Bitcoin Forum
November 09, 2024, 10:24:21 PM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1] 2 »  All
  Print  
Author Topic: Secure messengers: are there any?  (Read 1956 times)
hodlbananas (OP)
Member
**
Offline Offline

Activity: 72
Merit: 10


View Profile
July 20, 2015, 09:32:00 PM
 #1

Hey guys, I'd like to bring up a question of finding a secure, fast and easy to use messenger application. Since cryptocommunity is based pretty heavily on privacy, decentralization, etc. I thought this is a good place to talk about that.

Among reports on NSA's surveillance practices, iCloud leaks, "The Snappening" et al. I've started searching for a way to communicate with people online in full privacy, without the risks of my messages and/or media files being read/seen by anyone for whom they are not intended.

Here's what I got:

1. WhatsApp and its direct counterparts: Viber, FB messenger, Skype, and the rest - just your average, very popular messenger app.

Completely out of the question. Anything that doesn't state security as one of its competitive advantages (like Telegram does, for example - more on that one later) can't be relied on, despite some preemptive measures that they're taking. It just doesn't matter how good an app is at encrypting messages, if the NSA are free to tap into the communications unobstructed - which Skype and FB have voluntarily agreed to: they're both part of the PRISM project. There's basically no telling if Whatsapp or Viber or any similar service won't do that too.

2. More security-oriented, sorta underground apps: Telegram, Cryptocat, RedPhone, TextSecure, etc.

All these seem to suffer from one or another inconvenience problem. Cryptocat has no functions, other than messaging texts, and you also have to transfer the chat names to people in person, if you want to really ensure the security. RedPhone only supports voice calls. TextSecure seems to lack such glaring issues and is pretty covenient, but it suffers from one problem, which is native to this category of messengers: the lack of people using them. A messaging app is only as useful as are people that are using it, so if it's so underground that none of your friends/colleagues/etc. use it, then you can't use it as well, no matter how secure it is.

The only messenger from this category that is relatively free from the problems of both convenience and popularity, is Telegram, which has all the features that you expect from a regular app and, I'd say, is somewhere in between underground and mainstream at the moment. It also has a special feature - secret chats, that is specifically tailored for secure conversations.

Ultimately, Telegram may very well be the best option at the current moment, but as its userbase grows, it can attract more attention from the government agencies, and ultimately suffer the same fate as Skype and FB - its encryption may be end-to-end, but the app itself isn't peer-to-peer, which means that it has centralized servers and people running those servers. And where there are people in charge, one cannot be 100% sure about their incorruptibility. Its another, although less grievous problem, is hazy monetary policy: currently they are running on investors' (Durov's, mainly) money, and they don't have plans for paid features, so it's not entirely clear as to what they're gonna do when the pot runs out. But again, this is a much, much lesser problem, compared to the security vulnerabilities associated with centralization.

3. Peer-to-peer messengers, completely underground: Bit Message, Bleep, Redact, TextHer, etc.

Most of these have some serious design flaws, which may or may not be fixed in the future: Redact fails to deliver 100% of the messages to the receiver, according to reviews in the Play Store. Bit Message, at this moment, seems to be completely off-limits to mobile devices, since it relies on a PoW algorithm, which will make your phone burst in flames while you're holding it.

Some of them are better and some are worse, but these are all plagued by the lack of their audience, even more so, than the previous category. Redact and TextHer have about 1500 downloads in the Play Store combined. Bleep appears to be the most popular among all of them, with about 100K downloads over the last 10 months or so, which is still abysmal, compared to Telegram's 50 million in the first year.
                                                                                                                                                                                                                                                                                         

So, ultimately it all comes down to this: you have to chose between security weak-spots, low usability/absent features or very low popularity, and you can't have them all at once. Or can you? Maybe I missed something, and there is a messenger, which offers a 100% secure p2p operation combined with convenience of some more popular apps? Share your opinions guys, what do you think?
dsattler
Legendary
*
Offline Offline

Activity: 924
Merit: 1000


View Profile
July 22, 2015, 06:36:40 AM
 #2

Have a look at threema: https://threema.ch/en/

It's quite popular in western europe. Unfortunately no open-source, but AFAIR the code was security-reviewed by an independant expert.

