Search Mailing List Archives


Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] What I've learned from Cryptocat

Fabio Pietrosanti (naif) lists at infosecurity.ch
Mon Aug 13 10:14:47 PDT 2012


On 8/13/12 6:53 PM, Gregory Maxwell wrote:
>
> For example, it wouldn't be hard to educate people to only install
> software on their secure systems via a downloading tool that verifies
> (cryptographically) that the software which is being installed has
> been independently peer reviewed by multiple parties and is free of
> trusted reviewers asserting that the software is unsafe. The
> authenticity and independence of the signing parties can be validated
> by the software— the user only needs to provide keys from some people
> he knows to bootstrap the process.
>
> It wouldn't be hard— except the tools don't exist and there are a
> number of practical challenges that need to be solved, and interesting
> tradeoffs that need to be made.
Ok, cool.

But to make an example we can say that even today Tor cannot be secured 
against the "Server Operator" in the sense that if you are an "average 
user" you need to trust Tor Project, distributing Tor binaries.

One would say, "but there are hash and pgp signature and instruction on 
how to verify it" .

It doesn't matter for the average user.

The average user will NEVER check it.
The average user doesn't even know "what a digital signature is".
The average user does not know how to download pgp, import keys, execute 
command line arguments to verify a crypto checksum.

Those are all stuff for crypto-nerds and power-users, but not for 
average users.

So imho in the current context of technology, the average user, 
regardless what the provider say/suggest on the download page, does not 
have a real way to verify that what he is download does not contain a 
backdoor.

Being the operator Tor Project distributing Tor Browser Bundle, 
CryptoCat distributing a Chrome plugin, GnuPG Project distributing 
WinPGP, the problem is the same (for the average user).

This means that most of this discussion around CryptoCat is based on the 
need of a technology to solve a problem for "the average users" that 
simply does not exists (and that CryptoCat cannot solve).

-naif



More information about the liberationtech mailing list