Choosing a Secure and Private Chat

Everyone uses one or two or eight of them in their daily lives. They’re used for everything ranging from the usual chitchats to R&D ChatOps to serious, sensitive business matters. Chats are often chosen by intuition and feeling rather than by properly studying how they work and whether they are trustworthy.

Have you ever considered what the core differences between two chats are, apart from their name and icon? Did you know that collaboration tools like Slack work very differently from the security- and privacy-focused Signal?

By reading this article you will gain valuable insight into evaluating the various chat clients you are using. You will learn about encryption, metadata, forced registrations and phonebook access, among other topics.

Comparing popular alternatives

In a recent project of ours we needed a secure and private, easy and fast to set up communication channel between multiple organisations. While there are quite a few chat clients and services available, we picked out seven popular options as our starting point.

  • Messenger (Facebook)
  • Signal
  • Skype
  • Slack
  • Telegram
  • WhatsApp
  • Wire

Yes, there are others such as Threema, iMessage, Wickr, Allo, Riot, Hipchat, Discord, Snapchat etc. You should evaluate them critically if you are using one.

Instead of making complex feature matrixes and clear recommendations, we set out to expand on some of the topics we considered important. Let’s start by filtering out the chosen chat clients by our requirements, starting from the most critical needs of security and privacy.

Round 1. End-to-end encryption, enabled by default

Most chats are indeed encrypted, but encryption can be confusing as there are multiple terms in use. You might have seen the terms in-transit encryption, at-rest encryption and end-to-end encryption.

In-transit encryption means the data is encrypted whenever it’s being sent over the network; e.g. when it gets transferred to the cloud and back to your device.

At-rest encryption means that the data is encrypted when it’s stored; for example on cloud server hard drives or in your phone’s storage.

End-to-end encryption (E2EE) means that the particular discussion is encrypted with the participants’ unique encryption keys and is thus decryptable and readable only by the participants. Without end-to-end encryption the discussion gets encrypted, but with a key that is known by 3rd parties, not just the message sender and recipients. This makes it possible for Someone Else Than You to decrypt, open, read and tamper with the messages.
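The difference comes down to who holds the key. The sketch below is an added example, not code from any of the chat services discussed: it uses a toy encrypt-then-MAC construction from the Python standard library as a stand-in for a vetted cipher, and assumes the two participants have already agreed on a key.

```python
import hashlib
import hmac
import os

def _subkey(key, label):
    return hashlib.sha256(label + key).digest()  # separate enc / mac keys

def _keystream(key, nonce, length):
    # Toy keystream (SHA-256 in counter mode), a stand-in for a vetted cipher.
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(length // 32 + 1))[:length]

def seal(key, plaintext):
    """Encrypt-then-MAC. Returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_sealed(key, blob):
    """Check the tag, then decrypt. Raises ValueError on wrong key or tampering."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("authentication failed")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))

def can_open(key, blob):
    try:
        return open_sealed(key, blob) is not None
    except ValueError:
        return False

def server_side_model(message):
    """In transit + at rest: the service holds both keys, so it sees plaintext."""
    transit_key, storage_key = os.urandom(32), os.urandom(32)  # both held by the server
    at_server = open_sealed(transit_key, seal(transit_key, message))  # client -> server
    return open_sealed(storage_key, seal(storage_key, at_server))     # stored, still readable

def e2ee_model(message):
    """E2EE: the key exists only on the participants' devices (assumed pre-agreed)."""
    participants_key, server_key = os.urandom(32), os.urandom(32)
    blob = seal(participants_key, message)        # all the server ever relays or stores
    tampered = blob[:16] + bytes([blob[16] ^ 1]) + blob[17:]   # one bit changed en route
    return {"server_can_read": can_open(server_key, blob),
            "tampered_accepted": can_open(participants_key, tampered),
            "recipient_reads": open_sealed(participants_key, blob)}
```

In the first model the service recovers the plaintext even though the message was encrypted on the wire and on disk; in the second it holds only a blob it can neither open nor alter unnoticed.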

TL;DR — We need end-to-end encrypted chats.

Disqualified

  • Messenger (Facebook)
  • Slack
  • Skype
  • Telegram

Slack does not support end-to-end encryption. Data is encrypted in transit and at rest on Slack servers, but not end-to-end. With no end-to-end encryption in place, Slack can offer “fun” features such as exporting all chat contents, including one-to-one direct messages, of all Workspace users.

Messenger, Skype and Telegram have an option to switch on “Private conversation” and “Secret chat” on a chat-by-chat basis. These chats are end-to-end encrypted. This behaviour is not enabled by default and cannot be configured to be always on.

End-to-end encrypted private conversations in Messenger, Skype and Telegram are enabled between the two devices used to initiate the “Secret chat”. This makes it impossible to continue the same chat with another device, such as when switching from mobile to laptop. Instead, users need to start another Private chat with the new devices, so “Secret chats” are not persistent over different devices.

“Secret chats” in Messenger, Skype and Telegram are between two people only. There’s no concept of end-to-end encrypted group chats.

Continuing to next round

  • Signal
  • WhatsApp
  • Wire

For our use case we felt having end-to-end encryption was critical. All of these three have E2EE enabled by default and are capable of E2EE group chats.

Round 2. Respect the privacy: Metadata

While the exact contents of the discussion can be end-to-end encrypted, some of the chat services collect metadata associated with the chats. This metadata can be made available to 3rd parties.

In his article “Why metadata matters”, Kurt Opsahl gives a few examples of what this metadata could reveal (e.g. to a government entity), without revealing the exact communication details:

“They know you called a gynecologist, spoke for a half hour, and then called the local Planned Parenthood’s number later that day. But nobody knows what you spoke about.”
“They know you rang a phone sex service at 2:24 am and spoke for 18 minutes. But they don’t know what you talked about.”
“They know you called the suicide prevention hotline from the Golden Gate Bridge. But the topic of the call remains a secret.”
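To make this concrete, the added example below (not from the original article) builds a per-sender profile from the kind of records a relay server could keep for end-to-end encrypted messages. The records, phone numbers and IP addresses are constructed sample values, and the field names are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample of what a relay server could log for E2EE messages.
# "body" is opaque ciphertext; everything else is metadata. Phone numbers and
# IP addresses are fictional/documentation values.
RECORDS = [
    {"from": "+12025550101", "to": "+12025550147", "ts": "2018-04-02T02:24:00",
     "ip": "198.51.100.7", "body": b"\x8f\x11\xa3\x5c"},
    {"from": "+12025550101", "to": "+12025550199", "ts": "2018-04-02T09:10:00",
     "ip": "198.51.100.7", "body": b"\x02\xee\x41\x90"},
    {"from": "+12025550101", "to": "+12025550147", "ts": "2018-04-03T23:05:00",
     "ip": "203.0.113.20", "body": b"\x7a\x00\xc4\x19"},
    {"from": "+12025550147", "to": "+12025550101", "ts": "2018-04-03T23:06:00",
     "ip": "192.0.2.55", "body": b"\x55\x9d\x10\xfe"},
]

def metadata_profile(records):
    """Per-sender profile built without ever reading r["body"]."""
    profiles = defaultdict(lambda: {"contacts": Counter(), "ips": set(),
                                    "timeline": defaultdict(list)})
    for r in sorted(records, key=lambda r: r["ts"]):
        when = datetime.fromisoformat(r["ts"])
        p = profiles[r["from"]]
        p["contacts"][r["to"]] += 1             # who talks to whom, and how often
        p["ips"].add(r["ip"])                   # network locations used
        p["timeline"][when.date().isoformat()].append(
            (when.strftime("%H:%M"), r["to"]))  # ordered contacts per day
    return profiles

def most_contacted(profiles, sender):
    """Return (contact, message_count) for the sender's most frequent contact."""
    return profiles[sender]["contacts"].most_common(1)[0]
```

Combined with a directory that maps numbers to names or organisations, the per-day timeline is exactly the "called X, then Y later that day" pattern from the quotes above.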

Disqualified

  • WhatsApp

WhatsApp collects and stores metadata including IP addresses and phone numbers associated with the discussions, timestamps, location and contacts data. It also collects users’ phonebook contents periodically and stores the data on its servers. More about sharing your phonebook contacts in a later chapter.

Also, all of the previously disqualified chats collect metadata.

Continuing to next round

  • Signal
  • Wire

It’s worth mentioning that, according to Joseph Cox / Motherboard, Wire collects the IP address and timestamp of every newly registered client (device), and contacts if you allow access (see Access to Phonebook below).

Round 3. Forced registration with a phone number or email address

Most of the chats rely on some kind of user ID. In most cases, it’s mandatory to register with a real phone number or an email address, thus limiting anonymity.

Signal requires a real phone number for registration. It verifies the phone number with a code, so you must be able to receive SMS messages with the number.

Wire requires either a phone number or an email address. It also verifies with a code similar to Signal.

It’s possible to circumvent these limitations with a prepaid SIM card or a disposable email service such as Mailinator, Temp Mail or Guerrilla Mail. Some services try to prevent the use of disposable emails, but in our test Wire worked happily with Mailinator.

Tie — Continuing to next round

  • Signal
  • Wire

Round 4. Access to Phonebook

Nearly all chat clients try to access your contacts the first time you start them up. This is to make it easier to see who’s using the chat, who’s online etc. Operating systems notice this and allow users to control the access.

By sharing your contacts you expose other people’s private information to third parties and furthermore extend your trust to the service. The other way around, if someone you know shares their phonebook contacts with a service, the service gains information about you, even when you have never heard of it before, let alone used it.

Both Signal and Wire ask for permission to access the phonebook to pre-populate your contacts but neither forces you to do so. If you deny the access, you can still use the apps and add individuals manually with either their username, email address or phone number. Some services such as WhatsApp refuse to work and make it impossible to use the service without the access to your phonebook.

Protect your own privacy and the privacy of others.

Tie – Continuing to next round

  • Signal
  • Wire

Round 5. Two Factor Authentication (2FA) support

Two Factor Authentication (2FA) adds another layer of security to your user account in addition to a password.

2FA can be, for example, a six-digit code sent to you as an SMS message, a code generated by tools such as Google Authenticator, or a physical device such as an RSA SecurID token. You are most likely familiar with the concept from online banking, with the bank identifier number sequences.

Signing in to a service with 2FA requires you to input your username and two secrets: password and the 2FA code.
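As an added illustration (not code from the article or from any of the services named), here is how a server can check both secrets when the second factor is a time-based six-digit code of the kind authenticator apps generate (RFC 6238 TOTP). The account record, user name, password and shared secret are constructed sample values.

```python
import hashlib
import hmac
import struct
import time

def hotp(secret, counter, digits=6):
    """RFC 4226 one-time code for a given counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret, now=None, step=30):
    """RFC 6238: the counter is the number of 30-second steps since the epoch."""
    now = time.time() if now is None else now
    return hotp(secret, int(now // step))

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed account record; user name, password and secret are sample values.
USERS = {"alice": {"salt": b"constructed-salt",
                   "pw_hash": hash_password("correct horse", b"constructed-salt"),
                   "totp_secret": b"12345678901234567890"}}

def verify_login(user, password, code, now=None, window=1, step=30):
    """Accept only if BOTH secrets check out: the password and the current code."""
    record = USERS.get(user)
    if record is None:
        return False
    pw_ok = hmac.compare_digest(hash_password(password, record["salt"]),
                                record["pw_hash"])
    now = time.time() if now is None else now
    counter = int(now // step)
    # Allow +/- `window` steps for clock drift between phone and server.
    code_ok = any(hmac.compare_digest(hotp(record["totp_secret"], counter + d).encode(),
                                      code.encode())
                  for d in range(-window, window + 1))
    return pw_ok and code_ok
```

A production check would also reject a code that has already been used and rate-limit failed attempts.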

Neither Signal nor Wire supports 2FA.

Edit: As our reader Sysadming helpfully pointed out, Signal has support for Registration Pin Lock which is effectively 2FA. Detailed discussion can be found in the responses.

Some of the previously disqualified chats such as Slack and Telegram have support for 2FA.

Tie — Continuing to next round

  • Signal
  • Wire

Round 6. Cost and ease of access

As a Corporation employee, it might be cumbersome to get an expense report through and even the smallest cost can cause friction and uncertainty. Our use case required that users from multiple organisations can easily come and go, so we can’t afford to have any friction in the rollout.

All of the mentioned chat clients including Wire and Signal are free to download and use.

Wire and a few others have subscription based enterprise functionalities available for 💸. Signal does not have any enterprise offering we know of.

Tie — Continuing to finals

  • Signal
  • Wire

Final round!

Both of the remaining contestants are good citizens: Signal and Wire are secure and private. But as said in the beginning, there is not going to be a clear recommendation at the end.

Anticlimax-y much? Hope not.

We set out to enlighten ourselves and you on how to evaluate different chat services’ security and privacy. At first, most chats seem very similar, but after eating the red pill it becomes easier to spot fundamental differences between them.

This article only scratched the surface, but you should now have a better understanding and tools to evaluate your own standing. Privacy and security matter. What chat is used should be a conscious choice based not on intuition, but information. An informed choice.

Closing words

For the use case specified at the beginning, “secure and private, easy and fast to set up communication channel between multiple organisations”, we are going to use Wire. The choice will be re-evaluated from time to time, as things tend to change over time.

In the daily life at our company Badrap we use not one, but two chats simultaneously. They are used for two different purposes and complement each other. Slack is used for collaboration due to its excellent integrations to 3rd party services like GitHub. Wire is used for private 1:1 and group conversations.

It may sound like there’s overhead and cognitive load, but it seems to be intuitive when you have set clear context for each. There’s little to no “what chat should I use now”. One just automatically switches between.

We never share any sensitive, personal or private information in Slack.

We believe non-end-to-end encrypted chats need an E2EE side channel for private and sensitive matters.

What’s your take?

We hope you found the article useful. We’re interested if you had considered the differences before and whether we missed something that should’ve been told, but wasn’t.

Edit 2018-05-07: Added Signal 2FA mention.