Cryptocat is an encrypted open-source chat program available for Windows, Linux and Mac. Cryptocat was funded by the Open Technology Fund, a US taxpayer-funded project that supports independent efforts towards a more secure and private Internet. The Open Technology Fund has also funded projects such as Open Whisper Systems' Signal app and Mailvelope.
During Cryptocat's tumultuous start in 2012-2013 the software was found to have some serious vulnerabilities. Cryptocat's developer Nadim Kobeissi responded with full disclosure, immediately issuing security patches and then publicly thanking and crediting the security researchers responsible for the discoveries. Today Cryptocat has come a long way and has matured into a reliable option for those looking for simple and secure chat communication.
Cryptocat has adopted a variant of Signal's Double Ratchet Algorithm, which provides the encryption between users. The developers refer to the algorithm as "self-healing" because, after an attacker has compromised a session key, it automatically cuts that attacker off from the cleartext of future messages, making Cryptocat a more secure means of communicating.
Some of Cryptocat’s points and features:
Free & Open Source
Cryptocat will always be free software, released under the GNU General Public License. This means that anyone will always be able to fully review the source code underlying the Cryptocat client. Furthermore, there will never be any commercial offshoot of this software, and it will always exist for its own sake. As such, there will be no incentive or motive for the software to grow, to acquire more users, or to in any way compete with other software. Its only goal is to exist as good software for those who ask for it.
Encrypted by default. Every message is encrypted, always
Cryptocat encrypts all of your communications before they leave your computer: the service provider is unable to access them, even if they wanted to. While the Cryptocat servers still receive information regarding your buddy list and linked devices, they commit to protecting this information to the best of their ability. In terms of the Cryptocat client itself, in addition to technical safeguards such as forward secure encryption, certificate pinning, code signing, open source publication, they pledge that the code that protects the privacy of your communications shall not be tampered with.
- No Long-Term Encryption Key: By basing its cryptography on the innovative Double Ratchet algorithm, Cryptocat’s chat encryption generates a fresh encryption key for every message. The theft of a device therefore only compromises the last small handful of messages, and only allows the user to impersonate the victim’s device until that key is disassociated from the user’s account.
- Forward and Future Secrecy: If, at any point, the state of the encryption keys for a conversation is compromised, the conversation's security will self-heal with fresh key material, preventing the compromise of any past or future messages. Simply put: Cryptocat is forward secure. Chats are safe even if your keys are stolen.
- Multi-Device Support: Cryptocat supports linking multiple devices to a user’s account through its implementation of the OMEMO standard. Cryptocat extends this to allow recipients to authenticate contacts on a per-device basis and to see which device was used to send a particular message. If a device’s identity keys are stolen, only that device may be impersonated, and the owner may unlink it from their Cryptocat account using any other device.
To be clear, no one is claiming that Cryptocat is invincible. But all empirical analysis of the current cryptographic protocol indicates that it stands a better chance than PGP in terms of surviving a compromise or an active attacker.
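To make the "self-healing" and forward-secrecy claims above concrete, here is an added illustration (not Cryptocat's or Signal's code) of the two ratchets the Double Ratchet combines: a one-way symmetric chain that yields a fresh key per message, and a DH step that mixes new key agreement into the root key. The DH group parameters are a deliberately tiny toy, chosen only so both sides can agree on a secret; they are an assumption of this demo and not secure.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group: deliberately small and NOT secure; it only lets
# both sides agree on a fresh secret so the ratchet step can be demonstrated.
P = 2**127 - 1
G = 5

def kdf(key: bytes, label: bytes) -> bytes:
    """One-way derivation step (HMAC-SHA256); the input key cannot be recovered."""
    return hmac.new(key, label, hashlib.sha256).digest()

def ratchet_chain(chain_key: bytes, n: int) -> tuple[bytes, list[bytes]]:
    """Symmetric ratchet: each step yields one message key and a new chain key."""
    msg_keys = []
    for _ in range(n):
        msg_keys.append(kdf(chain_key, b"msg"))
        chain_key = kdf(chain_key, b"chain")  # previous chain key is discarded
    return chain_key, msg_keys

def dh_ratchet(root_key: bytes, our_priv: int, their_pub: int) -> tuple[bytes, bytes]:
    """DH ratchet: mix a fresh DH secret into the root key and start a new chain."""
    shared = pow(their_pub, our_priv, P).to_bytes(16, "big")
    new_root = kdf(root_key, b"root" + shared)
    return new_root, kdf(new_root, b"chain0")

def simulate(n_before: int = 3, n_after: int = 3) -> dict:
    """Attacker snapshots the chain key after n_before messages, then a DH step runs."""
    root = secrets.token_bytes(32)
    chain, keys_before = ratchet_chain(kdf(root, b"chain0"), n_before)
    stolen_chain = chain  # attacker's copy of the current state
    # Both parties pick fresh DH key pairs; only the public halves cross the wire.
    a_priv = 1 + secrets.randbelow(P - 2)
    b_priv = 1 + secrets.randbelow(P - 2)
    a_pub, b_pub = pow(G, a_priv, P), pow(G, b_priv, P)
    _, chain_a = dh_ratchet(root, a_priv, b_pub)
    _, chain_b = dh_ratchet(root, b_priv, a_pub)
    _, keys_after = ratchet_chain(chain_a, n_after)
    # Without a private key the attacker can only keep turning the stolen chain.
    _, attacker_keys = ratchet_chain(stolen_chain, n_after)
    return {
        "both_sides_agree": chain_a == chain_b,
        "keys_before": keys_before,   # not recoverable: those chain keys were overwritten
        "keys_after": keys_after,     # healed: attacker_keys never match these
        "attacker_keys": attacker_keys,
    }
```

In a real Double Ratchet the DH step also runs whenever the peer's ephemeral public key changes, which is what limits a stolen key to the handful of messages the text mentions.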
Light on Metadata
With Cryptocat, users can create random, one-time-use usernames without needing to provide a phone number, an email address, or anything else. The only metadata the Cryptocat server sees is that a random username was used to send a message to another Cryptocat user. The Cryptocat server does not retain any other information, including account creation time, IP addresses used to log in, or anything else. Someone spying on your network will only be able to see that you at some point used Cryptocat, but cannot identify which username you used or with whom you communicated. Once the message is communicated, Cryptocat users may choose to delete their account, which completely erases any trace of the account on Cryptocat's servers.
Receive messages even when offline
For up to 30 days your messages, images, or video will be deliverable to other Cryptocat users even if they are offline.
File sharing with Friends
Sending a file to a friend over Cryptocat is easy, and only you and your friend will be able to access any files sent, thanks to Cryptocat’s strong encryption. Simply open a chat with your desired contact. Then either drag and drop the file into the chat window, or click the file icon at the right of your chat window, or press Alt+F.
If you get an error saying that your file type is unsupported, that’s okay: simply add your file to a .zip archive first and try again. If your friend is offline, that’s okay too: so long as they log back in within the next thirty days, they will still be able to receive and download your file.
You can also send 1 minute video chat clips to your friends.
Note that Cryptocat currently imposes a file size limit of 200MB per file.
If you are looking for a simple and secure chat program to use, you might want to consider Cryptocat. Everything about this software is made to be an easy yet secure way to communicate right out of the box, so anyone can use it without difficulty. Unfortunately Cryptocat does not have apps for phones. If you are looking for one solution that covers everything, the Signal app also has a desktop client.