[tor-bugs] #7085 [Tor bundles/installation]: Integrate Cryptocat Browser Extension into Tor Browser Bundle

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Feb 14 23:28:27 UTC 2013 

#7085: Integrate Cryptocat Browser Extension into Tor Browser Bundle
--------------------------------------+-------------------------------------
 Reporter:  kaepora                   |          Owner:  erinn                        
     Type:  enhancement               |         Status:  new                          
 Priority:  normal                    |      Milestone:  TorBrowserBundle 2.2.x-stable
Component:  Tor bundles/installation  |        Version:  Tor: unspecified             
 Keywords:                            |         Parent:                               
   Points:                            |   Actualpoints:                               
--------------------------------------+-------------------------------------

Comment(by mikeperry):

 For the record, "trying out" CryptoCat for TBB-alpha means "Mike finally
 devotes the mental energy to actually look through the bugtracker, look at
 the code, and finally use the damn thing with a test account." I haven't
 had time to do that yet, and I won't until sometime either next week or
 the week after, once we're done with stabilizing FF17. My earlier comments
 were meant to say "Holy crap, get this thing audited for XSS issues again,
 or I won't even do that much."

 I am glad you did that, and I wanted to offer you some words of
 encouragement.

 I took a second to look through your bugtracker, and there are several
 bugs in there that I would consider blockers even for TBB-alpha (which by
 the way, wouldn't mean it would go into the subsequent TBB-stable
 automatically). I didn't know that your "Multi-Party OTR" implementation
 wasn't actually mpOTR. That is a blocker for us. I think it either needs
 to support mpOTR or CryptoCat simply shouldn't allow group chat at all. I
 don't believe it is safe for you to cook up your own crypto protocols and
 deploy them. Instead, you should be using existing peer-reviewed protocols
 to the letter.

 Issue #180 is also concerning. If it actually still applies to the
 CryptoCat XPI, that is a potentially bad sign in terms of storage
 utilization and architecture. Based on this, there may be other issues
 with how the extension is architected that freak me out.

 People may also still successfully convince me that we need to stub out to
 native code for any primatives you use. Depending on how successfully I am
 convinced of that, it may also be a blocker (possibly even for TBB-alpha,
 but right now I think it might be more important for TBB-alpha to be a
 playground for crazy prototype shit).

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/7085#comment:42>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list