A Defensive Computing Checklist    by Michael Horowitz
NOTE: I gave a presentation on Defensive Computing at the HOPE conference in July 2022

SECURE ENCRYPTED MESSAGING

For messaging apps, End-to-End encryption is the top of the line. It is offered by Signal, Threema, Wire, Session, WhatsApp and others and is often abbreviated E2EE.

Note that there are limits to the protection offered by end-to-end encrypted apps. The app sending an E2EE message sees the message before encrypting it, so the app could save it, or send it or parts of it, in an insecure way. Just because messages are sent using end-to-end encryption does not mean that everything leaving the app is always and only sent that way. Likewise, the app that receives an E2EE message might save the message in an insecure manner.

Even if both the sending and receiving apps store messages securely, the app still needs to retrieve them, and if either device is seized, the messages probably can be read (there may be an app configuration setting for this). On mobile devices, messages can also leak if the sender's device was hacked, the recipient's device was hacked, or the recipient is simply not trustworthy and leaks messages, either on purpose or by accident. Even with messages that self-destruct, the recipient can take a picture of their screen showing a message.

Taking a step back, Android and iOS are probably not the best place for secure communication. On mobile devices, you can not see the end-to-end encryption, so you have to take it on faith. In contrast, with secure websites, the browser indicates when encryption is used and assorted websites can test and verify the encryption. Also, when looking at a website, you can tell what computer you are communicating with. In contrast, this is hidden when using mobile apps. On Android, someone could be tricked into installing a hacked app from outside the Play store. Even within the Play store, there may be multiple apps with the exact same name. A scam copy of an app can look exactly like the real thing and do what the real app does, but also leak messages.

PRODUCT COMPARISONS

  1. Website: Secure Messaging Apps Comparison by Mark Williams. A detailed evaluation of 13 secure messaging apps. Only 4 are recommended: Signal, Threema, Wire and Session. The last site update was October 2021, so it may no longer be maintained.
  2. Best WhatsApp alternatives that respect your privacy by Douglas Crawford of ProtonMail (Feb. 2021). An overview and comparison of Signal, Telegram, Threema, Wickr Me, Wire, Element and Keybase.
  3. Arguing against three products: How WhatsApp, Signal & Co Threaten Privacy from TU Darmstadt University (Sept 2020). Researchers performed crawling attacks on WhatsApp, Signal, and Telegram. Maybe not the best choices. Quoting: " ... very few users change the default privacy settings, which for most messengers are not privacy-friendly at all." The Telegram contact discovery service exposes sensitive information even about owners of phone numbers who are not registered with the service. More here.
  4. On the Feb. 21, 2020 episode of his Privacy, Security, & OSINT podcast, Michael Bazzell recommended Wickr over Wire and Signal. For Signal, he suggested using it with a Google Voice number that is only used with Signal. He did not look into Threema.

SIGNAL

Amongst techies, Signal is well regarded for security and encryption. It fails, however, on anonymity. It is worshiped like a religion despite using phone numbers as Signal userids. It can be critically important to hide who you communicate with, and Signal does not do this. This strikes me as a classic nerd mistake: to focus on technology (encryption in this case) and ignore the human need to be anonymous.

This Oct. 2021 blog by Yael Grauer How To Use Signal Without Giving Out Your Phone Number Using a Chromebook and an Old Phone points out many of the problems with the Signal app. Her solution is ridiculous and it too shows why Signal is a poor choice. Others have written the same article: Using Signal Without Giving Your Phone Number by Martin Shelton on Medium (Sept 2017) and How to Use Signal Without Giving Out Your Phone Number: A Gendered Security Issue by Jillian York for Vice (Aug 2017) and How to use Signal without giving out your phone number by Micah Lee for The Intercept (Sept 2017). All these articles are about hiding your main phone number. That is not the same as being anonymous. Not at all.

Other problems with Signal: you can not put the same account on two phones, so all your eggs are in one basket; it supports disappearing messages, but this has to be configured separately for each person you communicate with; and there is no access to the service through a web browser.

If you do use Signal, there are quite a few dos and don'ts. This May 2017 article by Micah Lee is a good guide: How to keep your chats truly private with Signal.

This article, by Vladimir Katalov of Elcomsoft, shows the security is not perfect: How to Extract and Decrypt Signal Conversation History from the iPhone. The article is from August 2019, perhaps things have changed? I don't know.

FYI: Two Signal accounts on one device: There is an Android app called Molly that is a fork of Signal. On the September 16, 2022 episode of his Privacy, Security & OSINT podcast, Michael Bazzell discussed how he uses it so that there can be two different Signal accounts on the same Android device. Molly is not in the Play Store and even installing it from F-Droid is not standard. On Linux, he uses SNAP to have multiple copies of Signal and multiple independent Signal accounts on the same copy of Linux. On macOS, the regular and Beta copies of Signal are separate, so installing each lets you have two Signal accounts on a single copy of macOS.

