by kaeporan
4454 days ago
I disagree; I don't think your summary is accurate. This is an audit of a pre-release prototype. All the bugs were fixed before release, and our blog post at https://blog.crypto.cat/2014/04/recent-audits-and-coming-imp... does not discuss mere band-aids. It discusses, at length, real solutions to complex problems that many encryption apps face. It resolves pitfalls that even companies like Apple commit on a much wider scale and on a much more dangerous level. For example, we didn't simply "re-use fixed IVs". We know not to do that. The resulting bug was the series of a much more complicated and hard-to-spot issue with the re-keying mechanism. Understand you might not have the full picture here. Simply put, I refuse the assertion that Cryptocat's team has not dealt with its software development in a competent, professional, responsible and honest fashion. I want to discuss this further with you. I want to convince you of my point of view. Please email me at nadim@nadim.cc so I can have the opportunity to discuss with you and hopefully convince you that your perspective isn't exactly right on this.
I appreciate your willingness to continue this discussion, dropped you an email.