Silk Road forums

Discussion => Security => Topic started by: Gengar17 on August 05, 2013, 07:28 pm

Title: Cryptocat?
Post by: Gengar17 on August 05, 2013, 07:28 pm
Does anybody use Cryptocat to chat? How safe is it? It looks pretty solid to me.
Title: Re: Cryptocat?
Post by: comsec on August 05, 2013, 08:00 pm
Lol where have you been? 8) They are using incompetent crypto engineering and all Cryptocat chats were decrypted by amateur researchers: CryptoCat, meet DecryptoCat http://tobtu.com/decryptocat.php

Any in-browser encryption is useless: multiple side-channels, including timing analysis, since java runs in a VM and doesn't have direct access to the CPU. The following is also useless, most of these were broken by Moxie Marlinspike or the same guy (tobtu.com) on hashcat forums:

1password can be cracked at 3MH/S https://agilebits.com/
LastPass can be cracked at 750MH/S https://lastpass.com/ or bypassed with java exploit
Crypho.com can be cracked in 1hr with a 7970 GPU
All Guardianproject.info apps are subject to MITM and leaks
http://www.thoughtcrime.org/blog/strongtrustmanager-mitm/

reliable crypto safe: http://www.schneier.com/passsafe.html or KeePass, as you can change the number of iterations. Choose millions of iterations on a phone; on a PC, tens of millions (and if using AES-NI, change to billions). Bonus: passphrase + key file for a combination key as well (though TrueCrypt's multiple files is even better).

reliable mobile crypto: https://whispersystems.org/ or cryptophone by GSMK (expensive, 2,000 Euros+)

reliable chat crypto: Pidgin w/OTR only used with .onion XMPP servers, or TorChat, but even still, when it comes time to trade drop addresses or payment information you should PGP cut+paste that to each other to avoid the server snooping, or one maybe they contain logs, or who knows. Whenever the feds encounter encryption they save it for later; when a bug is found in OTR or some crypto library, they can then go back in time and decrypt all your old chats.

this was put together by hackers on 4chan's /g/, released last week and should be considered highly experimental: http://tox.im
Title: Re: Cryptocat?
Post by: Gengar17 on August 06, 2013, 03:29 am
Hahah, obviously I haven't been up to date on chat security. Guess I'm going to stop using it now, that's a bit unsettling. Not that I talked about anything too important ever.

So Pidgin with OTR is the safest alternative?
Title: Re: Cryptocat?
Post by: comsec on August 06, 2013, 04:05 am
Only if you use a .onion jabber/xmpp server so you stay inside the Tor network and there's no chance of outside snoops doing SSL MITM attacks. TorChat looks promising too. If you have phones you can both use TextSecure, but both your phones will be insecure endpoints.

Again, if you're using OTR chat, any sort of addresses exchanged in chat for drops or identity-compromising info you should PGP encrypt and paste into the chat to each other. You have no idea if the server is recording everything for later decryption should any bugs be found in OTR crypto engineering. Just think of everybody who used CryptoCat for a year whose chats (if they are archived somewhere) can now be decrypted and read in the clear.
Title: Re: Cryptocat?
Post by: Gengar17 on August 06, 2013, 10:50 pm
Thanks for the info, +1 to both of you!
Title: Re: Cryptocat?
Post by: Gengar17 on August 06, 2013, 10:55 pm
Another question I had about Cryptocat: if I never said an address and I use Cryptocat on TOR, is there a way they could determine who I am?