Bad news for Cryptocat as it debuts Encrypted Facebook Chat

Mere days after Cryptocat creator Nadim Kobeissi announced that the latest update of the popular software will allow Facebook users to use encrypted chat, the social network has made known its intention of shutting down its Chat API/XMPP Services by April 30th 2015.

As Kobeissi himself pointed out in a number of occasions, Cryptocat can’t foil the NSA if they are specifically after your encrypted communication, but can hamper mass surveillance efforts. It’s an easy way to add some privacy to your social interchanges.

“Cryptocat can now log into your Facebook account for you, fetch your Facebook contacts, and if another contact is also using Cryptocat, you’ll be able to automatically set up an end-to-end encrypted chat. If a Facebook friend later logs in via Cryptocat, your chat will be immediately upgraded to an encrypted Cryptocat chat,” Kobeissi announced proudly on Monday. “Effectively, what Cryptocat is doing is benefitting from your Facebook Chat contact list as a readily available buddy list.”

As a reminder, regular Facebook chats are encrypted between users and Facebook’s servers, but Facebook has access to the content. With the new Cryptocat, if two users use it and chat over Facebook, the chats “will be OTR-encrypted end-to-end and can’t be viewed by Facebook (or Cryptocat’s network.)”

Unfortunately, the chat metadata will, while minimal, be registered by Facebook, so the company knows (and can share the knowledge if required) who you have been taking to.

“For a majority of user-cases, this metadata storage is not a deal-breaker. Encrypted Facebook Chat is made for users who are already giving Facebook their contact lists and metadata — there’s no harm in Cryptocat using this already-given metadata to allow these users to set up encrypted chats,” Kobeissi pointed out.

“I think there are huge benefits to providing encrypted chat on “walled gardens’ like Facebook or Twitter. For better or for worse, a lot of people use these platforms-¦ In all these systems messages get logged at the server and it’s not clear for how long they stay there,” Matthew Green, well-regarded cryptographer and research professor at the Johns Hopkins Information Security Institute, commented the announcement.

But he also said that he worries about Facebook not liking this new Cryptocat option, and opting for thwarting it by shutting down or altering its API. As it turned out, his concern wasn’t misplaced, but whether Facebook’s move was a reaction to the news or not it’s difficult to tell.

Some people think it is. “Facebook shutting down XMPP support just when OTR clients over Facebook got usable, coincidence? I think not,” commented Frederic Jacobs, a developer of encrypted messaging software and security researcher who works for Open Whisper Systems.