Why I told my friends to stop using WhatsApp and Telegram
Romain Aubert

It is always interesting (or rather entertaining) to read articles about security and mobile chats. I tend to favour real encryption (end-to-end), so these articles are useful.

However, I have probably been trying more of these than the average person, and not just “trying” but actually trying to get people to use them for normal things and not just testing. (As a sidenote: I did not try non-free programs, so Threema and the like are out of scope.)

The main result was that it is not enough to have strong security, or often it’s not even important to the average people you’re communicating with; what matters most is features and even more importantly usability. While security awareness is almost extinct, people want nice and easy-to-use interfaces, cross-compatibility, multidevice access, and that’s exactly where the best programs are failing. Signal probably reaches the bar of usability, it works (barely, from the usability point of view), its [non-security] features are few and lacking [and they happily ignore feedback regarding that] but provide the bare minimum; others, like Tox, are well below usability requirements (but offer security assurances well beyond the usual bunch, like no central servers, anon participants and untraceable metadata, like Tor based chats). People simply don’t use it due to the ugly interface and lack of features. Still, these are open-source code, which is best security-wise. So if you can: use Signal or (an)Tox or XMPP+OTR/OMEMO (like Conversations).

Open source ends around here. All following are closed, stating unverifiable claims about their security. (As a sidenote, the Signal protocol isn’t really “open” in the “open standards” sense, as it’s been repeatedly mentioned that it’s unimplementable without reverse engineering Signal code, and there has been legal wrangling between implementors and OWS.)

Security-wise, Wire would be nice if only its interface wasn’t absolutely crappy, but it does have potential.

Wickr seems to be interesting but I don’t quite find compulsory message destruction useful to me.

As the list of “non-metadata invasive code” ends, we reach the “metadata risky” bunch. I have to partially disagree regarding Telegram, since its secure chat feature is believed to be pretty secure, bar the not-quite-as-secure-as-they-wished crypto they are using (which is pretty much still good unless you’re against the NSA or the GRU). The usability is also pretty good. My current preferred application for secure chats would be WhatsApp due to its easy-to-use interface, good crypto and wide availability, and I don’t quite worry about traffic analysis in chats, apart from that they may not even do that.

That’s the point where end-to-end ends (haha); from here your messages are visible to the server operators. Still, it’s worth mentioning that this is still better than using the dubious “security” of some chat where literally anyone can read the messages, including your local, possibly resource-bound national government.

Telegram (normal chat) is still pretty good, as well as most Google stuff (Hangouts), since they’re at least properly encrypted and their intentions are — despite what people would like to assume — not evil. (FaceTime has been mentioned in my list but I haven’t tried it honestly: it’s been said to be somewhat secure but lacking identity verification.)

Unlike the next bunch, which I only mention to show that I’m aware of their existence but… Viber, Facebook Messenger, Skype, Snapchat, these are all “said to be” smoke-and-mirrors. I say that since I am no security auditor, they are all closed source and all I know is that the net is full of “capture ZZZ messages” programs, and the companies behind these are considered distrusted by me.

As a summary: for the Snowden Business™ use Signal or Tox. For everyday chat use Wire, Conversations (XMPP+OMEMO, if you don’t need audio/video, but then you can use SIP+ZRTP+SRTP) or WhatsApp (if you do), or Telegram secure chats (if you fancy graphics).

Don’t take me as a professional opinion, even if I sound like one.

