SECURE ENCRYPTED MESSSAGING
For messaging apps, End-to-End encryption is the top of the line. It is offered by Signal, Threema, Wire, Session, WhatsApp and others and is often abbreviated E2EE.
Note that there are limits to the protection offered by end-to-end encrypted apps. The app sending an E2EE message sees the message before encrypting it, so the app could save it or send it or send parts of it in an insecure way. Because messages are sent using end-to-end encryption, does not mean that everything leaving the app is always and only sent that way. Likewise, the app that receives an E2EE message might save the message in an insecure manner.
Even if both the sending and receiving app store messages securely, the app still needs to retrieve messages and if either device is seized, the messages probably can be read (there may be an app configuration setting for this). On mobile devices, messages can also leak if the sender's device was hacked, the recipient's device was hacked or the recipient is simply not trustworthy and leaks messages, either on purpose or by accident. Even with messages that self-destruct, the recipient can take a picture of their screen showing a message.
Taking a step back, Android and iOS are probably not the best place for secure communication. On mobile devices, you can not see the end to end encryption, so you have to take it on faith. In contrast, with secure websites, the browser indicates when encryption is used and assorted websites can test and verify the encryption. Also, when looking at a website, you can tell what computer you are communicating with. In contrast, this is hidden when using mobile apps. On Android, someone could be tricked into installing a hacked app from outside the Play store. Even within the Play store, there may be multiple apps with the exact same name. A scam copy of an app can look exactly like the real thing, do what the real app does, but, also leak messages.
PRODUCT COMPARISONS
SIGNAL
Amongst techies, Signal is well regarded for security and encryption. It fails, however, on anonymity, something no one cared about for years and years. Beats me why. Signal is worshiped like a religion despite using phone numbers as userids. It can be critically important to hide who you communicate with and Signal does not do this. This strikes mes as a classic nerd mistake, to focus on technology (encryption in this case) and ignore the human need to be anonymous.
November 8, 2023: Can you teach an old dog news tricks? Signal tests usernames that keep your phone number private by Sergiu Gatlan for Bleeping Computer. Yes and No, seems to be the answer. Signal has a setup an all new test environment for supporting usernames. However, you have to sign up for a new account in their test environment using a phone number and the option to hide your phone number is OFF by default. The feature seems to be a long way off.
I don’t trust Signal by Jan Harasym (June 18, 2020). The author makes a lot of very good arguments. Perhaps the most striking to me was about open source software. Yes, Signal is open source ... in some respects. But not in all respects and probably not the way people assume. Of course, there is the issue of phone numbers. He also points out that the way Signal encrypts your contact list is poor. And, he makes the same observation that I do, that support for Signal seems like a cult. His term is that there is too much support for it. We saw nerd cult behavior with OpenVPN which was the greatest flavor of VPN ... until WireGuard came out, at which point we finally started to hear bad things about OpenVPN. Quoting the blog: "... I am not saying Signal does anything bad, I am really just saying that they could do harm; and the only thing that says they won't is 'trust me' ... I don't think any individual issue I’ve mentioned here is a dealbreaker, and most in isolation can be argued away. For me, though, in the larger context ... I can't really say that I have full faith in Signal. It's fine for me as an insecure messenger, but the user experience is just worse than other insecure messengers. I don't personally have any reason to trust it more than Telegram; other than that people get mad when you say that. Which, is incredibly unconvincing."
This Oct. 2021 blog by Yael Grauer How To Use Signal Without Giving Out Your Phone Number Using a Chromebook and an Old Phone points out many of the problems with the Signal app. Her solution is ridiculous and it too shows why Signal is a poor choice. Others have written the same article: Using Signal Without Giving Your Phone Number by Martin Shelton on Medium (Sept 2017) and How to Use Signal Without Giving Out Your Phone Number: A Gendered Security Issue by Jillian York for Vice (Aug 2017) and How to use Signal without giving out your phone number by Micah Lee for The Intercept (Sept 2017). All these articles are about hiding your main phone number. That is not the same as being anonymous. Not at all.
Other problems with Signal: you can not put the same account on two phones so all your eggs are in one basket, it supports disappearing messages but this has to be configured separately for each person you communicate with and there is no access to the service through a web browser.
If you do use Signal, there are quite a few dos and don'ts. This May 2017 article by Micah Lee is a good guide: How to keep your chats truly private with Signal.
This article, by Vladimir Katalov of Elcomsoft, shows the security is not perfect: How to Extract and Decrypt Signal Conversation History from the iPhone. The article is from August 2019, perhaps things have changed? I don't know.
You are probably safer in you disable the option to generate a link preview in the settings under chats.
