In the age of Internet surveillance, private and secure messaging is a necessity. The Electronic Frontier Foundation recently published a thorough analysis measuring the security and privacy of a long list of mobile and Internet messaging services.
Some providers passed with flying colors, others struggled to make the grade and a number just plain failed. Today, we’ll run through the good. Next week, we’ll take a look at the bad.
The EFF issued an up or down grade to each service in seven categories. For Kaspersky Daily, a service had to answer "yes" to at least six of the following questions to make our list (we grant an honorable mention to any service with four or more checks):
1. Is data encrypted in transit?
2. Is data encrypted so that even the service provider can’t read it?
3. Can you identify the true identity of contacts?
4. Does the provider offer perfect forward secrecy, meaning session keys are ephemeral, so that a long-term key stolen later cannot decrypt previously recorded communications?
5. Is the service’s code open-source and available for public review?
6. Are cryptographic implementation procedures and processes documented?
7. Has there been an independent security audit in the last 12 months?
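Question 4 is the one most often missed on the scorecard, so here is an added illustration of what it means (this is example code written for this page, not code from the EFF or from any messenger listed here). It contrasts a session keyed only from the two parties' long-term Diffie-Hellman keys with one keyed from per-session ephemeral keys, then shows what an eavesdropper who recorded the traffic and later steals Bob's long-term private key can recover in each case. The tiny group (2**61 - 1), the HMAC-based stream cipher and all names are toy choices made for readability; they are assumptions of this demo, not anything a real messenger uses.

```python
"""Toy demonstration of perfect forward secrecy (PFS).

Added example for this page, not code from the EFF scorecard or from any
listed messenger. Parameters are deliberately tiny and the cipher is a toy.
"""
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group (demo assumption only). 2**61 - 1 is a Mersenne
# prime; real protocols use X25519 or a 2048-bit+ MODP group.
P = 2**61 - 1
G = 2
NONCE_LEN = 12
TAG_LEN = 32


def gen_keypair():
    """Return (private, public) for DH in the toy group."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def shared_secret(my_priv, their_pub):
    """Classic DH: g**(ab) mod p from own private and peer public value."""
    return pow(their_pub, my_priv, P)


def derive_key(secret_int, label=b"session"):
    """Hash the DH output into a 32-byte key (stand-in for HKDF)."""
    return hashlib.sha256(label + secret_int.to_bytes(8, "big")).digest()


def _keystream(key, nonce, n):
    """Toy keystream: HMAC-SHA256(key, nonce || counter) blocks."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def seal(key, nonce, plaintext):
    """Encrypt-then-MAC with the toy stream cipher; returns ct || tag."""
    ct = _xor(plaintext, _keystream(key, nonce, len(plaintext)))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return ct + tag


def open_(key, nonce, sealed):
    """Verify the tag and decrypt; return None if the key is wrong."""
    ct, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    expected = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return _xor(ct, _keystream(key, nonce, len(ct)))


def session_static_only(alice, bob, plaintext):
    """No forward secrecy: the session key comes from the static keys alone.
    Returns (what an eavesdropper records, what Bob decrypts)."""
    a_priv, a_pub = alice
    b_priv, b_pub = bob
    nonce = secrets.token_bytes(NONCE_LEN)
    sealed = seal(derive_key(shared_secret(a_priv, b_pub)), nonce, plaintext)
    transcript = {"nonce": nonce, "sealed": sealed}
    return transcript, open_(derive_key(shared_secret(b_priv, a_pub)), nonce, sealed)


def session_with_pfs(alice, bob, plaintext):
    """Forward secrecy: fresh ephemeral DH pairs per session. Static keys only
    authenticate the ephemeral values (a toy MAC stands in for a signature),
    and the ephemeral private keys are deleted once the key is derived."""
    a_priv, a_pub = alice
    b_priv, b_pub = bob
    ea_priv, ea_pub = gen_keypair()
    eb_priv, eb_pub = gen_keypair()
    key = derive_key(shared_secret(ea_priv, eb_pub))
    bob_key = derive_key(shared_secret(eb_priv, ea_pub))
    del ea_priv, eb_priv  # nothing that can reproduce `key` survives the session
    auth_key = derive_key(shared_secret(a_priv, b_pub), b"auth")
    auth = hmac.new(auth_key, ea_pub.to_bytes(8, "big") + eb_pub.to_bytes(8, "big"),
                    hashlib.sha256).digest()
    nonce = secrets.token_bytes(NONCE_LEN)
    sealed = seal(key, nonce, plaintext)
    transcript = {"ea_pub": ea_pub, "eb_pub": eb_pub, "auth": auth,
                  "nonce": nonce, "sealed": sealed}
    return transcript, open_(bob_key, nonce, sealed)


def attacker_later_steals_bob_key(transcript, alice_pub, bob_priv):
    """Eavesdropper who recorded `transcript` and later obtains Bob's static
    private key. Derives the only key the static secret yields and tries it;
    returns the plaintext if that opens the recording, else None."""
    candidate = derive_key(shared_secret(bob_priv, alice_pub))
    return open_(candidate, transcript["nonce"], transcript["sealed"])


def demo():
    """Run both protocols on a constructed message and return what the
    attacker recovers from each: (plaintext, None) is the expected outcome."""
    alice, bob = gen_keypair(), gen_keypair()
    msg = b"meet at the usual place"  # constructed sample message
    static_transcript, _ = session_static_only(alice, bob, msg)
    pfs_transcript, _ = session_with_pfs(alice, bob, msg)
    return (attacker_later_steals_bob_key(static_transcript, alice[1], bob[0]),
            attacker_later_steals_bob_key(pfs_transcript, alice[1], bob[0]))
```

The point the scorecard question is getting at is visible in `attacker_later_steals_bob_key`: against the static-only session the stolen key reproduces the session key and the recording opens; against the PFS session the same key only lets the attacker recompute the authentication tag, because the session key depended on ephemeral secrets that no longer exist anywhere. In a real messenger the toy group is replaced by X25519 or a large MODP group and the toy MAC by a signature or an authenticated key agreement such as OTR's or TextSecure's.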
Which messaging technologies are truly safe & secure? See EFF’s 'Secure Messaging Scorecard' https://t.co/eBVIY9xgGB pic.twitter.com/sBeF0QquAx
— EFF (@EFF) November 4, 2014
Altogether, the seven points are designed to measure which services offer the best protection against government surveillance, criminal snooping and corporate data collection. That said, neither the EFF nor Kaspersky Daily is officially endorsing any of the following programs. The list merely indicates which applications are consistently following best practices.
The Gold Standard: Seven Checkmarks
The EFF reported that six applications met all seven criteria.
ChatSecure is a free and open source encrypted chat application for iPhone and Android. It is developed by the Guardian Project and meets each of the EFF's qualifications, but only when used in conjunction with Orbot, the Guardian Project's Tor proxy app for Android.
Cryptocat is an open source encrypted messaging service available as an extension for the Chrome, Firefox, Safari and Opera browsers, as well as a native app for Mac OS X and the iPhone. Cryptocat's developers were seeking funds over the summer to build an Android version and to add encrypted video chat.
Signal for iOS, and RedPhone and TextSecure for Android, are Open Whisper Systems' secure calling and texting apps. Each is free and open source and provides end-to-end encryption and secure local storage.
Silent Phone and Silent Text are Silent Circle's secure calling and messaging services. You have to pay for these services, but they are compatible with iOS and Android and work on the traditional desktop too. Silent Circle has also built its own secure smartphone, the Blackphone, running a modified Android operating system, and the company provides enterprise support for corporate clients.
Nearly Perfect: Six Checkmarks
Jitsi is an open source, encrypted audio and video Internet phone, instant messenger and desktop sharing application. It supports a number of popular messaging protocols, and when paired with the Guardian Project's secure calling service, Ostel, it missed only one of the EFF's marks: it has not been independently audited in the last year.
Mailvelope is a browser extension for sending encrypted email under the OpenPGP standard. The extension is preconfigured for compatibility with Yahoo, Gmail, Outlook and GMX. It would have joined the gold-standard group if only it offered perfect forward secrecy, a limitation inherent in OpenPGP email, where every message is encrypted to the recipient's long-term public key.
Adium's Off-the-Record (OTR) messaging for Mac and the OTR plugin for Pidgin on Windows add the OTR protocol to existing chat accounts. OTR is a cryptographic protocol that layers end-to-end encryption, authentication and forward secrecy over instant-messaging networks such as XMPP. Both are highly rated by the EFF, but neither has been audited independently in the last year.
RetroShare touts itself as an open source, cross-platform, decentralized communication service. Users can securely chat and share files and authenticate one another's real identities. However, like a number of others in the nearly perfect category, RetroShare has not been the subject of an external audit.
Subrosa is another end-to-end encrypted communications platform. It too would have received top marks if only it offered perfect forward secrecy, so that past communications would remain secure if a long-term cryptographic key became public.
Finally, we also wanted to give partial credit to the services that passed more than half of the EFF's questions. Apple's FaceTime and iMessage do pretty well on security best practices. iPGMail, PGP for Mac (GPGTools) and PGP for Windows (Gpg4win) are solid as well. The SureSpot encrypted messenger for iOS and Android passed with five checks, as did Telegram's cloud-based private messaging service and the end-to-end encrypted Threema messaging app.
Check in with us next week for a list of the poorly secured messaging services. You can read the EFF’s full report and see how your favorite chat service stacks up.