Encrypted chat app CryptoCat isn’t secure by any means

People in the security community often criticize the code behind Cryptocat, an open-source encrypted instant messaging project. Ironically, Cryptocat’s policy of publicly releasing third-party code audits is what generates much of the criticism, which is a reason other projects often choose not to release their audits. On Wednesday, Cryptocat’s founder, Nadim Kobeissi, announced the release of two more code audits, both of which found flaws with the chat program that have now been mostly resolved.

A new report has called into question the effectiveness of cryptographic protocols utilized by the popular browser- and iOS-based chat application CryptoCat. The open-source app contains several flaws, which may permit attackers to compromise OTR (off-the-record) conversations, according iSEC Partners researchers, who performed penetration tests on the software. Users are provided an encrypted platform for conversation through the use of forward secrecy, which in the case of CryptoCat relies upon newly generated keys for each chat session. The process used by the app places the responsibility of verifying a peer’s identity squarely on the users themselves. In other words, a user would need to verify the identity of the person with whom they wish to speak by other secured means prior to initiating CryptoCat, thus negating the entire purpose of the app.