FYI: Two Signal accounts on one device: There is an Android app called Molly that is a fork of Signal. On the September 16, 2022 episode of his Privacy, Security & OSINT podcast, Michael Bazzell discussed how he uses it so that there can be two different signal accounts on the same Android device. Molly is not in the Play Store and even installing it from F-Droid is not standard. On Linux, he uses SNAP to have multiple copies of Signal and multiple interdependent Signal accounts on the same copy of Linux. On macOS, the regular and Beta copies of Signal are separate, so installing each lets you have two Signal accounts on a single copy of macOS.
In August 2022, Twilio was hacked and Signal depends on Twilio to validate phone numbers. See their account: Twilio Incident: What Signal Users Need to Know of the incident. Phone numbers of roughly 1,900 Signal users were exposed to the Twilio breach attacker, who could have attempted to register them to another device. One solution is to on a Signal PIN and enable Register Lock. I read the doc and have no idea what this is or does. I have to wonder if Signal is too big and complicated for non techies to use safely. As for a checklist, in Signal do: Settings -> Account -> Registration Lock and verify that it is enabled.
In October 2022, Graphene OS tweeted about why they do not include Signal in their operating system (a clone of Android without anything from Google included). On a technical level, their points are over my head, except for the fact that Signal is dropping support for SMS/MMS. Even without fully understanding it, they make the point that Signal is far from perfect. Quoting "Signal is now dropping support for SMS/MMS. They also don't care much about keeping their dependencies patched, reducing attack surface or internal sandboxing. It would be an issue for GrapheneOS ... They've made many decisions we disagree with including replacing registration lock PIN with a sync PIN, depending on SGX for security, using SGX as a replacement for the previous private contact discovery and making the secure local backup system in the Android app less useful."
Finally, the Signal website is miserable to useless for a newbie to the software. I see this sort of thing all the time, experts can not understand the perspective of someone new to the subject. When experts write documentation, we get a cheat sheet for experts. We do not get anything that helps a newbie get up to speed.
INTRO: WhatsApp is owned by Facebook which should never be trusted. WhatsApp messages are end-to-end encrypted by default. It supports disappearing chats.
June 2023: Best WhatsApp alternatives for privacy by Douglas Crawford of Proton. This article exists because WhatsApp changed its privacy policy in 2021, and it now shares its users' metadata and transactional data with Facebook/Meta.
Your WhatsApp userid is your cell phone number. The service is unusable without a functioning mobile number, and you cannot hide your number from your WhatsApp contacts. If you swap the SIM card on your phone, and thus start using a new number, will have to change the number associated with your WhatsApp account.
October 2023: Getting bad vibes from a group? Here are 3 options
To limit who can add you to groups and who can see information, such as your status and personal information, go to Settings -> Account -> Privacy
April 13, 2023: A blog from WhatsApp about three upcoming security features: New Security Features: Account Protect, Device Verification, Automatic Security Codes. End-to-end encryption alone is not enough to protect you from account hijacking, device malware, or impersonation.
January 19, 2023: Whatsapp accounts are being hacked using the phone number. If the voicemail system for your Whatsapp phone number uses a default pin code, you are at risk. This from a twitter thread by @ihackbanme. In brief:
You're sleeping. A bad guy tries to login to your account via WhatsApp.
You get a text message with a pincode
The attacker clicks on the option that the SMS didn't arrive and asks for a verification by phone.
WhatsApp calls you. You're sleeping. It goes to Voicemail.
The voicemail stores the automated voice with the pincode
The attackers check your voicemail by trying the default pincode which may be the last four digits of your cellphone number
Then they can log in to YOUR WhatsApp.
After getting in, bad guys setup a 2FA pincode that prevents you from logging back in
November 26, 2022: WhatsApp data leak: 500 million user records for sale by Jurgita Lapienytė for Cybernews. Someone is selling up-to-date mobile phone numbers of nearly 500 million WhatsApp users. A data sample investigated by Cybernews likely confirms this to be true. It is not known how the data was obtained.
Defenses that I read about:
--Beware of unknown numbers trying to message you or call you on WhatsApp
--If you get a message from an unknown WhatsApp number, block the number and do not click on any links in the message
--Configuration suggestions: Settings -> Privacy. Change "last seen and online" and "profile photo" and "about" to "contacts only"
How to Use WhatsApp Privacy Settings by Yael Grauer for Consumer Reports. Published January 8, 2021. Last Updated August 16, 2022.
