If some muppet hacks Facebook, every single private message I ever sent could end up in the public domain. With that in mind, I avoid ever posting anything on Facebook which I’m not willing to have posted in public at some point.

When I want to chat with someone online and don’t want my messages stored anywhere or intercepted, I use a very cool little browser plugin called Cryptocat. Because the code runs as a browser plugin installed on your own machine, a compromised server can’t silently swap in malicious encryption code the way it can with online encryption tools that are served from a web page (such as my own End2End encryption plugin for WordPress).

The downside to Cryptocat is that you need to muck around swapping keys and ensuring the other person is online to use it. But with the latest release of Cryptocat, they have added Facebook integration. This allows you to chat with your Facebook friends so long as they also chat to you via the Cryptocat interface. If they aren’t on Cryptocat right then, you can simply ask them to hop on Cryptocat, and continue the conversation in an encrypted fashion after they have joined.

This is a much needed usability improvement and makes the exchange of encryption keys simpler.

Demonstration of the Cryptocat Facebook integration. Unencrypted messages show up in red and encrypted ones in blue. If the other user logs off Cryptocat, a warning message is left at the top of the screen, but you can still keep messaging them, and anything you send from then on goes unencrypted.

Problems

I have not dived into the code, but it is immediately obvious on using it that this tool does not block some basic metadata from being sent back to Facebook. They can see who you are chatting with, how big each message is and when you send the messages. They can’t see what the message is, though, as they only see an encrypted blob. All of this is outlined on the Cryptocat website and is not a secret. I think it is a good idea to be aware of this, though, in case you need to take extreme security precautions. This simple encryption should be sufficient for most people’s purposes though.
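To make the metadata point concrete, here is an added illustration (my own, not code from the original post or from the Cryptocat project) of what a chat relay server sees when two Cryptocat users talk over Facebook chat. It assumes that private chats are wrapped with OTR, so that an encrypted body is an opaque base64 blob framed as `?OTR:…`, and the XMPP stanzas and the `ts` attribute are constructed sample data, not captured traffic. The server ends up with sender, recipient, timing and size for every message, and the plaintext only for the ones sent before the other side joined.

```python
"""
Added example, not part of the original post or of Cryptocat:
what a chat relay server can and cannot see in a Cryptocat-over-Facebook
conversation.  Assumptions (not stated on the page): encrypted bodies use
OTR framing ("?OTR:" + base64 + "."), and the stanzas below are constructed.
"""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ALICE = "alice@chat.facebook.com"   # hypothetical accounts
BOB = "bob@chat.facebook.com"


def opaque(n: int) -> bytes:
    """Deterministic stand-in for n bytes of ciphertext (any random bytes would do)."""
    out = b""
    i = 0
    while len(out) < n:
        out += hashlib.sha256(str(i).encode()).digest()
        i += 1
    return out[:n]


def otr_body(blob: bytes) -> str:
    """Frame an opaque ciphertext the way OTR puts it into a message body (assumed format)."""
    return "?OTR:" + base64.b64encode(blob).decode("ascii") + "."


# Constructed sample: one plaintext invite, then two encrypted replies.
SAMPLE_STANZAS = f"""
<stream>
  <message from="{ALICE}" to="{BOB}" ts="1400000001"><body>hey, hop on cryptocat?</body></message>
  <message from="{BOB}" to="{ALICE}" ts="1400000042"><body>{otr_body(opaque(96))}</body></message>
  <message from="{ALICE}" to="{BOB}" ts="1400000050"><body>{otr_body(opaque(133))}</body></message>
</stream>
"""

OTR_RE = re.compile(r"^\?OTR:([A-Za-z0-9+/=]+)\.$")


@dataclass
class Observation:
    sender: str
    recipient: str
    timestamp: int
    encrypted: bool
    size: int                  # bytes the server handles for this message
    plaintext: Optional[str]   # None when the body is an OTR blob


def observe(stream_xml: str) -> List[Observation]:
    """Extract, per message, exactly what the relay can read off the stanza."""
    root = ET.fromstring(stream_xml)
    seen = []
    for msg in root.iter("message"):
        body = msg.findtext("body") or ""
        m = OTR_RE.match(body)
        if m:
            # Only the blob's size is visible; the content is not recoverable here.
            size = len(base64.b64decode(m.group(1)))
            seen.append(Observation(msg.get("from"), msg.get("to"),
                                    int(msg.get("ts")), True, size, None))
        else:
            seen.append(Observation(msg.get("from"), msg.get("to"),
                                    int(msg.get("ts")), False,
                                    len(body.encode("utf-8")), body))
    return seen


def summarize(observations: List[Observation]) -> Dict[Tuple[str, str], Dict[str, int]]:
    """Who talked to whom, how much and when: the metadata that survives encryption."""
    summary: Dict[Tuple[str, str], Dict[str, int]] = {}
    for o in observations:
        s = summary.setdefault((o.sender, o.recipient),
                               {"messages": 0, "bytes": 0, "first": o.timestamp, "last": o.timestamp})
        s["messages"] += 1
        s["bytes"] += o.size
        s["first"] = min(s["first"], o.timestamp)
        s["last"] = max(s["last"], o.timestamp)
    return summary


if __name__ == "__main__":
    for o in observe(SAMPLE_STANZAS):
        print(o)
    for pair, stats in summarize(observe(SAMPLE_STANZAS)).items():
        print(pair, stats)
```

Running it shows the first message in the clear (the invite sent before the other side had joined) and the two OTR messages as nothing but sizes, while the summary still gives a complete picture of who messaged whom, how often and at what times.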

Another problem is an annoying bug in the interface which prevents you from scrolling down the list of online users. Hopefully they’ll fix this in the next version, but in the meantime you can access the rest of your friends list by hovering the cursor over the list and using a scroll wheel or two-finger scrolling.

I had one friend who refused to use it as it insisted on requesting her “name, profile picture, age range, gender, language, country and other public info”. I suspect this information is only used within the Cryptocat browser plugin and not sent back to their server, but I did not see this explicitly stated on the Cryptocat website, so I’m not certain. Hopefully the Cryptocat people can clarify this for us.

When you view your messages in Facebook itself, they are listed as being encrypted. Facebook only ever received the encrypted blobs, so you will never be able to read those messages back from Facebook again.

Conclusion

This is an excellent way to set up crude encrypted chat. It’s not perfect, but encrypted chat probably never will be. For crude encryption and keeping our almighty government overlords, hackers and other annoying nosey parkers from snooping through our stuff, this seems to be an adequate solution for most people’s purposes.