Semaphor: Pros & Cons.

Our specifications sheet:

  • End-to-end, zero-knowledge encryption (note 01).
  • Open-Source (note 02).
  • Administration of users (note 03).
  • Resistance to state-sponsored criminals (note 04).
  • Cost-effective for large user base (note 05).
  • Multi-platform (note 06).
  • Own business domain (note 07).

Semaphor is the leading collaboration tool for groups, whether they are personal or business related. The application allows users to confidentially message, chat, or share files through file encryption, ensuring that there can be no eavesdroppers on the transfer of information. SpiderOak, Semaphor’s parent company, has held the market for users concerned about spyware or malware, primarily because of its reliable encryption.

Advantages of using Semaphor:

  • It has a zero-knowledge central server, meaning data is encrypted as it passes through (note 01).
  • There are no passwords to remember to make it easier to use.
  • Every message and shared file is encrypted, making it secure. The chat is encrypted before the message is sent to other users (note 01).
  • Reviewable source code (note 02 and screenshot 01).
  • Unlimited teams and unlimited available channels (note 03 and screenshot 02).
  • You can upload several files at the same time.
  • You can also start downloading a file before it has even finished uploading from another user’s device.
  • A user does not see all of the channels, only the channels s/he is invited into (note 03 and screenshot 03).
  • You can remove members from a channel as needed. (Screenshot 04)
  • The app is available for both desktop and mobile (note 06).
  • It allows you to create public groups as well as auto-accept any join requests (note 03 and screenshot 05).
  • You can remain anonymous since you can join with an email address or a username.
  • It will save messages for 30 days and then delete them.
  • Bots and integrations are also supported as needed by the users.
  • There is a built-in search engine offered (note 08 and screenshot 06).
  • You can easily add a new device with its bar code scanning feature (note 09 and screenshot 07).
  • It allows you to verify addressees by fingerprinting devices (note 10 and screenshot 08).
  • If you change your profile settings, all devices will update with new information. (Screenshot 09)
  • It offers the same features on all types of operating systems, meaning you do not have to adapt to work in another OS (note 11).
  • Semaphor offers both mobile and desktop apps for Windows, iOS, and Android operating systems.

Disadvantages of using Semaphor:

  • It has no app locks, meaning the app is not password-protected if another user picks up the device. Fingerprinting is one solution against this.
  • It can be expensive to use, especially for large groups. At $9 per user/month it may not be cost-effective (note 05).
  • There is only 2 GB of file support available.
  • There are no notifications when there is a join request from new members. You must click on “team settings” to check for new join requests.
  • In order for a specific group member to receive a notification, you have to tag using @username in the message.
  • The desktop app allows for message notifications, but the mobile app will not give you push notifications for messages received. You have to go inside of the app to see if there are new notifications.
  • The app will not work as well on slower internet connections, running the risk of having one message posted multiple times.
  • It is also not always user-friendly. If you have not refreshed your screen, it may show members of the previous channel you were looking at rather than the channel you are currently in.
  • SpiderOak is known for its catchphrase of “zero knowledge”; however, that does not include zero knowledge web browsing or zero knowledge backup from mobile devices.
  • You also cannot upload pictures with end-to-end encryption or edit them from your mobile device.
  • The iPad app is portrait mode only; it doesn’t rotate to landscape.

How the Security Works:

  • Instead of a password, which could be forgotten by the user or potentially hacked by an outside source or state-funded criminal, Semaphor uses a key. The key is randomly generated and made up of random words. A password runs the risk of negating the encryption, so the service is safer without one.
  • Messages are instantly encrypted, meaning they are encrypted even before they leave the original device. This means that the encryption happens on the device itself.
  • You can view what devices have logged onto your account using your key.
  • SpiderOak does not retain any of your information, making it impossible for their system to be hacked. The service does not hold data at all, but instead encrypts any information or files passed between users.
  • If there is an attack on your account by a person or malware, the attacker will be locked out of all of the accounts related to your organization, not just the ones you have access to. This ensures he cannot breach any other accounts.
  • The encryption offered in the Semaphor app is more protected than information stored in a cloud. This is because a cloud is a server elsewhere that is holding onto your data. This app does not retain your data at all, but protects the sent data through your device.
  • You can only see the channels that you have been invited to, protecting the privacy of other channels.
  • Your persona can remain anonymous. Depending on the type of group you are a part of, you are only identified by a user name, which means that other members in the same channel will not know who you are personally, unless you have told them.
  • The encryption ensures that your data cannot be accessed even by state-sponsored criminals who could have otherwise illegally accessed your information.