Bitcointalk member since 2013! Smiley
misterycoins
Sr. Member
****
Offline Offline

Activity: 249
Merit: 250


View Profile
July 22, 2015, 12:00:44 PM
 #3

OTR
https://en.wikipedia.org/wiki/Off-the-Record_Messaging
Off-the-Record Messaging (OTR) is a cryptographic protocol that provides encryption for instant messaging conversations.
The Bad Guy
Sr. Member
****
Offline Offline

Activity: 280
Merit: 250



View Profile
July 22, 2015, 12:11:02 PM
 #4

What about ICQ , how save is it ?
For privacy I guess you could go with MEGA-CHAT which is made by Kim Dotcom (we all know his problems with NSA and their spying ) but it's still on BETA phase AFAIK

hodlbananas (OP)
Member
**
Offline Offline

Activity: 72
Merit: 10


View Profile
July 22, 2015, 01:50:09 PM
 #5

Have a look at threema: https://threema.ch/en/

It's quite popular in western europe. Unfortunately no open-source, but AFAIR the code was security-reviewed by an independant expert.

Yeah, this one seems all right, a million downloads in the playstore, no data storage/mining by provider. But, like you said, it's not open-source, nor is it p2p, hence not 100% private. Independent experts and service providers can be bought/coerced into disclosing users' personal data. It's doubtful that anyone will bother right now, but when and if it grows, it can become a vulnerable target.

Another problem with it is that it's not free, which means that it won't enjoy a similar level of natural growth that free counterparts, like WhatsApp or Telegram do, and I can't just ask all my friends and colleagues use it. So it's either going to remain on this unpopular level, where I can't really use it, or it will grow and with it will grow the probability of gvt. agencies tapping into it.

What I think this shows is the fundamental problem that any messenger has to face: it's either going to rely on a financially- and/or technologically-intensive solution, which will make it less popular and thus less usable, or decrease the complexity of the underlying solution to attract a larger userbase, in exchange for fundamental flaws, which may ultimately lead to security leaks. I think, when someone finds out a way to integrate a p2p solution in a mobile app in a cheap and computationally efficient way, and markets it right, they will be golden. So far I've failed to find such an app.

OTR
https://en.wikipedia.org/wiki/Off-the-Record_Messaging
Off-the-Record Messaging (OTR) is a cryptographic protocol that provides encryption for instant messaging conversations.

This is nice, never heard of it. Found a report about some security vulnerabilities found by the EFF and less-then-optimal battery usage by the Diffie-Hellman protocol, but overall it seems legit. Have you been using any of its mobile implementations yourself?

What about ICQ , how save is it ?
For privacy I guess you could go with MEGA-CHAT which is made by Kim Dotcom (we all know his problems with NSA and their spying ) but it's still on BETA phase AFAIK

Look it up, man. I've just found several reports on ICQ's vulnerability, here's just one of them. Anyway, it's pretty apparent, since it uses proprietary software and servers, that it isn't and can't be secure.

I failed to find a mobile version for the MegaChat, is there one?
AtheistAKASaneBrain
Hero Member
*****
Offline Offline

Activity: 770
Merit: 509


View Profile
July 22, 2015, 02:53:43 PM
 #6

I remember a while ago reading about some sort of decentralized skype called Tox. Not sure if the project is still being developed or not.

https://en.wikipedia.org/wiki/Tox_%28software%29
cryptocoiner
Hero Member
*****
Offline Offline

Activity: 602
Merit: 500


hyperboria - next internet


View Profile WWW
July 22, 2015, 03:07:20 PM
 #7

bitmessenger maybe?

funkenstein
Legendary
*
Offline Offline

Activity: 1066
Merit: 1050


Khazad ai-menu!


View Profile WWW
July 22, 2015, 05:23:28 PM
 #8

GPG/PGP is the standard solution.   

