EFF Creates a Messaging Scorecard for IM and Text Security

The Electronic Frontier Foundation has posted a new scorecard for messaging apps. It measures how the different messaging systems compare to one another with regard to security and trust. They used the same general metrics that we use to weigh our own VPN service against other services.

The metrics used to measure how effective a messaging app was at privacy were:

Is the data encrypted in transit? This means that they are evaluating if your messages leave your device in a secure format, so that anyone that happens to be between you and the person you are messaging cannot decipher the message.

Is the data encrypted so that the provider can't read it? This is an important distinction because if the keys are not generated by the device you are using, and the keys are generated by the servers at the company that runs the messaging service, they still have access to your messages because they have the keys to decrypt them.

Can you verify contacts identities? Does the messaging app have a way to verify that you are indeed talking to the person that you intend to.

Are past communications secure if your keys are stolen? This is important because it deals with your device being stolen and used to decrypt your messages. If your device doesn't use throwaway keys (often called ephemeral keys) then it is vulnerable to being decrypted by an attacker.

Is the code open to independent review? This is absolutely crucial. If the code is not open-source then there is no reason to trust that the code does not contain bugs or serious vulnerabilities that the security community does not have an opportunity to check for. For secure software, open-source is absolutely crucial.

Is the security design properly documented? Are the techniques used accepted to be secure? Is there any "mystery code" in the app? It is important to fully document all of the code so that all of the features of the app can be properly understood and audited.

Has there been any recent audit of the code? Have professionals combed through the code to look for bugs and backdoors?

The secure messaging winners:

Chatsecure + Orbot

Cryptocat

Redphone

Silentphone

Silenttext

Textsecure

The Secure messaging losers: (Apps that failed to meet ANY of the criteria, avoid using them!)

Mxit 

QQ 


Note: VikingVPN is a staunch supporter of the Electronic Frontier Foundation, and a sizable portion of our sales go to the EFF every month.

< last
next >