Flaws in Crypto Cat

10

I have heard from many people that Crypto Cat has some security flaws. Has anyone performed an analysis of the system and written a white paper? I'm curious what the specific flaws are and what solutions could be implemented to fix them.

    
asked by Charles Hoskinson 09.06.2013 - 06:53
source

3 answers

8

Has anyone performed an analysis of the system and written a whitepaper?

Yes, here is the public pentest report for Cryptocat 2 (PDF), and this is its conclusion:

Conclusion

Cryptocat 2 has reached a great maturity level in a very short period of time. It is commendable that the development team has proven great expertise in the creation of secure code, despite the complexity of the task at hand. While communication process is critical in the dynamically updated framework of audits (both during the assignment and following its completion), it was exceptionally well-handled in this case, resulting in the discussed issues acquiring almost immediate fixes. Let us illustrate that by saying that on several occasions feedback with successful fix notification has managed to reach us concurrently to follow-up email's preparation!

Nevertheless, the problems we have spotted underline the importance of a well-planned and thoroughly implemented security architecture within browser extensions. One has to be reminded that a vulnerability that causes a rather harmless script execution in the web application context, might turn out to become a detrimental privilege escalation or remote code execution when it is discovered and exploited in a browser extension. Cure53 would like to thank Radio Free Asia, the entire Cryptocat development team and Nadim Kobeissi particularly, for this challenging and all-round professionally-handled project.

EDIT: I'd also like to point you to this simple explanation by @Adnan of the differences between what Cryptocat was and what the most essential change in its trust/security model has been since it moved to Cryptocat 2:

By moving the code to a browser plugin, now you need to trust the source only the first time you download code. Communication still happens between you and the server, encryption and decryption still happens in your browser, the code is still JavaScript and HTML5. The only difference here is that next time you connect to CryptoCat servers, you don't need to trust the code they send you. The code is in your browser all the time, you can audit it and check it whenever you want.

Read the whole answer for a better perspective on what is discussed in that thread; I've included only a short excerpt from it, not wanting to impose on Adnan's efforts.

    
answered 09.06.2013 - 07:46
source
9

I had a conversation with the lead developer of Cryptocat and thought I'd post his email here:

From Nadim Kobeissi

With regards to security, Cryptocat has been audited numerous times by professional security companies. Our latest audit from Veracode gave us a score of 100/00: https://blog.crypto.cat/2013/02/cryptocat-passes-security-audit-with-flying-colors/

There's still work to do seeing as the field of browser cryptography is new, but I'm confident that Cryptocat has impressive security.

I invite you to also check out our codebase: https://github.com/cryptocat/cryptocat/

…and documentation: https://github.com/cryptocat/cryptocat/wiki/

NK

    
answered 09.06.2013 - 20:53
source
6

Despite the security audits, it turned out that until recently Cryptocat had a major flaw that affected group chats:

link

According to security expert Steve Thomas, [group chat] messages sent via Cryptocat between 17 October 2011 and 15 June 2013 are compromised. The security hole affects all versions of the chat software since 2.0, as the hole was only discovered and closed in version 2.0.42. On his web site, Steve Thomas has a massive go at the software developers.

    
answered 07.07.2013 - 23:33
source
