Cryptocat is one of the most popular and easiest to use encrypted chat programs in existence today. Whether as a simple browser plug-in or as an iPhone app, Cryptocat has drawn praise (and criticism) for its focus on ease of use rather than power-user tools.
With over 200,000 regular users, Cryptocat has achieved exactly what passes for mass adoption in the world of super-secure apps. But for Nadim Kobeissi, the original developer and current project lead of Cryptocat, there is still much to be done. I spoke with Kobeissi about why he builds privacy apps for ordinary users and his commitment to “fighting against the Ivory Tower” of cryptography.
For those who don’t know, what is Cryptocat?
Cryptocat is a free software project that attempts to make encrypted end-to-end chat accessible to everyone. If you know how to use Facebook chat, then you already know how to use Cryptocat. You can just install it for your browser or your mobile phone and have truly private conversations with your friends. You can have group conversations. You can also send files over it. And also, recent versions of Cryptocat can connect to your Facebook account and load your Facebook contacts, and if you have other friends using Cryptocat, you can have an encrypted conversation that way as well.
How did the idea for Cryptocat originally come about?
Why the focus on the general public?
Cryptography is my main research interest and I’ve always had the opinion that you have to focus on practical, applied cryptography. I see a lot of research being done on really theoretical cryptography. But I don’t like that approach because it’s a very Ivory Tower, academic approach. I really want to focus on the kind of cryptography that has practical benefits to regular individuals in the world. Everything I’ve done related to cryptography has I think embodied the belief that if you want to do cryptography research it’s much more valuable to do stuff that’s related to practical or applied cryptography.
I’m actually releasing a brand new cryptography tool next week at the Hope Conference. It’s a common theme in my work to combine advances in cryptography technologies with advances in usability technologies. I want to fight back against the Ivory Tower of purely academic theoretical cryptography practice. I want to bring cryptography in a direction that makes sense for the average person. Because to me the most valuable research when it comes to cryptography is to focus on what this can bring to the regular individual.
One of the things I appreciate about Cryptocat is that it’s a great privacy tool but you also intersperse fun, like displaying random facts about cats while security keys are being generated.
It’s really just a way of tying together my interest in practical cryptography with more usable technologies. It’s all toward the goal of making products that people find useful and that they’re not intimidated by. That’s the point.
How has the landscape changed since you first started building Cryptocat?
So you have a Kickstarter campaign for Cryptocat currently going on. What exactly are you raising money for?
We’re fundraising for three big, sweeping things. The first is to have an Android app because it’s very high in demand for our users. The second is to have encrypted audio and video chat. If we have that, then Cryptocat can be a drop-in replacement for Skype. The third goal is just to raise funds to be able to pay for server costs and quality assurance costs. Right now Cryptocat’s server usage is not cheap and it’s only going to get more expensive if we offer encrypted audio to everyone for free.
Encrypted audio and video inside the browser seems like quite a challenge. How are you planning to implement that?
We’re investigating using WebRTC, which is a technology that allows us to do this. From looking at it so far, I think we can add some improvements to it to bolster its security. WebRTC is already a technology that comes with end-to-end encryption, so we just need to figure out how to reliably implement it in a way that keeps up with the security expectations of Cryptocat and also integrate it into our existing user interface.
For you personally, what’s the most exciting use of Cryptocat that you’ve heard of?
I think the most exciting thing to hear about was that Glenn Greenwald used it in Hong Kong to talk to another journalist when he was meeting Snowden for the first time. The most interesting thing about that story is that Greenwald used Cryptocat in Hong Kong because his other encryption software had failed. But Cryptocat succeeded because of its usability in the browser. I really think that this single story really epitomizes what Cryptocat is about. But I could tell you a million other stories.
Well I know Cryptocat is being used in lawyers’ offices, medical offices, sex clinics, and activist groups. A lot of people use Cryptocat to have cybersex, from what I keep hearing.
Well, there are a lot of reasons that people need private communication and that’s certainly one of them.
The take-away I think is that if you make it accessible, people from really different places in the world and really different situations will find it useful.
Why is it important for you that Cryptocat is free and open source software?
First, this is an argument that I believe in at the engineering and programming level. I think that encryption software can’t afford to not be open source. I think that in order to evaluate the research and security of any cryptographic software, you need to adhere to , which has been a staple for cryptography for many decades. The principle is simply that you cannot obtain security via obscuring your practices. You have to obtain your security via assuming that the adversary already knows all aspects of the system and nevertheless the system is still secure.
So how does that principle play out with Cryptocat?
The way I enforce this is not only by making Cryptocat open source software, but by making it free software under a permissive license. We document the software and the cryptographic specification and we open up our development process. We hire auditors to do biannual audits and release those audits for the public to examine. It’s a very transparent approach to doing cryptography research. Unfortunately it’s resulted in the misconception that Cryptocat is more broken than other tools because we keep talking about how many different bugs we find and fix. But the real reason for that is because no other software has this level of transparency.