Other ways you can protect your information:

  • You can start by using your own web domain. You can confirm that your VPN is not part of the 14 Eyes to ensure that you will not be spied on, not only by your own country but by any other country that participates in the UKUSA Agreement as well. These are the main countries that participate in the covert gathering of information on citizens around the world. Chances are that your information will pass through a server in one of these countries regardless, but if you can ensure that your traffic does not start there, you will be the most protected. The 14 Eyes include:
      • United Kingdom
      • United States
      • Australia
      • Canada
      • New Zealand
      • Denmark
      • France
      • The Netherlands
      • Norway
      • Germany
      • Belgium
      • Italy
      • Spain
      • Sweden
  • Use private browsing when you are hanging out online. This is a setting offered on all major web browsers. The privacy setting will delete cookies, temporary internet files, as well as your browsing history when you close the window, eliminating any link to what you were doing online.
  • You can hide your IP address. By using a VPN, your IP will be encrypted, making you an anonymous internet user.
  • You should also not provide social networks with all of your personal information, making it harder to find out your details.

Alternatives to Semaphor:

There are alternative apps on the market to Semaphor, but none have been proven to be as safe to use as Semaphor. Specifically, many of the apps are open source, making it possible for the original source code to be modified. Open source does, however, give you the option to change the app to meet your specific needs, which could mean an increase in security based on the user’s ability to modify code.

  1. Slack: This was the original popular secure group chat forum and is still available on the market; however, it does not have the “zero knowledge” cloud that SpiderOak is known for.
  2. Riot: Previously known as Vector, Riot is an open source app that works on all major operating systems. It does offer both public and private messaging and is end-to-end encrypted as well as decentralized.
  3. HipChat: A freemium service, like Semaphor and Slack, HipChat is an instant messaging app that is meant for teams to use within companies. It offers a chat history search as well as chat rooms and file sharing.
  4. Mattermost: Built on the model of Slack, Mattermost is an open source format. It markets itself as a Slack alternative, though much cheaper to use.
  5. RocketChat: RocketChat is essentially a clone of Mattermost and Slack, but younger in its development and also open source.

While the alternative apps do provide encrypted data options, they do not have the “zero knowledge” cloud offered by SpiderOak. A “zero knowledge” cloud means that even SpiderOak cannot decrypt any data that passes through it, ensuring that it is only readable between the sender and the recipient, not the channels it goes through. By not being able to read any data transmitted, Semaphor is the safest of the encrypted chat apps, protecting the messages you send as well as any files that are shared between users.

Screenshots:

01: Source code is also reviewable

02: Unlimited teams and unlimited available channels

03: A user does not see all of the channels

04: Remove members from a channel

05: Allows you to create public groups as well as auto-accept any join requests

06: Built-in search engine

07: Add a new device with its bar code

08: Verify addressees by fingerprinting

09: Change your profile settings

Notes:

(1) End-to-end encryption is achieved as follows:

  • No central server, data is downloaded to devices.
  • Every message & file is cryptographically secure.

(2) Open source code: Go to: https://spideroak.com/solutions/semaphor/source

(3) Administration of users:

  • You can create a new team or join a team.
  • You can create multiple channels and navigate through them.
  • The user can only see the channels he is invited to.
  • Create public teams & auto-accept join requests.
  • Go to: manage team — Permissions.

(4) Resistance to state-sponsored criminals: Police, prosecutors etc. Their crimes are “legal” since they’ve corrupted state institutions. They are the most dangerous sort of criminals, to an individual or to a country. If they’ve done something illegal, they can cover it up any way they like. They can intercept and read IMAP, POP3, TLS, SSL. They can spoof your email provider’s SSL certificate. They can have access to your SMS and emails, meaning a recovery option is often an easy attack possibility for them. That’s why you should always use encryption software, encrypt your devices, and buy hardware outside the country you operate in.

(5) Cost-effective for large user base: Not met. $9 per user/month is expensive for big teams.

(6) Multi-platform: For desktop, go to: https://spideroak.com/personal/semaphor. For Android, you can find it in Google Play.

(7) Own business domain: That one may present an attack opportunity to state-sponsored criminals through DNS records, so you must host your domain in a place that is going to protect access, not in the same country as your email provider. Look at states that are not part of the fourteen eyes with a record for respecting privacy and democracy. End-to-end protection provides the safeguard in case emails are intercepted.

(8) Built-in search engine: Works even offline.

(9) Easy to add new device with bar code scanning: No need to re-enter credentials.

(10) Can verify addressees by fingerprinting devices: List of verified addressees in the app’s settings.

(11) Same features on all types of operating systems: For example, you can accept a join request from a mobile device; you don’t need to use the desktop app to get some admin features.