Encrypt conversations using online chatroom Cryptocat

Up to 21 people can chat in Cryptocat using the same encryption key. There is no software to install or download; the chatroom runs in any computer or mobile device with a browser.

The first thing you need in order to use this secure chatroom is the chatroom name. There is no list of available chatrooms: they are all secret, and unless you know what a room is called you cannot join it. You can, however, create a secret chatroom yourself and send its link to your friends. Once you log in you will be asked to move your mouse around to gather random data, which helps build up entropy for the encryption. You can chat in clear text in the box, or enter a password in the blue bar, after which only those who know the password will be able to read the messages; everyone else in the chatroom will see the text “encrypted” instead. If you choose a very weak password for the conversation, Cryptocat will warn you about its strength.

Chatroom messages are enciphered with symmetric AES-256. Anything you type is encrypted and given an integrity check before it leaves your computer; the encryption is performed in the browser by a script (the crypto-js library), and an SSL certificate protects the transmission between the browser and the chatroom server. Even if someone compromised the Cryptocat servers, all they would see is encrypted data, and Cryptocat itself cannot decrypt the conversations. Messages are wiped after 30 minutes of inactivity. If you also want anonymity, the chatroom can be reached through a proxy such as Tor to hide your computer's IP address (which is otherwise visible to the server). The chat does not use Java.

The only downside I found is that you still need to transmit the passphrase through a secure channel; that is the weakest point, and the more people involved in the encrypted chat, the greater the chance that someone leaks the passphrase through negligence. The site should be of great value to activists using an Internet cafe for communication, or to anyone worried about their ISP's surveillance. Keyloggers would then be the only remaining weapon, and using a different public computer for each Internet session makes it difficult for someone to plant a targeted trojan.

