
#Cryptocat group chat code#
Security expert Steve Thomas, who discovered the hole, wrote on his blog that anyone who used Cryptocat between 17 October 2011 and 15 June 2013 should assume that their messages were compromised, as well as those of whomever they were talking to. Cryptocat, for its part, says that the hole was open from version 2.0 up until (but not including) the latest, fixed version, 2.0.42, a period it puts at seven months, which is a considerably shorter window than Thomas's dates imply. The bug has to do with the way key pairs were generated for Cryptocat's group chat.

Cryptocat creator and developer Nadim Kobeissi on Friday took to a live stream, broadcast from the SIGINT show in Germany, to address questions about the security hole from audience members and Twitter. During his 70-minute discussion, Kobeissi owned up to mistakes, including having hired code auditors rather than cryptographers. But while he made mistakes, the level of anger he is getting is "psychologically abusive," he said.
#Cryptocat group chat update#
Cryptocat is a free, open-source project aimed at providing secure, encrypted online chat. It can be used as a browser extension for Chrome, Firefox and Safari. On Thursday, the project urged users to update after a security researcher pointed out a vulnerability that may have left group chats easier to crack for the past seven months. Thomas says that the hole makes it possible to decrypt a seemingly secure, encrypted chat recording in a matter of minutes. According to the developers, the bug did not affect private chats because it only occurred in group chats with more than two participants. The Cryptocat developers have since responded with a post on their development blog, expressly thanking Steve Thomas for his effort.

The incident has also caused embarrassment for the security specialists at Veracode. In February, the Cryptocat team proudly announced that Cryptocat had earned a Veracode Level 2 classification and a Security Quality Score of 100/100.
#Cryptocat group chat cracked#
The Off-the-Record (OTR) scheme Cryptocat uses generates new key pairs for every chat to provide what is known as Perfect Forward Secrecy (PFS). The idea is to prevent attackers from drawing conclusions about previous or subsequent keys when one key on a communication channel is cracked, so that earlier and later messages continue to be protected. Forward secrecy only helps if each session key is itself strong, however: a key generated from too little randomness can be brute-forced directly, no matter how often keys are rotated.
#Cryptocat group chat software#
Cryptocat is designed to provide a securely encrypted online chat facility. The software uses Off-the-Record (OTR) messaging to encrypt users' messages. The security hole affects all versions of the chat software since 2.0, as it was only discovered and closed in version 2.0.42.

On his web site, Steve Thomas has a massive go at the software developers. Thomas says that the vulnerability was triggered by a flaw in the code for converting strings into arrays of integers. A function that expected an array of 15-bit integer values was actually handed a string of decimal digits, with each digit character standing in for what should have been a 15-bit integer, shrinking the possible values per element from 2^15 to 10. This meant the private Elliptic Curve Cryptography (ECC) keys would be "ridiculously small" and would present an ideal target for brute-force attacks. Thomas was especially angered by the bug fix description, saying that the developers tried to cover up their mistake by claiming the fix was necessary because of backward compatibility problems.

According to security expert Steve Thomas, messages sent via Cryptocat between 17 October 2011 and 15 June 2013 should be assumed compromised.
