Zooko Wilcox-O’Hearn on April 2, 2014
This is the second post in our series about security audits of Free and Open Source end-to-end encryption software. The first post in the series was about our security audit of SpiderOak’s crypton project.
Our mission at LeastAuthority is to bring verifiable end-to-end security to everyone. As part of that mission, in addition to operating the S4 simple secure storage service, we also perform security consulting. We LeastAuthoritarians have extensive experience in security and cryptography, and other companies sometimes ask us to analyze the security of their protocols and software.
We audited the widely-used Cryptocat encrypted chat program. This audit was funded by Open Technology Fund as part of their Red Teamproject to provide multiple professional security audits to Internet freedom projects.
What were the results?
We found several security issues in the version of Cryptocat that we examined (Cryptocat v2.1.15). For each one, we reported it to the Cryptocat developers, and they have either deployed a fix in a newer release of Cryptocat or else disabled the feature that has the vulnerability.
The complete list of the issues we found is at the end of this article, along with a link to the report document.
Unfortunately we didn’t have time to examine all parts of Cryptocat that we wanted to. We concentrated on the “crypto-related” parts: key generation and key management, random number generation, encryption and decryption, authentication and integrity, and the new file transfer feature. Most of the issues that we found were in those areas.
Our report explains what parts of it we looked at most closely (this is called the “coverage” results of the audit).
Parting thoughts
I would like to thank the Cryptocat project, led by Nadim Kobeissi, for their commitment to doing development in the open, inviting external review, and moving to address the issues we uncovered. This open development process is a good complement to Cryptocat’s Free and Open Source publication of their code and their commitment to providing end-to-end security for their users.
On top of that, I’d like to thank Cryptocat for their unflagging focus on usability. Usability is a critical factor if we are going to succeed at bringing verifiable end-to-end security to everyone, and it is an area where we as a community and as a society need to improve.
Any questions?
If you have any questions about these results or the process, please contact us or the Cryptocat developers.
The next project we are auditing is GlobaLeaks, so stay tuned.
Further reading
The full report: Report of Security Audit of Cryptocat
The post on the Cryptocat blog.
Tickets on the Cryptocat github issue tracker to track the status of each issue:
- Issue A (formerly at https://github.com/cryptocat/cryptocat/issues/575)
- Issue B (formerly at https://github.com/cryptocat/cryptocat/issues/576)
- Issue C (formerly at https://github.com/cryptocat/cryptocat/issues/577)
- Issue D (formerly at https://github.com/cryptocat/cryptocat/issues/578)
- Issue E (formerly at https://github.com/cryptocat/cryptocat/issues/606)
- Issue F (formerly at https://github.com/cryptocat/cryptocat/issues/607)
- Issue G (formerly at https://github.com/cryptocat/cryptocat/issues/608)