Cryptocat
Figure: Cryptocat chat interface (screenshot of Cryptocat 2.1.5).

Original author(s): Nadim Kobeissi
Developer(s): Cryptocat contributors [1]
Initial release: 19 May 2011
Stable release: 2.2.2 / June 12, 2014
Written in: JavaScript, Objective-C
Operating system: Cross-platform
Available in: English, Arabic, Bulgarian, Burmese, Catalan, Chinese, Danish, Dutch, Farsi, French, German, Greek, Hebrew, Hungarian, Italian, Japanese, Korean, Latvian, Norwegian, Polish, Portuguese, Romanian, Russian, Slovenian, Spanish, Swedish, Tibetan
Type: Secure communication
License: Affero General Public License
Website: crypto.cat

Cryptocat is an open source web and mobile application intended to allow secure, encrypted online chatting.[2][3] Cryptocat uses end-to-end encryption and encrypts chats on the client side, only trusting the server with data that is already encrypted. Cryptocat is offered as an app for Mac OS X or as a browser extension for Google Chrome,[4] Mozilla Firefox, Apple Safari, Opera and as a mobile app for iPhone.

Cryptocat's stated goal is to make encrypted communications more accessible to average users.[5][6] The chat software aims to strike a balance between security and usability—offering more privacy than services such as Google Talk or Internet Relay Chat, while maintaining a higher level of accessibility than Pidgin.[7]

Cryptocat is developed by the Cryptocat team and is released under the GPLv3 license.


History

Cryptocat developer Nadim Kobeissi said he was detained and questioned at the U.S. border by the DHS in June 2012 about Cryptocat's censorship resistance. He tweeted about the incident afterwards, resulting in media coverage and a spike in the popularity of the software.[8][9]

In June 2013, Cryptocat was used by journalist Glenn Greenwald while in Hong Kong to meet NSA whistleblower Edward Snowden for the first time, after other encryption software failed to work.[10] In November 2013, Cryptocat was banned in Iran, shortly after the election of Iran's new president Hassan Rouhani who had promised more open Internet laws.[11]

Along with Threema and Surespot, Cryptocat was ranked first in a study evaluating the security and usability of instant messaging encryption software, conducted by the German PSW Group in June 2014.[12] In November 2014 Cryptocat scored 7 out of 7 points on the Electronic Frontier Foundation's secure messaging scorecard.[13]

Features

Cryptocat allows any desktop with a modern web browser to quickly set up an end-to-end encrypted chat environment. The browser's accessibility is frequently touted by the project as the reason why it chose the platform.[14] Cryptocat is currently compatible with Google Chrome,[4] Mozilla Firefox, Apple Safari, Opera and also offers an application for iOS devices.

Cryptocat uses the Off-the-Record Messaging (OTR) protocol for encrypted private messaging, allowing two parties to chat in private. Cryptocat also uses its own group messaging protocol to allow for group instant messaging conversations. Since Cryptocat generates new key pairs for every chat, it implements a form of perfect forward secrecy.[15] Cryptocat also offers encrypted file and photo sharing, allowing users to send documents and photos to each other using end-to-end encryption.

Cryptocat also may be used in conjunction with Tor in order to anonymize the client's network traffic. The project also plans to create an embedded version for use with Raspberry Pi devices for use by non-profits.[16][17] As of July 2013, a Commotion-compatible version was in development.

Since 2013, Cryptocat has offered the ability to connect to Facebook Messenger to initiate encrypted chatting with other Cryptocat users.[18] According to the developers, the feature was meant to help offer an alternative to the regular Cryptocat chat model which does not offer long-term contact lists.[19]

Architecture

Encryption

Cryptocat uses the Off-the-Record Messaging (OTR) protocol for encrypted private messaging, allowing two parties to chat in private. For group messaging, Cryptocat uses its own group chat protocol built on Curve25519, AES-256, and HMAC-SHA512, all industry-standard cryptographic primitives. All messages sent in Cryptocat, including group chat messages and file transfers, are end-to-end encrypted, which means that they can only be read by the intended recipients and not by the network during transit. Cryptocat provides the cryptographic properties of confidentiality, integrity, authentication and forward secrecy for all conversations, and also provides deniability for file transfers and private OTR chats.

In 2014, Cryptocat made improvements to user authentication, making it easier for users to authenticate each other and to prevent man-in-the-middle (MITM) attacks.[20] The improvements came after an audit by iSec Partners criticized the previous authentication model as insufficient.

Network

Cryptocat's network relies on an XMPP-over-BOSH configuration, which only relays encrypted messages and does not store any data, according to the project's privacy policy.[21] The project uses ejabberd and nginx to provide the XMPP-BOSH relay. In addition to the Cryptocat client's end-to-end encryption protocols, client-server communication is protected by TLS/SSL.

