CryptoCat, the very same client that had an abysmal MitM attack exposed in which the author said "don't worry, it's on a prototype debug version" when in fact it was on the deployed real-world version?
EDIT: I get that they're choosing more "user-friendly" and "freely available" applications for featured, however this is really only going to get seen by people who don't mind a bit of fiddling around. ChatSecure + Orbot I see as the most reliable on there, yes you'd stick out like a sore thumb (why are you using Tor?) however privacy-wise, you'll be just fine.
What's more, Cryptocat is prominently featured with a perfect score ("score" being their word) above the fold, with TextSecure at the bottom of the list. Alphabetization would be a credible explanation for this if EFF hadn't already made the editorial decision to hide many many more applications behind a "show all applications" dropdown.
I think they may have changed this, as it now defaults to showing all applications and then featured applications is select-able. It's also alphabetized. I doubt there was some nefarious reasoning, but I could be wrong.
What was the logic behind what they chose to feature? They buried PGP, the most important secure messaging tool on the Internet, but had Cryptocat at the top of the list with a perfect score.
You are correct, however how they've displayed the page still doesn't sit right with me. There are a lot of unrealistic points being made with its current form.
Sorry to the EFF guys reading this, I understand what you wanted to do however the execution wasn't perfect so we're nitpicking. News.YC crowd is a finicky bunch.
For the record, we aren't endorsing CryptoCat or any of the other tools that got 7/7: ChatSecure, TextSecure, Signal/RedPhone, SilentText, SilentPhone, or the ones that are close like Pidgin+OTR, Subrosa, Surespot, Telegram, Threema or iMessage.
Getting those scores is a sign that those projects are taking the right approach. Lots of codebases have horrific bugs, including OpenSSL, older versions of the SSL and TLS protocol itself. We believe that focusing the community on the task of moving the best projects forward is more constructive than
Testing the tools that are scoring highest for usability, and doing deeper examinations of their designs and codebases, is going to be a future component of this campaign.
That sounds like a good start - but I still think the way you're presenting this data is somewhat misleading. I agree that many codebases have horrific bugs, and ultimately exploits will eventually come to light in existing applications. However, instead of listing many different available applications, why not just list what works for "right now"?
For instance: "Encrypted so the provider can’t read it?" on Skype's messaging just isn't true. If a subpoena was issued to Microsoft for conversation data, it'd be available.
I think it'd be better to stand up what does things right, and for everything else say why you're not listing them as effective. Approach is all well and good, but to an anonymous journalist/source being pursued by groups - approach over execution could be the difference between freedom and imprisonment (or worse).
Sorry, I tried to reply here yesterday but was rate-limited out of the conversation :/
Our aim with this project is to not give advice about what works "right now", because we aren't convinced there are any secure messaging options right now, especially when the usability dimensions of security are taken seriously.
Instead, what we're trying to do is articulate the things that both large companies and open source projects need to be doing to move in the right direction.
Since this is phase 1 of a multi-part campaign, we're going to take a closer look at the usability and further security properties of tools that are doing well on the Scorecard in subsequent phases.
On Skype, before launch it wasn't clear to us whether the NSA's reported Skype intercept capability came from breaking or having Microsoft backdoor the crypto (which would mean they lose the second checkmark) or by having Microsoft hand out a false public key for the other party (which is possible due to the lack of a check mark in the third column). We have an ongoing conversation with Microsoft about this and are reviewing Skype's ratings at the moment.
Oh I see, so the intended outcome is to raise awareness with the general public and shed light on issues with existing software they use in hopes that the powers that be take notice?
You may not intend to endorse CryptoCat, but it sure looks like it.
You should provide a simplified rating or some end-user-friendly explanation that is hard to ignore. It's confusing and misleading to say something is secure but there's no way to e.g. verify keys.
To be fair to the article (if not to Cryptocat), the EFF page doesn't give an analysis of the quality of the encryption. The code has been audited, but it doesn't mean the results were satisfactory.
That said, the fact that the page gives bright green happy checkmarks across the board for Cryptocat does become misleading for people who may not know a ton about it.
So it's like a Mitch Hedberg joke? "Yeah, this program has been audited by the world's best cryptographers. They said not to use it." The EFF is doing everyone a disservice by taking such a stance.
Reading about the history of CryptoCat doesn't convince me that it was written by people who knew what they were doing.
Look at the RSA key size chronology: 768, 512, 600, 1280, 1024, 1048, ...
http://tobtu.com/decryptocat.php
Yeah, nah.
https://news.ycombinator.com/item?id=7518761