On 08/08/2012 06:37 AM, liberationt...@lewman.us wrote: > On Tue, Aug 07, 2012 at 05:18:02PM -0700, e...@sundelof.com wrote 4.7K bytes > in 111 lines about: > :partial defenses using any technology tool. I may feel too strong about > :tools being discussed as THE solution or THE bulletproof vest so to speak. > > I'm not picking on you Erik, but this comment finally struck me > about what's bothered me with this debate. There is no such thing as 'the > bulletproof vest'.
I don't think anyone is saying we want an "ultimate solution." We have a set of technologies that we're trying to replace with a more secure solution (GChat, Facebook, etc...). It's as simple as looking at the attack vectors that we're concerned users will experience with these existing web-based chat solutions and asking the question of whether CryptoCat improves on any of them. Again, as I see it, there are three possible vectors for attack with existing web-based chat solutions: 1) SSL intercept. 2) Server infrastructure. 3) Operator. These are not theoretical, pie-in-the-sky vectors. These are things that are actually happening, are within the state of the art of an average adversary, and are within the scope of what this type of technology problem could potentially address. My analysis is that the CryptoCat technology does not improve any of these three vectors, and in fact might make the user more at risk to compromise through #1 and #2 than with existing web-based chat solutions (GChat, etc...). So again, I don't believe that those of us who have concerns about CryptoCat are asking for a "bulletproof vest." We're not demanding the "ultimate tool." To use your analogy, I'm looking for a bulletproof vest that's at minimum not rated *worse* than GChat, and ideally is rated some degree higher. - moxie -- http://www.thoughtcrime.org _______________________________________________ liberationtech mailing list liberationtech@lists.stanford.edu Should you need to change your subscription options, please go to: https://mailman.stanford.edu/mailman/listinfo/liberationtech If you would like to receive a daily digest, click "yes" (once you click above) next to "would you like to receive list mail batched in a daily digest?" You will need the user name and password you receive from the list moderator in monthly reminders. You may ask for a reminder here: https://mailman.stanford.edu/mailman/listinfo/liberationtech Should you need immediate assistance, please contact the list moderator. Please don't forget to follow us on http://twitter.com/#!/Liberationtech
