by tptacek 3778 days ago
What does it matter if a secure messenger is USABLE if it's not secure? Cryptocat wasn't.
7 comments

A usable, secure messenger is a pretty important niche to fill. Cryptocat is a good concept (usability is important), but its implementation is flawed enough that it's worse than useless. With some TLC, better ground-up design, and thorough auditing? Pretty sweet. There isn't one messenger that fills every niche reasonably well (e.g. Tox is fragmented and hasn't been audited as far as I'm aware, Jitsi is clunky and relies heavily on outside services, Retroshare requires an intricate knowledge of GPG, several other messengers sit over Tor which requires education, and libpurple is garbage, etc.).
Ricochet sits over Tor and doesn't require much or any in the way of education. The implementation details and use of Tor are virtually invisible to the end-user. It's nothing like using public key encryption to send an email, for instance, and more akin to AOL Instant Messenger from a user perspective.
I completely agree that a usable, secure messenger is important!
And one that runs on mobile as well.
> Retroshare requires an intricate knowledge of GPG

This is not true. Pasting the certificate of your friend in a field does not require intricate knowledge of GPG.

Just to play devil's advocate for the sake of discussion I'll say, the main benefit is "education" for designers of actual secure messaging apps such as those from Open Whisper Systems.

I remember Moxie writing about intentionally using insecure messaging apps that have great UI for the purpose of learning what non-technical users want, and he then built stuff that was both secure and usable.

I think it's interesting how apps like Cryptocat (on one side) and those from e.g. Open Whisper Systems (on another) play off each other. Some secure messaging apps were pressured to up their UI game, and now some "usable" apps are pressured to up their security game or shut down. Whatsapp got X25519 via the TextSecure protocol, and now Cryptocat is shutting down. It sends a message that designers of new apps will be competing against successful deployments of messengers that are both secure and usable.

There are still things like Telegram that are apparently big, but I think the trend is clear.

Agreed. There must be a cryptographic aphorism along the lines of John Gall's famous saying about the provenance of complex systems that work.

Something like: "Usable secure systems are created by iterating from secure unusable systems, not by iterating from insecure usable systems." Someone must have said something like this before, and put it more eloquently.

See: "but the execution was flawed."

> Security at the expense of usability comes at the expense of security.

It got the usability part down, it just wasn't secure. And I wasn't claiming it was.

Are you sure that the usability wasn't fundamentally insecure? Because in that case, whether or not it was usable is meaningless as a benchmark for a system that works.
I don't think so. I did a brief look at how it works. It was basically a centrally-hosted, shared-secret setup. I've built those before. Super easy to build and use compared to high-secure, P2P apps w/ their trust management. Here was the user experience when I tried it:

1. Go to the right site. So, tell them to check domain and HTTPS.

2. Type in information you and the other person agreed to, preferably in person.

3. Chat.

Very, very usable. That could've been implemented in a simple, secure-coded app communicating over a secure tunnel with another simple app on a robust server. The crypto to do that sort of thing right (outside a browser) is pretty basic. One could even run the deployment server and untrusted storage separately so complex TCB couldn't affect trusted app delivery or operation. Not past availability.

Cryptocat's design was actually simpler than some high assurance systems of the past. That tells me it could be done robustly with a different implementation and protocol. Is it the best idea? Hell no for all kinds of reasons that start with centralization then get worse from there. Its usability can be recreated, though, in a more secure solution.

Note: As I said to tptacek, even the original with its security issues kept users safer than fads like Facebook Chat that spy on them. A fun, usable solution with better than average privacy is still a step up if used by the right people. Just gotta be clear to use something stronger (less fun) to stop hackers.

