Part 1 explains why you might decide to use secure messaging.
If you decide you want to use a secure messaging app, here are some factors you might consider:
- How secure is the program? Does it send your messages in plaintext or does it encrypt your communications?
- How user friendly is it?
- How many people overall use it? A good rule for security and privacy: do not be an early adopter! Let somebody else work the bugs out. The number of users should be at least several thousand.
- What do users say about using it? Make sure you read both positive and negative comments. Test drive it before you trust it.
- How many people do you know who use it? Could you persuade your family and friends to use it?
- How much does it cost?
- What happens to the message if the receiver is not using the same program as the sender?
  - Does it notify you first and offer other message delivery options or does the message encryption fail?
  - For those cases where the encryption fails, does the message not get sent or is it sent and stored unencrypted on the other end?
- Will it work on other platforms besides yours (Android, iOS, BlackBerry, Windows, etc.)?
- Does the app include an anonymizer, such as Tor?
- While the app itself may be free, consider whether the messages will be sent using data or SMS. Will that cost you money?
The Electronic Frontier Foundation recently published an article called “The Secure Messaging Scorecard” that might help you find an app that meets your needs. Here are a few of the protocols used by the applications listed in the article:
- Off The Record (OTR)
- XMPP, which stands for the Extensible Messaging and Presence Protocol, is sometimes referred to as Jabber.
- MTProto is short for “Mobile Protocol.” The specifications are detailed here.
- Silent Circle Instant Message Protocol (SCIMP)
- Z (Zimmermann) Real-time Transport Protocol (ZRTP) is a cryptographic key-agreement protocol used to exchange Diffie-Hellman keys. It uses the Secure Real-time Transport Protocol (SRTP) for encryption between two endpoints during a Voice over Internet Protocol (VoIP) phone call.
I picked out a few apps that met all of their parameters, and put together some notes on cost, protocols, and platforms. While I have not used any of them, I am looking forward to testing them, and will let you know how it goes.
| App Name | Cost | Platforms | Protocol | Notes |
| --- | --- | --- | --- | --- |
| ChatSecure + Orbot | Free; open source; GitHub | iOS, Android | OTR, XMPP, Tor, SQLCipher | |
| CryptoCat | Free; open source; GitHub | Firefox, Chrome, Safari, Opera, OS X, iPhone; Facebook Messenger | OTR – single conversations; XMPP – group conversations | Group chat, file sharing; not anonymous |
| Off-The-Record Messaging for Windows (Pidgin) | Free | Windows, GNOME2, KDE 3, KDE 4 | OTR, XMPP, file transfer protocols | |
| Off-The-Record Messaging for Mac (Adium) | Free | Adium 1.5 or later runs on Mac OS X 10.6.8 or newer | OTR, XMPP, file transfer protocols | No recent code audit |
| Signal (iPhone) / RedPhone (Android) | Free | iPhone, Android, and the browser | ZRTP | |
| Silent Phone / Silent Text | https://silentcircle.com/pricing | Desktop: Windows | ZRTP, SCIMP | Used for calling, texting, video chatting, or sending files |
| Telegram (secret chats) | Free | Android, iPhone / iPad, Windows Phone, Web-version, OS X (10.7 up), Windows/Mac/Linux | MTProto | Cloud-based; runs a cracking contest periodically |
| TextSecure | Free | Android | Curve25519, AES-256, HMAC-SHA256 | |