"Messengers"  are underlying transport protocols.  What keeps something secure is the next layer on top.  A quick check is to say "did a company produce this?"  If the answer is yes, than you aren' t using a secure protocol. 

"Give me control over a coin's checkpoints and I care not who mines its blocks."
http://vtscc.org  http://woodcoin.info
RodeoX
Legendary
*
Offline Offline

Activity: 3066
Merit: 1147


The revolution will be monetized!


View Profile
July 22, 2015, 05:25:25 PM
 #9

You want SureSpot. End to end encryption, full deletion permissions, and open source.   Wink

https://www.surespot.me/

It's free, but the author has a bitcoin address in the app for tipping!

The gospel according to Satoshi - https://bitcoin.org/bitcoin.pdf
Free bitcoin in ? - Stay tuned for this years Bitcoin hunt!
Spendulus
Legendary
*
Offline Offline

Activity: 2926
Merit: 1386



View Profile
July 22, 2015, 05:48:52 PM
 #10

Hey guys, I'd like to bring up a question of finding a secure, fast and easy to use messenger application. Since cryptocommunity is based pretty heavily on privacy, decentralization, etc. I thought this is a good place to talk about that.....
Passenger pigeons.

Can't beat them.
funkenstein
Legendary
*
Offline Offline

Activity: 1066
Merit: 1050


Khazad ai-menu!


View Profile WWW
July 22, 2015, 05:49:18 PM
 #11

You want SureSpot. End to end encryption, full deletion permissions, and open source.   Wink

https://www.surespot.me/

It's free, but the author has a bitcoin address in the app for tipping!

Let me get this straight.  This app is designed to run only on fully compromised (back doored) devices right?  

Lets move past that for a second and assume we don't care about those players who have that access, and are just trying to fend off script kiddies and low level advertisers / spamz0rs.

Now, where is my private key stored?  How do I verify that I have the public key of your private key, in other words how do we know there is no MIM going on?  

Is a key fingerprint easily available?  

    


"Give me control over a coin's checkpoints and I care not who mines its blocks."
http://vtscc.org  http://woodcoin.info
RodeoX
Legendary
*
Offline Offline

Activity: 3066
Merit: 1147


The revolution will be monetized!


View Profile
July 22, 2015, 06:01:44 PM
 #12

You want SureSpot. End to end encryption, full deletion permissions, and open source.   Wink

https://www.surespot.me/

It's free, but the author has a bitcoin address in the app for tipping!

Let me get this straight.  This app is designed to run only on fully compromised (back doored) devices right?  

Lets move past that for a second and assume we don't care about those players who have that access, and are just trying to fend off script kiddies and low level advertisers / spamz0rs.

Now, where is my private key stored?  How do I verify that I have the public key of your private key, in other words how do we know there is no MIM going on?  

Is a key fingerprint easily available?  


I use only jailbroken phones that I modify. It runs fine on my BLU phone. If you are concerned about what it does then I suggest you download the source and compile it for yourself.
When you want to invite someone it can be done in-app. You just need their username to directly connect to them. This app is not tied to a phone number or an email, or identity at all. Not that my phone is connect to me anyway.  Wink

The gospel according to Satoshi - https://bitcoin.org/bitcoin.pdf
Free bitcoin in ? - Stay tuned for this years Bitcoin hunt!
roadbits
Legendary
*
Offline Offline

Activity: 1092
Merit: 1000


View Profile
July 22, 2015, 09:00:15 PM
 #13

Is anyone still using TorChat? Does it work well, even though it doesn't seem to updated in a while? is it still a safe working program?
nachoig
Sr. Member
****
Offline Offline

Activity: 252
Merit: 250


View Profile
July 22, 2015, 09:50:35 PM
 #14



The only messenger from this category that is relatively free from the problems of both convenience and popularity, is Telegram, which has all the features that you expect from a regular app and, I'd say, is somewhere in between underground and mainstream at the moment. It also has a special feature - secret chats, that is specifically tailored for secure conversations.

