Fourth Amendment

Privacy-Oriented Cryptocat Unveils Smartphone App


Cryptocat, a web application for private chatting, now functions on smartphones. In a demo at RightsCon, a gathering in Silicon Valley that focuses on technology and combating human rights challenges, Cryptocat unveiled its cryptography-based private chat app for mobile, a tool they've been cooking up this past year.

Cryptocat's mission, according to its blog, is "Making encrypted chat easy, fun, and accessible for everyone." While not as simple as using Facebook or GChat, it's easier to use than other encrypted instant messaging services. It's available for free from the Apple app store.

Users of Mozilla, Chrome, Safari, Opera, and Mac OS X, and now iOS, can use the app. It utilizes Off-the-Record Messaging (OTR), a cryptographic protocol for secure instant messaging, and perfect forward secrecy, a system that constantly generates new user keys so snoops cannot decrypt older messages. Security measures extend beyond the cryptographic protocols. According to The Verge, the servers are stored "in a Swedish nuclear bunker to protect them from government intrusion."

It took Cryptocat a year to transition to a mobile app. One might think securing information would be a cinch, but secure communications require complex cryptography. Developers have been struggling to make secure communications, of all sorts, more user-friendly. Cryptocat has been a main player in this movement.

Private communications have come a very long way since cypherpunks organized an esoteric email group focused on discussing the technical aspects of encrypted communications in the '90s. Not to mention, Cryptocat has come a long way since repairing a "rookie" cryptographic mistake made last year.

Privacy developments have been fueled by a newish hunger. In an interview with Ars Technica last December, Cryptocat developer Nadim Kobeissi said:

'Two years ago not a lot of people cared,' he comments. But times have changed. 'Now a lot of people care.'

Innovative developers are feeding this hunger with an array of technologies. The app comes hot on the heels of the Blackphone, which launched pre-orders for its cryptographically-secured phone last week. Jeeves, a programming language in the making, accommodates built-in privacy protocols. An MIT researcher even proposes encrypting genetic information.

The hope is that privacy-centric technology would give consumers more secure options to choose from. Someday they could make bypassing National Security Agency intrusion easy and difficult-to-enact legislative reform unnecessary.


  1. I use TextSecure. Should I replace it with this? Get both?

    1. I vote we just all start using substitution ciphers to make the NSA study all of our meaningless banter here at H&R, which will eventually force them to ignore us entirely.

    2. I use Pidgin with OTR and ChatSecure from The Guardian Project. They are the ones that made Orbot which is the Android version of Tor.

      Pidgin with OTR is easy. You can use it over just about any chat, including Facebook, as long as the other person has it too.

      https://guardianproject.info/apps/chatsecure/

  2. One might think securing information would be a cinch

    Anyone that really thinks this is a complete moron.

  3. One might think securing information would be a cinch
    ———
    Um, WHO thinks that exactly?

    1. “Um, WHO thinks that exactly?”
      The guy on the streetcorner in the sandwich board sign.

  4. The hope is that privacy-centric technology would give consumers more secure options to choose from. Someday they could make bypassing National Security Agency intrusion easy and difficult-to-enact legislative reform unnecessary.

    Not with the advent of quantum computing; security measures (including encryption) are only reactive. There’s nothing that’s “unhackable” anywhere.

    1. Okay then we’d react. Quantum encryption would be even more unbreakable.

      1. True, but the attacker is always the one that’s a step ahead; plus, you don’t get to know you’ve been hacked until whatever you were storing of value was lost (or used against you).

        1. You should look up ‘MaidSafe’.

    2. Don’t give me that quantum computing shit. Even if they did have it, they would still have to crack every single message using brute force. Their best attack is still through an exploit like FinFisher.

      True, but the attacker is always the one that’s a step ahead;

      How do you figure? If they were always one step ahead, encryption would be useless. Consider the last known attack, the one against Freedom Hosting, they were about 3 steps behind. It only worked on an older version of the Tor Browser, only with JavaScript enabled, and only on Windows.

      Most, if not all, successful attacks are user errors. Encryption is like using a condom. When used properly, it is nearly 100%. When a condom fails, it is usually the fault of the person using it.

  5. Heck yeah dude that’s what I am talking about! Roll with it.

    http://www.Anon-VPN.com

    1. You know, I’m normally a rule-of-law kinda guy.

      But this endless fucking spamming might qualify as aggression, and this really makes me want to suggest an endless DDOS against “anon-vpn.com”.

      It sure as hell doesn’t make me want to be one of their customers, because this is the shoddiest possible business practice short of outright fraud.

  6. Encryption can be relatively easy – by a developer using a standard black-box form of encryption inserted into his code.

    However, making the entire app secure is very tricky.

    1. The “entire app” doesn’t need to be secure (and can’t be, at the level of “secure from cameras looking at the screen” or “secure from the OS kernel itself or a superuser”).

      The relevantly sensitive part is the communication channel, not the running code. (Oh, sure, “don’t save the decrypt to disk”, but… if you need help with that one you have bigger problems as a developer.)

      An even more interesting question is not “is this app secure?” but “how can I TRUST that this app is secure, and that its private backend servers are trustworthy?”.

      1. Roger that. But that’s what I’m saying, an encryption neophyte can, with relative ease, encrypt his communication stream. I seem to remember you could insert the PGP code into any C++ program relatively quickly.

        but “how can I TRUST that this app is secure, and that its private backend servers are trustworthy?”.

        In this day and age, it’s going to have to be open source.

      2. If you have root access, you can run every app through Tor (Orbot). You can even chroot a Linux OS on Android. There are, of course, some stability issues. You still need to access the Android drivers.

  7. So I would have to get this from Apple’s App Store, which is probably being snooped by the NSA who will then target further snooping on anyone who downloads the app.

  8. After reading this blog I realize Cryptocat is really the best web application for private chatting, and I am so happy it is freely available in all Apple app stores. I hope it supports all browsers.

  9. Cryptocat is completely responsible to all privacy concern. Let them want to update proper privacy policy and user agreement.

    http://www.ndottech.com
