Skip to content

Past Cryptocat vulnerability

6. Jul 2013

Since I made clear that I support Cryptocat for communicating with me, I better inform you about a, already fixed, vulnerability.

You may should read their blog-post about it.

First of all you should note that the bug affected “only” multi-conversations aka group chats and did not apply to private conversations between to persons.

The vulnerability was present from 2.0 and 2.0.41 (including), which were around for seven months. The bug got fixed in 2.0.42, which was released on 19th April 2013.

By now all users should have a version that contains the fix. Possibly even the latest version which is, at the time of writing, 2.1.10.

The actual vulnerability was due to a bug in the ECC (Elliptic-curve-cryptography) code, which made private keys much much weaker. Thus the keys were easily breakable via brute-force.

I’m going to keep using Cryptocat, because we actually need a tool to communicate easily while our conversations are encrypted. The bug is fixed and it never affected my use-case so far.

I’m also amazed how open the developer was/is when it comes to vulnerabilities and his statement that he is no crypto expert, which as far as I know brought him some help, as he also stated would work mostly alone on the code.

Finally, big hands for Steve Thomas who discovered the bug. We need more eyes and maybe more hands on such code.


From → General

Comments are closed.

%d bloggers like this: