Security

Cryptocat Aims for Easy-to-use Encrypted IM Chat

Nadim Kobeissi, a 21-year-old Lebanese student in Canada, has been diligently working on a simple, secure way for people to chat on the web and keep their conversations away from prying eyes.

A self-described "computer wizard with a strong sense of civil awareness," Kobeissi estimates he spends five times more time on his Cryptocat project than his political science and philosophy studies at Concordia University in Montreal.

In an era of Web-based political activism, Cryptocat is aimed at providing rock-solid messaging security as governments around the world ramp up their Internet monitoring to ferret out activists.

Instant messaging programs are widely used, but there are security issues that make them less than ideal for activists.

Many of those applications implement SSL (Secure Sockets Layer), an encryption protocol that underpins e-commerce transactions. Messages are encrypted when transmitted, but those conversations are decrypted on the servers running those services, potentially allowing interlopers to record them.

There are proven encryption technologies for instant messaging, such as PGP (Pretty Good Privacy) and OTR (Off The Record), an add-on encryption program for IM applications such as Pidgin and Adium.

But PGP can be "difficult to use for people who aren't computer geeks," Kobeissi said. OTR must be downloaded, installed and configured, and both parties having a conversation must have it enabled in order for the messages to be encrypted.

The beauty of Cryptocat is its simplicity. First, one of its versions is web-based, so no application has to be downloaded. A user creates a chat session, picks a nickname and then types a random string of characters in order to generate the 256-bit AES encryption keys for the public key cryptography system it uses.

The encryption and decryption keys are only stored within a person's Web browser, providing true end-to-end encryption. Kobeissi said only recently have web browsers incorporated JavaScript engines powerful enough to use very long encryption keys. Even if an attacker seizes a server running Cryptocat, the conversations would be meaningless and impossible to decrypt.

Kobeissi has worked other features into the web-based client, including the ability to invite Facebook friends and send encrypted files to another person.

Still, there are limitations with Cryptocat, mostly because it hasn't been as rigorously tested as PGP and OTR, which have been vetted by the world's best cryptographers, Kobeissi said. Cryptocat is just under a year old.

"I'll tell activists to use it in maybe five years," Kobeissi said. "Cryptocat is probably quite secure. But you have to understand that when you tell people to rely on your software for their lives, you better be 100,000 percent sure you know what you are doing."

Cryptocat's code is open source, and Kobeissi has published details on how its encryption works in order to get feedback from other cryptology specialists.

As an added security measure, Cryptocat is compatible with TOR (The Onion Router), a worldwide network that make web surfing more anonymous by randomly routing traffic through its servers. By using a ".onion" URL for Cryptocat, the Cryptocat server will not know the users' true IP addresses, Kobeissi said.

Kobeissi has plans for quite a few Cryptocat improvements. There already is an add-on application for Google's Chrome browser, and Kobeissi expects to release native applications for iOS and Android later this year.

He's also planning to purchase some of the US$25-$35 Raspberry Pi mini-computers under development by the Raspberry Pi Foundation. Tiny packages containing Raspberry Pis and the Cryptocat server software could also be sent to regions in need. As an alternative, nongovernmental organizations could set up their own Cryptocat servers, Kobeissi said.

"That's why the code is open source," he said. "Anyone can download [the code] and set up their own server."

Send news tips and comments to jeremy_kirk@idg.com

Subscribe to the Security Watch Newsletter

Comments