Earlier this week, open-source encrypted chatting app Cryptocat announced it was introducing a new feature: Encrypted Facebook Chat.
The app’s creator, Nadim Kobeissi, announced that the latest version (2.2) of the software would allow Facebook users to chat away online to their hearts intent without fear that the social network could see what they were saying by using end-to-end encryption.
According to Kobeissi, Encrypted Facebook Chat with Cryptocat automatically integrates with your Facebook address book to find other Cryptocat users, and exchanges keys to delivers OTR (Off-The-Record) end-to-end encryption, hiding any discussion from the eyes of Facebook (and one presumes, any intelligence agency looking over Facebook’s shoulder).
“Effectively, what Cryptocat is doing is benefitting from your Facebook Chat contact list as a readily available buddy list”
Anyone not running Cryptocat who intercepts the messages shouldn’t be able to read them.
That’s not to say, however, that Facebook can’t find out anything about your conversation.
Although individual messages will just appear as “[encrypted message]”, Facebook will still, for instance, be able to collect metadata about who on Facebook you had an encrypted message chat with, and when.
Cryptocat believes that on balance that isn’t a problem for those who choose to message via its encrypted Facebook chat service:
In Cryptocat group chats, chatrooms, nicknames, and pretty much everything else is completely ephemeral. The amount of registered metadata is minimal compared to Encrypted Facebook Chat. While Cryptocat over Facebook Chat will encrypt your conversations, it’s important to note that Facebook will still be able to access metadata such as the times during which you exchanged messages, or which Facebook friends you had an encrypted conversation with. More obviously, you may also leak the fact that you are using Cryptocat to to others, and the Cryptocat network’s BOSH relay will be responsible for transferring information to your client, including your Facebook Chat contact list.
For a majority of user-cases, this metadata storage is not a deal-breaker. Encrypted Facebook Chat is made for users who are already giving Facebook their contact lists and metadata — there’s no harm in Cryptocat using this already-given metadata to allow these users to set up encrypted chats. The usability benefits of being able to quickly see which friends are online and ready for an encrypted chat remain overly substantial for those users.
I have a question, however. Is anyone who is serious about encrypting their online communications really going to be comfortable connecting with Facebook to have those conversations?
If privacy is so important to you, isn’t Facebook the very last place you are likely to be hanging out?
Wouldn’t you take any sensitive conversations away from Facebook, and have them some place where *no* meta data is being collected about who you are talking to, and when? It’s also in question whether Cryptocat can sway the skeptics who may remember the service’s rocky history when it comes to security.
I’m all for blowing a loud raspberry in Facebook’s face, but I’m a little dubious about how much something like this would be used by the average guy in the street. But hey, what do I know - maybe Facebook users will surprise me.
Talking of Facebook - as expected, they’re not going to sit idly by and allow some 23-year-old upstart like Nadim Kobeissi mess with their ability to collect information about their users.
The social network has just announced that its Chat API/XMPP Services (relied upon by Cryptocat’s new feature) will be shut down by April 30th 2015. In other words: goodbye Facebook Encrypted Chat.
So, you have just under a year to make the most of Cryptocat’s integration with your Facebook buddy list - which should be plenty of time to find more secure ways to communicate.
If you want to give Cryptocat a try - you can download it from the Cryptocat website.
If you are on Facebook, and want to be kept updated with news about security and privacy risks, and tips on how to protect yourself online, join the Graham Cluley Security News Facebook page.