Cryptocat, Now with Encrypted Facebook Chat

Cryptocat’s mission is to make encrypted chat accessible and easy to use. With Cryptocat celebrating its third birthday (already!), we’re happy to announce the new Encrypted Facebook Chat feature in the latest Cryptocat 2.2 update.

Facebook Chat as a Cryptocat Buddy List

Cryptocat can now log into your Facebook account for you, fetch your Facebook contacts, and if another contact is also using Cryptocat, you’ll be able to automatically set up an end-to-end encrypted chat. If a Facebook friend later logs in via Cryptocat, your chat will be immediately upgraded to an encrypted Cryptocat chat:

Effectively, what Cryptocat is doing is benefiting from your Facebook Chat contact list as a readily available buddy list. As a complement to Cryptocat’s ephemeral group chat feature, Encrypted Facebook Chat lets you view which of your friends are online and allows you to immediately set up encrypted chat with them. Users will still be able to chat with non-Cryptocat users from within Cryptocat — although those conversations will not be encrypted (and you should probably ask your friends to upgrade to Cryptocat too, wink wink.)

If both you and your Facebook friend use Cryptocat, your chats will be OTR-encrypted end-to-end and can’t be viewed by Facebook (or Cryptocat’s network.) This is how your chat will look on Facebook:


Layers of Separation

Our commitment to layers of separation from Facebook’s network and runtime defined how we engineered Encrypted Facebook Chat into Cryptocat. For example, why didn’t we opt to integrate Cryptocat directly into the Facebook Chat interface on Facebook’s own site? Such an approach would have made encrypted chats over Facebook even more immediate, but would have immersed Cryptocat into Facebook’s network and runtime environment in a way that didn’t satisfy our security precautions. In our current design, Cryptocat connects to Facebook in the most minimal way possible: as a regular XMPP client over Cryptocat’s outbound BOSH relay. Not a single line of code from Facebook is ever loaded or executed in Cryptocat. Even the Facebook login process happens in a completely separate, sandboxed window.

What About Metadata?

In Cryptocat group chats, chatrooms, nicknames, and pretty much everything else are completely ephemeral, so the amount of registered metadata is minimal compared to Encrypted Facebook Chat. While Cryptocat over Facebook Chat will encrypt your conversations, it’s important to note that Facebook will still be able to access metadata such as the times during which you exchanged messages, or which Facebook friends you had an encrypted conversation with. More obviously, you may also leak the fact that you are using Cryptocat to others, and the Cryptocat network’s BOSH relay will be responsible for transferring information to your client, including your Facebook Chat contact list.
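To make the metadata point concrete, here is an added example (not Cryptocat’s own code) that takes a few constructed XMPP message stanzas, as Facebook’s server or the BOSH relay would see them, and extracts what stays readable once the body is OTR-encrypted: who talked to whom, when, how much, and the fact that OTR is in use at all (every OTR query or encrypted message begins with the marker "?OTR"). The JIDs, timestamps and stanza contents are made up for the example.

```python
# Added example (not Cryptocat's own code): what an XMPP server in the path,
# here Facebook's or the BOSH relay, still learns about OTR-encrypted chats.
import re
import xml.etree.ElementTree as ET

# Constructed stanzas, as the server would see them. OTR traffic is easy to
# spot because every OTR message or query starts with "?OTR".
SAMPLE_STANZAS = [
    ("2014-05-20T10:00:01Z", '<message from="alice@chat.facebook.com/cc1" '
     'to="bob@chat.facebook.com" type="chat"><body>?OTRv23?</body></message>'),
    ("2014-05-20T10:00:07Z", '<message from="bob@chat.facebook.com/cc9" '
     'to="alice@chat.facebook.com" type="chat">'
     '<body>?OTR:AAMDAQIDBAUGBwgJCgsMDQ4PEA==.</body></message>'),
    ("2014-05-20T10:02:30Z", '<message from="alice@chat.facebook.com/cc1" '
     'to="carol@chat.facebook.com" type="chat">'
     '<body>are you on cryptocat yet?</body></message>'),
]
OTR_MARK = re.compile(r"^\?OTR")


def bare_jid(jid):
    """Drop the resource: alice@chat.facebook.com/cc1 -> alice@chat.facebook.com."""
    return jid.split("/", 1)[0]


def stanza_metadata(timestamp, xml_text):
    """Fields a relaying server can read regardless of OTR encryption."""
    el = ET.fromstring(xml_text)
    body = el.findtext("body") or ""
    otr = bool(OTR_MARK.match(body))
    return {"time": timestamp, "from": bare_jid(el.get("from")),
            "to": bare_jid(el.get("to")), "bytes": len(body), "otr": otr,
            # Content is only readable when no OTR session is in use.
            "readable_body": None if otr else body}


def summarize(stanzas):
    """Per unordered contact pair: who talked, when, how much, whether OTR."""
    pairs = {}
    for ts, xml_text in stanzas:
        m = stanza_metadata(ts, xml_text)
        key = tuple(sorted((m["from"], m["to"])))
        p = pairs.setdefault(key, {"messages": 0, "first": ts, "last": ts,
                                   "otr": False, "readable": 0})
        p["messages"] += 1
        p["last"] = ts
        p["otr"] = p["otr"] or m["otr"]
        p["readable"] += m["readable_body"] is not None
    return pairs
```

Running `summarize(SAMPLE_STANZAS)` shows the alice/bob pair as OTR with no readable bodies but full timing and contact information, while the alice/carol chat with a non-Cryptocat user is readable in full.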

For the majority of use cases, this metadata storage is not a deal-breaker. Encrypted Facebook Chat is made for users who are already giving Facebook their contact lists and metadata — there’s no harm in Cryptocat using this already-given metadata to allow these users to set up encrypted chats. The usability benefit of being able to quickly see which friends are online and ready for an encrypted chat remains substantial for those users.

Available Now

Cryptocat 2.2 with Encrypted Facebook Chat is already available for Chrome, Safari and Opera. If you use those browsers, your copy of Cryptocat has probably already automatically updated itself. We expect there to be some usability bugs and inconsistencies with the first release — opening issues in our code repository is always appreciated.

Updates for Firefox and our Mac desktop client are scheduled to be released by the end of this week. Find a Facebook friend with the latest update and start communicating without compromising your privacy!

  • HacKan & CuBa co.

    I love this!! It’s fuckin’ awesome! :D

  • Ryan Hellyer

    This is very cool. Thanks for implementing this. Unfortunately the only person in my Facebook friends list who is online right now and uses Cryptocat, also refuses to agree to the Facebook permissions request, so I haven’t been able to try it out :/

  • Ryan Hellyer

    It failed quite badly when I tried to use it. I could see the first twenty people online, but the rest of them (including the person I wanted to try it with) were not displayed. I could see them in the source code, but they were hidden and there seemed to be no way to scroll downwards.

    • Ryan Hellyer

      A friend of mine figured out a temporary hack to enable you to scroll. If you use two finger scrolling or a scroll wheel, whilst the cursor is over the list, then you can move the list up and down. Hopefully that gets fixed in the next version though :)

  • becompassionate

    @ryan_hellyer:disqus – are you speaking of a desktop or phone or something?

  • becompassionate

    It didn’t pick up all my contacts when I loaded it. Can I remove those I never chat with and add those that I do?

  • c0dered111

    Will this be available for Android?

  • BasalGuilder

    Does this work with other implementations of OTR? I also use an OTR client (xabber/pidgin) to chat over Facebook’s XMPP service.

  • enigma

    This tool is awesome!!!!!!!!!!!!!!!!!!!kudos….

  • Prem Badu

    When I try to log in to Facebook via Cryptocat, the program keeps generating keys.
    I have waited already for 1 hour now and it is still “generating” keys.
    Can somebody explain or help me with this?

    • Nicolò ‘Nik’ Zanetti

      Same problem.
      I’m using Opera, and it’s updated.

  • Jimmy978

    Great in theory, however the reality…

    Yeah babe I wanna….

    Oh yeah…

    —– MEANWHILE —–

    IP addresses 100.123.555.222 and 101.123.555.200 are having a Cryptochat conversation over Facebook. They might be R̶u̶s̶s̶i̶a̶n̶s̶ ̶A̶l̶ ̶Q̶a̶e̶d̶a̶ ̶I̶S̶I̶S̶ IS terrorists disguising themselves as a couple.

    Call Mark.

    That would be really cool, yes we can send a custom script to just that user which will drive-by install any executable program you guys want. In fact why don’t I make a special NSA app that has a button you guys can use for any user. I’ll code it tonight, we’ll have a good ol’ Facebook Hackathon.

    Well done Mark, you’ve earned 3 more pics of Marissa Meyer naked.


    OK, one Cryptochat key coming up…. oh nice they are using PGP too, oh hahahaha and Tor. Hehehehe I so trojaned his ass.

    Cool. I’ll make an API to do it all automatically if the target is using Windows, Google Apps for Android, iOS or OSX…


    OK, what I am basically trying to say is that this app is only as secure as your OS is, which is only as secure as your computer hardware is.

  • Opperdienaar

    This seems vulnerable to a man-in-the-middle attack; you don’t need a pre-agreed key.