What are the security criteria for the messenger? Which is safer - WhatsApp or Telegram? The experts talked about which instant messaging systems can be trusted.
Artem Baranov, Lead Virus Analyst, ESET Russia:
The main requirement for the messenger is end-to-end encryption (E2ЕE) by default... The technology assumes that the messenger stores encryption keys only on the user's device, without sending them to the server. The second criterion is strong encryption protocol... If these conditions are met, no one will be able to access the transferred data.
E2EE supports WhatsApp, Viber and Apple iMessage by default. In a special mode of operation (secret chats), E2EE is available in Telegram, beta versions of Facebook Messenger and Google Allo. Other popular messengers (Microsoft Skype and Google Hangouts) do not encrypt messages.
A sensitive issue in the security of instant messengers is the reliability of the encryption protocol. The only E2EE protocol approved is Signal. It is used by messengers WhatsApp, Facebook Messenger and Google Allo. Viber implements part of the Signal protocol - the Double Ratchet cryptographic protocol and its own implementation. Viber's proprietary technology is not audited, so the security of the messenger did not receive such high ratings as WhatsApp. Apple iMessage and Telegram both use their E2EE implementations.
The most secure messenger is considered to be Signal from Open Whisper Systems, which received the highest ratings from security experts. It uses the open source protocol verified by experts (Signal protocol) and works with it by default.
Instead of a resume
The safest popular messenger is WhatsApp. In second place are Apple iMessage and Viber, in third - Facebook Messenger (beta), Telegram and Google Allo. Skype is insecure. The undisputed favorite is Signal, but its audience is incomparable with the number of users of the mentioned messengers.
Pavel Lutsik, Project Manager for Information Security at CROC:
Most modern instant messengers try to take care of secure messaging in one way or another, or at least position themselves that way. In general, the protection (encryption) of traffic transmitted on the Internet is a global trend followed by all major developers.
In my opinion, the following are the safest messengers:
Telegram
The product uses the complex encryption protocol MTProto and promises $ 200,000 to crack it. Previously, it was considered the safest, but recently, more and more criticism has appeared in its direction in terms of security.
Threema
Uses a secure protocol based on elliptic curves for encryption, as well as a mechanism for adding new contacts directly at the meeting (by reading QR codes).
Silent Text (Silent Circle)
Philip Zimmermann, the author of the well-known PGP technology, takes part in its development. An important feature of the messenger is the ability to delete any already sent message. At the same time, not a trace will remain on any device.
There are more and more messengers that promise to protect users from surveillance - and it is not surprising: people are thinking about who exactly gets access to their data. However, the threats are different: some are more worried about government agencies, and some are more concerned with their ex-girlfriend. Look At Me selected several methods that instant messengers use to protect users and explained their purpose.
Protection from compromising
The main threat for most people is that their messages will be used against them. (the cautionary tale of the Tinder founder only confirms this). It is with this problem that ephemeral services are designed to fight - numerous variations on the Snapchat theme, however, concerning not only photos, but also text messages. Fans of such messengers emphasize that the disappearance of replicas makes communication much closer to offline conversation.
One of the main problems is screenshots, and everyone deals with it in their own way. Many services follow the Snapchat path and warn the user that his interlocutor took a screenshot, others try to hide the username during the screenshot, so that it was impossible to associate the content of the message with a specific person. Finally, still others come up with reading techniques that make screenshots physically impossible.
CyberDust
Messages are not cached (therefore, you need a good internet connection to communicate) and are deleted after 30 seconds or after a day if they remain unread. During the screenshot, the username is hidden.
Infrastructure control
Many developers regard server access as one of the main threats to message security. The Pirate Bay co-founder Peter Sunde, who is currently serving time on a copyright case, is not only a prominent internet activist, but also the developer of Hemlis, a secret messenger that is not accessible to government agencies. The main task of the team is to establish control over the infrastructure and, in particular, to use only their own servers. "Controlling the network is the only thing right now that can prevent surveillance," Sunde told Wired in an interview, but this attitude and refusal to work with open source has led to criticism of the application.
Hemlis
An application that strives to be at the same time secure, beautiful and accessible from the point of view of the user interface - but refuses to use open source and third-party servers.
Encrypting messages
Almost all secret messengers use message encryption(among the most popular methods - AES256, RSA-2048, ECDH521, Diffie-Hellman protocol) at the client-client or client-server level. One of the most famous (at least in Russia) secret messengers - Telegram, which is supported by Pavel Durov - regularly organizes contests for those wishing to crack encryption algorithms; the prize fund of the latter amounted to $ 200 thousand, but no one has managed to do this so far.
