Comparison of the most private messaging applications according to experts in computer security

We live in times when issues such as user privacy are always a hot topic. Edward Snowden's disclosure of the PRISM program in 2013 ushered in a new era of online communications. We are becoming increasingly aware of the importance of good encryption, something that would not have happened had we not learned that certain government agencies spy on almost everything.

Precisely for this reason, more and more users rely on encrypted messaging clients to communicate over the Internet. The security blog Hackernoon has published a table of different secure clients, which lets us check which ones offer the best privacy.

The article was written by Marcel Ackermann, a computer security expert on the Amazon Machine Learning team in Germany. He based it on different documents about the encryption protocols used by these applications, such as Signal. He also checked whether these apps had passed any security audits recently, information that was published by the EFF.

It is quite possible that most of the applications in the table do not sound familiar, but the growing interest in encryption and in these apps benefits us all, even if we do not know them. Thanks to this push, applications like WhatsApp have implemented end-to-end encryption.

What do these secure applications offer?

| Application | Protocol | OS | Decentralized? | Group chat? | Multi-device? | Offline messages? | PFS? | Security audits passed? | Anonymity? |
|---|---|---|---|---|---|---|---|---|---|
| Conversations | XMPP + OMEMO | Android | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Riot | Matrix + Olm | Android / iOS | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| ChatSecure | XMPP + OMEMO | iOS | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Jitsi | XMPP + OTR | Unix, Win, Mac | Yes | No | No | No | Yes | Yes | Yes |
| Pidgin | XMPP + PGP | Unix, Win, Mac | Yes | Yes | Yes | Yes | No | Yes | Yes |
| Signal | Signal Protocol | Android, iOS, Browser | No (developers do not want to) | Yes | Yes | Yes | Yes | Yes | Yes |
| Wire | Proteus | Unix, Win, Mac, Browser, iOS, Android | No (developers do not want to) | Yes | Yes | Yes | Yes | No | Yes |
| Converse.js | XMPP + OTR | Browser | Yes | No | No | No | Yes | Yes | Yes |
| Gajim | XMPP + OMEMO | Unix, Win, Mac | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Psi | XMPP + PGP | Unix, Win, Mac | Yes | Yes | Yes | Yes | No | Yes | Yes |
| Salut à Toi | XMPP + OTR | Browser | Yes | No | No | No | Yes | Yes | Yes |
| Xabber | XMPP + OTR | Android | Yes | No | No | No | Yes | Yes | Yes |
| Jbother | XMPP + PGP | Unix, Win, Mac | Yes | Yes | Yes | Yes | No | Yes | Yes |
| Jeti / 2 | XMPP + PGP | Unix, Win, Mac | Yes | Yes | Yes | Yes | No | Yes | Yes |
| Tkabber | XMPP + PGP | Unix, Win, Mac | Yes | Yes | Yes | Yes | No | Yes | Yes |
| RetroShare | RetroShare | Unix, Win, Mac | Yes | Yes | Yes | Yes | Yes | No | Yes |
| Antidote | Tox Protocol | iOS | Yes | No | Yes | No | Yes | No | Yes |
| Antox | Tox Protocol | Android | Yes | No | Yes | No | Yes | No | Yes |
| Cryptocat | XMPP + OMEMO | Unix, Win, Mac | No | No (currently being implemented) | Yes | Yes | Yes | Yes | Yes |
| qTox | Tox Protocol | Unix, Win, Mac | Yes | No | Yes | No | Yes | No | Yes |
| Silent Phone | ZRTP | iOS, Android | No | No | Yes | Yes | Yes | Yes | No |
| Telegram | Telegram Protocol | iOS, Android, Win, Mac, Unix | No (developers do not want to) | No (not encrypted) | No (not encrypted) | Yes | Yes | Yes | No |
| uTox | Tox Protocol | Unix, Win, Mac | Yes | No | Yes | No | Yes | No | Yes |
| Surespot | Surespot Protocol | iOS, Android | No | No | No | No | Yes | No | Yes |
| Ricochet | Ricochet Protocol | Unix, Win, Mac | Yes | No | No | No | Yes | Yes | Yes |

When analyzing the table, it is important to be clear about the criteria it reflects. First, only open source applications are included, because they are the most transparent: anyone can inspect their code, so we can be sure that they do only what they promise, with nothing extra added. In addition, as we said at the beginning, it is recommended that they have passed security audits.

The first point to consider is whether an application is decentralized. In short, a decentralized app is one that does not limit communication to its own user base. That is, it usually integrates with different messaging services, which we can use without leaving the app.

The encryption protocol used must also be taken into account. Of all of them, the one offering the best features is OMEMO, an XMPP extension that allows conversations between two or more endpoints to be encrypted.

The table also shows whether or not the applications offer anonymity. A growing group of people attach importance to remaining anonymous. This means that their accounts cannot be linked in any way to a phone number or an email address.

The most important thing, especially where encryption is concerned, is that the applications implement a good key verification system. This system is in charge of verifying that we are in fact communicating with the person the client says is on the other side of the screen. Otherwise, an attacker could pose as the person we want to talk to, putting us at risk.

Part of this key verification system is something known as Perfect Forward Secrecy, or PFS, which is the term that appears in the table. It ensures that an attacker cannot decrypt the communications between two or more people if the key of one of them is compromised.
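To illustrate the forward secrecy property described above, the following added example (not from the original article or from any of the listed applications) runs a simplified symmetric key ratchet and checks which recorded messages an attacker can read after stealing a device's current key state. The function names, the shared secret and the sample messages are constructed for this illustration, and the HMAC-based cipher is for demonstration only.

```python
import hashlib
import hmac
from typing import List, Optional, Tuple

SAMPLE = [b"one", b"two", b"three", b"four", b"five"]  # constructed messages


def ratchet(chain_key: bytes) -> Tuple[bytes, bytes]:
    """One one-way step: returns (next_chain_key, message_key)."""
    return (hmac.digest(chain_key, b"\x02", "sha256"),
            hmac.digest(chain_key, b"\x01", "sha256"))


def _keystream(key: bytes, length: int) -> bytes:
    blocks = (hmac.digest(key, b"ks" + i.to_bytes(4, "big"), "sha256")
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Illustration-only cipher: HMAC keystream XOR plus a 32-byte MAC tag."""
    body = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, len(plaintext))))
    return body + hmac.digest(key, b"tag" + body, "sha256")


def unseal(key: bytes, sealed: bytes) -> Optional[bytes]:
    """Return the plaintext, or None when the key does not fit the message."""
    body, tag = sealed[:-32], sealed[-32:]
    if not hmac.compare_digest(tag, hmac.digest(key, b"tag" + body, "sha256")):
        return None
    return bytes(c ^ s for c, s in zip(body, _keystream(key, len(body))))


def readable_after_compromise(messages: List[bytes], stolen_after: int) -> List[int]:
    """Numbers of the recorded messages an attacker can read with stolen state."""
    chain_key = hashlib.sha256(b"constructed shared secret").digest()
    recorded, stolen = [], b""
    for number, text in enumerate(messages, start=1):
        chain_key, message_key = ratchet(chain_key)  # previous chain key is discarded
        recorded.append(seal(message_key, text))     # attacker logs every ciphertext
        if number == stolen_after:
            stolen = chain_key                       # device state leaks at this point
    readable = set()
    for _ in messages:                               # attacker can only ratchet forward
        stolen, message_key = ratchet(stolen)
        readable.update(n for n, ct in enumerate(recorded, start=1)
                        if unseal(message_key, ct) is not None)
    return sorted(readable)
```

Calling `readable_after_compromise(SAMPLE, 3)` shows that the messages sent before the compromise stay unreadable, because each step of the chain is one-way and the older keys no longer exist on the device. Messages sent after the compromise remain exposed until the parties agree on fresh key material.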

It is also worth checking whether the applications can be used on different devices while maintaining encryption on all of them. That way we can always be confident that our communications are not easy to intercept, whether on a mobile phone or on a computer.

These are the most secure and complete applications

Based on the data gathered in the table, and according to the criteria we have established, the most complete mobile applications would be Conversations, ChatSecure and Gajim. All three use OMEMO encryption, which also incorporates PFS, implement anonymity options and allow offline messages to be sent by default.

These three are closely followed by Riot, whose protocol (Matrix with Olm) is very similar to the previous one. Among other things, it also includes PFS and anonymity options by default. Last among the most secure applications comes Signal, which remains Snowden's favorite chat client today.

As for the desktop world, in addition to the aforementioned Signal (which would be the winner for its features), there are others such as Pidgin, Psi, Jbother, Jeti / 2 and Tkabber, which would represent the best options in terms of encryption despite not having PFS.

There are others with good ideas that do not quite stand out, either because they have not undergone security audits recently (Wire, RetroShare, Tox, Surespot), or because their protocol has significant shortcomings between devices or does not encrypt group chats, for example.