Ultimately, Telegram may very well be the best option at the current moment, but as its userbase grows, it can attract more attention from the government agencies, and ultimately suffer the same fate as Skype and FB - its encryption may be end-to-end, but the app itself isn't peer-to-peer, which means that it has centralized servers and people running those servers. And where there are people in charge, one cannot be 100% sure about their incorruptibility. Its another, although less grievous problem, is hazy monetary policy: currently they are running on investors' (Durov's, mainly) money, and they don't have plans for paid features, so it's not entirely clear as to what they're gonna do when the pot runs out. But again, this is a much, much lesser problem, compared to the security vulnerabilities associated with centralization.

I have bad news for you. The cryptograph used in Telegram isn't considered good.
http://www.alexrad.me/discourse/a-264-attack-on-telegram-and-why-a-super-villain-doesnt-need-it-to-read-your-telegram-chats.html
http://thoughtcrime.org/blog/telegram-crypto-challenge/
http://unhandledexpression.com/2013/12/17/telegram-stand-back-we-know-maths/
https://news.ycombinator.com/item?id=6913456

And end-to-end encryption needs to be the default (which doesn't happen in Telegram), otherwise, no one will use it. Although their end-to-end encryption shouldn't be trusted anyway.

OTR
https://en.wikipedia.org/wiki/Off-the-Record_Messaging
Off-the-Record Messaging (OTR) is a cryptographic protocol that provides encryption for instant messaging conversations.

This is nice, never heard of it. Found a report about some security vulnerabilities found by the EFF and less-then-optimal battery usage by the Diffie-Hellman protocol, but overall it seems legit. Have you been using any of its mobile implementations yourself?

OTR is good, but not for mobile. You and your contact need to stay online all the time because it doesn't work with offline messages. Also, it doesn't work with group messaging.
dsattler
Legendary
*
Offline Offline

Activity: 924
Merit: 1000


View Profile
July 23, 2015, 06:18:28 AM
 #15

Have a look at threema: https://threema.ch/en/

It's quite popular in western europe. Unfortunately no open-source, but AFAIR the code was security-reviewed by an independant expert.

Yeah, this one seems all right, a million downloads in the playstore, no data storage/mining by provider. But, like you said, it's not open-source, nor is it p2p, hence not 100% private. Independent experts and service providers can be bought/coerced into disclosing users' personal data. It's doubtful that anyone will bother right now, but when and if it grows, it can become a vulnerable target.

Another problem with it is that it's not free, which means that it won't enjoy a similar level of natural growth that free counterparts, like WhatsApp or Telegram do, and I can't just ask all my friends and colleagues use it. So it's either going to remain on this unpopular level, where I can't really use it, or it will grow and with it will grow the probability of gvt. agencies tapping into it.
<snip>

Really? It's 1.99 for lifetime use, even whatsapp charges you 0.99/year after the first year!
You're right about the closed source though, that is a showstopper IMHO.

Bitcointalk member since 2013! Smiley
superpanos2
Member
**
Offline Offline

Activity: 88
Merit: 10


View Profile
July 23, 2015, 08:47:52 AM
 #16

You could use tox or bleep.
Bleep is closed source though
ThomasVeil
Sr. Member
****
Offline Offline

Activity: 252
Merit: 250


View Profile
July 23, 2015, 11:01:08 AM
 #17

Nxtty: Anonymous, End-to-end Encryption, uses Blockchain, has permanent message destruction - but it's not Open Source as far as I see.
Here's nxxty on google play, the Apple version is planned.
hodlbananas (OP)
Member
**
Offline Offline

Activity: 72
Merit: 10


View Profile
July 23, 2015, 01:32:27 PM
 #18

bitmessenger maybe?

See OP.

GPG/PGP is the standard solution.   

"Messengers"  are underlying transport protocols.  What keeps something secure is the next layer on top.  A quick check is to say "did a company produce this?"  If the answer is yes, than you aren' t using a secure protocol. 

Completely agreed!