In August 2022, Twilio was hacked, and Signal depends on Twilio to validate phone numbers. See Signal's account of the incident: Twilio Incident: What Signal Users Need to Know. Phone numbers of roughly 1,900 Signal users were exposed to the Twilio breach attacker, who could have attempted to register them to another device. One solution is to turn on a Signal PIN and enable Registration Lock. I read the doc and have no idea what this is or does. I have to wonder if Signal is too big and complicated for non techies to use safely. As for a checklist, in Signal do: Settings -> Account -> Registration Lock and verify that it is enabled.

Finally, the Signal website is miserable to useless for a newbie to the software. I see this sort of thing all the time, experts can not understand the perspective of someone new to the subject. When experts write documentation, we get a cheat sheet for experts. We do not get anything that helps a newbie get up to speed.

WHATSAPP

I don't use WhatsApp, so all I can offer are links. That said, WhatsApp is owned by Facebook which should never be trusted. Messages are end-to-end encrypted by default. Your userid is your phone number. It supports disappearing chats.

From I Accidentally Hacked a Peruvian Crime Ring by Albert Fox Cahn for Wired (Dec 2021). The article makes a strong case for securing an account with an optional PIN or two factor authentication. And, despite the WhatsApp end-to-end encryption, Facebook knows who your contacts are, what groups you belong to, and when and to whom you send messages. Quoting: "With a simple subpoena ... they can get much of your account information. With a full warrant, the platforms can provide records on every aspect of your digital network (apart from the message itself). They can record who we communicate with, how often, the groups we're part of, and the identity of every member, along with your full contacts list. Even worse, WhatsApp can do this in nearly real time, transforming a 'privacy-protective platform' into a government tracking tool."

Private WhatsApp groups are not very private. See Google Is Letting People Find Invites to Some Private WhatsApp Groups by Joseph Cox of Vice (Feb 2020).

September 2022: WhatsApp will soon let users hide their online status from their friends. From: Some lucky WhatsApp users can now hide their online status by Chandraveer Mathur for Android Police.

How to minimise targeted ads on social media: WhatsApp from Privacy International (May 2019)

Upgrading WhatsApp Security by Martin Shelton on Medium (Feb. 2017)

You are safer when WhatsApp does not automatically download stuff (pictures, audio, video, documents) because you never know if the file is malicious. To prevent automatic downloads:

  1. iPhone: Configuring auto-download from WhatsApp. By default, it automatically downloads images over a cellular connection. Audio and video will automatically download on Wi-Fi. To change this: WhatsApp -> Settings -> Data and Storage Usage. Tap on photos, audio, videos and documents and choose Never, Wi-Fi, or Wi-Fi and Cellular.
  2. Android: Configuring auto-download from WhatsApp. By default, it automatically downloads images over your cellular connection. Other types of files? Doesn't say. To configure: WhatsApp -> More options -> Settings -> Data and storage usage -> Media auto-download. There is no Never option; instead you have to uncheck a bunch of checkboxes as per the video.

BRIEF SUMMARY OF OTHER MESSAGING APPS

A BETTER ALTERNATIVE

One problem with any secure app on a mobile operating system is the operating system itself. Cellphones are spy machines. I think the best security has to reside on a different OS. Another problem with all of the above options is that they require software to be installed and learned. For many non techies, this can be too much to deal with.

My suggestion for secure communication is to use plain old simple boring webmail. Anyone can use webmail, even non techies. But not all webmail, of course, just webmail between two users of the same secure email provider. Two good choices would be ProtonMail and Tutanota; there are probably others.

I am out of step here with every techie in the world.

Neither ProtonMail nor Tutanota can read messages sent between their customers. Both offer free and anonymous accounts. Using webmail means that the browser can prove that encryption is being used. Webmail can also be used on a Chromebook running in Guest mode. Guest mode offers a virgin OS, with no information about you at all, and it is guaranteed to leave no trace of your actions. Guest mode ensures the only running software is the Chrome browser. It can not be infected with malware.

With ProtonMail, the world can see the FROM and TO address of emails between two ProtonMail users. Since these can be anonymous, no big deal. The world can also see the subject line and the name of any attached file. Forewarned is forearmed. The world can not see the body of emails or the contents of attached files. Not just the world, the Proton company itself has no access.

When it comes to erasing messages after you send them, a Chromebook in Guest Mode is your best bet. Guest Mode erases everything when you log out. Everything. At the operating system level. There is no need to worry about how and where sent/received messages are saved. If a Chromebook is seized by law enforcement, there is nothing on the computer to indicate that webmail was used.

The secure Email company knows the public IP address that you connect to their service from. If they were compelled, they might have to provide this information to law enforcement. There are three defenses: use a VPN, use Tor, or never connect from a place associated with you (home and office, obviously). This needs to be done when creating an account too. If you pay for a VPN, then the VPN provider knows who you are. To combat this, use a free limited account from ProtonVPN or Windscribe or Tunnelbear or another company. Or, pay for the VPN in cash or with a gift card. Or, have someone else pay for the VPN service.

This page: Created: August 15, 2022. Last Updated: September 19, 2022.
Website by Michael Horowitz (@defensivecomput). Copyright 2019 - 2022