If you use Skype, SnapChat, Facebook chat, WhatsApp, or Google off-the-record chat, then it’s time to rethink your digital communications strategy and switch to more secure messaging programs. As part of a campaign to find "secure and usable crypto," the EFF evaluated 39 messaging products spanning chat clients, text messaging apps, email applications, and voice and video call tools to let us know “which messaging technologies are truly safe and secure.”
The “best” programs for digital communications, according to the EFF’s Secure Messaging Scorecard, are:
The “freebie” options to protect your privacy while maintaining security include CryptoCat, which is a free chat program that works in popular web browsers and on iPhones; ChatSecure for secure chats over iPhone or Android – Android can be combined with Orbot, a free proxy app that uses Tor; smartphone calls can be secure by using Signal for iPhone or by using the RedPhone app for Android; and TextSecure for sending secure texts on Android.
The pay for privacy and security app options with perfect scores included Silent Text for iOS and for Android and Silent Phone for iOS and for Android. The apps are free, but using them means paying a $9.95 monthly subscription.
It’s important to note that the EFF conducted neither vulnerability assessments nor in-depth technical analyses of the encryption applications. The products were chosen for review because they have a “large user base” or because they are smaller projects aiming to be both usable and “strongly secure”; each was then rated “on a range of security best practices.” The end game is to identify programs that can protect people’s communications from government surveillance.
As Joseph Bonneau from Princeton University pointed out, “It’s important to realize we’re mostly grading for effort here and not execution. We’re still a long way from being able to state with confidence how much security apps are actually delivering.”
Hopefully that clears up any confusion for those of you who read “How Secure is TextSecure” (pdf). After German security researchers audited TextSecure, they presented “an Unknown Key-Share Attack on the protocol” as well as mitigation strategy that could be applied so that TextSecure’s “push messaging can indeed achieve the goals of authenticity and confidentiality.”
The reason for the thumbs up is that the secure messaging products above met all seven of the scorecard’s criteria:
- Messages are encrypted in transit.
- Messages are encrypted end-to-end, with keys the provider cannot access.
- You can independently verify your correspondent’s identity (for example, by comparing key fingerprints out of band).
- Past communications stay secure even if your keys are stolen (forward secrecy).
- The code is open to independent review.
- The security design is properly documented.
- The code has undergone a recent independent security audit.
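As an added illustration of two of those criteria, forward secrecy and identity verification, here is a Python script that is not code from the EFF or from any product on the scorecard. It runs a static-key exchange beside an ephemeral-key exchange, records both transcripts, then "steals" the long-term private keys and shows which recorded message the thief can read; it also shows why comparing key fingerprints out of band catches a substituted key. The DH group parameters, the HMAC-based key derivation, the toy keystream cipher (standing in for a real AEAD) and the Alice/Bob/Mallory keys are all constructed for this example; it is a teaching sketch, not any app’s real protocol.

```python
import hashlib
import hmac
import secrets

# Finite-field Diffie-Hellman parameters: the RFC 3526 group 14 (2048-bit MODP)
# modulus with generator 2. Only the DH algebra matters for this demonstration.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16,
)
G = 2

def dh_keygen():
    """Return a DH key pair (private exponent, public value)."""
    priv = secrets.randbits(256)
    return priv, pow(G, priv, P)

def fingerprint(pub):
    """Short SHA-256 fingerprint of a public key: the code two correspondents
    compare out of band (in person, over the phone) to verify identity."""
    digest = hashlib.sha256(pub.to_bytes(256, "big")).hexdigest()[:32]
    return " ".join(digest[i:i + 4] for i in range(0, 32, 4))

def kdf(shared, label):
    """Derive a 32-byte key from a DH shared secret (HMAC-SHA256 as the KDF)."""
    return hmac.new(label, shared.to_bytes(256, "big"), hashlib.sha256).digest()

def xor_stream(key, data):
    """Toy SHA-256 keystream cipher standing in for a real AEAD; illustration only."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + off.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

def ephemeral_offer(my_priv, their_pub):
    """Mint a one-time DH key and authenticate it with a MAC keyed from the
    long-term keys, so the long-term keys prove identity but never encrypt."""
    e_priv, e_pub = dh_keygen()
    auth_key = kdf(pow(their_pub, my_priv, P), b"auth")
    tag = hmac.new(auth_key, e_pub.to_bytes(256, "big"), hashlib.sha256).digest()
    return e_priv, (e_pub, tag)

def ephemeral_accept(my_priv, their_pub, offer):
    """Verify the peer's authenticated one-time key; reject anything unauthenticated."""
    e_pub, tag = offer
    auth_key = kdf(pow(their_pub, my_priv, P), b"auth")
    expected = hmac.new(auth_key, e_pub.to_bytes(256, "big"), hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ephemeral key not authenticated by the long-term key")
    return e_pub

def demo(message=b"meet at the usual place at 9"):  # constructed sample message
    alice_priv, alice_pub = dh_keygen()   # Alice/Bob: assumed long-term keys
    bob_priv, bob_pub = dh_keygen()

    # 1. Static keys only (no forward secrecy): the message key comes from the
    #    long-term keys, so a recorded ciphertext falls when Bob's key leaks later.
    ct_static = xor_stream(kdf(pow(bob_pub, alice_priv, P), b"static"), message)
    stolen = xor_stream(kdf(pow(alice_pub, bob_priv, P), b"static"), ct_static)

    # 2. Ephemeral keys (forward secrecy): the recorded transcript holds only
    #    public values and MACs; the session key needs an ephemeral exponent
    #    that both sides discard after use.
    a_e_priv, a_offer = ephemeral_offer(alice_priv, bob_pub)
    b_e_priv, b_offer = ephemeral_offer(bob_priv, alice_pub)
    b_e_pub = ephemeral_accept(alice_priv, bob_pub, b_offer)   # Alice checks Bob's
    a_e_pub = ephemeral_accept(bob_priv, alice_pub, a_offer)   # Bob checks Alice's
    ct_eph = xor_stream(kdf(pow(b_e_pub, a_e_priv, P), b"session"), message)
    bob_reads = xor_stream(kdf(pow(a_e_pub, b_e_priv, P), b"session"), ct_eph)
    del a_e_priv, b_e_priv   # ephemerals wiped once the session is over
    # The thief now holds both long-term private keys plus the transcript. The
    # closest it can compute is a long-term/ephemeral mix, not the session key.
    attacker = xor_stream(kdf(pow(a_e_pub, bob_priv, P), b"session"), ct_eph)

    # 3. Identity verification: a key substituted in transit (Mallory's) shows a
    #    different fingerprint from the one Alice reads to Bob over the phone.
    _, mallory_pub = dh_keygen()

    return {
        "static_readable_after_key_theft": stolen == message,      # True
        "peer_decrypts_ephemeral": bob_reads == message,            # True
        "ephemeral_readable_after_key_theft": attacker == message,  # False
        "swapped_key_changes_fingerprint":
            fingerprint(alice_pub) != fingerprint(mallory_pub),     # True
    }

if __name__ == "__main__":
    print(demo())
```

Running it, the static case reads the message back after the key theft while the ephemeral case does not, which is exactly the difference the “past communications are secure if your keys are stolen” column measures. The fingerprint check is what the identity-verification step in these apps amounts to: a code you compare with your correspondent over a channel the provider does not control, so a key swapped in transit cannot pass.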
Next-best secure communication tools
Six communication tools missed a gold star across the board by a single criterion.
The two that fail the forward-secrecy criterion, meaning past messages could be read if your keys are stolen, are Mailvelope and Subrosa.
- Mailvelope provides OpenPGP encryption for webmail and comes preconfigured for Gmail, Yahoo Mail, Outlook.com and GMX. It is available as a Firefox add-on or as a Chrome extension.
- Subrosa is an encrypted communication platform for chatting, voice calls or video chats.
Four messaging programs missed a perfect score because their code has not had a recent independent audit. Those are:
- Jitsi + Ostel, from the Guardian Project;
- Adium, an OTR-capable chat client for Mac;
- Pidgin with the OTR plugin, on Windows;
- RetroShare, a program to securely chat and share files.
Popular but not very secure chat programs
Other messaging apps fell somewhere in the middle, but here are some that people I know insist upon using. FYI: Just because a chat program is popular doesn’t mean you should be using it. SnapChat, WhatsApp, Facebook chat and Google’s “off the record” chat scored poorly, passing only two criteria: messages encrypted in transit and code that has been audited. Note that Google’s “off the record” setting only turns off chat logging; it is not the OTR encryption protocol that Adium and Pidgin use. Skype also passed only two: encryption in transit and encryption the provider can’t read.
"The revelations from Edward Snowden confirm that governments are spying on our digital lives, devouring all communications that aren't protected by encryption," said EFF Technology Projects Director Peter Eckersley. "Many new tools claim to protect you, but don't include critical features like end-to-end encryption or secure deletion. This scorecard gives you the facts you need to choose the right technology to send your message."
Insecure messaging products
No one is suggesting you start sending messages in a bottle, but AIM, BlackBerry Messenger, Hushmail, Secret, Viber and Yahoo Messenger are a few that passed only one criterion, encryption in transit, so if you use these for messaging then it’s time to kick them to the curb. Mxit and QQ failed across the board.
I highly encourage you to review the entire Secure Messaging Scorecard and then take action by using the secure ones that can best protect your privacy from widespread Internet surveillance.