If you used Cryptocat from October 17th, 2011 to June 15th, 2013 assume your messages were compromised.

When i first learned about Cryptocat in early 2012 i was excited to try it out but after some research found multiple bugs and issues that made me lose my excitement. At a time where the desire for encryption and privacy is at an all-time high you want to make sure you pick the right tools for the job. Grabbing the first good sounding tool you find and relying on it 100% is a bad idea. Today i read an article about DecryptoCat by Steve Thomas, a tool that claims to “crack the ECC public keys generated by Cryptocat versions 1.1.147 through 2.0.41”. This is also the article where i got “If you used Cryptocat from October 17th, 2011 to June 15th, 2013 assume your messages were compromised.” While i don’t have the time or knowledge to really dive into the math on this one, i believe it’s claims as i’ve read about multiple issues, bugs and security concerns in the past.

So how will you know if a tool is right for the job?
When using any application/tool/utility but especially ones used for security purposes, research it. Find out if the people/company behind the product are reputable and if the product has a solid history. If a product is new, even if it’s from a reputable company, do not use it. Let the professionals and die-hards put it through the wringer and soon you’ll see reviews appear online either raving about it or knocking it for having issues. As Steve Thomas also mentions in his article “it means nothing when I hear “it is open source and peer reviewed”, something i absolutely agree with. While it may be harder for the NSA to hide a backdoor in an open source product because the product has so many eyes on it, it won’t stop poor coding and poor implementation. Open source doesn’t mean anything. Of course a reputable company can screw up sometimes and release a piece of software that has a bug or vulnerability in it but these vulnerabilities are squashed fairly quick and that company will let their users know.

So which tools do you recommend?
I have looked (and am looking) into a lot of them but i try not to publish anything until i have my facts straight. I have tested and researched GPGTools for email encryption to TrueCrypt for drive encryption and have yet to find a product i would recommend. GPGTools take forever to update their software to be compatible with the latest OS so when you update you are suddenly left without GPGMail and TrueCrypt, while useful, is fairly complicated to use. Instead i recommend using OS X’s built-in tools for drive encryption and have made no recommendations yet for e-mail encryption as i have not yet found one i like. When it comes to encrypted messaging i use Adium which supports Off-The-Record (OTR) encryption and authentication. I used iMessage a lot until recently but since i’m now unclear if my transmissions are safe or not i try to use Adium as much as possible. Adium is just my preferred messenger, there are many others that implement OTR as well.

– Research a tool before you use it.
– Research the company that created the tool.
– Properly test a tool before implementing it.
– As soon as you pick and implement a tool, always keep an eye out for news about bugs, vulnerabilities and of course updates.

Related post: How a flaw discovered in the future can compromise encryption used in the past

Comments and feedback welcome.