Hey guys, I'd like to bring up a question of finding a secure, fast and easy to use messenger application. Since cryptocommunity is based pretty heavily on privacy, decentralization, etc. I thought this is a good place to talk about that.....
Passenger pigeons.

Can't beat them.

Yeah sure, encryption of both the destination and the message itself (if you're up for a little cryptography) is nice, but the messages are quite easily interceptable, and there is less than 100% deliverability, even without anyone trying to disrupt your communications. I'll pass.
hodlbananas (OP)
Member
**
Offline Offline

Activity: 72
Merit: 10


View Profile
July 23, 2015, 01:48:38 PM
 #19

You want SureSpot. End to end encryption, full deletion permissions, and open source.   Wink

https://www.surespot.me/

It's free, but the author has a bitcoin address in the app for tipping!

It's better than Bleep, I guess, but marginally (open source, with a similar number of downloads in stores).



The only messenger from this category that is relatively free from the problems of both convenience and popularity, is Telegram, which has all the features that you expect from a regular app and, I'd say, is somewhere in between underground and mainstream at the moment. It also has a special feature - secret chats, that is specifically tailored for secure conversations.

Ultimately, Telegram may very well be the best option at the current moment, but as its userbase grows, it can attract more attention from the government agencies, and ultimately suffer the same fate as Skype and FB - its encryption may be end-to-end, but the app itself isn't peer-to-peer, which means that it has centralized servers and people running those servers. And where there are people in charge, one cannot be 100% sure about their incorruptibility. Its another, although less grievous problem, is hazy monetary policy: currently they are running on investors' (Durov's, mainly) money, and they don't have plans for paid features, so it's not entirely clear as to what they're gonna do when the pot runs out. But again, this is a much, much lesser problem, compared to the security vulnerabilities associated with centralization.

I have bad news for you. The cryptograph used in Telegram isn't considered good.
http://www.alexrad.me/discourse/a-264-attack-on-telegram-and-why-a-super-villain-doesnt-need-it-to-read-your-telegram-chats.html
http://thoughtcrime.org/blog/telegram-crypto-challenge/
http://unhandledexpression.com/2013/12/17/telegram-stand-back-we-know-maths/
https://news.ycombinator.com/item?id=6913456

And end-to-end encryption needs to be the default (which doesn't happen in Telegram), otherwise, no one will use it. Although their end-to-end encryption shouldn't be trusted anyway.

OTR
https://en.wikipedia.org/wiki/Off-the-Record_Messaging
Off-the-Record Messaging (OTR) is a cryptographic protocol that provides encryption for instant messaging conversations.

This is nice, never heard of it. Found a report about some security vulnerabilities found by the EFF and less-then-optimal battery usage by the Diffie-Hellman protocol, but overall it seems legit. Have you been using any of its mobile implementations yourself?

OTR is good, but not for mobile. You and your contact need to stay online all the time because it doesn't work with offline messages. Also, it doesn't work with group messaging.

Well, like I said, I don't trust Telegram to be 100% secure, nor anyone should, since it's not p2p, but it's the best option out there, as far as popularity/security ratio goes, in my opinion. And I can also force end-to-end encryption on those I communicate with by starting secret conversations myself.

Anyway, I'm not a fanboy of Telegram and will gladly switch to a better alternative, when it appears on the market, but for now I don't see a more secure option, which won't leave me unable to communicate with my network of contacts, due to them not caring enough to download Bleep or SureSpot.
herzmeister
Legendary
*
Offline Offline

Activity: 1764
Merit: 1007



View Profile WWW
July 23, 2015, 01:54:53 PM
 #20

I use XMPP+OTR (with Pidgin on Desktop and Xabber on Android), Tox (qTox on Desktop), TextSecure, Bitmessage, and RetroShare on a daily basis. Each serve their (different) purpose. I'd like to see the all-in-one solution, but oh well...

https://localbitcoins.com/?ch=80k | BTC: 1LJvmd1iLi199eY7EVKtNQRW3LqZi8ZmmB
Pages: [1] 2 »  All
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!