How can businesses be sure the messages they’re exchanging are safe from prying eyes? Encryption is a first step that many service providers are implementing, but digital civil rights organization the Electronic Frontier Foundation has looked deeper to assess the security of some of the most popular messaging platforms.
Apple Inc. came out as a strong supporter of encryption and privacy with its refusal to comply with a court order to unlock an iPhone in an investigation, a stance that has brought to light the power of encryption to keep communications private. Encryption has also been met with resistance, such as proposed legislation in California aimed at making it possible to unlock and decrypt any smartphone sold in the state.
But messaging apps themselves can be a possible weak point for digital communications. The EFF’s scorecard of “secure messaging” is the first phase of its new EFF Campaign for Secure & Usable Crypto, which the organization hopes to expand to provide closer examinations of the usability and security of the highest scoring tools.
The EFF found that many popular messaging apps lacked some key security assurances. Low ranking services include AIM, BlackBerry Messenger, Ebuddy XMS, Facebook Chat, Google Hangouts and Chat “off the record”, Hushmail, Kik Messenger, QQ, Skype, SnapChat, Viber, WhatsApp, and Yahoo! Messenger.
Some of the services that were found to comply with EFF’s security guidelines include ChatSecure + Orbot, Jitsi + Ostel, Off-The-Record Messaging for Windows, RetroShare, Signal / RedPhone, Silent Phone, Silent Text, Telegram Secret Chats, TextSecure, and Threema.
The EFF’s criteria include:
- Encrypted communication in transit, so that a message intercepted on the network can’t be read.
- The service provider doesn’t have access to the encryption key, so that users, not service providers, hold the keys needed to decrypt messages.
- The identity of individuals communicating can be verified. This means allowing users to view the fingerprint (or “hash”) of their own public keys and those of the person with whom they’re communicating. Alternatively, they could use a key exchange protocol like the Socialist Millionaire’s protocol, which verifies the identity of remote parties without giving away too much information about each party.
- Past communications remain secure if keys are stolen. This is achieved by routinely deleting encryption keys, along with the random values used to derive them, so that keys cannot be reconstructed after the fact.
- Source code has been published for independent review in order to detect bugs, back doors, and structural problems.
- The crypto design is well-documented with detailed explanations of the cryptography used by the application. This documentation would include information such as the sizes of keys used, how keys are generated, stored, and exchanged between users, and descriptions of scenarios in which the protocol is not secure.
- An independent security audit covering the design and the implementation of the app within the past 12 months. It should be performed by a named, independent auditing party.
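The criterion that past communications stay secure when keys are stolen, shown as an added example that is not part of the EFF scorecard or any listed app’s code: a simplified symmetric hash ratchet (a constructed illustration, not Signal’s or OTR’s actual protocol) derives one key per message and overwrites the chain key, so a copy of the client’s state exposes only messages from that point on, while a static-key scheme exposes everything. HMAC-SHA256 as the one-way step and the hard-coded root secret are assumptions made for the demonstration.

```python
import hashlib
import hmac

# Constructed root secret for this illustration only; a real client would obtain
# it from an authenticated key exchange, never from a constant.
ROOT_KEY = b"constructed-root-secret-for-illustration-only"

def kdf(key: bytes, label: bytes) -> bytes:
    """One-way derivation step (HMAC-SHA256); its output does not reveal key."""
    return hmac.new(key, label, hashlib.sha256).digest()

class HashRatchet:
    """Chain key overwritten after each use, so past message keys are absent from later state."""
    def __init__(self, root: bytes) -> None:
        self.chain_key, self.counter = root, 0

    def next_message_key(self):
        index, msg_key = self.counter, kdf(self.chain_key, b"message")
        self.chain_key = kdf(self.chain_key, b"chain")  # old chain key discarded
        self.counter += 1
        return index, msg_key

def derivable_from_state(chain_key: bytes, counter: int, total: int) -> dict:
    """All an attacker holding (chain_key, counter) can compute: keys for
    messages `counter` onward; earlier keys would require inverting kdf."""
    out, ck = {}, chain_key
    for i in range(counter, total):
        out[i], ck = kdf(ck, b"message"), kdf(ck, b"chain")
    return out

def static_key_scheme(root: bytes, total: int) -> dict:
    """Contrast without forward secrecy: one long-lived secret derives every
    message key, so whoever steals it rederives all past keys too."""
    return {i: kdf(root, i.to_bytes(4, "big")) for i in range(total)}

def compromise_exposure(total: int, stolen_at: int) -> dict:
    """Message indices exposed when client state is copied after `stolen_at`
    of `total` messages, under the ratchet and under the static-key scheme."""
    ratchet, sent, snapshot = HashRatchet(ROOT_KEY), {}, None
    for _ in range(total):
        if ratchet.counter == stolen_at:
            snapshot = (ratchet.chain_key, ratchet.counter)
        index, key = ratchet.next_message_key()
        sent[index] = key
    snapshot = snapshot or (ratchet.chain_key, ratchet.counter)  # theft after last message
    leaked = set(derivable_from_state(*snapshot, total).values())
    sender = static_key_scheme(ROOT_KEY, total)
    rederived = static_key_scheme(ROOT_KEY, total)  # attacker who stole ROOT_KEY
    return {"ratchet": sorted(i for i, k in sent.items() if k in leaked),
            "static": sorted(i for i in sender if rederived[i] == sender[i])}
```

With five messages and state copied after the third, the ratchet exposes only messages 3 and 4, while the static scheme exposes all of 0 through 4.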
To protect your online communication against surveillance, the EFF provides practical advice and tutorials, which could help ensure digital communication stays private.