The state of secure/encrypted and easy-to-use messaging software

So there were the Snowden revelations. The NSA was being very bad, the USA was being very bad, everyone on the planet was having his e-mails and communications intercepted, analysed and spied on.

Some people around the world started to feel very angry about that, and some started to work on solutions to protect private communications, well, private.

The problem is it’s been quite a while now, and I just feel we’ve been hit by a wave of news about new software bringing this security, safety, encryption and everything you want, except most of these projects are either still in pre-alpha (and therefore unusable), or impossible to audit because they are not open-source, or not really secure after all.

Examples include:

  • Telegram
  • Cryptocat
  • Bitmessage
  • TextSecure/RedPhone/Signal
  • … (please add the ones you know to the list)

Building software is not extremely complicated. Building secure software that you can really call secure is a different thing, because you step from the “tech hacker/tinkerer” world to the “mathematics/cryptography” world. As a friend of mine was saying, it’s extremely hard to test cryptographic processes because the point of those processes is to make it impossible to get back the original data!

I’m now using a computer at home, a computer at work and a smartphone in between. I would like to find a system that allows me to keep in touch with people (or groups of people) in a seamless way while being sure that the messages I’m sending are encrypted the way I’m told they are.

What do you people think about this?

I’m using Telegram to talk to friends. There have been complaints that it’s not totally secure, that it’s not as perfect as it should be, and so on, but I think that it’s certainly better than the non-secure alternatives, and they’ve done a good job of making an open API, allowing third party clients, and providing an app for my Ubuntu desktop and my iPhone, and those apps are really nice – well designed, well put together, robust, pretty, and easy to use.

Thanks for the quick feedback. I didn’t know there were desktop clients (I mean, I heard about the CLI version a while back but I thought it stopped there). Did you try the group function? Does it work well?

Haven’t tried groups, I’m afraid!

Silly question sil, but to use Telegram, your friends have to have it also, or it’s one way communication?

From the Telegram FAQ

Q: What is Telegram? What do I do here?

Telegram is like SMS and email combined — fast, versatile and powerful. You can send messages, photos, videos and files of any type (doc, zip, mp3, etc) to people who are in your phone contacts and have Telegram. You can also create groups for up to 200 people. With Telegram you can do all of this on any number of your devices, both mobile and desktop.

Your friends need it as well. It’s basically the same as WhatsApp or Viber or similar things, except that they focus on security. (As noted, not everyone thinks they succeeded.)

A friend and I have been using OTR to encrypt chat. Supposedly, our conversation is encrypted end-to-end. I can see in the gchat logs that the only thing Google gets to see is encrypted messages.

One downside to this approach is the key exchange isn’t super secure unless you go through the trouble of exchanging keys face-to-face or via some more secure method.

Pidgin/Adium handle OTR very well, but their implementations are slightly different.

Are there OTR-capable apps for many platforms? One of the things I’ve very much liked about Telegram is that they have a desktop and a mobile app for me and for my friends (Ubuntu, Mac, Windows, iOS, Android) and a web app meaning that whichever platform I use I’ll be able to have Telegram. Power of an open API, eh, WhatsApp?

1 Like

I’ve only used it as a plugin to Adium, but IM+ supposedly supports OTR.

Yes I’ve tried OTR with Pidgin, but honestly the key management is too much of a hassle… I do it with the one super nerdy friend using Tor all the time, but I wouldn’t ask others to use it. Moreover, OTR does not support group chats if I’m not wrong.

Mark Atwood got me to install TextSecure on my work phone (a Galaxy S2 running CyanogenMod) so he could send me messages when we were in Atlanta for the OpenStack conf. I had no end of problems with it, starting with the fact that halfway through a conversation TextSecure on my phone got stuck saying it was decrypting message. I can’t remember if I had to reboot the phone or uninstall/reinstall the app to fix this, but it kinda put me off. Add to that the fact it tries to take over as the regular SMS app but doesn’t have all the features of the stock CyanogenMod one I use. By the time I came home again the app was removed.

Many of these kinds of apps require a data connection, which is fine for most of the US cities (good luck getting a slot to get any data in JFK airport, I’ve never been able to even with full signal), but in the UK cell coverage is not always great. Out here my work phone (Vodafone) only has a 2G signal, the nearest 3G antenna is well over 20 miles away. I have 3G on my personal phone here (LTE coming in a couple of years) but there are blackspots where I don’t get a data connection. In all these cases SMS would work, but apps like TextSecure won’t work so well.

Don’t get me wrong, secure chat is great. But until things like cell networks catch up I’ll stick to SMS with my wife about buying milk and encrypted email when I need secure things.

The problem about secure messaging is that there’s no standard yet. I really hope for a standardized secure and company-independent protocol with open and well tested back end. One good approach would be using email with PGP, it just needs different clients that show conversations as chat.
Until now I’m stuck with WhatsApp. I don’t even know one single friend of mine who is using an alternative.

The thing is, it needs to be simple too. This is the issue with email and PGP - it is a pain to set up and requires some learning. For a truly ubiquitous secure messaging solution to work it needs to be as simple as using GChat/WhatsApp etc.

Sure but it’s possible to automatically generate a public/private key pair on first use of the service and upload the public key to a server. That’s everything needed or am I missing something?
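
The question above about generating a key pair automatically and uploading the public key to a server, and the earlier remark that OTR key exchange is only as secure as the way the keys were exchanged, both turn on one check: is the key the server hands you really your contact's? The following Python example is added here (it is not part of the thread or any app's code) and shows key pinning plus out-of-band fingerprint comparison; the dict used as the key server, the `Client` class and the random bytes standing in for public keys are assumptions for illustration.

```python
import hashlib
import os

def fingerprint(public_key: bytes) -> str:
    """First 128 bits of SHA-256 over the key, grouped for reading aloud."""
    digest = hashlib.sha256(public_key).hexdigest()[:32].upper()
    return " ".join(digest[i:i + 4] for i in range(0, 32, 4))

class Client:
    """Pins the first key seen per contact and flags any later change."""

    def __init__(self, directory: dict):
        # Hypothetical key server modelled as a dict: whoever controls it
        # decides which key a lookup returns.
        self.directory = directory
        self.pins = {}          # contact -> first public key seen
        self.verified = set()   # contacts confirmed out of band

    def check_contact(self, contact: str) -> str:
        key = self.directory[contact]
        pinned = self.pins.setdefault(contact, key)
        if pinned != key:
            return "key-changed"
        return "verified" if contact in self.verified else "unverified"

    def confirm_fingerprint(self, contact: str, spoken: str) -> bool:
        # 'spoken' is the fingerprint the contact read out in person.
        ok = contact in self.pins and fingerprint(self.pins[contact]) == spoken
        if ok:
            self.verified.add(contact)
        return ok

def demo() -> dict:
    # Constructed sample: random bytes stand in for real public keys.
    alice_key, carol_key, rogue_key = (os.urandom(32) for _ in range(3))
    directory = {"alice": alice_key,
                 "carol": rogue_key}   # swapped before anyone looked it up
    bob = Client(directory)
    result = {"first_contact": bob.check_contact("alice")}
    result["alice_confirmed"] = bob.confirm_fingerprint("alice", fingerprint(alice_key))
    result["after_confirm"] = bob.check_contact("alice")
    directory["alice"] = rogue_key     # key replaced on the server later
    result["after_swap"] = bob.check_contact("alice")
    bob.check_contact("carol")         # pinning alone accepts the swapped key
    result["carol_confirmed"] = bob.confirm_fingerprint("carol", fingerprint(carol_key))
    return result

if __name__ == "__main__":
    print(demo())
```

Pinning catches a key that changes after first contact; only the fingerprint comparison catches a key that was wrong from the start.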

That’s exactly why I like Telegram.

1 Like

I haven’t tested the group chat feature yet, but there is already something missing in the desktop version of Telegram: Secret chats. This is one of the only features that differ from WhatsApp… Secret chat means the messages are never stored on the server AND can be deleted from the devices after a given time.

This is not implemented in the desktop version yet, unfortunately…

Hm, so it is. That’s disappointing; I haven’t used the secret chat stuff (which is what you need if you’re to be secure from the Telegram team themselves), but I just assumed it was available on desktop as well as phone, and it’s only in the mobile versions (and apparently in the unofficial OS X desktop client).

What happened to Darkmail?

There is also Protonmail that is quite good as an encrypted email service, but yeah I totally agree.

  • One of the problems in my opinion is that most alternatives advertise as hardcore secure, and make you look like a crypto-nerd-anarchist when using it. So it’s super hard to convince your friends to make the switch.
    That blackphone ad is pretty representative in my opinion.
  • Also, in the long run there is a question of the business model. Since you don’t make money from the data, I am not sure that so many people would pay for a service they could have for free.
    Telegram only exists because Pavel Durov has decided to pay for the development and servers.

  • To reach mass adoption you should compete on security but also on user experience, and that last part is pretty hard, especially when competing with companies that have billions of dollars.