Protection from everything
If all the proposed methods are not enough, then you should choose from the options, which sacrifice user-friendliness, but do not require any personal data to communicate, including a phone number. So, some developers assign a unique number to each user, avoiding the real name, while others add new functions, such as the use of bitcoins. The popular metaphor for such applications is "military-style secrecy," but an anonymous expert interviewed by The Telegraph questioned the state's level of secrecy: "It's actually much better than what the military and intelligence services use."
All large and small corporations cooperate with law enforcement agencies, subject to the laws of the countries in which they operate. Google, Apple, Facebook, Skype, WhatsApp, Viber and many other social networks and instant messengers share a certain amount of user data with the authorities. Someone merges more, someone less, but the bitter truth is that everyone does it.
Showcase freedom fighters will give away all your secrets without batting an eye. For example, the creators of the popular Viber messenger, which, according to Russian law, were obliged to transfer servers to the territory of the Russian Federation, complied with the requirements of the authorities at the end of last year. Officially, this step is explained by the need to store personal data on servers inside the country, but we all know the true motives: the point is the desire of the special services to gain access to the correspondence.
Under "easier" in this case, we mean that surveillance does not even require interaction with operators of cellular networks: all the necessary tools are at the disposal of the relevant authorities. The same applies to WhatsApp, Skype and other instant messengers, not to mention regular SMS. Moreover, not only special services can read your correspondence, but also competitors, enemies, and in general anyone who uses the services of special services. They are inexpensive and easily googled on request "SMS printout".
Under any of our articles on the topic of SMS, enterprising businessmen offer their services
When law enforcement agencies cannot get the data they need with the leverage they have, they take drastic measures. Literally in early March, the vice president of the Latin American branch of Facebook was arrested for refusing to cooperate with the Brazilian police. The subject of controversy was information about users of the social network, allegedly involved in the distribution of drugs.
In December 2015, a Brazilian court blocked WhatsApp (owned by Facebook) in the country after refusing to provide information about the correspondence of the alleged criminals. As a result, everyone suffered: the police cut off about 100 million local users, causing a violent reaction on social networks and the outrage of the head of Facebook, Mark Zuckerberg.
Even more revealing in the fight for the privacy of personal data is the confrontation with the FBI, which has not yet been resolved. The secret services talk about preventing terrorist attacks and ensuring national security, not wanting to admit that crime cannot be defeated in this way. At the congressional hearings, Apple's chief legal adviser said that even if the intelligence services had the opportunity to hack any iPhone, the criminals would find ways of secret communication anyway, and cited the Telegram messenger as an example.
There is a trick against scrap
The Apple representative is right: there are a lot of secure correspondence methods and they were not invented yesterday. The brainchild of Pavel Durov, Telegram is the first to come to mind because of its popularity and unbreakable reputation: no one has yet received an award of $ 200,000 for hacking encrypted Telegram correspondence, appointed back in 2013.
This invulnerability is explained by the very principle of operation of secure messengers in general and Telegram in particular. The latter uses the specially developed MTProto protocol and two-layer encryption with a 256-bit AES key: they provide high speed and reliability. And in Telegram, in addition to regular chats, there are so-called Secret Chats. In them, correspondence is encrypted without the participation of the server, and all messages are sent directly from the sender's device to the recipient's device (peer-to-peer). Even if we assume that the data can be intercepted, it will simply be impossible to decrypt it without the keys stored on the devices of the participants in the conversation.
Another advantage of P2P transmission is that the messenger cannot be blocked: when there are no servers, there is simply nothing to block.
The governments of authoritarian countries often sin by blocking unwanted services. For example, everyone knows about Facebook blocked almost all over China. In October last year, due to the refusal to provide the ability to spy on users, it was first partially, and then completely blocked in Iran. Such situations can be avoided using a P2P connection, which Pavel Durov promised to implement after this incident.
A similar approach is used in various secure messengers with end-to-end encryption. The method of transferring keys may differ, but the principle remains the same: information is sent directly from device to device without the participation of intermediate servers.
Something like this may soon appear on Facebook Messenger as well. Journalists for The Information have unearthed some pretty interesting comments in the iOS application code. They point to a certain analogue of Apple Pay, which allows you to pay for goods and send money to users, as well as the accompanying functionality of secret chats. It is still difficult to judge how such conversations are implemented: Facebook can follow the Telegram path and implement encryption, or it can simply add the ability to hide individual correspondence and contacts. In any case, even if the decision is made in favor of the first option, it will not be so easy to attract users and prove to them that secret chats in Messenger are really safe.
How to be
For those for whom the reliability of the communication channel plays an important role, you should pay attention to secure messengers with the mentioned encryption. They will come in handy not only for paranoid people, but also for everyone who is connected with business and has access to any more or less important information that is not intended for prying eyes. There are a huge number of available solutions, but we will not consider all of them, but will focus on the three most convenient ones.
