[cryptography] DeCryptocat

Nadim Kobeissi nadim at nadim.cc
Fri Jul 5 00:58:33 EDT 2013


On 2013-07-05, at 6:15 AM, Matthew Green <matthewdgreen at gmail.com> wrote:

> 
> 
> On Jul 5, 2013, at 12:01 AM, Jacob Appelbaum <jacob at appelbaum.net> wrote:
> 
>> Nadim Kobeissi:
>>> 
>>> On 2013-07-05, at 3:15 AM, Jacob Appelbaum <jacob at appelbaum.net> wrote:
>>> 
>>>> Nadim Kobeissi:
>>>>> Hello everyone,
>>>>> I urge you to read our response at the Cryptocat Development Blog, which strongly clarifies the situation:
>>>>> 
>>>>> https://blog.crypto.cat/2013/07/new-critical-vulnerability-in-cryptocat-details/
>>>> 
>>>> Has there been a rotation of the certificate and keying material for all
>>>> services that serve CryptoCat chat traffic?
>>> 
>>> Rest assured we're working on it as an extra precaution (as mentioned in the blog post). Also, our services use SSL forward secrecy.
>> 
>> I'm not really assured and I think I should clarify something that is
>> perhaps slipping past like a ship in the night. I went to crypto.cat in
>> Chrome only to find myself not connected in a forward secure manner.
>> 
>> According to ssllabs[0], CryptoCat supports some odd SSL/TLS configurations:
>> 
>> Protocols
>> TLS 1.2     Yes
>> TLS 1.1     No
>> TLS 1.0     No
>> SSL 3.0    Yes
>> SSL 2.0  No
>> 
>> Further more - it appears that CryptoCat supports
>> SSL_RSA_WITH_RC4_128_SHA, as well as other non-forward secure modes Is
>> there really any reason to support such a mode with 3DES in 2013 for
>> this kind of service?

TLS1.1 and 1.2 are both supported, actually, in addition to SSL 3.0.

AES-GCM is already prioritized over RC4, but unfortunately most browsers don't support AES-GCM yet, which is why RC4 remains as the secondary choice. In the case that AES-GCM is not supported, we use RC4 instead of AES-CBC in order to mitigate for BEAST. If you have alternate suggestions to this, please let me know.

We've just removed some of the more obsolete suites that use 3DES. They were unlikely to be used anyway due to their very low priority.

>> 
>> Also, I'm not sure if this is obvious but it appears that many users may
>> be using SSL 3.0:
>> 
>> Chrome 27     SSL 3     TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)  Forward
>> Secrecy     128
>> Firefox 21     SSL 3     TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)  Forward
>> Secrecy     128
>> Internet Explorer 10     SSL 3     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
>> Forward Secrecy     128
>> Safari iOS 6.0.1    TLS 1.2     TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)
>> Forward Secrecy     128
>> Safari 5.1.9     SSL 3     TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)  Forward
>> Secrecy     128
>> 
>> RC4 is not my favorite choice when all the other crypto has failed.
>> 
>> Do you know how many users are impacted? How many users are actually
>> choosing the forward secret protocols?
>> 
>> All the best,
>> Jacob
>> 
>> [0] https://www.ssllabs.com/ssltest/analyze.html?d=crypto.cat
>> _______________________________________________
>> cryptography mailing list
>> cryptography at randombit.net
>> http://lists.randombit.net/mailman/listinfo/cryptography
> _______________________________________________
> cryptography mailing list
> cryptography at randombit.net
> http://lists.randombit.net/mailman/listinfo/cryptography



More information about the cryptography mailing list