Cryptocat’s mission is to make encrypted chat accessible and easy to use. With Cryptocat celebrating its third birthday (already!), we’re happy to announce the new Encrypted Facebook Chat feature in the latest Cryptocat 2.2 update.
Facebook Chat as a Cryptocat Buddy List
Cryptocat can now log into your Facebook account for you, fetch your Facebook contacts, and if another contact is also using Cryptocat, you’ll be able to automatically set up an end-to-end encrypted chat. If a Facebook friend later logs in via Cryptocat, your chat will be immediately upgraded to an encrypted Cryptocat chat.
Effectively, what Cryptocat is doing is benefitting from your Facebook Chat contact list as a readily available buddy list. As a complement to Cryptocat’s ephemeral group chat feature, Encrypted Facebook Chat lets you view which of your friends are online and allows you to immediately set up encrypted chat with them. Users will still be able to chat with non-Cryptocat users from within Cryptocat — although those conversations will not be encrypted (and you should probably ask your friends to upgrade to Cryptocat too, wink wink).
If both you and your Facebook friend use Cryptocat, your chats will be OTR-encrypted end-to-end and can’t be viewed by Facebook (or Cryptocat’s network). This is what your chat will look like on Facebook:
Layers of Separation
Our commitment to layers of separation from Facebook’s network and runtime defined how we engineered Encrypted Facebook Chat into Cryptocat. For example, why didn’t we opt to integrate Cryptocat directly into the Facebook Chat interface on facebook.com? Such an approach would have made encrypted chats over Facebook even more immediate, but would have immersed Cryptocat into Facebook’s network and runtime environment in a way that didn’t satisfy our security precautions. In our current design, Cryptocat connects to Facebook in the most minimal way possible: as a regular XMPP client over Cryptocat’s outbound BOSH relay. Not a single line of code from Facebook is ever loaded or executed in Cryptocat. Even the Facebook login process happens in a completely separate, sandboxed window.
What About Metadata?
In Cryptocat group chats, chatrooms, nicknames, and pretty much everything else are completely ephemeral. The amount of registered metadata is minimal compared to Encrypted Facebook Chat. While Cryptocat over Facebook Chat will encrypt your conversations, it’s important to note that Facebook will still be able to access metadata such as the times during which you exchanged messages, or which Facebook friends you had an encrypted conversation with. More obviously, you may also leak the fact that you are using Cryptocat to others, and the Cryptocat network’s BOSH relay will be responsible for transferring information to your client, including your Facebook Chat contact list.
For a majority of use cases, this metadata storage is not a deal-breaker. Encrypted Facebook Chat is made for users who are already giving Facebook their contact lists and metadata — there’s no harm in Cryptocat using this already-given metadata to allow these users to set up encrypted chats. The usability benefits of being able to quickly see which friends are online and ready for an encrypted chat remain substantial for those users.
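As an added illustration of the metadata point above (this is not Cryptocat's code), the sketch below shows what a party carrying XMPP message stanzas can read when the body is OTR ciphertext and when it is plain chat. The JIDs, timestamps and stand-in ciphertext are constructed, and the function names are hypothetical.

```python
import base64
import xml.etree.ElementTree as ET

NS = "{jabber:client}"  # namespace of XMPP client stanzas

def relay_view(stanza_xml, received_at):
    """What a server or relay carrying this <message/> stanza can observe."""
    msg = ET.fromstring(stanza_xml)
    if msg.tag != NS + "message":
        raise ValueError("not an XMPP message stanza")
    body = msg.findtext(NS + "body", default="")
    # OTR data messages are carried in the body as "?OTR:" + base64 + "."
    is_otr = body.startswith("?OTR:") and body.endswith(".")
    return {"from": msg.get("from"), "to": msg.get("to"),
            "received_at": received_at, "uses_otr": is_otr,
            "size": len(body), "readable_text": None if is_otr else body}

def contact_summary(views):
    """Per-pair activity record built from metadata only."""
    summary = {}
    for v in sorted(views, key=lambda v: v["received_at"]):
        pair = tuple(sorted((v["from"], v["to"])))
        s = summary.setdefault(pair, {"messages": 0, "otr": 0,
                                      "first": v["received_at"]})
        s["messages"] += 1
        s["otr"] += int(v["uses_otr"])
        s["last"] = v["received_at"]
    return summary

# Constructed sample traffic: hypothetical JIDs, made-up timestamps, and opaque
# bytes standing in for OTR ciphertext (not a real OTR message).
OPAQUE = "?OTR:" + base64.b64encode(bytes(range(48))).decode() + "."
STANZA = ("<message xmlns='jabber:client' from='%s' to='%s' type='chat'>"
          "<body>%s</body></message>")
SAMPLES = [
    ("2000-01-01T10:00:05Z", STANZA % ("alice@example.org", "bob@example.org", OPAQUE)),
    ("2000-01-01T10:00:40Z", STANZA % ("bob@example.org", "alice@example.org", OPAQUE)),
    # carol is not using OTR, so her conversation is readable in transit
    ("2000-01-01T10:02:00Z", STANZA % ("alice@example.org", "carol@example.org", "lunch at noon?")),
]

def observe_samples():
    return [relay_view(xml, ts) for ts, xml in SAMPLES]

if __name__ == "__main__":
    for pair, s in contact_summary(observe_samples()).items():
        print(pair, s)
```

The encrypted pair still yields a complete who, when and how-often record plus the fact that OTR is in use; only the message text is hidden.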
Cryptocat 2.2 with Encrypted Facebook Chat is already available for Chrome, Safari and Opera. If you use those browsers, your copy of Cryptocat has probably already automatically updated itself. We expect there to be some usability bugs and inconsistencies with the first release — opening issues in our code repository is always appreciated.
Updates for Firefox and our Mac desktop client are scheduled to be released by the end of this week. Find a Facebook friend with the latest update and start communicating without compromising your privacy!