The program’s founder, Nadim Kobeissi, wrote Monday that the latest 2.2 version of Cryptocat can log a user into Facebook and pull his contact list in order to set up an end-to-end encrypted conversation.
“Effectively, what Cryptocat is doing is benefitting from your Facebook Chat contact list as a readily available buddy list,” he wrote.
The move could augment Cryptocat’s user base since new users won’t have the chore of building a new contacts list, although they would need to download Cryptocat’s browser extension or iPhone application to benefit from encryption.
The security of emails and messages was brought sharply into focus by secret documents leaked by former U.S. National Security Agency contractor Edward Snowden revealing sophisticated online surveillance techniques used by the spy agency.
Facebook has said it could enable end-to-end encryption between users exchanging data,but said such technology is complicated and makes it harder for people to communicate.
Messages exchanged using Facebook are protected by SSL (Secure Sockets Layer) encryption, but that only encrypts data between an end user and Facebook. The social networking service would have access to the clear text of those conversations, which potentially could be surrendered to law enforcement under a court order.
If two people are using Cryptocat, Facebook will know an exchange occurred between the two users and the time of their chat. But the messages themselves will only say: [encrypted message].
The fact that Facebook knows two people are chatting, a type of information known as metadata, should not be a deal breaker, Kobeissi wrote. Users presumably know they’re divulging that information already to Facebook by using their service.
“There’s no harm in Cryptocat using this already-given metadata to allow these users to set up encrypted chats,” Kobeissi wrote. “The usability benefits of being able to quickly see which friends are online and ready for an encrypted chat remain overly substantial for those users.”
Facebook will know, however, that the people are using the application due to the use of a Cryptocat relay to transfer the contacts list, he wrote.
Kobeissi wrote that if a person’s Facebook friend logs into the service and is using Cryptocat, the conversation is automatically upgraded to an encrypted one. If one party does not have Cryptocat installed, the two people may chat, but the text will not be encrypted.
Cryptocat opted not to integrate itself directly into the Facebook chat interface to maintain “layers of separation,” Kobeissi wrote.
“Such an approach would have made encrypted chats over Facebook even more immediate, but would have immersed Cryptocat into Facebook’s network and runtime environment in a way that didn’t satisfy our security precautions,” he wrote.
Cryptocat connects to Facebook as an XMPP client over its outbound BOSH relay. No code from Facebook is loaded or executed within Cryptocat, and the login procedure happens in a sandboxed window, Kobeissi wrote.
Cryptocat version 2.2 is available for Chrome, Safari and Opera. An update to Firefox is due to be released later this week.