Jump to content
Not connected, Your IP: 18.216.104.106
ravenheart

Secure IM Options and Opinions

Recommended Posts

I'm trying to get a few very close but very non techie friends to migrate to a msg'ing mechanism that has a bit more privacy than what they currently use, i.e none at all,   I was wondering if anyone here has experience using such services ,remember I need something that's simple enough that they can migrate to without causing their heads to explode. I was looking at the following options and would appreciate thoughts or personal experience or technical observations on the implementations used.

 

 

Pidgin/Jabber ( tho I don't think they would be able to make sense of OTR/keys/etc)

Torbird

Cryptocat

Bit Message

Riccochet (just found this one, looks interesting, uses Tor, client auto creates onion id)

 

p.s  I just went outside, wow!, when did the world happen?

Share this post


Link to post
Guest

Torchat. 

 

https://github.com/prof7bit/TorChat

 

download, exchange your "string" and chat

 

Havent been updated in a long time. Your options may be more secure, but this one is easy to get your friends to use

Share this post


Link to post

If you ask me, don't make them. Presenting options and explaining what they do and how they work is a much better approach. Staying with what they use now is an option, too.


NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too!

Want to contact me directly? All relevant methods are on my About me page.

Share this post


Link to post

Hello !

 

Have you taken a look at Telegram? Even though it's not the most secure, it's argueably better than, say, Whatsapp.

 

You should also check out ChatSecure; it's excellent, in terms of options.


Moderators do not speak on behalf of AirVPN. Only the Official Staff account does. Please also do not run Tor Exit Servers behind AirVPN, thank you.
Did you make a guide or how-to for something? Then contact me to get it listed in my new user guide's Guides Section, so that the community can find it more easily.

Share this post


Link to post

Telegram is not better than WhatsApp, after they started to use E2E encryption from OpenWhisperSystems.

It's actually the same as Signal, just federated on their servers.

 

 

Thomas H. Ptacek

By default Telegram stores the PLAINTEXT of EVERY MESSAGE every user has ever sent or received on THEIR SERVER.

Edward Snowden

I respect @durov, but Ptacek is right: @telegram's defaults are dangerous. Without a major update, it's unsafe.

https://twitter.com/tqbf/status/678065993587945472

https://twitter.com/Snowden/status/678271881242374144

https://twitter.com/moxie/status/678219238394298372

https://twitter.com/Snowden/status/678274362609426432

 

In order of appearance, best choices would be:

 

1) Signal

2) Pond

3) WhatsApp

4) Conversations.im (Using either E2E OMEMO/PGP/OTR)

5) Telegram

6) BBM

 

7) Other hipster Tor HS based messengers. They are here since they were never widely audited.

 

The biggest challenge in day to day communication is not the variety or the underlying security of the app choices.

Many times your correspondents are not technical, and if the secure technology is not being served transparently to

them, they will not use it. This is why XMPP had no future until WhatsApp decided to use phone numbers instead of JIDs.

In other words, your messenger would be as secure as the choice of your peers. Luckily now WhatsApp have a great

crypto, although server-side contacts and metadata is still a threat for some.


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.

Share this post


Link to post

Be careful with metadata too, it could give enough information, even if the messages are encrypted.

Share this post


Link to post

What use is a messenger without users? You will see that people don't care if it encrypts the messages or not. If they get stored remotely or not. Some of those people showed me the "encryption enabled" message WhatsApp automatically wrote into the chat history of all chats and asked what it meant and if it was dangerous.

WhatsApp's approach is a step forward because they've got a billion registered telephone numbers soon, making encryption easier to use and more common in everyday life. Of course, most security enthusiasts would argue that it's not consistent enough, but if you deny WhatsApp's approach being bad or something, I don't know what to think of you.


NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too!

Want to contact me directly? All relevant methods are on my About me page.

Share this post


Link to post

@zhang888

Thanks bro. I know Telegram isn't secure in that way; although perhaps we should distinguish between the normal chat and secret chat? Did they mention secret chat?

The EFF once made a scorecard about it and the secret chat portion got the full 5 out of 5 stars, for their various review points.

Also, I meant better in the sense that Telegram isn't owned by facebook; unlike whatsapp. Thanks for always staying vigilant.

Lastly, how can signal be one of the top ones, if it's from the same company that you hinted at used insecure encryption: OpenWhisperSystems?

I'm surprised you didn't mention ChatSecure. I suppose you don't think they're that secure, haha.

 

Thanks


Moderators do not speak on behalf of AirVPN. Only the Official Staff account does. Please also do not run Tor Exit Servers behind AirVPN, thank you.
Did you make a guide or how-to for something? Then contact me to get it listed in my new user guide's Guides Section, so that the community can find it more easily.

