Posts Tagged ‘encryption’

Part 1 explains why you might decide to use secure messaging.

If you decide you want to use a secure messaging app, here are some factors you might consider:

  • How secure is the program? Does it send your messages in plaintext or does it encrypt your communications?
  • How user friendly is it?
  • How many people overall use it? A good rule for security and privacy: do not be an early adapter! Let somebody else work the bugs out. The number of users should be at least several thousand.
  • What do users say about using it? Make sure you read both positive and negative comments. Test drive it before you trust it.
  • How many people do you know who use it? Could you persuade your family and friends to use it?
  • How much does it cost?
  • What happens to the message if the receiver is not using the same program as the sender?
    • Does it notify you first and offer other message delivery options or does the message encryption fail?
    • For those cases where the encryption fails, does the message not get sent or is it sent and stored unencrypted on the other end?
  • Will it work on other platforms besides yours? Android, iOS, Blackberry, Windows, etc.
  • Does the app include an anonymizer, such as Tor?
  • While the app itself may not cost, consider whether the messages will be sent using data or SMS? Will it cost you money from that standpoint?

The Electronic Freedom Foundation recently published an article called “The Secure Messaging Scorecard” that might help you find an app that meets your needs. Here are a few of the protocols used by the applications listed in the article:

I picked out a few apps that met all of their parameters, and put together some notes on cost, protocols, and platforms. While I have not used any of them, I am looking forward to testing them, and will let you know how it goes.


App Name Cost Platforms Protocol Notes
ChatSecure + Orbot Free; open source; GitHub iOS, Android OTR, XMPP, Tor, SQLCipher
CryptoCat Free; open source; GitHub Firefox, Chrome, Safari, Opera, OS X, iPhone; Facebook Messsenger OTR – single conversations; XMPP – group conversations Group chat, file sharing; not anonymous
Off-The-Record Messaging for Windows (Pidgin) Free Windows, GNOME2, KDE 3, KDE 4 OTR, XMPP, file transfer protocols
Off-The-Record Messaging for Mac (Adium) Free Adium 1.5 or later runs on Mac OS X 10.6.8 or newer OTR, XMPP, file transfer protocols No recent code audit
Signal (iPhone) / RedPhone (Android) Free iPhone, Android, and the browser ZTRP
Silent Phone / Silent Text Desktop: Windows ZRTP, SCIMP Used for calling, texting, video chatting, or sending files
Telegram (secret chats) Free Android, iPhone / iPad, Windows Phone, Web- version, OS X (10.7 up), Windows/Mac/Linux Mproto Cloud-based; runs a cracking contest periodically
TextSecure Free Android Curve25519, AES-256, HMAC-SHA256.


When you send a message, who controls your messages? You write them and you get them, but what happens in the middle? Where are they stored? Who can read them? Email, texts, instant messaging and Internet relay chat (IRC), videos, photos, and (of course) phone calls all require software. Those programs are loaded on your phone or your tablet by the device manufacturer and the service provider. However, you can choose to use other – more secure – programs.

In the old days of the 20th century, a landline telephone call (or a fax) was an example of point-to-point service. Except for wiretaps or party lines, or situations where you might be overheard or the fax intercepted, that type of messaging was reasonably secure. Today, messaging does not usually go from your device—whether it is a cell phone, laptop, computer, or tablet—directly to the receiver’s device. Landlines are becoming scarcer, as digital phones using Voice over IP (VoIP) are becoming more prevalent. Messages are just like any other Internet activities: something (or someone) is in the middle.

It’s a lot like the days when an operator was necessary to connect your call. You are never really sure if someone is listening to your message.

What that means is that a digital message is not be secure without taking extra precautions. It may go directly from your device to your provider’s network or it may be forwarded from another network; it often depends on where you are located in relation to a cell phone tower and how busy it is. Once the message has reached your provider’s network, it may bounce to a couple of locations on their network, and then—depending on whether your friend is a subscriber of the same provider—the message may stay on the same network or it may hop to another provider’s network, where it will be stored on their servers, and then finally be delivered to the recipient.

Understand that data has different states and how the data is treated may be different depending on the state. Data can be encrypted when it is transmitted and it can be encrypted when it is stored, or it can remain unencrypted in either state.

Everywhere it stops on the path from your device to the destination, the message is stored. The length of time it is kept in storage depends on the provider’s procedures, and it could be kept for weeks or even years. It gets backed up and it may be sent to offsite storage. At any time along its travels, it can be lost, stolen, intercepted or subpoenaed. If the message itself is encrypted, it cannot be read without access to the key. If the application is your provider’s, they may have access to the message even if it is encrypted if they have access to the key.

Is the message sent over an encrypted channel or is it sent in plain text? If you are sending pictures of LOLZ cats, who cares? But if you are discussing, say, a work-related topic, or a medical or any other confidential issue, you might not want your messages available on the open air. In fact, it’s better for you and your employer if you keep your work and personal information separated on your devices. This can happen by carrying a device strictly for work or maybe through a Mobile Device Management application your employer installed that is a container for your employer’s information. If you do not keep your information separate and your job suddenly comes to an end, they may have the right to wipe your personal device or you may not be able to retrieve any personal information stored on a work phone. Those policies you barely glanced at before you signed them when you started working at XYZ Corporation? It is a good idea to review them at least once a year and have a contingency plan! I have heard horror stories about baby pictures and novels that were lost forever after a job change.

Are you paranoid yet? If not, I have not explained this very well!

A messaging app that uses encryption can protect your communications with the following disclaimers. These apps cannot protect you against a key logger or malware designed to intercept your communications. They cannot protect you if someone has physical or root access to your phone. That is one of the reasons that jail-breaking your phone is such a bad idea—you are breaking your phone’s built-in security protections.

An app also cannot protect you against leaks by someone you trusted with your information. Remember: If you do not want the files or the texts you send to be leaked by someone else, do not send the information.

If you decide that you want to try one or more messaging applications, it is really important to read the documentation thoroughly so you understand what the app does and what it does not do and how to use it correctly. And, finally: Do not forget your passphrase!! Using a password manager such as KeePass or LastPass is a necessity today. Also back up your passwords regularly and put a copy—digital and/or paper—of any passwords you cannot afford to lose in a safe deposit box or cloud storage. If you decide to use cloud storage, make sure you encrypt the file before you upload it. Cloud storage is a term that means you are storing your stuff on someone else’s computer.

Part 2

I ran across this new app called “Wickr,” available from the iTunes store. I haven’t tested it yet, but it sounds amazing. It is supposed to be available for Android soon. Best of all, the basic version is FREE.

What does Wickr do? It’s an app that sends encrypted communications—photos, video, texts, email—to people you trust. Then, at a predetermined time, that communication will self destruct. It uses Advanced Encryption Standard (AES), Elliptic Curve Diffie-Hellman (ECDH), and Transport Layer Security (TLS) algorithms for encryption, which Wickr talks about here

Caveat: Don’t lose your password! You lose access to your account. Also, make sure that you read the “Frequently Asked Support Questions” before you install the app, so that you understand how it works.

More stories about Wickr: