How much Security/Privacy do you get for your Messaging?

Who are you worried about? Security And Privacy Threat Model



Aug'2013: Ben Brooks on trade-offs of hosting your own EMail server at a Mac hosting service.

Instant Messaging

Nov'2014: awesome comparison table from EFF.

  • AdiumX and Pidgin offer encryption, but obviously that doesn't work if the other party isn't using a client that supports it.

The connection between the GoogleTalk client and the Google Talk server is encrypted, except when using Gmail's chat over HTTP, a federated network that doesn't support encryption, or when using a proxy like IMLogic. End-to-end messages are unencrypted. Google plans to add support for chat and call encryption in a future release. Some XMPP clients natively support encryption with Google Talk's servers. It is possible to have end-to-end encryption over the GTalk network using OTR (off-the-record) encryption.

  • Note that GTalk uses the phrase "OffTheRecord" explicitly, but only to indicate the lack of logging. There is still no encryption involved.

Apple Computer's IMessage is encrypted end-to-end!

Silent Circle is encrypted (see 2012-04-25-ZimmermannSilentCircle).

  • Matthew Green looks (Mar'2013) at Silent Circle, RedPhone, Cryptocat, Wickr. Some services actually know and store your private keys, while others operate as a Certificate Authority, allowing you to 'certify' new public keys under your name. Either of these models makes eavesdropping relatively easy for someone with access to the server.
  • Matthew Green explores (Jul'2014) the OTR and Cryptocat protocols. None of the issues I note above are the biggest deal in the world. They're all subtle issues, which illustrates two things: first, that crypto is hard to get right. But also: that crypto rarely fails catastrophically. The exciting crypto bugs that cause you real pain are still few and far between.
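The two key-handling models Green describes above, and the difference between client-server encryption and end-to-end encryption noted under Google Talk, can be seen in a small simulation. This is an added example, not code from the page or from any of the products named; it assumes a toy Diffie-Hellman group (OTR itself uses a 1536-bit MODP group) and simplifies the server to three modes: a plain relay, a server that escrows users' private keys, and a server that acts as a Certificate Authority and can issue keys under a user's name. The fingerprint check models the out-of-band verification OTR clients offer.

```python
import hashlib
import secrets

# Toy Diffie-Hellman parameters, for illustration only: 2**127 - 1 is prime,
# but a 127-bit group is far too small for real use (OTR uses 1536-bit MODP).
P = 2**127 - 1
G = 5

def keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def fingerprint(pub):
    # Short hash of a public key, the kind of value OTR users compare out of band.
    return hashlib.sha256(pub.to_bytes(16, "big")).hexdigest()[:16]

def shared_secret(priv, peer_pub):
    return pow(peer_pub, priv, P)

def session(server_mode, verify_fingerprints):
    """Simulate one key exchange between Alice and Bob through a messaging server.
    server_mode: 'relay' (forwards public keys only), 'escrow' (also stores users'
    private keys) or 'ca' (may issue keys under a user's name).
    Returns whether the peers ended up with the same key and whether the server can read."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    if server_mode == "ca":
        # The server certifies keys it generated itself as 'Alice' and 'Bob'.
        sa_priv, sa_pub = keypair()
        sb_priv, sb_pub = keypair()
        alice_gets, bob_gets = sb_pub, sa_pub
    else:
        alice_gets, bob_gets = b_pub, a_pub
    # Out-of-band check: Alice compares the fingerprint of the key she received with
    # the one Bob reads to her over a channel the server does not control.
    if verify_fingerprints and fingerprint(alice_gets) != fingerprint(b_pub):
        return {"aborted": True, "peers_agree": False, "server_can_read": False}
    alice_key = shared_secret(a_priv, alice_gets)
    bob_key = shared_secret(b_priv, bob_gets)
    if server_mode == "relay":
        server_can_read = False  # the server only ever saw public values
    elif server_mode == "escrow":
        server_can_read = shared_secret(a_priv, b_pub) == alice_key  # it holds a_priv
    else:
        # The server holds the private halves of the keys it issued, so it can derive
        # both the key Alice computed and the key Bob computed.
        server_can_read = (shared_secret(sb_priv, a_pub) == alice_key
                           and shared_secret(sa_priv, b_pub) == bob_key)
    return {"aborted": False, "peers_agree": alice_key == bob_key,
            "server_can_read": server_can_read}
```

Transport encryption between client and server is orthogonal to all of this: in every mode the wire can be encrypted, and only the relay mode with fingerprints verified keeps the server out of the conversation.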

Whisper Systems' Signal

Skype texting - nope, though you can use Pidgin to text over Skype and use Pidgin's encryption.

Android apps/services?

  • Guardian Project's ChatSecure (Gibberbot) is a secure chat client capable of firewall and filter circumvention, surveillance blocking and end-to-end encryption. It works with Google, Facebook, and any Jabber or XMPP server, such as Openfire or ejabberd. Unlike Blackberry BBM's broken single-key security, Gibberbot uses the Off-the-Record (OTR) encryption standard to enable true verifiable end-to-end encrypted communications. To use encryption, the person you are chatting with must also be using Gibberbot, or a compatible app like ChatSecure (iOS), Pidgin (Linux/Windows), AdiumX (Mac) or Jitsi.

Note that even if your message body is secure/private, your Meta Data probably isn't, unless you're using a P2P app that doesn't rely on a central service even to find your recipient.