Share this post


Link to post

On Telegram, grugq pretty much concluded it all:

https://medium.com/@thegrugq/operational-telegram-cbbaadb9013a#.2e08f4o98

 

 

OpenWhisperSystems never used any "insecure encryption". This is the project that develiped Axolotl,

which is now considered the best available protocol for IM by many security researchers, and this is what

made WhatsApp encryption possible, and if you want some buzzwords, here:

 

Edward Snowden @Snowden Retweeted @OpenWhisperSystems

I use Signal every day. #notesforFBI (Spoiler: they already know)

 

 

ChatSecure is ok but with horrible user experience, and lack of OMEMO/Axolotl support. For modern

day to day messaging with "regular people", PGP and OTR are not enough, and I don't expect all my

peers to be security experts. This is why I recommended Conversations.im, which overcame many of

those issues, which ChatSecure is aware of and now try to improve, especially with their fork called Zom.

The good news is that ChatSecure are soon starting to implement OMEMO (Which is based on Axolotl)

and we will soon see it in production. So yes, it means that for now, ChatSecure is a little behind.


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.

Share this post


Link to post
Guest

"telegram's defaults are dangerous."

E

This must be that it's easy to chose a "normal" chat instead of the E2E-chats that are marked by a lock?

 

I've had several aquintances repeatedly open a new, "normal" chat after being schooled on this by yours truly many times 

Share this post


Link to post

where does imessage fit into this discussion?

 

To the trash can actually. A messenger that cannot be compatible around at least 2 independent platforms

is a huge UX issue by itself. This includes me, as an Android user.

 

The biggest risk with iMessage is carrier grade/state level attacks on the SS7 protocol. As some of you might

know, many government adversaries can hijack your global phone number and route it to their network using

flaws in the SS7 signaling system, effectively hijacking SMS messages.

A practical attack on it was demonstrated by PTsecurity:

https://www.ptsecurity.com/upload/ptcom/SS7_WP_A4.ENG.0036.01.DEC.28.2014.pdf

 

So a singe hijacked SMS message would be enough to impersonate an iMessage user, without the other party

having any real knowledge that the keys have been swapped. Something that is solved by other superior implementations,

i.e. Signal.


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.

Share this post


Link to post

Aslong as my mates use secret chat i will carry on using TG instead of FBs Whatsapp.

I found signal was was a good idea but half the time the message failed to send and it was very dated by the time u got a reply.

Surespot seems like a decent one (no phonenumber), Wickr is alright like but I can't understand why it's not OS???

 

TBH the majority of people just use facebook messenger or a SMS!!! Crazy what some of them say!

Share this post


Link to post

 

Hehehe, "press files".. it won't change the fact that Threema is still closed-source, therefore it's difficult to review it appropriately.


NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too!

Want to contact me directly? All relevant methods are on my About me page.

Share this post


Link to post

Yes correct but in the document it say including a Review of the Source Code

 

Cnlab Security did the audit i dont Know them

Share this post


Link to post

See? Who are they? It won't change the sobering fact that Threema is closed-source, no matter how many reviews you do.

 

(Sent via Tapatalk - this generally means I'm not sitting in front of my PC)


NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too!

Want to contact me directly? All relevant methods are on my About me page.

Share this post


Link to post

Also, to all the Pidgin fans around here, you might not want to trust it the way you do today.

There were numerous remote code execution vulnerabilities in it, as well as in the libpurple library,

and I am aware of a few exploits for it right now in the wild.

 

The Cisco Talos team itself found about 20 vulnerabilities in it only in the past month or two:

http://blog.talosintel.com/2016/06/vulnerability-spotlight-pidgin.html

 

At least 4 of them allows the attacker to craft a special message that will cause your client to

execute arbitrary code. Since the vulnerability is IM based, the attacker has many attempts to

exploit your system (each attempt can be delivered using an XMPP message) so this makes it

very reliable, and possibly cross platform.

 

 

If you want to run an XMPP client on the desktop, and you suspect that you might be targeted,

at least you have to use a memory-safe client, i.e. one that is written in Python/Java/Golang etc.

 

A great example for this is probably Coy: https://coy.im/about/ which is based on Adam Langley's

xmpp-client in Golang. Which makes it very safe against remote exploitation using memory based

remote exploits, which are more than 90% of exploits toady.

 

The people at Tails are well aware of those issues and want to drop Pidgin to the trash can as soon

as Coy will be more stable (actually it is stable, but some plugins are buggy).

 

Reference:

https://tails.boum.org/blueprint/replace_Pidgin/

https://labs.riseup.net/code/issues/8574


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.

Share this post


Link to post
Guest

Looks like telegram removed the "regular chat"  after snowdens tweet. Only E2E now

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image

×
×
  • Create New...