A very misinformed blog post concerning Cryptocat’s development roadmap has been going around, and I need to address it: not only is the post fundamentally incorrect in its technical assumptions, but it is written in a surprisingly authoritative tone.
The blog post suggests that becoming a local browser app means that Cryptocat no longer uses JavaScript cryptography. This is nonsense: JavaScript is a language, and since browser apps/plugins are written in an HTML5 framework, we will still be using JavaScript to implement cryptographic functions. The only thing that has changed is the method of code delivery. Even with this change, Cryptocat research remains within the purview of JavaScript cryptography research; it does not abandon that research but improves on it by proposing a different method of code delivery. The articles that the blog post links to attack the way JS crypto code is delivered, and we are answering exactly those concerns:
- We have not “abandoned JS crypto” and “officially declared” that JavaScript crypto is “wrong.”
- We have not “declared that you cannot do serious crypto in pure JavaScript.”
- We have simply changed the method of JS code delivery to a local browser plugin, in order to further advance the security of JS cryptography.
I have absolutely no idea where the author pulled his conclusions from, and I’m really surprised at how confidently he posits them in his blog post.
The author goes on to propose that a browser extension be used to provide a standard cryptographic API for browsers. This is redundant for two reasons:
- The W3C is already working on a standard cryptographic API for browsers (Cryptocat is part of this working group).
- There already exist several vetted, very well-designed standard libraries for client-side browser crypto, such as the Stanford JavaScript Cryptography Library and Crypto-JS (which I personally prefer).
When writing a blog post that presents assumptions as established facts, please make sure you know what you’re talking about.