Something that has become popular in recent times is messaging clients like facebook Messenger, Apple Messages, WhatsApp, and Hangouts. The issue is not all of these systems are secure.
Issues with popular methods:
1. WhatsApp – Owned my facebook, closed source, unknown encryption.
2. facebook Messenger – facebook knows everything you say.
3. Apple Messages – Apple acts as key server and can add their own key if they want future messages and only Apple Devices.
4. Hangouts – Google sees everything.
This post will first explain different things that can be done to protect privacy and show a table of my recommendations of clients with the different items I talked about checked or not.
Peer to Peer (P2P) – Making a direct connection to the other person you are communicating with.
This can be both a good and a bad thing. It is a good thing as your messages are not going to a third party server, but it does go through Internet Service Providers (ISPs) which they can view and capture the traffic which isn’t much different from going to a third party. It is a bad thing because an ISP can view which IP address you are communicating with and with this information, they can correlate (build a map) as to who you communicate with.
Self Hosted – You own the server which is used to communicate with your friends.
Self hosted is basically like P2P, as if you own it, basically your friends talk directly to you. While you can self host, you can also use either your friends (mine) server or even a third party (Example: jabber.org allows you to register an account with them).
End to End (E2E) Encryption – Encrypting your messages so that only the person you’re communicating with can read the message.
This is a must when you’re talking privacy, if you encrypt just for the server that doesn’t protect you from the third party. If jabber.org decided to be malicious or was hacked and you were not encrypting your messages using GPG/PGP or OTR, your messages can be read.
Open Source – Proof that the software does what it says.
In my book, this is a must because I like to compile my clients myself. While it can be proof that the software does what it says, if you download binaries from the service you may not know if those binaries are actually the result of the code. The third party could have compiled some secret back door into the binaries, but left those out of the source code. Trusting them to do the right thing is up to you, I’d say if you don’t know how to compile go ahead and use what they provide. If you trust the third party, go ahead and use what they provide.
Server for Transportation of Messages – When you send a message, it is sent to a third party to be delivered to your destination.
If the third party server is taken over by hackers or if the people owning the servers themselves decide to be malicious, they can capture messages and do what they want. Now if you have E2E Encryption, this may not be such a bad issue. But if the encryption is poorly written, then it could be possible for a malicious person to figure out what was in the messages your sent. The only major issue with a server transporting messages is they must know where to transport them to which means they can more easily correlate who is talking with whom.
Server for Key Discovery – Having a server tell you how to encrypt for E2E Encryption.
If the server tells you the public key to encrypt your messages with, it is also possible for them to become a man in the middle with encryption. They can say, here is the user’s public key and have it actually be their own allowing them to decrypt and see the messages then re-encrypt and forward to the person you’re communicating with.
Encryption Optional – Messages can be sent in plain text.
This can be a bad thing as if you or the person you are communicating with decides to not encrypt, your messages goes in the clear and can be read by anyone. For both XMPP and IRC, I have disabled non-encrypted methods of talking to the server so it is only possible when a third party decides to allow non-encrypted for the messages to go in the clear.
Traffic Correlation – Governments or server owners can make a map of who you talk to.
This is something which the NSA does often, they collect phone records to find out who you talk with. If it’s possible for correlation of messages, then they get data they want and can possibly figure out who you are and who you’re talking with by matching other data captured.
Now that you have an idea on what is good and bad for privacy and what clients do what and support what, I will post my own little comments on each client.
To me, Tox seems like something made by a designer and not a programmer as the client isn’t exactly stable on some platforms and when you look at the github page for the mac client they have almost nothing done with code, but things done mostly on the design side.
One thing I personally do not like about Tox is you can’t run it in two places at the same time. I have lots of devices and if I want to leave the house and still be on tox, I’d have to quit the client on my PC and open it on my phone, which I have a hard time getting the client for my phone in the first place.
To sum things up; it looks promising, but needs lots of work.
My ID is DF98B2F03C128CE28970C08EC51D72E645627215B5049B8905E6D6FFA1FA6D00F54195874542
I am not usually on this.
This one is a very interesting concept. The idea is there is three forms of verification, the ID, contact info in your address book, and physical verification via QR Code. You can trust that your messages are going to the right person when you physically verified them.
The main issue with this client is you can only have one identity per device, so I can’t even use it on my computer and my phone if they had a client for the computer.
My ID is TJZMN3TJ
Have not really played with this one because I know none who has it. But I am told good things about it from podcasts.
This is in early stages in my opinion, I haven’t really played with it either.
My ID is 86f4df59a91ea2dc970a22f0c2b053a04eaf364e198faf071e5e0fc91d728d10,GRMrGecko
I am not usually on this.
5. XMPP (Jabber)
This is a protocol which I love, it supports signing into other services like Facebook and Skype and also supports talking to people on other XMPP servers. XMPP is supported on all platforms and can be used fairly secure. If you want to fix issue x, you can do so. For example, Traffic Correlation issue can be fixed by you setting up the server behind a TOR Hidden Service.
My favorite XMPP Server is Prosody, you do not have to setup your own server if you don’t want to as services such as jabber.org exists and you can get an account on my server by contacting me or registering using xmpp. Servers can be enabled SSL and can also force SSL which is a good thing. Make sure that when you connect to any XMPP server that you are using SSL so that your messages at least get encrypted to the server. You can further secure your messages by using OTR or GPG, but I think if you trust the server you’re talking with, there is no need.
My account is firstname.lastname@example.org (x is for XMPP).
6. IRC (Internet Relay Chat)
Mainly designed for chat room style messaging, but also can be used for private messaging with OTR.
I have my own server at irc.gec.im which I hangout in #hangout. IRC is the same sort thing as XMPP where you can fix issues that exists and can encrypt your messages using OTR. I only have SSL enabled on my server at port 6697.
As an overview, I prefer XMPP, and IRC as messaging systems. If you want to talk with me, try using one of those as I am pretty much always on them. You should now have a better understanding of how to protect yourself when talking with friends.