It at least set a bar in UX that other projects aiming to do it right will try to match.
Cryptocat's usability was also problematic; it was usable because it cut corners. Because of that, the "bar" they "set" wasn't entirely helpful.
Secure from whom? A school IT admin? An abusive spouse? A kiddie with a wifi packet sniffer? From hackers going after email accounts? There are lots of threat models that CryptoCat was useful against; and in the long run, CryptoCat was right about usability.
How about "secure against the best funded, best staffed signals intelligence agency in the world"? Because that's the adversary Cryptocat ended up with. When it came out that Greenwald had used it for Snowden, Kobeissi was over the moon about it on Twitter; he treated it as an endorsement.
What's it matter if it's secure but not usable? That problem, aside from demand, is why almost everyone uses insecure messengers. Usability is more important if one is targeting the masses. Especially if the alternatives they find cool and usable are horribly insecure.

That leads to the other side: what is a secure messenger? Secure against WHO? If it's hackers, then Cryptocat is entirely inappropriate as it will be smashed. Yet the average person's threat model includes all kinds of snoops that might not have hacking skill, not to mention the service host. Especially in high school & college. Cryptocat would protect them from many of those while its own problems would be found and improved over time. Widespread adoption of Cryptocat over services like Facebook Messenger stashing & analyzing the messages would be a win in privacy.

So, the question is use case. I gave it a positive review for potential to get insecure crowd on something a little better. It was also fun thanks to good art. I just said they should clearly indicate it's not for stopping hackers, governments, etc. Plus keep links to good products that are. If people want those, they'll use them. If not, Cryptocat wasn't a bad fallback compared to straight-up invasive apps they were likely using.

People say things like this a lot. I understand why they say it. But, no. Emphatically, no.

Let me put a bullet right in the head of this argument in favor of Cryptocat and things like it:

In June 2013, Cryptocat was used by journalist Glenn Greenwald while in Hong Kong to meet NSA whistleblower Edward Snowden for the first time, after other encryption software failed to work.

And, you know what else? Guess what happened right around June 2013? Decryptocat.

I specifically said it shouldn't be used to stop hackers. Let's continue anyway as there's a lesson here.

"after other encryption software failed to work."

Nothing else worked because all your recommendations were unusable. It was using Cryptocat because it might be private or doing open communications that wouldn't be private. There was also a time window.

"Guess what happened right around June 2013?"

They completed the meeting without the NSA getting shit. Greenwald got the data. Snowden escaped. Comms remained private until an NSA analyst discovered both the intercepted data and Decryptocat. It worked.

Great story. Now, what app do you recommend for a future Greenwald that's so easy to correctly acquire and use that I could give my grandmother a 3-4 step flashcard and she get through it without help & minimum hassle? Cryptocat passed my granny test. Nothing else on a desktop did so far.

> I specifically said it shouldn't be used to stop hackers.

Script kiddies get their name because they only make use of easy-to-use tools written by knowledgeable "hackers" that perform tasks that are vastly beyond the understanding of the kiddie. If your "secure communications" software doesn't stop a sophisticated passive adversary, it doesn't stop anyone, because a sophisticated adversary will inevitably release a point and drool tool that anyone can use to unscramble your data. [0]

> They completed the meeting without the NSA getting shit. ... Comms remained private until an NSA analyst discovered both the intercepted data and Decryptocat.

So, then the NSA did "get shit". They may not have gotten it in a timely manner, but they did get the plaintext of the conversation.

> Now, what app do you recommend for a future Greenwald...

TextSecure/Signal has been around since 2010. It walks you through the setup process, so no need for flashcards. Unlike Cryptocat, its crypto has stood up to scrutiny. It doesn't currently meet your "on a desktop" search criteria but:

1) It seems reasonable to expect that most journalists possess either an iOS or Android smartphone.

2) There is a Signal desktop client in development that's currently in population-limited beta testing. From what people tell me about how WhatsApp handles the interaction between its mobile clients and desktop client, Signal's desktop client is every bit as easy to use as WhatsApp's.

[0] Granted, Decryptocat likely has to be used by someone running code in the Cryptocat datacenters, but this does not invalidate my objection to your assertion.

"If your "secure communications" software doesn't stop a sophisticated passive adversary, it doesn't stop anyone"

So every non-technical person right now wanting others' conversations in various insecure apps is running full surveillance on them with control of their PC/phones because the NSA and other teams are? And NSA et al turned all that into script kiddie warez published openly with easy Google access? No they're not. Those that are make up a tiny, tiny few. So, your argument is simply wrong.

