CryptoCat’s failure to acknowledge that they don’t really understand secure software development

CryptoCat, an open-source encrypted Web-based chat application, recently fixed a flaw that left chats open to relatively simple decryption. This was just one of a series of significant failures in their cryptographic code. Naturally, this caused lots of concern by professionals that occasionally conduct encrypted communications with it. While there has been a lot of criticism of CryptoCat already, what I found particularly interesting is the acknowledgement by CryptoCat developers that "…we will commit failures dozens, if not hundreds of times more in the coming years, and we only ask you to be vigilant and careful. This is the process of open source security”.

No, it’s not. I have a few personal translations of that statement:

  • “making poor choices, failing spectacularly, and then fixing it is the model of open-source”
  • “we'll build broken software, and when others catch it, it proves that the process works"
  • “we'll design and build software, but finding security issues is the responsibility of others"

The failures of CryptoCat are not failures of open-source vs. closed source development, but rather a failure in secure development *process*. They failed to execute effective security practice in requirements, design, implementation and throughout the rest of the software development process. For example, their publicly published a threat model for the product that is rudimentary at best, and never identifies weak cryptography as being a potential risk. Consequently they implemented a terrible series of crypto-blunders.

This is the old model of dealing with security - to patch after release. And it is exactly that (poor) approach that led us into a world full of insecure software. It is also what processes like the Microsoft SDL and other Secure Development methodologies try to solve - building security in from the beginning. CryptoCat seemingly fails to have any understanding of this, yet chooses to build software and asks users to leave their security up to fate. Case in point - after their failings were reported publicly, CryptoCat specifically added a disclaimer to their website to not trust your life with it. That change was about week ago, and unfortunately up to that point users indeed trusted their lives to it.

Securing applications is a complex, proactive undertaking, open-source or not. Those that do not understand the specific security engineering activities required to create secure software should be careful about the claims they make.