Selecting a secure messenger

04-10-2021

Lately secure messenger have been becoming more popular because a certain rich guy tweeted about one. Many have since hopped on the secure messenger hype-train. Which one should you choose though? Should you choose the most popular one? The one Musk promoted? Or maybe the one you are already on is secure enough? Let's see.

Before we start, know that there's no perfect solution, everything will have some kind of problem and even if it doesn't humans are still in the equation so mistakes will always be present. Despite that there are obviously applications that are superior than others and the criteria are as follows:

1. Is the app open source?
2. How does it make money?
3. Does it have end to end encryption and how good is the encryption?
4. What is the jurisdiction?
5. Does it have forward secrecy?
6. Is it decentralized?
7. Can you sign up anonymously?
8. Is it end to end encrypted by default?
9. Does it leak metadata?
10. Has an audit been done on it?

1. The app being open source allows for one to look at the source code and validate that the app does not do anything spooky like send your messages directly to microsoft.
2. If the app makes money by selling your data obviously it's not good, something like donations is way better.
3. Some applications don't offer e2e encryption, only client to server encryption which allows the server to read all the messages, something that is not favourable, or maybe it does have e2eE but it's weak. An example is telegram which had developed it's own encryption standard and has been heavily criticized for flaws and poor security.
4. The jurisdiction of the app is important as if it's based in a country with heavy anti-privacy laws the devs might be forced by law enforcement to hand over user data or implement a backdoor.
5. Forward secrecy means that if a hacker can somehow acquire the key of a message and decrypt it he wouldn't be able to decrypt the next message using the same key, which makes encryption even stronger.
6. Decentralization is the concept of no central authority controlling the network of the app. This is good for the reason that if the entity that controls the 1 and only server of a centralized app decides to censor someone they can do so freely. On xmpp for example anyone can host their own xmpp server which is very good.
7. Anonymity is really important to privacy and security, however phone numbers and emails can link you to your identity. Services that advertise themselves as privacy respecting yet require a phone number, are really suspicious.
8. Many users use the defaults, like windows which is preinstalled to every machine, many people still use internet explorer, why? Because it's preinstalled on their machine. For the same reason my will not use e2eE if it's not on by default.
9. Metadata is data about the actual data like time, location, sender, receiver etc. Metadata might not sound bad but it can actually be deadly, you can construct relationship maps only with metadata, guess pretty accurately the contents of a message just by looking at the dates and the 2 people between. For example if the 2 people are indian and the message was sent in the morning then the content is probably one of their infamous good morning messages.
10. Lastly audits are really useful because they are actual tests done by experts that tell you if the app is secure or not.

Based on the criteria I layed out the best messenger would probably be Briar. However Briar is very user unfriendly, it lacks a lot of features and is hard to use. It's still highly recommended though, you can't get more secure that Briar. What I personally use is XMPP, the only criteria it doesn't meet is that not all clients had an audit performed on them and a bit of metadata can be viewed. Matrix is also ok but more metadata is leaked and it's not completely decentralized as the matrix.org server pretty much gets a copy of all the messages, still encrypted though. Session is another pretty good recommendation the cons of it are: no forward secrecy, based in autstralia which has some pretty bad privacy laws and many have criticized it for being built on top of blockchain. Last suggestion is Deltachat which is a client for email that encrypts your emails and displays them to you like instant messages. Cons are metadata leaks because email, and no security audit.

Why I don't like signal

Signal is what many decided to adopt, it's probably the most user friendly secure messenger. I don't like signal because it needs a phone number, is centralized, is in the US which is a part of the 5eyes and it's developers have displayed some shady behaviour. More concretely the source code for the server was not updated for about a year and then the developers dumped a year's worth of updates in a day. They do not allow third party clients or servers and don't have the app in the fdroid store, saying it's more secure this way which is not true. Lately there was word about integrating a crypto coin to signal which was created by the ones behind signal wishing to make a profit. You can still choose to use it but this is my stance on it and why I don't want to use it.

TLDR

Use Briar if secrecy is your #1 priority followed by Xmpp and Deltachat and last place matrix and Session. Don't use telegram and signal. Obviously the results are my opinion, choose what you want to use but I hope this will help you to make an informed decision.

Links

• What to Look for in a Secure Privacy Focused Messaging App
• Signal's Terrible MobileCoin Betrayal
• Matrix vs. XMPP: Which is Better for Actually Secure Messaging? (Unlike Telegram, Whatsapp, etc.)
• Best Secure Instant Messaging Apps for 2021
• BEST Encrypted Messaging Apps of 2021: Chat Privately!
• Top 5 BEST Messengers For Privacy & Security!
• Matrix? No, thanks.¶