With the recent media blitz surrounding the National Security Agency’s apparent spying on the American public through the Internet, the issue of privacy has become a hot topic for those people concerned with protecting their personal information while using web-based services. Consumers are turning away from data-collecting giants like Google, in favor of lesser known service providers that can promise anonymity. Cryptocat is one such provider touted for maintaining the inconspicuous nature of its users’ activities. Unfortunately, Cryptocat recently came under fire for possibly not being as secure as it claims to be. Is Cryptocat as cryptic as it should be? Here are some things to consider:
What is Cryptocat?
Cryptocat is an instant messaging (IM) service that lets people chat either one on one or as a group in a chat room. This open source, browser-based program is said to be especially resistant to eavesdropping, which has led many privacy-seeking web users to use it regularly.
The Power of Encryption
Cryptocat works to keep user data exchanges safe by encrypting them while they are being sent across the net. Encryption is the process of scrambling data into unrecognizable (and hence unreadable to hackers) code, which is then decoded once it has reached its secure destination. By today’s standards, encryption is one of the most effective ways of protecting data on the web. Still, it is not foolproof. If not done correctly, it can lull users into a false sense of safety while leaving their private information vulnerable.
The Cryptocat Bug
Researcher Steve Thomas identified a bug in the Cryptocat code that compromised the security of users’ conversation data. In layman’s terms, the bug reduced the number of digits used to encrypt the data, making it much easier to crack. Cryptocat representative Nadim Kobeissi issued an apology for the oversight, and the bug was reportedly fixed within a month’s time.
Who Should Be Concerned?
The bug left users vulnerable for a period of over a year and a half, from October 17, 2011 to June 15, 2013. In his scathing blog post about the Cryptocat bug, Thomas warns Cryptocat users that if they participated in group chat during that time frame, they should consider their messages compromised; furthermore, if they were using a version of Cryptocat developed during that time frame, they are likewise compromised. The only solution now is to be sure you are using Cryptocat version 2.0 or newer.
Of course, as Kobeissi warns, you should never assume that any of your data on the web is impenetrable. When it comes to online security, the best rule of thumb is to refrain from sharing anything that could potentially come back to haunt you, should your data be compromised. You might even want to consider a VPN for Windows service to keep things even more secure.