Hi, I'm the lead developer for Cryptocat. I strongly urge you all to please read our blog post regarding this audit. This audit document alone does not give enough context. This audit was commissioned by us and concerns a pre-release version of Cryptocat for iPhone. Many of the bugs it found are due to the fact that it was reviewing a prototype with debugging features (such as NSLog) turned on. While this audit definitely does find some vulnerabilities and room for improvement, none of the critical bugs in this audit ever made it to Cryptocat for iPhone's release. It's very unfortunate that this audit is being taken out of context like this and used to attack our effort. I'd appreciate it if you could please upvote this comment and help me contextualize this audit. We've done our best to address these issues and are working towards an open discussion on how to improve accessible encryption. Again, please, read the blog post for context (and also for the results of another audit we commissioned in parallel). The blog post's last section ("On the Significance of Audits") discusses why it is that Cryptocat has seen more audits published about it than other encryption projects. Read what we're doing to improve the security of accessible encryption and our reasoning for publishing these audits. I'll be grateful for you taking the time to read on what we're doing and I am more than happy to discuss with you and answer your questions.

According to both the blog post and ISEC, you had a pathetically easy man-in-the-middle attack against all of your code, including deployed code in real world use, not just the "buggy" iOS client.