magikarp | 12 years ago
I believe that we've been truly open source, transparent and accountable for our code since day one. There are other projects who are currently similarly open and transparent (I respect TextSecure for this), but I can't say this is the standard in this field.
We've always solicited and compensated feedback from security enthusiasts, hobbyists and world-famous cryptographers alike. Over the past year, we've had the opportunity to grow into a product that examined what is fundamentally responsibly possible in the browser, and we've even landed ourselves as a primary use case for the W3C's Web Cryptography working group. We've produced a true, responsible alternative for people who just don't know how to use anything more complicated than Facebook Chat, and we've made it clear that we are not trying to replace PGP or other iron-clad 30-year-old solutions. We're trying to help mom-and-pop users.
Regarding our past vulnerabilities, I can't think of a fuller disclosure than dedicating an entire talk to detailing every single one of them: https://blog.crypto.cat/2013/11/documenting-and-presenting-v...
We also carried out a study to verify whether users were indeed clicking on the security warnings on our website: https://blog.crypto.cat/2013/11/yes-cryptocat-users-are-read...
We want to do things right. We are truly open source, truly honest, transparent and we take immediate steps for mitigation every time. We will continue to solicit audits and feedback for our more experimental browser client, but also hope to have a more grounded product in our upcoming Objective-C (iPhone) and Java (Android) apps.
Overcoming a bad reputation is far more difficult than keeping a good one. We have been less lucky than other projects. The fact that we used experimental platforms, and coupled that with overly loud disclosure of all the failures those platforms lent us, meant that we couldn't keep face as easily as other projects.
But that said, I can't but resent the continued accusation that after three years at this, I and all the other volunteers (a wide range) working on this haven't matured enough to know what we're doing, and haven't proven that we care very much about doing it right. It's very relieving to hear that the community at HN can understand this and see that we have been proceeding responsibly for quite some time now.
mst | 12 years ago
The thing is, in the case of a significant percentage of people attempting crypto, it's not that they don't care, it's that they simply aren't capable of it. Jumblefucks like the telegram launch (which was too disorganised to be a clusterfuck, frankly) keep that fact fresh in everybody's mind.
What's interesting to note, though, is that people are now largely complaining about the fact that vulnerabilities have been found, rather than your response to them. I think maybe that's a more useful metric for how competently you're dealing with it than pure positive/negative response is, under the circumstances.