[On the security and privacy of] messaging tools

Messaging, whether from your computer or your smartphone, has become a big deal lately in terms of security and privacy. Whether you are talking with a friend about this cool queer movie you saw, or about the details of a demonstration you are organizing, you might want to do so without making it really easy for organizations or individuals to eavesdrop.

Important notice: There is no (and probably never will be) 100% security/privacy over the Internet. When you really want to discuss something privately with someone, better do it in person and with all the reasonable measures (no phones around, in a trusted (bug-free) environment, etc.).

In the following we will discuss the main requirements that a messaging program should meet, and present the best choices for communicating as securely as possible over the Internet.

First of all, you might be wondering what the big deal is, or what exactly the problem is with using the usual stuff (Skype, WhatsApp, Viber, Facebook Messenger, etc.). There is a plethora of questions that we have to ask, including: Is the code of the program open to everyone? Does it use state-of-the-art encryption? Can the provider (e.g., Facebook) decrypt your data? Has the tool been audited by an external entity? And many more. But let’s take each one of the important questions and go a bit deeper.

Is the code open?

All programs are made of code. In this respect, programs can be divided into open-source (the code is available for everyone to see) and closed-source (the code is private; only the respective company has access to it). It is important to know that when the code is closed, NOBODY can safely state that the program is only doing what it is intended to do. This means that a program could implement spying mechanisms (backdoors) that can be enabled whenever asked for (e.g., by the police). Furthermore, when the code is closed, it is hard to assess its quality, especially from a security/privacy perspective.

Encryption and *the key*

When discussing encryption (i.e., whether the data transferred can be “seen” by others or not) it is important to understand two things. The first one is of course the existence of encryption itself. This means that when Judith sends the message “performativity is important” to Silvia, Mikhail, who is eavesdropping on the communication, would not understand anything.

The other one, and the most confusing, is the location in which the cryptographic keys are saved.

The good news

Except for some rare cases (e.g., kik and QQ), most current versions of messaging applications do encrypt their data (yes, even Skype or WhatsApp).

The bad news

The big question, however, is not the existence of encryption but rather who owns the decryption keys. This is also the most important security problem of the majority of applications (among others: Viber, Facebook chat, Yahoo Messenger, and Skype OWN the keys; this basically means that they potentially have access to all your communication data).

Basically, you can think of it as two ways to have encryption: in one the key is owned by the user (good choice), and in the other it is owned by the company, or more specifically its servers (bad choice). With the first option, all communications are end-to-end encrypted and the only way to decrypt is to use a key that is stored on the users’ device.

Recent code audit

Another important criterion is whether the program has been independently tested for security flaws. This means that another entity that is an expert on security has analyzed both the architecture and the implementation of the program for security flaws. This is actually becoming common lately, so a number of programs do meet this requirement.

Other requirements

Many other requirements exist. For instance the documentation of the system’s design, and the ability to keep the past communications secure even when the cryptographic key is stolen. In addition, the ability to verify the identity of the person we are trying to contact (even when the service provider is compromised) is also of great importance.
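
To make the requirement about past communications concrete, here is a small Python sketch added for illustration (it is not code from TextSecure, Pidgin or any other tool named here). It compares one long-term key with a key that is replaced after every message; the shared secret, the helper names and the stand-in XOR cipher are assumptions made for the demo.

```python
import hashlib
import hmac

def kdf(key: bytes, label: bytes) -> bytes:
    """One-way step: HMAC-SHA256 cannot be run backwards to recover `key`."""
    return hmac.new(key, label, hashlib.sha256).digest()

def xor_cipher(key: bytes, data: bytes) -> bytes:
    """Demo-only stand-in cipher (XOR with an HMAC keystream); the same call
    encrypts and decrypts. A real messenger uses an authenticated cipher."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = kdf(key, offset.to_bytes(8, "big"))
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)

class Ratchet:
    """Each message gets a fresh key; the chain key is then overwritten, so
    keys for earlier messages no longer exist on the device."""
    def __init__(self, shared_secret: bytes):
        self.chain_key = shared_secret

    def process(self, data: bytes) -> bytes:
        message_key = kdf(self.chain_key, b"message")
        self.chain_key = kdf(self.chain_key, b"chain")  # old value is gone
        return xor_cipher(message_key, data)

def stolen_key_exposure() -> dict:
    """Returns what a thief reads of an already-recorded message."""
    secret = b"constructed demo secret"  # constructed sample value
    past = b"performativity is important"

    # Case 1: one long-term key for everything.
    recorded_static = xor_cipher(secret, past)
    static_leak = xor_cipher(secret, recorded_static)  # thief holds `secret`

    # Case 2: ratchet. Judith sends, Silvia receives, both advance one step.
    judith, silvia = Ratchet(secret), Ratchet(secret)
    recorded_ratchet = judith.process(past)
    assert silvia.process(recorded_ratchet) == past
    thief = Ratchet(silvia.chain_key)  # device state copied after delivery
    ratchet_leak = thief.process(recorded_ratchet)

    return {"static": static_leak, "ratchet": ratchet_leak}

if __name__ == "__main__":
    for scheme, leaked in stolen_key_exposure().items():
        print(scheme, leaked)
```

This sketch only protects messages sent before the theft: whoever copies the current chain key can still derive the keys for later messages.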

And the winner is…

Smartphones

TextSecure (Android) provides end-to-end encryption, with the keys being saved on the users’ side. The identity of the recipient can be verified, and all past communications cannot be read even when the key is stolen. In addition, the code is open to review, the security design is properly documented and there has been a recent code audit. This basically is one of the few apps for smartphones that meets all the requirements! Another alternative that I haven’t tested is ChatSecure (for Android and Apple).

Computers

By far the best choice is Pidgin along with the off-the-record plugin. I will have a dedicated post on Pidgin along with the off-the-record plugin soon, to describe how to install it and what the benefits of using XMPP/Jabber are in contrast to other protocols.

More info

A lot of the information stated here is adapted from the super cool work done by the EFF (Electronic Frontier Foundation); also check here.