We live in times when issues such as user privacy are always a hot topic. Since Edward Snowden unveiled the PRISM program in 2013, a new era of online communications has begun. We are increasingly aware of the importance of good encryption, something that would not have happened had we not learned that certain government agencies spy on almost everything.
Precisely for this reason, more and more users rely on encrypted messaging clients to communicate over the Internet. The security blog Hackernoon has published a table comparing a number of secure messaging clients, which we can use to check which ones offer the best privacy.
The article was written by Marcel Ackermann, a computer security expert on the Amazon Machine Learning team in Germany. It is based on various documents describing the encryption protocols these applications use, such as Signal's. He also checked whether the apps had recently passed any security audits, drawing on what the EFF has published.
It is quite possible that most of the applications in the table will not sound familiar, but the growing interest in encryption and in these apps benefits us all, even if we do not realise it. Thanks to their push, applications like WhatsApp have implemented end-to-end encryption.
What do these secure applications offer?
| Application | Protocol | OS | Decentralized? | Group chat? | Multi-device? | Offline messages? | PFS? | Security audits passed? | Anonymity? |
|---|---|---|---|---|---|---|---|---|---|
| Conversations | XMPP + OMEMO | Android | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Riot | Matrix + Olm | Android / iOS | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| ChatSecure | XMPP + OMEMO | iOS | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Jitsi | XMPP + OTR | Unix, Win, Mac | Yes | No | No | No | Yes | Yes | Yes |
| Pidgin | XMPP + PGP | Unix, Win, Mac | Yes | Yes | Yes | Yes | No | Yes | Yes |
| Signal | Signal Protocol | Android, iOS, Browser | No (developers do not want to) | Yes | Yes | Yes | Yes | Yes | Yes |
| Wire | Proteus | Unix, Win, Mac, Browser, iOS, Android | No (developers do not want to) | Yes | Yes | Yes | Yes | No | Yes |
| Converse.js | XMPP + OTR | Browser | Yes | No | No | No | Yes | Yes | Yes |
| Gajim | XMPP + OMEMO | Unix, Win, Mac | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Psi | XMPP + PGP | Unix, Win, Mac | Yes | Yes | Yes | Yes | No | Yes | Yes |
| Salut à Toi | XMPP + OTR | Browser | Yes | No | No | No | Yes | Yes | Yes |
| Xabber | XMPP + OTR | Android | Yes | No | No | No | Yes | Yes | Yes |
| Jbother | XMPP + PGP | Unix, Win, Mac | Yes | Yes | Yes | Yes | No | Yes | Yes |
| Jeti/2 | XMPP + PGP | Unix, Win, Mac | Yes | Yes | Yes | Yes | No | Yes | Yes |
| Tkabber | XMPP + PGP | Unix, Win, Mac | Yes | Yes | Yes | Yes | No | Yes | Yes |
| RetroShare | RetroShare | Unix, Win, Mac | Yes | Yes | Yes | Yes | Yes | No | Yes |
| Antidote | Tox Protocol | iOS | Yes | No | Yes | No | Yes | No | Yes |
| Antox | Tox Protocol | Android | Yes | No | Yes | No | Yes | No | Yes |
| Cryptocat | XMPP + OMEMO | Unix, Win, Mac | No | No (currently being implemented) | Yes | Yes | Yes | Yes | Yes |
| qTox | Tox Protocol | Unix, Win, Mac | Yes | No | Yes | No | Yes | No | Yes |
| Silent Phone | ZRTP | iOS, Android | No | No | Yes | Yes | Yes | Yes | No |
| Telegram | Telegram Protocol | iOS, Android, Win, Mac, Unix | No (developers do not want to) | No (not encrypted) | No (not encrypted) | Yes | Yes | Yes | No |
| uTox | Tox Protocol | Unix, Win, Mac | Yes | No | Yes | No | Yes | No | Yes |
| Surespot | Surespot Protocol | iOS, Android | No | No | No | No | Yes | No | Yes |
| Ricochet | Ricochet Protocol | Unix, Win, Mac | Yes | No | No | No | Yes | Yes | Yes |
When analyzing the table, it is important to be clear about the criteria it reflects. First, only open source applications are included, because they are the most transparent: anyone can inspect their code, so we can be sure they do only what they promise, without hidden additions. In addition, as we said at the beginning, it is recommended that they have undergone security audits.
The first point to consider is whether an application is decentralized. In short, a decentralized app is one that does not limit communication to its own user base; it usually integrates with different messaging services, which we can use without leaving the app.
On the other hand, the encryption protocol used must be taken into account. Among the best features on offer is OMEMO, an XMPP extension that allows conversations between two or more endpoints to be encrypted.
The table also shows whether or not they offer anonymity. There is a growing group of people who attach importance to remaining anonymous, which means their accounts cannot be linked in any way to a phone number or an email address.
The most important thing, especially when it comes to encryption, is that they implement a good key verification system. This is what confirms that the client is really communicating with the person it claims is on the other side of the screen. Otherwise, an attacker could pose as the person we want to talk to, leaving us exposed.
Alongside this key verification system comes something known as Perfect Forward Secrecy or PFS, the term that appears in the table. It ensures that an attacker cannot decrypt the communications previously exchanged between two or more people if the key of one of them is later compromised.
It is also worth checking whether the applications can be used on several devices while keeping encryption on all of them. This way we always have the assurance that our communications are not easy to intercept, whether on the phone or on a computer.
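As an added illustration of the two ideas above (key verification and forward secrecy), here is a self-contained Python example. It is not from the original article or from any of the listed clients. The fingerprint format, the toy XOR stream cipher and the scenario (three messages, a device compromise, two more messages) are constructed for the example; the ratchet is a simplified version of the symmetric hash ratchet used by the Signal protocol and OMEMO, without the Diffie-Hellman layer those protocols add on top.

```python
import hashlib
import hmac
import os

# ---- 1. Key verification ----------------------------------------------------
# Assumed, simplified fingerprint scheme for this example: the value shown to the
# user is the SHA-256 of the contact's long-term identity key, split into blocks.
# Real clients use their own encodings, but the check is the same: the value your
# client shows must match the one your contact reads to you over a trusted channel.

def fingerprint(identity_key: bytes) -> str:
    digest = hashlib.sha256(identity_key).hexdigest()
    return " ".join(digest[i:i + 8] for i in range(0, len(digest), 8))

def verify_peer(key_from_server: bytes, fingerprint_confirmed_in_person: str) -> bool:
    """True only if the key the server handed us is the one our contact vouched
    for out of band. A substituted key (a man-in-the-middle) fails this check."""
    return hmac.compare_digest(fingerprint(key_from_server), fingerprint_confirmed_in_person)

# ---- 2. Forward secrecy: a one-way symmetric ratchet -------------------------
# Simplified hash ratchet of the kind used by the Signal protocol and OMEMO
# (assumption: real protocols layer a Diffie-Hellman ratchet on top). Every message
# is encrypted under its own key; the chain key then advances through a one-way
# function and the message key is thrown away, so a device compromise later on
# cannot be walked backwards to earlier messages.

def ratchet_step(chain_key: bytes) -> tuple:
    """Derive this message's key and the next chain key (both one-way)."""
    message_key = hmac.new(chain_key, b"\x01", hashlib.sha256).digest()
    next_chain_key = hmac.new(chain_key, b"\x02", hashlib.sha256).digest()
    return message_key, next_chain_key

def derive_message_keys(chain_key: bytes, count: int) -> list:
    """Walk the ratchet forwards: everything derivable from a given chain key."""
    keys = []
    for _ in range(count):
        message_key, chain_key = ratchet_step(chain_key)
        keys.append(message_key)
    return keys

def keystream_xor(message_key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (illustration only, no authentication): XOR the data
    with an HMAC-derived keystream. Applying it twice restores the plaintext."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(message_key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def send_messages(chain_key: bytes, plaintexts: list) -> tuple:
    """Encrypt each message under a fresh ratchet key. Returns the ciphertexts and
    the chain key left on the device; the per-message keys are not retained."""
    ciphertexts = []
    for plaintext in plaintexts:
        message_key, chain_key = ratchet_step(chain_key)
        ciphertexts.append(keystream_xor(message_key, plaintext))
        # message_key goes out of scope here and is never stored
    return ciphertexts, chain_key

def forward_secrecy_demo() -> dict:
    """Constructed scenario: three messages are sent, then the sender's device is
    compromised and its current chain key stolen, then two more messages are sent."""
    initial_chain_key = os.urandom(32)   # in a real client this comes from a key agreement
    early_plain = [b"first", b"second", b"third"]
    early_cipher, stolen_chain_key = send_messages(initial_chain_key, early_plain)
    later_plain = [b"fourth", b"fifth"]
    later_cipher, _ = send_messages(stolen_chain_key, later_plain)

    # Forwards the ratchet is reproducible: the thief reads messages sent after the theft
    # (this is why real protocols also rotate keys with Diffie-Hellman exchanges).
    later_keys = derive_message_keys(stolen_chain_key, len(later_cipher))
    later_recovered = [keystream_xor(k, c) for k, c in zip(later_keys, later_cipher)]

    # Backwards it is not: none of the keys derivable from the stolen state opens the
    # earlier ciphertexts. (The plaintexts are used here only to score the attempt.)
    candidates = derive_message_keys(stolen_chain_key, 64)
    early_recovered = [any(keystream_xor(k, c) == p for k in candidates)
                       for c, p in zip(early_cipher, early_plain)]
    return {"later": later_recovered, "early": early_recovered}

if __name__ == "__main__":
    alice_key = bytes(range(32))               # constructed identity key, not a real one
    print("fingerprint:", fingerprint(alice_key))
    print("genuine key accepted:", verify_peer(alice_key, fingerprint(alice_key)))
    print("substituted key rejected:", not verify_peer(b"\xff" * 32, fingerprint(alice_key)))
    print(forward_secrecy_demo())
```

Running the script shows the two properties the table columns stand for: a key swapped in transit produces a fingerprint that does not match the one confirmed in person, and a chain key stolen after the third message reveals the fourth and fifth but none of the first three, because the ratchet only runs forwards.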
These are the most secure and complete applications
Based on the data gathered in the table, and according to the criteria we have established, the most complete mobile applications would be Conversations, ChatSecure and Gajim. These three use OMEMO encryption, which also incorporates PFS, implement anonymity options and allow offline messages by default.
These three are closely followed by Riot, whose protocol (Matrix with Olm) is very similar. Among other things, it also includes PFS and anonymization options by default. Last among the most secure applications comes Signal, which today remains Snowden's favorite chat client.
As for the desktop world, in addition to the aforementioned Signal (which would be a winner for its features), there are others such as Pidgin, Psi, Jbother, Jeti/2 or Tkabber, which represent the best options in terms of encryption, despite not having PFS.
There are others with good ideas, but they do not shine as brightly, either because they have not undergone security audits recently (Wire, RetroShare, Tox, Surespot), or because their protocol has significant shortcomings (between devices, or because it does not encrypt group chats, for example).