Paradoxically, for all the variety of messengers, there is usually no real choice to make: people just use what their friends and acquaintances use. But what if secrecy is really important? In this article, we'll go through the list of modern messengers and see what security guarantees each of them has.
There was a poll on Hacker recently titled "Which messenger do you think is the most reliable for a hacker?", and the most popular answer (Telegram) was seriously alarming. How far have things gone if even the average Hacker reader has already lost touch with reality after the marketing headcrab attack?
We compiled a list of messengers to see how each of them performs in terms of security. The selection includes both popular messengers and those that are promising in terms of security. We would like to warn you that we will go as deep into the technical side as necessary for an average user and no further. In many ways we are following the path of the authors of the Electronic Frontier Foundation's series of articles titled Secure Messaging Scorecard. But we chose other criteria, which we think are more important.
CRITERIA

FOSS
Is the source code of the messenger distributed under one of the free licenses? If yes, is it developed in an open source manner? How closely do the developers interact with the community? Do they accept pull requests? These are all important things to consider when choosing.

Degree of centralization
Here one of three options is possible:
- centralized: requires a server, can be blocked. Examples: VK, Telegram, Facebook;
- federated: a network of servers that communicate with each other. Canonical examples: email, Jabber (XMPP), Riot Matrix;
- decentralized (meaning P2P): each client is also a server.

Possibility of anonymous registration and use
For some services a phone number is needed only at registration, to protect against spam, so it is very easy to get by with an SMS number rental service. In other cases the messenger is tightly bound to the phone number. This is bad because, if two-factor authentication is not enabled, anyone who gains access to that number can log in to the account and leak all the data. And even if two-factor authentication is enabled, it is still possible to delete all data from the account. And, of course, a phone number effectively counts as registering with your passport (we go by the realities of the Russian Federation; we have no others to offer). But it is not all so bad. There are messengers that allow you to register using a mailbox or a social network account. There are also those where an account can be created in the messenger itself without being tied to anything.

Presence of End-to-End Encryption (E2EE)
Some messengers have this feature enabled by default, in others it can be switched on, and there are also those where end-to-end encryption is simply not present.

Synchronization of E2EE chats
Again, this feature is not yet as common as we would like it to be. Its presence greatly simplifies life.

E2EE fingerprint verification notification
When an E2EE chat is started, some messengers prompt the user to verify the other party's fingerprints, while others do not offer it openly. And not all messengers have a fingerprint verification feature at all.

Banning screenshots of secret chats
Not the most useful feature, because to bypass the ban you just need, for example, to have a second phone handy.

Group E2EE chats
Group E2EE chats are usually not an essential feature, but they are quite handy. The "more than two, talk out loud" rule should be left for children.

Notification to verify E2EE fingerprints in group chats
When a new participant whose fingerprints have not been verified is added to a secret group chat, not all messengers prompt the others to verify that participant's fingerprints. Because of this omission, the point of secret chats is lost.
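The client-side logic behind the two fingerprint criteria above, as an added example that is not taken from any messenger's code: a contact counts as verified only while the key in use matches the fingerprint confirmed out of band, and a group send lists every member for whom that is not true. The fingerprint format (truncated SHA-256), the TrustStore class and the sample keys are assumptions made for illustration.

```python
import hashlib

# Constructed sample identity keys (placeholder bytes, not real key material).
ALICE_KEY = bytes(range(0, 32))
BOB_KEY = bytes(range(32, 64))
REPLACED_KEY = bytes(range(64, 96))  # a different key later served for "alice"

def fingerprint(public_key: bytes) -> str:
    """Assumed format: first 128 bits of SHA-256, shown as 4-hex-digit groups."""
    digest = hashlib.sha256(public_key).hexdigest()[:32]
    return " ".join(digest[i:i + 4] for i in range(0, 32, 4))

class TrustStore:
    """Remembers which contact keys were confirmed out of band (QR scan, call)."""

    def __init__(self):
        self._seen = {}      # contact -> fingerprint of the key currently in use
        self._verified = {}  # contact -> fingerprint the user confirmed

    def observe(self, contact: str, public_key: bytes) -> str:
        """Record the key delivered for a contact: 'new', 'unchanged' or 'changed'."""
        fp = fingerprint(public_key)
        previous = self._seen.get(contact)
        self._seen[contact] = fp
        if previous is None:
            return "new"
        return "unchanged" if previous == fp else "changed"

    def mark_verified(self, contact: str, out_of_band_fp: str) -> bool:
        """Accept verification only if the compared value matches the key in use."""
        if self._seen.get(contact) != out_of_band_fp:
            return False
        self._verified[contact] = out_of_band_fp
        return True

    def is_verified(self, contact: str) -> bool:
        fp = self._seen.get(contact)
        return fp is not None and self._verified.get(contact) == fp

def members_needing_warning(store: TrustStore, members: list) -> list:
    """Group members the client should flag before sending an E2EE message."""
    return [m for m in members if not store.is_verified(m)]

def demo():
    store = TrustStore()
    store.observe("alice", ALICE_KEY)
    store.observe("bob", BOB_KEY)
    store.mark_verified("alice", fingerprint(ALICE_KEY))  # compared in person
    before = members_needing_warning(store, ["alice", "bob"])
    event = store.observe("alice", REPLACED_KEY)  # key replaced after verification
    after = members_needing_warning(store, ["alice", "bob"])
    return before, event, after

if __name__ == "__main__":
    print(demo())
```

A key change invalidates the earlier verification, so the previously verified contact is flagged again until the new fingerprint is compared.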
Social graph protection
Some messengers collect user contact information and other data, such as who the user called and how long they talked. There is an interesting post on this topic.

WWW
We have selected only some of the criteria that may play a role when choosing a messenger. There are others, but they are not always related to security. A group of scientists from European universities has nicely laid everything out in their paper Obstacles to the Adoption of Secure Communication Tools (PDF). Also, it is always useful to get to know the results of an independent audit if there are any. For example, in the case of Signal, we did an independent audit (PDF).
TELEGRAM

License: formally GPLv3. However, an important part of the development is closed. If you look at the repositories, you can see that lately there has been some activity only in the web version. Alas, as it stands, it is more of an illusion of openness
Degree of centralization: centralized
Ability to register and operate anonymously: none
Availability of E2EE: implemented, but as an add-on. Chats are not encrypted by default
E2EE chat synchronization: no. A secret chat can only be used from one device; it will not be accessible from another
E2EE fingerprint verification notification: no. Users can go into the settings themselves to compare fingerprints
Prohibit screenshots of secret chats: yes, but it does not work on all devices
E2EE group chats: no
Social graph protection: no

The messenger created by Pavel Durov's team is based on MTProto encryption technology. At the moment, it is partially blocked in Russia, but the blocking is a topic for a separate conversation. The messenger is controversial. There is a lot of noise around it, but is it justified? There is no source code access, chats are not encrypted by default, there is no social graph protection (all your contacts are stored on Telegram servers), there are no group E2EE chats, E2EE chats are not supported in the desktop version, only in the mobile one, the messenger is centralized, messages are stored on the server (and, as already mentioned, not encrypted), and with all that, there is no possibility of anonymous registration.

If you want to use Telegram, remember to create secret chats to protect your correspondence. In the mobile version, you need to select the New Secret Chat command to do this. Of the desktop versions, only some (such as one of the two macOS clients) support secret chats. In a secret chat, messages are encrypted and are not stored on the messenger's servers. You also can't take a screenshot of a secret chat, but nothing prevents anyone from photographing the screen with a second phone.
SIGNAL

License: AGPLv3
Degree of centralization: centralized
Ability to register and operate anonymously: none. Other than the phone number, there are no other options
Availability of E2EE: yes
E2EE chat synchronization: yes
E2EE fingerprint verification notification: no. Users are offered to scan QR codes from each other or compare fingerprints
Prohibit screenshots of secret chats: can be switched on or off
E2EE group chats: yes
Notification to verify E2EE fingerprints in group chats: no
Social graph protection: yes

Signal messenger is developed by the American startup Open Whisper Systems, which, apart from two founders, employs only a few people. Signal Protocol, a cryptographic protocol created specifically for it, is used to encrypt messages. It is used for end-to-end encryption of calls (voice and video) as well as ordinary messages. Signal Protocol has since been used by other messengers: WhatsApp, Facebook Messenger, Google Allo. It would seem that in this case any messenger could become as secure as Signal. But as practice shows, it is not so. Unlike Signal, where encryption is enabled by default, it is disabled in these messengers. In order to enable it, you need to activate Secret Conversations in Facebook Messenger and Incognito Mode in Google Allo.

Although Signal is centralized, the code is open source and distributed under a free license. Signal supports E2EE group chats, social graph protection and timed disappearing messages. However, you should not confuse protection with anonymity. Signal is not anonymous: when registering, you need to specify your phone number, to which the messenger is tied. As for disappearing messages, this trick is also found in other messengers, such as Viber and Telegram (in the secret chat menu, you need to select the Set self-destruct timer command).
VIBER

License: proprietary
Degree of centralization: centralized
Ability to register and operate anonymously: by phone number only
Availability of E2EE: yes, by default. There are also secret and hidden chats that provide extra security
E2EE chat synchronization: no. A secret chat created in the mobile version is not shown in the desktop version
E2EE fingerprint verification notification: no
Prohibit screenshots of secret chats: yes
E2EE group chats: yes
Notification to verify E2EE fingerprints in group chats: no
Social graph protection: no

Viber is an interesting messenger. On the one hand, it's proprietary, centralized, ties only to a phone number and doesn't provide social graph protection. On the other hand, end-to-end encryption is based on the Signal protocol and is enabled by default, even in the desktop version. For added security, there are secret chats with the ability to communicate as a group. Secret chats allow you to set a self-destruct timer for each message: it will be deleted after a set time from your device and from all recipients' devices. Secret chat messages are protected from forwarding, and screenshots are either banned or leave a notification on the chat screen.

To join a secret chat you need to open a chat with a user and select 'Join Secret Chat' from the menu. Such a chat will be marked with a lock. Additionally, Viber allows you to create hidden chats. To access such a chat, you will need to enter the PIN code you have previously set. This is additional protection in case the phone falls into the wrong hands. To verify fingerprints, it is suggested that you call the other party, give your ID and then confirm that it is correct, but there is no notification that this is necessary for your own security.
WHATSAPP

License: proprietary
Degree of centralization: centralized
Ability to register and operate anonymously: phone number only
Availability of E2EE: by default
E2EE chat synchronization: yes
E2EE fingerprint verification notification: only when the other party's key changes. For the notification to come, you need to go to the settings and enable this function. There is no notification when you start a chat
Prohibit screenshots of secret chats: no
E2EE group chats: yes
Notification to verify E2EE fingerprints in group chats: no
Social graph protection: no

WhatsApp uses Signal Protocol, but that in itself makes no guarantees. Of course, this messenger is interesting because it doesn't store your messages on its servers. Instead, messages are stored on your phone or in cloud services that it syncs with (like iCloud). Also, E2EE is used by default, with support for group chats. However, although WhatsApp doesn't get the correspondence itself, its owners do have access to metadata, including phone numbers collected from the address book, the times messages and calls were made, and so on. Imagine that you called a phone sex line at 2:30 and your conversation lasted 24 minutes. Well yeah, no one will know exactly how the conversation went, but that's not really necessary in this case.

On top of that, WhatsApp collects tons of information about the user: their phone model, OS, browser info, IP address, mobile number, and so on. Add to that the proprietary code, and you get something that is a far cry from anonymity. Maybe no one will intercept your messages, but the messenger itself will know a lot about you.

INFO
End-to-end encryption is no guarantee that your messages won't be intercepted. It can be bypassed or some kind of vulnerability can be exploited, as was already the case with WhatsApp.
BRIAR

License: GPLv3
Degree of centralization: decentralized
Ability to register and operate anonymously: yes
Availability of E2EE: yes, by default
E2EE chat synchronization: no
E2EE fingerprint verification notification: when adding a contact, it is necessary to scan the other party's QR code from the screen of their phone; there is no other way to add a contact. We count this as having the notification
Prohibit screenshots of secret chats:
E2EE group chats: yes
Notification to verify E2EE fingerprints in group chats: only contacts whose QR codes have been scanned can be added to a group chat. We count this as having the notification as well
Social graph protection: yes

Briar is not a very popular messenger: probably not even all our readers know about it. But it's good: it's based on decentralized mesh technology, and it can work via Bluetooth or Wi-Fi directly or via the Internet (in the latter case it will connect via Tor). Briar is open source, registration and use are anonymous, and chats are encrypted by default and not stored on Briar servers, so your messages are stored, in encrypted form, only on your phone. There is social graph protection (nobody leaks your address book to anybody). There are group E2EE chats, but no synchronization of E2EE chats between devices, because you cannot use the same account on different devices.

Against the background of all the other messengers, Briar looks very good if you want anonymity of communication. But it has some disadvantages: there is no iPhone version and no voice calling. Even if you can put up with the lack of calls, without a version for one of the major platforms your circle of contacts will be even narrower.
TAMTAM

License: proprietary
Degree of centralization: centralized
Ability to register and operate anonymously: registration via Google mail or Odnoklassniki is possible
Availability of E2EE: no
Social graph protection: no

When "TamTam" was created, nobody put an emphasis on security, and you should keep this in mind. The only thing that may attract attention to it is the possibility of registration via Google mail or Odnoklassniki. However, message encryption is not supported (or the developers do not report it), and there is no social graph protection. That is, no matter how you sign up, it will still be clear who you are without additional measures. In general, this messenger is not suitable even as a replacement for Telegram, despite all the aspirations of its developers.
VKONTAKTE

License: proprietary
Degree of centralization: centralized
Ability to register and operate anonymously: phone number only
Availability of E2EE: no
Social graph protection: no

Again we pass by: hardly anyone in their right mind would think of using Vkontakte as a means to communicate anonymously. Messages are stored on the social network's servers, there is no encryption, and registration is by phone number only: basically, the full set of things we're trying to avoid here.
JABBER (OMEMO)

License: various free licenses
Degree of centralization: federated
Ability to register and work anonymously: yes. Registration with a mailbox, Facebook or Twitter account
Availability of E2EE: yes. The OMEMO add-on is required
E2EE chat synchronization: yes
E2EE fingerprint verification notification: no notification, but the possibility exists
Prohibit screenshots of secret chats: no
E2EE group chats: yes
Notification to verify E2EE fingerprints in group chats: no
Social graph protection: no

Old Jabber may look out of place in the company of modern messengers with fun stickers and voice calls, but it is still largely irreplaceable in terms of privacy. It's federated and supports anonymous login and E2EE (you need the OMEMO extension), including in group chats. Yes, the capabilities aren't mind-boggling, but Jabber is time-tested and has implementations on every possible platform: ChatSecure for iOS, Conversations for Android, Pidgin for Linux and so on. The list is huge.
RIOT (MATRIX)

License: Apache
Degree of centralization: federated
Ability to register and operate anonymously: yes
Availability of E2EE: yes, by user choice
E2EE chat synchronization: yes
E2EE fingerprint verification notification: yes
Prohibit screenshots of secret chats: no
E2EE group chats: yes
Notification to verify E2EE fingerprints in group chats: yes
Social graph protection: yes

What the creators of this messenger are good at is coming up with cool names. In fact, Matrix is a communication protocol, and Riot is a client application (there are others, including one for the console). You can use the web version as well as the apps for iOS and Android. Overall, this is another little-known federated messenger with support for and synchronization of E2EE chats, including group chats. Registration is anonymous, with no link to a mobile phone number or email. Voice and video calls are supported.

Encryption of messages in Riot can be enabled or disabled; a lock icon next to the message sending field indicates its state. Also, if a user whose devices have not been verified by the others appears in a secret group chat, the chat participants will see a message about it when they try to send a message. Overall, Matrix looks like an interesting option; the only things that may give pause are its novelty and the fact that it uses a protocol of its own.

INFO
Group chats always have less security due to a simplified key distribution mechanism.
TOTALS

We will not recommend any messenger. We have provided you with all the data and the choice is yours, especially since there are many to choose from. The table below will help you to do so.