Which messaging technologies are actually secure?
The Electronic Frontier Foundation has evaluated 39 chat clients, text messaging apps, email apps, and technologies for voice and video calls, and found that only six of them fulfil the seven criteria the organization deems necessary for user security:
- Data is encrypted in transit
- Data is encrypted at the provider level
- They offer the option of verifying contacts’ identities
- If encryption keys are stolen, past communications are secure (the app provides forward-secrecy)
- The cryptography design of the app has been well documented
- The app’s code is open to independent review
- The app’s code has been audited.
The six apps in questions are ChatSecure, CryptoCat, Silent Circle’s Silent Phone and Silent Text, and Open WhisperSystems’s Signal/RedPhone and TextSecure (the latter’s code and cryptographic protocol have only recently been audited).
“Apple’s iMessage and FaceTime products stood out as the best of the mass-market options, although neither currently provides complete protection against sophisticated, targeted forms of surveillance,” the EFF explained.
“Many options—including Google, Facebook, and Apple’s email products, Yahoo’s web and mobile chat, Secret, and WhatsApp—lack the end-to-end encryption that is necessary to protect against disclosure by the service provider. Several major messaging platforms, like QQ, Mxit, and the desktop version of Yahoo Messenger, have no encryption at all.
This EFF’s Secure Messaging Scorecard is aimed at pushing companies towards better security but still easy to use software, and at making users make an informed choice regarding the communication tech they use.
“We’re hoping our scorecard will serve as a race-to-the-top, spurring innovation around strong crypto for digital communications,” they say. “In the face of widespread Internet data collection and surveillance, we need a secure and practical means of talking to each other from our phones and computers.”