Secret Telegram chats
Thanks to the widespread use of the messenger, secret chats can be called an ideal option. They guarantee the security of the information sent, have the function of self-destructing messages (including photos and files) after a certain time and do not allow sending correspondence to other people. For added security with one user, you can create multiple conversations and discuss different topics in them.
Creating a secret chat is simple: click the New Message → New Secret Chat icon and select the desired contact. It will be possible to start a correspondence as soon as the person appears on the Web. Due to the lack of intermediate servers, it is impossible to send a message offline. Moreover, all unsent messages are stored only on your device. You can understand that the chat is secret, and not ordinary, by the lock icon next to the contact's name.
Unlike Telegram, it was initially designed for maximum security. The messenger is also quite popular in its niche, it is free and has clients for all desktop and mobile platforms. Confide uses end-to-end encryption and does not store messages anywhere other than the sender's and recipient's devices. Moreover, the messenger does not even display the entire text of the received message, but breaks it into blocks and shows it in parts when you hover the cursor or touch it with your finger. Read messages are immediately destroyed. Those who want to save the content using a screenshot of the screen will fail: the text will be instantly deleted, and the sender will receive a notification about the failed attempt of the interlocutor.
An account in Confide is tied to an email, after registration you can connect your social networks and allow access to contacts. If someone you know has the application installed, you can safely correspond, send photos and documents.
And this application is already for the real paranoid. It is paid, not so convenient, has a less user-friendly interface, but is even more focused on security and only works with direct encryption. No phone number or email is used here. For Threema to work, you need a pair of keys that you will generate yourself when you first start: one of them is private and stored on your device, the other is public and sent to your interlocutor. After that, you will be assigned an identifier by which you can be found. You can add a contact by email or phone (if a person has linked them to an account), as well as by scanning a QR code in person (this is the safest option).
Threema allows you to exchange not only text messages, but also photos, videos, documents and geotags. There are apps for iOS, Android and Windows Phone.
Signal
What do you think about secure messengers: is it worth switching to them or is it just for the paranoid? Tell us if you use secure chats, and if so, which ones you preferred and why.
Telegram, Wickr and other secure alternatives to WhatsApp
To bookmarks
The answer to the question why Telegram hit the jackpot is largely on the surface. Despite the fact that the application was originally announced as a test of the MTProto protocol and has not yet managed to acquire at least some decent set of functions, in the "Year of Snowden" its creators focused most of all on security.
The most effective PR move in this regard was undoubtedly the courageous Pavel Durov to hack his personal Telegram correspondence for 200 thousand dollars, announced on December 17, 2013. Even if some hacker could find a flaw in the protocol itself and get the full amount, it would still benefit the messenger: after the vulnerability is removed, it would become even safer in the eyes of users.
At the same time, Telegram itself, in a sense, simply did not interfere with its own success. The application performs basic functions flawlessly: it looks cleaner and more accurate than WhatsApp, and even works noticeably faster, while remaining undemanding to the quality of the network. For a reason, in mid-August 2013, Yang Kum. Many people are stopped from switching to Telegram by its small user base (“I have all friends in WhatsApp, but here are two and a half people!”) And the lack of some functions, for example, the transmission of voice messages.
Silent Text
Platforms: iOS, Android
Another reason for Telegram's success is the fact that its competitors are, to put it mildly, unfriendly. For example, the free application of the American messenger Silent Text first of all asks to enter a certain "activation code", the purpose of which can be found out only by visiting the website of the Silent Circle company.
It also turns out that Silent Circle is not only not friendly, but also not cheap. A subscription to Silent Circle Mobile costs about $ 10 per month or $ 100 per year. For this money, the user receives cryptographic protection for the transmission of voice, video, text messages and files up to 100 megabytes.
Silent Circle is able not only to encrypt messages through the SCIMP protocol of its own design, but also to recall messages already sent at the request of the user, erasing all traces of their existence. In the application, you can set the time after which an open message will be deleted from the recipient's device. However, the authors do not guarantee protection against forwarding or even a screenshot: therefore, sending messages is still necessary to a trusted person.
Threema
Platforms: iOS, Android
A really worthy competitor to Telegram is the Swiss messenger Threema. You need to pay $ 2 for him once, but he pays much more attention to the security of correspondence. For example, the first time a user visits an app, they need to slide their finger across the screen to generate a unique identifier.
Threema authors recommend adding new contacts when meeting by scanning a QR code with an identifier from a friend's screen for reliability. Then they will be assigned the maximum verification level. If you wish, you can use less reliable methods: synchronize contacts or enter the ID manually by transferring it through insecure channels.
Not inferior to Telegram in design, laconic and stylish, Threema feels not far behind in speed. Of course, the authors of the application guarantee that all messages are encrypted right on the device, and only the recipient and no one else can read them.
