Shub-nigurrath
May 23rd, 2014, 02:19
Hi all,
there's a lot of development around secure instant messaging nowadays (also thanks to Mr. Snowden), but most of those which are claimed to be secure have actually been revealed not to be. The problem lies in the handling of the crypto things, which as you know are a real pain in the ass for anyone in the world. The problems of most of the available systems are that they are often not peer-reviewed, or too young, or have poor math (e.g. poor random) or, more often than you think, release data for side-channel attacks. In some cases they were also revealed to be purposely not secure for commercial reasons (like Snapchat). This is so far the status of the latest news which I collected about the main known programs. However, I would love other suggestions and improvements on this list, and eventually a shared effort on peer-reviewing these things; we could also consider opening a wiki page on the CRTL web (?)
OTR
• Of course the first mention goes to the grandfather of all these systems, which is OTR, actually probably the most secure one: peer-reviewed, stable and used for years. But again, not all the implementations of OTR are secure enough. Pidgin is quite secure, but there are also other systems like IM+ on iOS
Telegram, the state of security, not so good..
• http://security.stackexchange.com/questions/49782/is-telegram-secure
• http://unhandledexpression.com/2013/12/17/telegram-stand-back-we-know-maths/
Snapchat, state of security. Well, it is indeed not a crypto chat system, but it has some sort of security/privacy functionalities
• http://www.theguardian.com/media-network/partner-zone-infosecurity/snapchat-photos-not-deleted-hidden
WhatsApp
• WhatsApp started encrypting their data. This is from their FAQ: http://www.whatsapp.com/faq/general/21864047
• But apparently did not get it right: http://www.pcworld.com/article/2053480/doh-basic-flaw-in-whatsapp-could-allow-attackers-to-decrypt-messages.html
• What that means is that if the police/NSA have your encrypted conversation, they can decrypt it.
There are other systems I still have not investigated..
• https://whispersystems.org/
• Zimmermann Blackphone
• Cryptocat, http://www.net-security.org/secworld.php?id=16857
• XMPP latest encryption improvement http://thehackernews.com/2014/05/xmpp-makes-encryption-mandatory-for.html
• TOX, which is a system suggested in several underground forums (http://tox.im/)
• ProtonMail, http://thehackernews.com/2014/05/protonmail-nsa-proof-end-to-end.html?m=1
.. And what about the voice channels?