Despite the end-to-end message encryption ... "when you use the app, you may be sharing more information than you realize with your contacts, anyone else with your phone number, and parent company Meta, which also owns Facebook and Instagram." Very long article. Some of the topics covered:
WhatsApp can make encrypted backups. See this feature description from WhatsApp: About end-to-end encrypted backup (undated)
From I Accidentally Hacked a Peruvian Crime Ring by Albert Fox Cahn for Wired (Dec 2021). The article makes a strong case for securing an account with an optional PIN or two factor authentication. And, despite the WhatsApp end-to-end encryption, Facebook knows who your contacts are, what groups you belong to, and when and to whom you send messages. Quoting: "With a simple subpoena ... they can get much of your account information. With a full warrant, the platforms can provide records on every aspect of your digital network (apart from the message itself). They can record who we communicate with, how often, the groups we're part of, and the identity of every member, along with your full contacts list. Even worse, WhatsApp can do this in nearly real time, transforming a 'privacy-protective platform' into a government tracking tool."
September 2022: WhatsApp will soon let users hide their online status from their friends. From: Some lucky WhatsApp users can now hide their online status by Chandraveer Mathur for Android Police.
Private WhatsApp groups are not very private. See Google Is Letting People Find Invites to Some Private WhatsApp Groups by Joseph Cox of Vice (Feb 2020)
How to minimise targeted ads on social media: WhatsApp from Privacy International (May 2019)
Upgrading WhatsApp Security by Martin Shelton on Medium (Feb. 2017)
You are safer when WhatsApp does not automatically download stuff (pictures, audio, video, documents) because you never know if the file is malicious. To prevent automatic downloads:
Articles from WhatsApp about Privacy and Security. None are dated.
THREEMA
From my research, Threema seems to be the best encrypted communication app. Steve Gibson, of the Security Now podcast, prefers it. The Mozilla foundation gave Threema an excellent rating on their Privacy Not Included website where they considered it a Best Of product. Sven Taylor of Restore Privacy also liked it. The app is developed in Switzerland, and has more than 10 million users, including the Swiss government and the Swiss army. It has passed two independent security audits.
Threema does text and voice messages, voice and video calls, groups, distribution lists and file sharing. Users are identified in the system with a randomly generated 8-digit Threema ID. Users must create a username and password to log into the app. Optionally, users can link their Threema account to an email address or a phone number and give it access to their contacts. Again, this is optional. The mobile app costs $5 in the US, a one-time charge. There is a version for Windows, macOS and Linux, but the mobile app is still required. There is also a web interface, but it too requires the mobile app.
January 10, 2023. Messenger billed as better than Signal is riddled with vulnerabilities by Dan Goodin for Ars Technica. Academic researchers examined Threema and found 7 vulnerabilities. They privately told Threema about this and some/most of the problems were fixed. Is secure enough in January 2023? I don't know, I need to find an independent expert. Quoting: "Matteo Scarlata and Kien Tuong Truong, two of the ETH researchers who co-authored the paper, said that all the flaws stem from a single trait: the use of a custom protocol rather than an established one that has stood the test of time." The researchers also said "... that a company whose main product is based on cryptography, should always have a cryptographer at hand to assess its security and to propose already-existing protocols when possible, for example the battle-tested TLS instead of creating their bespoke client-to-server protocol". In Threema's response they claimed the bugs were in an old outdated protocol. They failed to say that it was only old because it was revised based on this recent research.
From the Privacy Not Included website of Mozilla: Threema Reviewed on Sept. 8, 2021. Quoting: "Threema is one of the best privacy-focused messaging apps we have seen, with its end-to-end encryption, no phone number required to sign up, and its commitment to not collect user data. "
GOOGLE ANDROID MESSAGES
Under the right conditions, messages sent with the Google Messaging app on Android are fully encrypted.
The first condition is that you must be using the Messages by Google app, not a messaging app from the hardware vendor or from your cell service provider. Then too, all participants must have the RCS option enabled (see Turn on RCS chats in Messages). When messages are encrypted, a padlock icon will appear inside the send button and timestamps. This feature was added to group chats around August 2023. For more see messages.google.com.
FACEBOOK MESSENGER
Not end-to-end encrypted by default, but it can be enabled. It might be called Vanish Mode or a "secret conversation". Encrypted conversations are not available on the Facebook website.
June 27, 2023: Meta is rolling out new parental control tools for Instagram and Messenger by Ivan Mehta for Techcrunch. The new system pre-emptively blocks unwanted DMs on Messenger and Instagram, and nudges teens to take a periodic break. See it at the Meta Family Center.
January 2023: Facebook/Meta is planning to add more users to the end-to-end (read, fully) encrypted version of Facebook Messenger over the next few months. Users will be chosen at random and notified by Facebook. The fully encrypted version of Messenger now supports link previews, chat themes, user active status, and Android floating bubble mode. More.
In August 2022, Facebook turned over their badly encrypted chat logs to the police who arrested a teenager for getting an abortion. See This Is the Data Facebook Gave Police to Prosecute a Teenager for Abortion by Jason Koebler and Anna Merlan of Motherboard. Just after this s--- hit the proverbial fan, Facebook started testing end-to-end encryption for certain Messenger chats. I don't know how they define "certain" Here is their press release about this. Do not trust Facebook.