Immediately after the news of the sale of WhatsApp, Threema's user base doubled: out of 200,000 new users, 80% were from Germany. The Swiss company is hindered by the $ 2 price tag and the excessive security level for most people from gaining the same growth rate as Telegram.
Confide
Platforms: iOS
Confide is another nice and, moreover, free messenger with the declared encryption, which, unlike Threema, takes a step in a really interesting direction: the message arrives at the recipient in the form of several lines of rectangles that open only when the user hovers over them. Thus, the full text of the message is never displayed on the screen.
If the recipient nevertheless tries to take a screenshot, he will automatically be thrown into the list of contacts, and the message itself will be immediately deleted. At the same time, the sender will receive a signal that an attempt was made to “remove” his message. Moreover, Confide does not store messages as such: they disappear after reading anyway.
SJ
Platforms: iOS
Another "extreme" messenger with encryption is (abbreviated from Safety Jabber). Its price in the App Store at the time of this writing is 1690 rubles. For this money, the developer offers a truly uncompromising crypto messenger, in which the user can independently choose key pairs when sending messages.
Messages in SJ are encoded using the OpenPGP algorithm, and the contact list is encoded using the less secure AES. At the same time, in the application, you can also communicate through any other services that support Jabber, but without reliable encryption.
Despite its impressive cost, the SJ app looks clumsy, to put it mildly. It still has not received a flat design in the style of iOS 7. However, the audience of this messenger pays, obviously, not for the appearance.
Wickr and TigerText
Platforms: iOS, Android
The main page of the official Wickr website greets visitors with a quote from CNET: "Wickr is a crypto app for the iPhone that can be used by a 3-year-old child." In practice, Wickr noticeably loses both in simplicity and in design of both Telegram and Threema. Plus, it's already available for Android.
Wickr is marketed as an app that leaves no residue. It destroys your messages not only on users' smartphones, but also on servers. In addition, the program itself has a full and final erase function, after which the messages cannot be restored even by special means.
Wickr provides encrypted transmission of almost all kinds of content, including images, audio and video. It does not allow you to copy or forward messages or content to third parties, and also prevents you from taking screenshots. The authors promise military-grade encryption.
Wickr also has a "half-brother" - a very similar in spirit, but slightly less popular TigerText application. It has a much more attractive design (without the excess of red and lurid graphic elements). TigerText can also delete messages from the recipient's smartphone and server without leaving a trace.
Heml.is
Platforms: iOS, Android
The release of Heml.is has not yet taken place, but it cannot be ignored, if only because of how loudly he declared himself. When many similar projects fail on various crowdfunding platforms, this is to collect the required amount in July 2013
In theory, the safety of personal information is not too worried about an ordinary user, until he is touched by the theft of confidential data. At least several times a year, hackers manage to break into another cloud storage or secure messengers and declassify spicy photos of celebrities from the world of cinema, music and sports.
But if the desire to see the most prominent part of Jennifer Lopez's body is understandable, then what attracts hackers to the accounts of ordinary people? The answer lies on the surface - it is money, or rather, the possibility of obtaining it. What data can attackers gain by accessing a user's personal profile? There is a lot of information that can do a disservice to its rightful owner:
- PIN and CVV-codes of bank cards;
- Current account numbers;
- Code words;
- Details of deposits and credit cards.
And the list of dangerous information is not limited to this. Of course, many users, having seen this list, thought to themselves that they should not be vigilant, and perhaps a narrow-minded person would be so free to store the PIN code from a bank card in his account in the messenger. Of course, situations are different.
A simple example: a freelancer has completed a set of work by agreement and must receive payment for his services. Communication with the customer takes place through a popular application, and the contractor is asked for the card or wallet number in the WebMoney e-commerce system. Familiar situation? The need to transfer such information arises every hour around the world, which is why scammers are constantly looking for perfect hacking methods.
Characteristics of the best secure messengers
The risk of disclosing confidential data always exists, no matter how secure from a technical point of view the application is. However, this does not mean that at any moment the user can detect the disappearance of money from his bank card.
The information in the notification will tell you the name of the device from which you logged in, and warn you about the possibility of changing the password if someone else made the authorization. The described practice is just one of dozens of methods to ensure the security of confidential data. There is rivalry between popular messengers in this aspect. To retain active users and attract new audiences, world-renowned corporations spend millions of dollars annually on monitoring system security.
A distinctive feature of the safest messenger is the need to confirm the login to the account from a new device. This measure allows you to prevent theft of confidential data. The essence of the method is as follows: if an attacker steals data to log into a user account and tries to use it, for example, to log in to a profile using his smartphone, a notification message will be sent to the account owner's email or linked phone number.
