Differences Between "Secure" Messengers?

What about developing a comparison chart that’s made by Privacy Tools? The one I made is super basic, but the two linked on the site are, imo, too confusing for the average user. The secure chat guide one is the best because it’s searchable. The Secure Messenger site, besides being run by a terrible person, is also too confusing and not sortable.

It could be nice to have an always up to date guide on PrivacyTools, and it could even have an often missing section “is this open source?”

3 Likes

Care to clarify? I’m not sure if I know about this. I am looking at their chart though and some points seem to be misleading, or confusing at the very least.

I think we would add a list if somebody contributed to making one but I’m not sure who on the team would be able to make a chart at this time. I wouldn’t mind linking to yours in addition to or in replacement of some of the ones we currently have listed, however.

You’re free to link to mine, I wouldn’t complain :slight_smile:

I also don’t mind, when I have time, helping build out a chart for privacytools either.

“besides being a terrible person” was mostly me just being snarky. The guy who created that site couldn’t be further on the opposite side of my political spectrum, so I personally never link to his work. I don’t expect others to do the same. I just get my digs in when I can :wink:

2 Likes

Honestly yeah, most of the stuff on privacytools.io is user-contributed so if you want something added besides a simple tool recommendation the best way to get it on the site is literally add it to the site :stuck_out_tongue:

This definitely isn’t something I personally could work on at the moment, but I’ll ask around with the other team members and see if anyone wants to tackle a project like this.

2 Likes

I second the motion, Dan! I would include Signal, Riot, Briar, Tox, Telegram…what else would you add? Even if it’s not one of the best, it would be helpful to know what flaws there might be with certain messengers (e.g. WhatsApp).

1 Like

I think for sure WhatsApp, FB Messenger, iOS Messenger, etc. should be listed so people know what’s doing what compared to popular choices. If you ONLY list good ones, they know nothing about the flaws in the bad ones.

Also, the more info you give someone, the better. They may decide, despite our efforts, to use WhatsApp, and we can at least know we did what we could to inform those who looked.

2 Likes

Oh yes, absolutely! I was only listing a few that I could come up with off the top of my head. Whonix made a similar chart for privacy-centric Linux distros (Whonix, Tails, Qubes, etc.).

1 Like

Telegram doesn’t belong to the same category as Signal, Riot, WhatsApp etc. as long as they use homemade crypto that has been mocked by real cryptographers.

1 Like

Well someone above mentioned listing the “not-so-good” messengers as well, so people could understand the differences between the high quality ones and others.

2 Likes

It’s one of the most popular “secure” chat apps on the market. If you don’t mention it, and show why it’s not worthy of being there, people will continue to use and trust it.

3 Likes

Oh, it was you, dan! :stuck_out_tongue:

1 Like

So what makes Tox “a dream come true” for you?

I would be against this; this is mostly because comparison charts tend to become outdated and inaccurate very fast. Once that happens, it could harm the trust people have in the rest of our recommendations.

2 Likes

Didn’t think of that. Good point, blacklight!

Does it change very fast though? I mean, we haven’t seen much change in these apps for some time, and usually change that weakens the security of a product would be newsworthy on sites frequented among the privacy circles so I don’t foresee an app changing so drastically we’d need to stop recommending it so quickly that we can’t update the list.

No more so than the apps being recommended in general on the site changing.

1 Like

@jonah I submitted a pull request that links to ThinkPrivacy’s messenger chart tonight.

2 Likes

On a side note, welcome to the community, Cardiak! Hope you like it here!

1 Like

In our opinion, there is no “secure” messenger as long as you don’t conduct threat modeling for yourself.

The EFF didn’t update their Secure Messenger Scorecard for the same reason. They listed some security features and no instant messenger supports all of them:

  • end-to-end encryption (many messaging apps use or are based on the Signal protocol)
  • code quality (using “secure” algorithms doesn’t mean that they are securely implemented)
  • user experience (can users easily send and receive encrypted messages?)
  • service availability
  • encrypted cloud backups (some messengers store unencrypted backups on the internet rendering E2EE useless)
  • secure auto-updating mechanisms
  • messenger of sufficiently high popularity that its use is not suspicious
  • indicators of compromise that are recognizable to an end-user
  • verification of identities
  • aliases instead of phone numbers
  • avoidance of network metadata
  • contact discovery without disclosing your contacts to the service provider
  • reproducible builds
  • binary transparency
  • the same level of security even in group chats

4 Likes

So it looks like there are lots of potential failure points, then.

It’s funny - I was thinking about this earlier with regard to different XMPP clients (Gajim, Pidgin, etc.). Some force you to use OMEMO and others don’t, which is something to consider with the confidentiality of your messages, is it not?