Security Update: Our First Full Audit

Update: We’ve written a follow-up to this post.

Cryptocat has just finished receiving its first full audit from the team over at Cure53. In addition to this audit, we’ve also received some feedback from independent security researcher Daniel “koolfy” Faucon. As a result, we’ve addressed many important security issues which have been pushed in the latest Cryptocat update (version 2.0.22.) We strongly recommend that everyone update immediately. As a result of the changes we’ve had to implement in this version, many features are not compatible with prior versions of Cryptocat.

In the latest update:

  • We have addressed an initialization vector reuse error in our multiparty encryption scheme which could allow a third party to retrieve plaintext. The problem lay with the accidental re-use of nonces in AES-CTR encryption. This problem does not affect private conversations, only group conversations. It has been independently discovered and reported by Daniel “koolfy” Faucon and the Cryptocat Project owes him its most sincere thanks and appreciation. Thank you, Daniel!
  • Update: Regarding the retrieval of plaintext, the third party could be the messaging server or any party with access to the ciphertext as it is communicated or after it is communicated, with the condition of there being enough intercepted ciphertext from multiple parties. In the default setup, Cryptocat relays messages via SSL to our Content Distribution Network (Cloudflare,) which then relays it via SSL to the default Cryptocat messaging server. In this default setup, both our CDN and Cryptocat’s messaging server have access to the ciphertext, but do not log it (we have verified this with Cloudflare.)
  • We have addressed a variety of non-crypto bugs discovered by the audit performed by Mario Heidrich’s team Cure53. Their professional audit (the first for our project) has discoveries ranging from critical vulnerabilities (in some cases even allowing for remote code injection) to low/non-critical bugs. We have pushed fixes for the issues they have raised and are immensely grateful for/impressed by the depth of their report.

Overall, we are pleased to have been able to get a full audit completed within the first month of Cryptocat 2.0′s availability as a public beta. However, we are also strongly regretful of the existence of these critical security errors, and hope that our fixes will be automatically pushed to users as quickly as possible. We are going to make use of our relationship with independent auditors as much as possible so that these kinds of vulnerabilities don’t make their way into Cryptocat in the future.

Fix commits:

Update: As of November 9th, the full audit report is available for public download.

As always, please report any kind of bugs or issues you find with Cryptocat, including improvements you would like to see added. Thank you for helping us make Cryptocat better.