectors, and in fact might make the user more at risk to
compromise through #1 and #2 than with existing web-based chat solutions
(GChat, etc...).

So again, I don't believe that those of us who have concerns about
CryptoCat are asking for a "bulletproof vest."  We're not demanding the
"ultimate tool."  To use your analogy, I'm looking for a bulletproof
vest that's at minimum not rated *worse* than GChat, and ideally is
rated some degree higher.

- moxie

