by pablobaz 4547 days ago
Easy to be snarky about this. But I admire their persistence.

In the face of the extensive criticism they could have just given up.

Instead they have acknowledged making mistakes, didn't give up, learnt from the mistake and changed their subsequent behavior. This is admirable.


Thank you very much for that comment.

I believe that we've been truly open source, transparent and accountable for our code since day one. There are other projects that are currently similarly open and transparent (I respect TextSecure for this), but I can't say this is the standard in this field.

We've always solicited and compensated feedback from security enthusiasts, hobbyists and world-famous cryptographers alike. Over the past year, we've had the opportunity to grow into a product that examined what is fundamentally responsibly possible in the browser, and we've even landed ourselves as a primary use-case for the W3C's Web Cryptography working group. We've produced a true, responsible alternative for people who just don't know how to use anything more complicated than Facebook Chat, and we've made it clear that we are not trying to replace PGP or other iron-clad 30-year old solutions. We're trying to help mom and pop users.

Regarding our past vulnerabilities, I can't think of a fuller disclosure than dedicating an entire talk to detailing every single one of them: https://blog.crypto.cat/2013/11/documenting-and-presenting-v...

We also carried out a study to verify whether users were indeed clicking on the security warnings on our website: https://blog.crypto.cat/2013/11/yes-cryptocat-users-are-read...

We want to do things right. We are truly open source, truly honest, transparent and we take immediate steps for mitigation every time. We will continue to solicit audits and feedback for our more experimental browser client, but also hope to have a more grounded product in our upcoming Objective-C (iPhone) and Java (Android) apps.

Overcoming a bad reputation is extremely more difficult than keeping a good one. We have been less lucky than other projects. The fact that we used experimental platforms and coupled that with overly loud disclosure of all the failures those platforms lent us meant that we couldn't keep face as easily as other projects.

But that said, I can't but resent the continued accusation that after three years at this, myself and all other volunteers (a wide range) working on this haven't matured enough to know what we're doing, and haven't proven that we care very much to do it right. It's very relieving to hear that the community at HN can understand this and see that we have been proceeding responsibly for quite some time now.

> I can't but resent the continued accusation that after three years at this, myself and all other volunteers (a wide range) working on this haven't matured enough to know what we're doing, and haven't proven that we care very much to do it right.

The thing is, in the case of a significant percentage of people attempting crypto, it's not that they don't care, it's that they simply aren't capable of it. Jumblefucks like the telegram launch (which was too disorganised to be a clusterfuck, frankly) keep that fact fresh in everybody's mind.

What's interesting to note, though, is that people are now largely complaining about the fact that vulnerabilities have been found, rather than your response to them. I think maybe that's a more useful metric for how competently you're dealing with it than pure positive/negative response is, under the circumstances.

Compare them to underground dentists -

Bob has no medical training, but has a dremel and practiced on a pig head. He offers to do a filling for his pal. He makes a bit of a botch of it, but he larns from his mistake and carries on. Dentistry is important so it's admirable that Bob ignores the criticism. Bob's first pal is currently fighting off a severe infection, but Bob uses that as a learning experience.

Bob will get there one day!

If a growing portion of the dentistry industry was discovered to have been weakening people's teeth at the government's request, I'd start to buy Bob a beer a little more often.

It turns out Bob was actually receiving radio transmissions from the ADA through his fillings. He's a sleeper in the underground dentist community, waiting for the call to turn his xray machine on when the TSA releases its ruling on the need for back-scatter surveillance to prevent the next tooth-bomber from hijacking civilian aircraft. Be careful what you say around Bob.

Except, this is software.

My favorite expression when things get heated: "Nobody is going to die."

There are exceptions, of course, but a vast majority of the work we do just doesn't matter in the context of life and nature.

Unfortunately, I don't think the 'Nobody is going to die' statement holds up for software like cryptocat. If it is promoted as secure, then it could be used in areas with hostile regimes. For example, members of the Arab Spring uprising might have trusted cryptocat, but what if their governments were intercepting and decrypting those messages due to a flaw in the software?

Bottom line, explaining away problems by saying 'nobody is going to die' is a downright dangerous statement IMO.

> "Nobody is going to die."

This isn't accurate, e.g. http://cryptome.org/2012/07/chile-comments.htm .

Bad crypto is actually much more dangerous than a single rogue dentist.

Bad crypto doesn't kill, people/organizations with a fucked up agenda do.

I thought this past year taught us that no information is safe. To expect that any system is entirely secure and ever will be is pure egotism.

Then what's the point?

And one of those exceptions is people trying to use bad crypto to avoid persecution...

Normally, yes, but this is crypto. It's not medicine, but it's pretty close to a bullet-proof vest. It's important that it does its job.

That's true. Market software accordingly and everything is fine.

I am glad to see cryptocat being much more careful with their wording.

Except if the flawed software is a company's core product, the company might fail.

As we all know, corporations are people, my friend.

Are there any other dentists around who would work on Bob's pal? If so, are they actually better dentists than Bob? If so, is it possible for Bob's pal to find, enter, and understand their places of business, well enough to receive the care she requires?

Cryptocat would never be used by Glenn Greenwald, but that's because he is privileged to have access to better crypto.

> but that's because he is privileged to have access to better crypto.

That's the first time I've heard of using PGP to be a privilege.

Agree, I really believe they are committed to security and openness. They should be a model for a lot of security focused companies out there. Security is a process.

I know, it's like they never heard of the term "security through obscurity"