A dispute between developers and an unhappy researcher

Jul 4, 2013 14:47 GMT

If you are using an older version of Cryptocat, you are advised to update your installation immediately.

Crypto expert Steve Thomas claims to have identified a vulnerability that exposes all Cryptocat chats from the period between October 17, 2011, and June 15, 2013. He has even developed a tool, DecryptoCat, to demonstrate his point.

“Cryptocat is run by people that don't know crypto, make stupid mistakes, and not enough eyes are looking at their code to find the bugs,” he said.

“I would suggest not using Cryptocat as there's no telling how long it will be until they break their public key encryption.”

However, the Cryptocat developers tell a very different story.

They say that only Cryptocat versions between 2.0 and 2.0.42 are plagued by the vulnerability. They also highlight the fact that the security hole identified by Thomas can only be used to crack group conversations.

According to the Cryptocat developers, the period between versions 2.0 and 2.0.42 spanned around 7 months, a window during which attackers could have cracked group chats with relative ease via brute-force attacks.

Besides addressing the vulnerability found by Thomas, Cryptocat 2.0.42 also implements some changes in how keys are generated, breaking compatibility with previous versions.

The release notice published at the time reads: “IMPORTANT: Due to changes to multiparty key generation (in order to be compatible with the upcoming mobile apps), this version of Cryptocat cannot have multiparty conversations with previous versions. However private conversations still work.”

Cryptocat also disputes the claim made on Thomas' blog that the two issues are connected, saying they are not.

“Private chats are not affected: Private queries (1-on-1) are handled over the OTR protocol, and are therefore completely unaffected by this bug. Their security was not weakened,” Cryptocat developers explain.

“Our SSL keys are safe: For some reason, there are rumors that our SSL keys were compromised. To the best of our knowledge, this is not the case. All Cryptocat data still passed over SSL, and that offers a small layer of protection that may help with this issue.”

Cryptocat is available for download here.