What is Cloakcast? Why use it?
Cloakcast is a suite of tools for chatting
Using (a soon-to-be-released version of) Cloakcast means
that a malicious, totalitarian third party can't tell...
● Who you're communicating with
● What you're saying to them, nor
● When you're communicating <-- the unique part
...even if they're sniffing the traffic of whoever you're talking
to. In a future iteration, they may not even be able to tell
you're using Cloakcast at all.
Who cares if They know when I'm chatting, and with whom?
● Trivial to correlate web traffic with chat traffic, encrypted or not
● With no encryption over GTalk...
○ I visit URL gov't considers suspicious (e.g.
○ I send URL to $friend over GTalk
○ $friend visits URL
● With Pidgin + OTR over GTalk...
○ I visit URL gov't considers suspicious
○ I send URL to $friend over GTalk but it's encrypted
○ $friend visits URL
○ ...still pretty damn obvious who's talking with who about what!
Cloakcast solves this.
How does/will Cloakcast work?
1. Client Sending
● Original text (from user, or random garbage/decoy)
● Encrypts using recipient's PGP key
● Encrypts using Server's PGP key
2. Server
● Decrypts outer-most layer
● Re-encrypts with recipient's PGP key
3. Client Receiving
● Decrypts outer-most layer (from Server)
● Decrypts inner layer (encrypted by original sender)
● Original text
[Diagram labels: My Client, Cloakcast Server, Your Client]
Uniqueness: Client sends message to Server once per second. If the user
types a message that second, that's what gets encrypted and sent. If the
user doesn't type anything, a "garbage", decoy message gets sent
"Which connected user are you
● ...only it's better than this
● I've been talking about this like it's a
conversation happening in real-time
● It doesn't have to be
● Messages stay in a user's inbox until read
○ [EDIT: this will likely change in an upcoming version]
● Malicious parties only see data encrypted
with the Server's key or recipient's key
○ ...assuming you're using an uncompromised server,
in which case they know who's chatting, but not
when nor what about
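The once-per-second sending rule from the "Uniqueness" slide above, as an added Go example (not Cloakcast's own code). It assumes a fixed 256-byte padded frame so real text and decoys have the same size on the wire, and uses AES-GCM with a constructed all-zero key as a stand-in for the PGP layers; nextFrame, open and demoAEAD are hypothetical names.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"time"
)

const frameSize = 256 // plaintext frame: length(1) | payload | random padding
// Constructed all-zero demo key; AES-GCM stands in for Cloakcast's PGP layers.
var blk, _ = aes.NewCipher(make([]byte, 32))
var demoAEAD, _ = cipher.NewGCM(blk)

// nextFrame runs once per tick: queued text if any, else a decoy (length 0).
func nextFrame(a cipher.AEAD, outbox <-chan string) ([]byte, error) {
	msg, n := "", a.NonceSize()
	select {
	case msg = <-outbox:
	default: // nothing typed this second
	}
	buf := make([]byte, n+frameSize) // random nonce followed by random padding
	if _, err := rand.Read(buf); err != nil || len(msg) > frameSize-1 {
		return nil, fmt.Errorf("cannot build frame (rand: %v, len: %d)", err, len(msg))
	}
	copy(buf[n:], append([]byte{byte(len(msg))}, msg...))
	return a.Seal(buf[:n:n], buf[:n], buf[n:], nil), nil
}

// open decrypts one frame; the bool is false for a decoy, which the receiver drops.
func open(a cipher.AEAD, ct []byte) (string, bool, error) {
	if n := a.NonceSize(); len(ct) == n+frameSize+a.Overhead() {
		if f, err := a.Open(nil, ct[:n], ct[n:], nil); err == nil {
			return string(f[1 : 1+int(f[0])]), f[0] > 0, nil
		}
	}
	return "", false, fmt.Errorf("bad frame")
}

func main() {
	outbox := make(chan string, 1)
	outbox <- "hello"
	for i, t := 0, time.NewTicker(time.Second); i < 3; i++ {
		<-t.C // the slide's once-per-second rate
		ct, _ := nextFrame(demoAEAD, outbox)
		fmt.Println(open(demoAEAD, ct))
	}
}
```

An observer sees one 284-byte ciphertext per tick whether or not anything was typed; only the key holder can tell a decoy from text.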
Cloakcast Release Schedule
● Conceived, started July 9
○ Finished July 15
○ Basic PGP-encrypted chatting in terminal
○ Expected out in late July or August
○ WebSocket chat in browser
○ Connect through Tor?
■ Cloakcast and Tor don't compose
super nicely due to the 1-second
Future Feature Ideas
● Multi-server support
○ No server sees entire conversation
● Request data from server at adjustable rate
● Use HTTPS on port 443
○ Extra encryption layer
○ Hides destination url
● Can your ISP even tell you're using Cloakcast?
○ Maybe, using DPI, maybe not (HTTPS)
● Tor tunneling
○ Cloakcast will help against timing attacks
● Public key swapping within Cloakcast?
● Use OTR (instead of PGP/GPG)?
○ Maybe use mpOTR?
● Multiple concurrent 2-person chats
● Group chat + PGP sucks
○ O(n^2) keys :-
● Platform???
○ Distributed system :-)
○ Compute, scrape, etc
● Legit auth
○ "Client: prove you can decrypt $this to check
What is Go?
● Programming language open sourced by
Google in 2009
● Reached stable v1.0 in late March 2012
○ Fast and Concurrent
○ Statically typed (in a good way!)
○ Simple and Powerful
○ Avoids typical trade-offs
■ Fast, static typing, painful v. Slow, dynamic, fun
● My favorite programming language
○ That's right: Python is #2
SOON: Run Cloakcast on your
Screenshot taken 2012.07.03 (3 weeks ago)
● Start here: http://tour.golang.org/
● Articles: http://golang.org/doc/#articles
○ Also see http://blog.golang.org/
● Then read http://golang.org/doc/effective_go.html
● My Go snippets (in go/ and go-r60/ dirs):
● More at Go homepage: http://golang.org/