APPLE IMESSAGE
iMessages are end to end encrypted between Apple users. Blue messages are encrypted, green are not.
iMessage supports group chats.
Encrypted chats can be backed up to iCloud, where all bets are off. Apple gives your iCloud data to assorted government agencies as the law requires. Consider disabling iCloud backups and checking that it remains disabled as iOS is upgraded to new versions.
Apple says they can not read encrypted iMessages and we are supposed to assume that this means no one can. That is not necessarily true. Apple can add a government agency to an existing chat. In this case, Apple can not read anything, but the government agency can.
Focusing on encryption is relatively easily, verifying the identity of the person you are communicating with is a whole other thing, complicated by the fact that one person can use multiple iOS devices. iOS 17.2 is scheduled to have a new optional feature, called Contact Key Verification, that improves this identity verification. Bad news: How it works is complicated both at the technical level and at the user interface level. After reading about it, I was lost. Good news: This is not intended for everyone to use. It solves a problem that only people with significant reason to believe that spies or governments want to compromise their communications.
From this article: Upcoming Contact Key Verification Feature Promises Secure Identity Verification for iMessage by Glenn Fleishman for Tidbits (Nov. 8, 2023). "Apple relies on increasingly outdated notions of end-to-end security for your messages with other people. While the company has regularly applied fixes to iMessage and its Messages apps to improve security and privacy, it hasn’t kept up with industry lessons and innovations."
One part of this system that I did understand is that the identity verification has to occur outside of Apple's world, which is good. Quoting the above article: "... you want a separate out-of-band pathway that can’t be subverted. Security experts typically recommend you do this in person or by secure end-to-end video where you can see each other (FaceTime, or Zoom with its end-to-end option enabled). You should also be able to rely on a non-secured voice call, but you may want to have established some answers or code words to eliminate the possibility of an attacker using an AI voicebot to fool you - with a sufficient sample of the target’s speech, they're pretty good."
BRIEF SUMMARY OF OTHER MESSAGING APPS
A BETTER ALTERNATIVE
One problem with any app on a mobile operating system is the operating system itself. Cellphones are spying machines. I think the best security has to reside on a different OS. One aspect of this is that the end user can not see the encryption. With a web browser, there is a lock icon that insures data is encrypted in transit. There is nothing like this with mobile apps. Another aspect is Location tracking. Mobile Operating Systems really want to track their location. Some people know how to deal with this, but many do not.
Another problem with the above Secure messaging apps is that they require software to be installed and learned. For many non techies, this can be too much to deal with.
My suggestion for secure communication is to use plain old simple boring webmail. Anyone can use webmail, even non techies. But not all webmail, of course, just webmail between two users of the same secure email provider. Two good choices would be ProtonMail and Tutanota, there are probably others.
I am out of step here with every techie in the world.
Neither ProtonMail nor Tutanota can read messages sent between their customers. Both offer free and anonymous accounts. Using webmail means that the browser can prove that encryption is being used. Webmail can also be used on a Chromebook running in Guest mode. Guest mode offers a virgin OS, with no information about you at all, and it is guaranteed to leave no trace of your actions. Guest mode insures the only running software is the Chrome browser. It can not be infected with malware.
With ProtonMail, the world can see the FROM and TO address of emails between two ProtonMail users. Since these can be anonymous, no big deal. The world can also see the subject line and the name of any attached file. Forewarned is forearmed. The world can not see the body of emails or the contents of attached files. Not just the world, the Proton company itself has no access.
FYI: ProtonMail includes protection from Homograph attacks and Enhanced tracking protection.
When it comes to erasing messages after you send them, a Chromebook in Guest Mode is your best bet. Guest Mode erases everything when you log out. Everything. At the operating system level. There is no need to worry about how and where sent/received messages are saved. If a Chromebook is seized by law enforcement, there is nothing on the computer to indicate that webmail was used.
The secure Email company knows the pubic IP address that you connect to their service from. If they were compelled, they might have to provide this information to law enforcement. There are three defenses: use a VPN, use Tor or never connect from a place associated with you (home and office, obviously). This needs to be done when creating an account too. If you pay for a VPN, then the VPN provider knows who you are. To combat this, use a free limited account from ProtonVPN or Windscribe or Tunnelbear or another company. Or, pay for the VPN in cash or with a gift card. Or, have someone else pay for the VPN service.
This page: 7 views per day (over 474 days) Total views: 3,515 Created: August 15, 2022 |
This Page Last Updated November 27, 2023 | Site Page Views TOTAL 737,633 | Site Page Views TODAY 227 | Previous Website View 13 seconds ago |
Website by Michael Horowitz @defensivecomput |
top |
Website Average Daily Page Views: November 2023: 687
See the
website change log
|