Mediocre solutions stop people all the time despite pros or talented people being able to defeat them. A subset of them get attack kits made by black hats or security professionals. A subset of that gets released into the wild. A tiny subset of laypersons find those and learn to wield them. Sometimes those tools require more access than they have, sometimes not. There's no all-or-nothing game with what happens using certain apps or security strategies. Lots of variation in risk. Your threat model, what software you're using, and how you're using it matter a LOT in determining what will actually happen.

Incidentally, this is why the Mac users felt immune to malware so long despite lots of popularity, business data up for grabs, and terrible security. If your argument was correct, they would've gotten owned massively and regularly in botnets that were on par with Windows if not worse. They didn't, though. The weakness and possibility of an attack didn't materialize into even large gains by hackers: just a little botnet or two in PPC days. Laypersons certainly didn't know about ways to own them all with easy tools. Actually, over all proprietary & FOSS in use, that appears to be an uncommon or rare event.

Note: I know people that to this day use PPC Macs and old software in a hardened configuration with backups. No evidence that anyone has trashed their system so far. Plus, the laptop users would notice if lots of streaming was going on given the terrible battery usage of those. So your hypothesis is still failing for them going on over a decade.

"So, then the NSA did "get shit". They may not have gotten it in a timely manner, but they did get the plaintext of the conversation."

The requirement was that the NSA not be able to understand the content of those messages for a period of time that covers their activity. The NSA's goal is to spot stuff like this before it becomes a huge problem. Greenwald et al's requirement passed while NSA's failed. NSA didn't get shit in terms of their goals. They also lost a LOT. :)

"TextSecure/Signal has been around since 2010."

I asked for a desktop app usable right now. I thought that was a mobile app. It's good that you...

"There is a Signal desktop client in development"

...brought me a red herring that wouldn't have helped Greenwald then or laypeople now. (sighs) Oh well. At least your counter might be true in a future case once that materializes. I look forward to its release.

> ...brought me a red herring that wouldn't have helped Greenwald then or laypeople now.

Funny. I addressed this in my previous comment, but I guess you glossed over it:

> 1) It seems reasonable to expect that most journalists possess either an iOS or Android smartphone.

Your snark doesn't enhance the credibility of your objections.

> The requirement was that the NSA not be able to understand the content of those messages for a period of time that covers their activity.

Two things:

1) That's not what you said, though. You said "the NSA didn't get shit", when in fact, they did. In my reply to you, I even addressed the fact that it's possible they got the plaintext of the conversation long after the meeting. [0] Again, your snark doesn't do you credit.

2) Another goal of the NSA is storage of encrypted data for later decryption just in case a decryption method is found and the data is useful. The NSA does far more than just deal with information that has a very brief shelf life.

> Mediocre solutions stop people all the time despite pro's or talented people being able to defeat them.

Does a messaging system that XORs the message and addressing information with a hard-coded value meet your definition of "secure messenger" if its target audience is the everyday US citizen who communicates only to people within the US? Why or why not?

[0] But, in reality, we can't know that NSA wasn't aware of this vulnerability in CryptoCat at the time of the meeting. It's entirely possible that they had access to the plaintext of the conversation shortly after it happened.

Cryptocat was not secure. No argument there! Decryptocat was the proof in the pudding.

If a secure product could be as user-friendly as Cryptocat was while still being secure, then most people's communications would be more secure.

That's all I was saying. I'm not trying at all to hand-wave the proven insecurity. I'm saying that the only thing they got right was the one thing that secure products have consistently gotten wrong. (Barring Signal.)

"That's all I was saying. I'm not trying at all to hand-wave the proven insecurity. I'm saying that the only thing they got right was the one thing that secure products have consistently gotten wrong."

That's my main claim. Usability and setup phase were between 90-100% of my positive remarks on it in my review. I just added it still has value for crowds without tech-savvy opponents if (a) they won't use truly secure stuff due to hassle and (b) they are clearly informed usable but weak tools can be breached. As one of a few interim solutions if nothing else.