This post continues from the one before, which you can find HERE.
By now you should understand the key components that make or break a messaging app, and you should have read the list of common applications we would advise against. Today, we would like to mention three applications we feel are much better in terms of respecting your privacy and security.
SIGNAL: Signal has, unsurprisingly, become the gold standard for encrypted messaging applications. Its Sealed Sender capabilities have managed to reduce a lot of the metadata sent out to their servers; it has a very simple and easy-to-use interface; it allows for group chats, group phone calls and group video chats; and it is of course open-source and end-to-end encrypted by default. There are two drawbacks to Signal that are still important and should be considered depending on your own threat model. The first one is that Signal is centralised, which means if a government decided to block Signal servers, Signal would not work in that specific country (Belgium has just said they are thinking about doing exactly that!). It means there is a single point of failure, and although it would be very difficult to decrypt any information, all that data is being funnelled through a single point. The second big problem with Signal is that it requires user data in order to set up an account. That user data is not some silly, throwaway email either: they need your telephone number. In many countries around the world, obtaining a SIM card without an ID is a problem in itself, but even when that SIM is anonymous, leaking a phone number that is continuously attached to your device could mean being targeted via connectivity networks and being geolocated by telephone towers. Telephone numbers tend to be something personal, and sometimes you do not wish to give someone you just met your number. Those are the two main drawbacks in an otherwise very powerful application.
Read more at www.signal.org
SESSION: Session App is the youngest app on our list, but it has made incredible progress and we would go as far as saying that we prefer it over Signal. It is a decentralised, open-source app backed by about 1800 nodes around the globe that routes all your traffic through onion routing, which means there is no IP leak and other identifying metadata is stripped off. The biggest and most important feature that makes Session stand out is that you do not require ANY personal information to sign up. No email address. No telephone number. No name. NOTHING. How fucking cool is that?! The fact that they’ve now implemented voice and video calls, onion routed and in a very user-friendly way, has won all the points needed for us to push it to number one! Let’s not forget about drawbacks tho. Because it is decentralised, it takes a little longer for the message to be received by your friend. This is barely noticeable on text and even photos, but it might take a few extra seconds for a video to send or to download! The second, more important drawback is that Session does not enforce Perfect Forward Secrecy (PFS). This is a complicated system where encryption keys get substituted regularly, so if someone were to steal the key somehow they would only be able to decrypt some messages and not entire conversations. Session does not implement PFS, but as the encryption key is saved on your device, if your device were compromised the text would already be readable in plain text. Whilst we understand Session’s mitigation against that attack, they should implement PFS for extra security. Session is the app we would advise all of you to use to talk to each other on a regular basis.
Read more here: https://getsession.org
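To make the forward-secrecy trade-off described above concrete, here is an added example (not from the original post, and not Session's or Signal's actual protocol): a simplified hash ratchet compared with a single long-lived key. The cipher is a toy built from HMAC-SHA256, and every name and the shared secret are constructed for the demonstration.

```python
import hashlib
import hmac

def kdf(key: bytes, label: bytes) -> bytes:
    """One-way derivation: the output does not reveal `key`."""
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(key: bytes, data: bytes) -> bytes:
    blocks = (kdf(key, b"ks" + i.to_bytes(4, "big")) for i in range(len(data) // 32 + 1))
    return bytes(d ^ s for d, s in zip(data, b"".join(blocks)))

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC, for illustration only (not a production cipher)."""
    ct = _xor_stream(key, plaintext)
    return ct + kdf(key, b"tag" + ct)

def unseal(key: bytes, blob: bytes):
    """Return the plaintext, or None when the key is wrong."""
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, kdf(key, b"tag" + ct)):
        return None
    return _xor_stream(key, ct)

class Ratchet:
    """Hash ratchet: a fresh key per message; the old chain key is overwritten."""
    def __init__(self, chain: bytes):
        self.chain = chain

    def next_key(self) -> bytes:
        message_key = kdf(self.chain, b"msg")
        self.chain = kdf(self.chain, b"chain")  # cannot be run backwards
        return message_key

def readable_after_theft(messages, stolen_at):
    """What a thief holding every ciphertext reads with key state copied before message `stolen_at`."""
    secret = b"constructed shared secret"  # sample value, made up for this demo
    static_key, ratchet = kdf(secret, b"static"), Ratchet(kdf(secret, b"root"))
    static_cts, ratchet_cts, stolen_chain = [], [], None
    for i, msg in enumerate(messages):
        if i == stolen_at:
            stolen_chain = ratchet.chain
        static_cts.append(seal(static_key, msg))
        ratchet_cts.append(seal(ratchet.next_key(), msg))
    thief = Ratchet(stolen_chain)  # the thief can only ratchet forward
    keys = [thief.next_key() for _ in range(len(messages) - stolen_at)]
    static_read = [unseal(static_key, c) for c in static_cts]
    ratchet_read = [next((p for p in (unseal(k, c) for k in keys) if p is not None), None)
                    for c in ratchet_cts]
    return static_read, ratchet_read
```

With the key state copied before message 2, the static key opens the whole recorded conversation, while the ratchet leaves messages 0 and 1 unreadable and exposes only what was sent from that point on.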
BRIAR: Briar is an incredibly interesting application. It is end-to-end encrypted by default and open-source, but it will only run on Android devices (sorry iPhone users). It runs through P2P connectivity, which means no server or nodes to depend on. When you message someone on Briar, the message travels through the Tor network directly to your friend’s device without depending on any specific centralised systems. Briar is also a very useful tool when the network is down. Police will, during intense riot situations, jam the network in order to stop any form of connectivity. Briar circumvents those problems by allowing users to connect through a Bluetooth mesh or a Wi-Fi mesh, without depending on the telephone network. This, of course, has a distance limitation. The drawbacks should be obvious. A P2P connection is not anonymous. The message is encrypted, and if someone was sniffing the connection they would not be able to read your texts or see the photos, but the recipient of your text is able to work out the network you connect to and some device identifiers which could be used to de-anonymise you. As mentioned before, it only runs on Android, so compatibility might be a problem. Finally, Briar has a usability problem. Because it is P2P and your messages are not stored on a server, they cannot be sent to your friend unless your friend is also connected. Briar is an incredible app and we highly recommend it, but we would advise you to use this app for specific situations and only with people you trust. Briar is, without a doubt, the app we would use when the armed revolution starts!
Find Briar here: www.briarproject.org
Keep an eye out for the next instalment of this miniseries, which will be more practical, with advice on how to talk to each other.
Remember that apps only know what you tell them. We will talk about what to say and what not to say in our last instalment about messaging apps!
PRIVACY SHOULD BE FOR EVERYONE.
UA Tech&Sec 101 support.
PS: We volunteer our time, but we cannot volunteer all our funds too in order to keep this project alive. If you have the means and like what we do, please consider donating a few coins. Monero is our favourite way, you can find the wallet address on our website, but if you don’t use cryptocurrencies you can donate over Paypal and Patreon too!
One Reply to “CHOOSING A BETTER MESSAGING APP (LET’S GET ENCRYPTED) – TECHNOLOGY AND SECURITY 101.”
A better alternative is Cwtch, which encrypts your metadata as well. Unlike Signal, it does not demand a phone number (and therefore your location), and unlike Briar, it’s not developed by a bunch of crypto-scammers, but a group of tech-savvy anarchist women.
Until all cages are empty!