Cryptocat also publishes its server configuration files and instructions for others to set up their own servers for the Cryptocat client to connect to.[22]

In 2013, Cryptocat's network migrated to Bahnhof, a Swedish web host housed in a Cold War nuclear bunker built into a mountain, which has also hosted WikiLeaks and The Pirate Bay.[23]

Security concerns

Some versions of Cryptocat have been questioned for using the browser to encrypt messages,[24] which some researchers consider less secure than the desktop environment.[25][26][27] More recent versions have relied on browser-native random number generation,[28] which is considered more secure.

In 2012, following concerns about the security of SSL as a whole, Cryptocat's SSL certificate was pinned in Google Chrome and Chromium.[29]

In June 2013, security researcher Steve Thomas pointed out a security bug that could be used to decrypt any group chat message that had taken place using Cryptocat between September 2012 and April 19, 2013.[30][31] Private messages were not affected, and the bug had been resolved a month prior. After Thomas's research was released, Cryptocat issued a security advisory and requested that all users ensure that they had upgraded.[31] Since 2011, a warning regarding the experimental nature of the project has been in place on the website's front page and within the software itself. The Cryptocat blog posted a warning, informing users that group conversations they had using the software in the past may have been compromised.[31]

References

  1. Cryptocat. "Cryptocat CONTRIBUTING.md". Retrieved 2014-06-22.
  2. Dachis, Adam (9 August 2011). "Cryptocat Creates an Encrypted, Disposable Chatroom on Any Computer with a Web Browser".
  3. Giovannetti, Justin (4 February 2012). "Encrypted messages: chatting safely with Cryptocat". OpenFile. Retrieved 8 April 2012.
  4. "Cryptocat on the Chrome Web Store". Chrome.google.com. Retrieved 2012-07-28.
  5. Greenberg, Andy (27 May 2011). "Crypto.cat Aims To Offer Super-Simple Encrypted Messaging".
  6. Curtis, Christopher (17 February 2012). "Free encryption software Cryptocat protects right to privacy: inventor".
  7. "Using His Software Skills With Freedom, Not a Big Payout, in Mind". New York Times. April 18, 2012.
  8. Jon Matonis (2012-04-18). "Detaining Developer At US Border Increases Cryptocat Popularity". Forbes. Retrieved 2012-07-28.
  9. "Developer's detention spikes interest in Montreal's Cryptocat". Itbusiness.ca. 2012-06-08. Retrieved 2012-07-28.
  10. Greenwald, Glenn (May 13, 2014). No Place to Hide: Edward Snowden, the NSA, and the U.S. Surveillance State. Metropolitan Books. p. 59.
  11. Franceschi-Bicchierai, Lorenzo (21 November 2013). "Iran Blocks Encrypted Chat Service Despite Claims of Internet Freedom".
  12. Christian Heutger. "Die Ergebnisse unseres großen Messenger-Tests" (in German). Retrieved 2014-06-26.
  13. "Secure Messaging Scorecard. Which apps and tools actually keep your messages safe?". Electronic Frontier Foundation. 2014-11-04.
  14. Cryptocat. "Documenting and Presenting Vulnerabilities in Cryptocat". Retrieved 2014-06-22.
  15. Cryptocat Multiparty Protocol Specification. Retrieved 2013-12-28.
  16. Knowles, Jamillah (3 March 2012). "Raspberry Pi network plan for online free-speech role".
  17. Kirk, Jeremy (14 March 2012). "Cryptocat Aims for Easy-to-use Encrypted IM Chat".
  18. Norton, Quinn (12 May 2014). "Cryptocat Creates an Encrypted, Disposable Chatroom on Any Computer with a Web Browser".
  19. Cryptocat. "Cryptocat, Now with Encrypted Facebook Chat". Retrieved 2014-06-22.
  20. Cryptocat. "Recent Audits and Coming Improvements". Retrieved 2014-06-22.
  21. Cryptocat. "Cryptocat Privacy Policy". Retrieved 2014-06-22.
  22. Cryptocat. "Server Deployment Instructions". Retrieved 2014-06-22.
  23. Nadim Kobeissi. "Cryptocat Network Now in Swedish Nuclear Bunker". Retrieved 2013-02-09.
  24. "JavaScript crypto in the browser is pointless and insecure."
  25. Matasano Security. "Matasano Web Security Assessments for Enterprises".
  26. Nadim Kobeissi. "Thoughts on Critiques of JavaScript Cryptography".
  27. "HOPE 9: Why Browser Cryptography Is Bad & How We Can Make It Great". Vimeo.
  28. "Mozilla Developer Network – window.crypto.getRandomValues".
  29. Google. "Google Chromium source code commits". Retrieved 2013-09-09.
  30. Steve Thomas. "DecryptoCat". Retrieved 2013-07-10.
  31. Cryptocat Development Blog. "New Critical Vulnerability in Cryptocat: Details". Retrieved 2013-07-07.

External links

  • Official website
  • GitHub repository
  • Cryptocat at iTunes Preview