Search Mailing List Archives
[liberationtech] Any thoughts on this?
schoen at eff.org
Sat Jun 22 09:44:37 PDT 2013
Yosem Companys writes:
> From: Dewald Pretorius, owner of SocialOomph.com
> The alarming revelations of the extent to which our privacy is being
> invaded by governments have inspired me to create a free encryption service
> that is for everyone. It is gratis, it's extremely easy to use, and it's
> anonymous (no need to sign up).
① You actually send them your plaintext every single time you use
the service. If you want to send plaintext to a third party, why not
a webmail or IM provider or social network?
② Reference to being run by a Canadian is possibly intended to invoke
jurisdictional diversity but the server is hosted in the U.S. (Amazon
AWS), not even on machines physically owned by the service operator.
③ Instructions say "give the password to the recipient (obviously
not in the same email!)" -- so, how are users supposed to give the
password to the recipient?
④ I suspect most users will choose passwords that can be brute-forced
easily. There isn't even any advice to users about what a good
password would be in this context (and no documentation about whether
or how a KDF is used).
People here were criticizing harshly criticizing the older version
of CryptoCat over vulnerabilities less concrete and fundamental than
these. Without (at least) some new browser functionality, "nothing
to install" is a massive red flag for any cryptographic application.
Seth Schoen <schoen at eff.org>
Senior Staff Technologist https://www.eff.org/
Electronic Frontier Foundation https://www.eff.org/join
815 Eddy Street, San Francisco, CA 94109 +1 415 436 9333 x107
More information about the liberationtech