Web chat client with client-side cryptography.
Beta software - code review highly appreciated.
Cryptocat lets you instantly set up secure conversations. It's an open source encrypted, private alternative to other services such as Facebook chat.
- Cryptocat serves as a server and provides a HTTPS-accessible web interface that works on modern mobile and desktop browsers.
- Cryptocat Chrome is a Google Chrome app that loads code locally and connects to a Cryptocat server only to communicate chat data, thus providing better security.
- CryptocatBot is a native Android app developed in collaboration with the Guardian Project.
- A client-side 4096-bit Diffie-Hellman-Merkle public key agreement engine.
- A client-side AES-256 implementation is used to encrypt data.
- HMAC message integrity verification.
- The identity of chatters can be confirmed via key fingerprints, à la OTR.
- Uses the Fortuna secure pseudo-randomness generator.
- Send encrypted .zip files and images.
- Includes a mobile website compatible with iPhone, Android and BlackBerry.
- Chats are securely deleted after one hour of inactivity.
- Easily invite your Facebook contacts to join your Cryptocat session.
- Send private messages that can only be seen by a single recipient.
- A sleek design with time-stamping, optional audio notifications, fluid-window mode, and mobile support.
- Translations available for French, Catalan, Basque, Italian, German, Portuguese, Russian and Swedish.
A design specification for the Cryptocat protocol is available.
- Noncommercial — You may not use this work for commercial purposes.
- Attribution — You must attribute the work to the Cryptocat project (but not in any way that suggests that they endorse you or your use of the work).
- Share Alike — If you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.
Additionally: THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
- If your server does not support symlinks, replace the symlinks with copies of the actual files accordingly.
src/server/js/src/directory in order to generate the client-side cryptography code (requires
- Configure settings inside
make build-chrome-zipin order to generate a Google Chrome-loadable.zip
Instructions coming soon.
Cryptocat provides strongly encrypted, secure communications. However, it is not a replacement to GPG. Think responsibly if you are in extreme, life-threatening situations.
Using Cryptocat without HTTPS in a production environment is a recipe for disaster. We severely warn against deploying Cryptocat without HTTPS, unless the deployment is occurring as a Tor Hidden Service.
The code for secure deletion of idle chats after one hour is not included in the Cryptocat git repository. On the production server, it's actually a cron job that checks the modification time of chats and wipes them securely. Those wanting to set up similar functionality should consider writing something similar.
Cryptocat™ is a trademark of and is developed by Nadim Kobeissi. It uses parts of the crypto-js library and the Bitcons iconset. Cryptocat is indebted to Paul Brodeur, David Mirza, Hasan Saleh and Tina Salameh.