Has anyone performed an analysis of the system and written a
whitepaper?
Yes, here is the public Cure53 pentest report for Cryptocat 2 (PDF), and this is its conclusion:
Conclusion
Cryptocat 2 has reached a great maturity level in a very short period
of time. It is commendable that the development team has proven great
expertise in the creation of secure code, despite the complexity of
the task at hand. While the communication process is critical in the
dynamically updated framework of audits (both during the assignment
and following its completion), it was exceptionally well-handled in
this case, resulting in the discussed issues acquiring almost
immediate fixes. Let us illustrate that by saying that on several
occasions feedback with successful fix notification managed to
reach us concurrently with the preparation of our follow-up email!
Nevertheless, the problems we have spotted underline the importance of
a well-planned and thoroughly implemented security architecture within
browser extensions. One has to be reminded that a vulnerability that
causes a rather harmless script execution in the web application
context, might turn out to become a detrimental privilege escalation
or remote code execution when it is discovered and exploited in a
browser extension. Cure53 would like to thank Radio Free Asia, the
entire Cryptocat development team and Nadim Kobeissi particularly, for
this challenging and all-round professionally-handled project.
EDIT: I would also point you to this simple explanation by Adnan of the difference between what Cryptocat was and what the most essential change in its trust/security model is since it moved to Cryptocat 2:
By moving the code to a browser plugin, now you need to trust the
source only the first time you download code. Communication still
happens between you and the server, encryption and decryption still
happens in your browser, the code is still JavaScript and HTML5. The
only difference here is that next time you connect to CryptoCat
servers, you don't need to trust the code they send you. The code is in
your browser all the time, you can audit it and check it whenever you
want.
Read the whole answer for a better perspective on what is discussed in that thread; I have included only a short excerpt from it, not wanting to appropriate Adnan's efforts.