It *is* safer than Facebook, for both the reason Douglas lays out below and for the fact that *just to have a Facebook account* you're technically required to use your real name (yes, I know lots of people break this rule, but it's also something lots of people don't think about).
That said, fair point about Google. Again, not a technologist, so I'm taking those of you who are on your word at the moment.

On Mon, Aug 6, 2012 at 6:21 PM, Moxie Marlinspike <mo...@thoughtcrime.org> wrote:

> On 08/06/2012 05:28 PM, Jillian C. York wrote:
> > A /safer/ web-based tool than Facebook chat with a GIANT WARNING is far
> > better than everyone continuing to hold their discussions in insecure
> > fora.
>
> I think this sentence is really the essence of the problem. Why do you
> assume it's safer?
>
> CryptoCat has the word "crypto" in it, positions itself as a
> cryptography project, and has a stated emphasis on security, so it's
> easy to conclude that whatever it's doing is at least somehow better
> than what Facebook or Google are doing.
>
> However, my position is that Google Chat is currently more secure than
> CryptoCat. To be more specific, if I were recommending a chat tool for
> activists to use, *particularly* outside of the United States, I would
> absolutely recommend that they use Google Chat instead of CryptoCat.
> Just as I would recommend that they use GMail instead of HushMail.
>
> The security of CryptoCat v1 is reducible to the security of SSL, as
> well as to the security of the server infrastructure serving the page.
> Any attacker who can intercept SSL traffic can intercept a CryptoCat
> chat session, just as any attacker who can compromise the server (or the
> server operator themselves) can intercept a CryptoCat chat session.
>
> This effectively means that CryptoCat is not a "cryptography project,"
> in the sense that whatever cryptography it delivers does not affect or
> improve upon the existing attack vectors of chat tools that we're trying
> to "replace" like GChat.
>
> So I believe it comes down to a question of who we trust to provide a
> more secure SSL and server-side infrastructure. No offense to Nadim,
> but at this point I believe that Google does a better job. It'd be
> tough to do better, given the amount of dedicated people and resources
> they have specifically focused on that problem, as well as the amount of
> advanced information they have access to concerning coming SSL attacks,
> etc.
>
> - moxie
>
> --
> http://www.thoughtcrime.org
> _______________________________________________
> liberationtech mailing list
> liberationtech@lists.stanford.edu
>
> Should you need to change your subscription options, please go to:
>
> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>
> If you would like to receive a daily digest, click "yes" (once you click
> above) next to "would you like to receive list mail batched in a daily
> digest?"
>
> You will need the user name and password you receive from the list
> moderator in monthly reminders. You may ask for a reminder here:
> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>
> Should you need immediate assistance, please contact the list moderator.
>
> Please don't forget to follow us on http://twitter.com/#!/Liberationtech

--
+1-857-891-4244 | jilliancyork.com | @jilliancyork
"We must not be afraid of dreaming the seemingly impossible if we want the seemingly impossible to become a reality" - Vaclav Havel