Sallubrious

Encrypted Messengers

22 posts in this topic

Is anyone else using any encryption software to communicate by phone?

 

There are a few kinds available that are all very similar and very easy to use. They replace the standard messenger in your phone and then you can send end-to-end encrypted messages (you still have the option to send a regular SMS), SMS, MMS, calls and video calls to other people running the same system. They allow for encrypted group messages and they all have a companion desktop app that runs on your computer so you can send your messages using a computer keyboard and not have to use the dinky little phone keyboard.

 

A few of the more common ones are Signal, Telegram and WhatsApp.

 

Signal and WhatsApp both use the same protocol and all their messages are encrypted by default. Telegram uses a different protocol and you need to choose to send an encrypted message. They all have features like self destructing messages and the ability to delete messages which has its benefits if you don't want sensitive information hanging around on your phone for someone else to discover.

 

The last time I checked Telegram seemed to be leaving more of a trail of metadata (particularly for unencrypted messages) but Signal eliminates most of the metadata by design. If any authorities want to subpoena Signal for server records etc there is almost nothing for them to hand over because their servers don't store calls, just connection data.

 

Anyway, I'm using Signal as it seemed to offer everything I needed and also I've got my elderly parents using it so we can do video chats with the kids. Video chats are easy, you just click on the name of the contact and hit the phone button (in the signal messenger) to ring them and then you have the options to switch your camera and/or microphone on and off.

 

Electronic Frontiers - How to use Signal iOS

Electronic Frontiers - How to use Signal Android

 

One caveat, you need mobile data switched on your phone (sender and receiver) or you need to be connected to wifi for messages to go through. If either the sender or receiver are not connected to the web either through their router, a wifi hotspot or their 3G or 4G connection, the messages won't get through. So if you are like me and several people I know with limited mobile data plans on their phone and have mobile data switched off by default you can send a regular SMS first and tell them to flick their data on because you are about to send a Signal message (or just text something pre arranged to let them know it's coming - an emoji etc.)

 

After you install Signal it will import your contacts list (you still add new contacts there as normal) and let Signal become your new messenger (give it permissions at the prompts). All messages to other people not using Signal will just proceed as normal (you don't need mobile data or wifi for them). Signal will default to sending other signal users encrypted messages but if you just want to send them a normal SMS (maybe you have no data left on your plan or need to tell them to switch their data on) you write the message as normal and then do a long press on the send message button and select unencrypted to send a regular SMS.

8 people like this

Very very informative I'm looking into this now.

Thanks for the thread.

1 person likes this


Love ya work, Sal. This is awesome.

1 person likes this


Signal is hands down the best for privacy and security.

 

As you mentioned, Telegram doesn't encrypt chats by default so you have to start a separate secure/secret chat if you want a chat that uses encryption and gives the option of having self deleting messages. Another annoying thing is that you can't use the same secure/secret on multiple devices at once as you can with the other apps so you can end up in a situation where you're creating numerous secret/secure chats to speak with the same person just because you decided to use another computer, phone or tablet. 

 

WhatsApp encrypts the chats by default, however, it doesn't have the option to have self deleting messages. Moreover, it makes it easy for people to back chats up to cloud services and these can be read by anyone who has access to the account (such as hackers, a jealous or jaded lover or even a cop with a subpoena) as the backed up chats aren't encrypted. There was an article I saw this month which stated that WhatsApp chats on iPhones that are uploaded to Apple's iCloud are encrypted but so far it seems as if it's limited to iPhone users only who choose to backup to iCloud. No news on if/when encrypted backed up chats will be available if one uses other cloud services or phones. In addition to the aforementioned points, WhatsApp stores more metadata than Signal and it has started sharing WhatsApp data with Facebook.

 

There's also Wickr but its code hasn't been publicly audited and it's a buggy piece of shit. It also has fewer features than the other apps.

 

Signal encrypts all communication by default, it has self deleting messages, people can't backup the chats and a minimum of metadata is stored. You can also use the same chat on your phone and PC at the same time. If you value privacy and security then use Signal. 

 

 

2 people like this


@migraineur I came to the same conclusions too, Signal seemed a cut above the others in a few different aspects, so I ended up settling on it myself.

 

Having the messages backed up on someone's server seems to defeat the purpose of these types of messengers in some respects. First it leaves a bigger metadata trail and as with all encryption it may be considered safe now but if Google or the feds put a quantum computer to task they'd crack it eventually.

 

Facebook runs an encrypted private messenger that seems secure at face value but to use it you have to give Facebook permission to everything your device has to offer - microphone, keystrokes and stored files etc. So the Facebook system being secure is almost irrelevant, everything is logged and stored in metadata and they have access to your microphone and camera.

 

Then there's google messenger but I could really go off on a tangent there. 

2 people like this


Hahahahhaha secure Facebook messages what a hoot!

2 people like this


To use Signal do you have to give them your mobile phone number? Or can you create and use a unique username to connect with people, rather than the phone number of the device? I'd feel much better being able to use a messenger service that didn't require my phone number and that I could always only use when connected to a VPN.

 

I know WhatsApp is owned by Facebook, and their terms of service state they will share data with their parent company, including your phone number. That's information I don't want to give a corporation like Facebook. Seems to defeat any reasons to use that particular one. If anyone paid them enough, FB would sell your data in a heartbeat.

1 person likes this

50 minutes ago, zed240 said:

To use Signal do you have to give them your mobile phone number? Or can you create and use a unique username to connect with people, rather than the phone number of the device? I'd feel much better being able to use a messenger service that didn't require my phone number...

 

 

Another option might be something like ProtonMail as you can set it up anonymously and send large files.

1 person likes this


@zed240 - yes you do have to give them your number to set it up. Even though the traffic is sent over the web you still need a phone with a SIM card. It won't work in a tablet or phone with no SIM card.

 

WhatsApp uses the Signal protocol but their association with Facebook was enough for me to pass on it. If asked by the feds Facebook will give it up like a drunken whore.

 

There has been at least one case where the FIB (fuck in bum) subpoenaed Open Whisper Systems (the makers of Signal messenger) and they basically got fuck all info because there was fuck all to give them.

 

This from http://thehackernews.com/2016/10/signal-messenger-fbi-subpoena.html

In the article it states that the FIB asked for

  • Subscriber name
  • Payment information
  • Associated IP addresses
  • Email addresses
  • History logs
  • Browser cookie data
  • Other information associated with two phone numbers

and all they got was

[image: signal-data]

So other than the phone numbers there's not much data for them to get.

 

I can see your point though, if you trust a VPN then that should give you more anonymity. But if you believe the Snowden documents most of them (VPNs) are all cracked now but he's still endorsing this.

 

2 people like this

Interesting conversation going on.

 

I'll leave the word steganography in here as it may be interesting to some folk ;)

Sometimes you need to do something in plain sight....

1 person likes this

2 hours ago, waterboy 2.0 said:

Interesting conversation going on.

 

I'll leave the word steganography in here as it may be interesting to some folk ;)

Sometimes you need to do something in plain sight....

 

This video on steganography is pretty cool..

 

I wrote some C for uni to embed text into images using least significant bit steganography. It was pretty easy but I think LSB is not the most secure.

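Added example, not the poster's code: least-significant-bit embedding in C as mentioned in the post above, showing why it is weak on its own (extraction needs no key, and clearing the low bits wipes the message). The byte buffer stands in for decoded pixel data and is constructed; all function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hide msg plus its terminating NUL in the low bit of each buffer byte,
 * one message bit per byte, MSB first. Returns 0, or -1 if it won't fit. */
int lsb_embed(uint8_t *px, size_t px_len, const char *msg) {
    size_t n = strlen(msg) + 1;
    if (n > px_len / 8) return -1;
    for (size_t i = 0; i < n; i++)
        for (int b = 0; b < 8; b++) {
            uint8_t bit = (uint8_t)(((unsigned char)msg[i] >> (7 - b)) & 1u);
            px[i * 8 + b] = (uint8_t)((px[i * 8 + b] & 0xFEu) | bit);
        }
    return 0;
}

/* Read the low bits back until a NUL byte. No key is involved: anyone who
 * guesses the scheme recovers the text. Returns length, or -1 if no NUL. */
int lsb_extract(const uint8_t *px, size_t px_len, char *out, size_t out_len) {
    for (size_t i = 0; i < px_len / 8 && i < out_len; i++) {
        uint8_t c = 0;
        for (int b = 0; b < 8; b++)
            c = (uint8_t)((c << 1) | (px[i * 8 + b] & 1u));
        out[i] = (char)c;
        if (c == 0) return (int)i;
    }
    return -1;
}

/* Sanitising step a mail or upload gateway could apply: zero every low
 * bit, which destroys any LSB payload and changes each byte by at most 1. */
void lsb_scrub(uint8_t *px, size_t px_len) {
    for (size_t i = 0; i < px_len; i++)
        px[i] = (uint8_t)(px[i] & 0xFEu);
}

int main(void) {
    uint8_t stego[256];                  /* constructed "pixel" data */
    char out[32];
    for (size_t i = 0; i < sizeof stego; i++) stego[i] = (uint8_t)(i * 7 + 3);
    lsb_embed(stego, sizeof stego, "meet at 9");
    printf("recovered length: %d\n", lsb_extract(stego, sizeof stego, out, sizeof out));
    lsb_scrub(stego, sizeof stego);
    printf("after scrub: %d\n", lsb_extract(stego, sizeof stego, out, sizeof out));
    return 0;
}
```
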
12 hours ago, zed240 said:

To use Signal do you have to give them your mobile phone number? Or can you create and use a unique username to connect with people, rather than the phone number of the device? I'd feel much better being able to use a messenger service that didn't require my phone number and that I could always only use when connected to a VPN.

 

I know WhatsApp is owned by Facebook, and their terms of service state they will share data with their parent company, including your phone number. That's information I don't want to give a corporation like Facebook. Seems to defeat any reasons to use that particular one. If anyone paid them enough, FB would sell your data in a heartbeat.

 

Wickr doesn't reveal your phone number to other people and you can add people by username on Telegram instead of using a phone number.

 

 


Signal is awesome. You can even send movies and giphy cam giphs which is fun :)

I suppose this is as good a place as any to outline some details about encrypted email.

 

I've been using a free open source encrypted email platform called ProtonMail. It was developed by the scientists at CERN as a way to ensure the privacy of their own communications and crowd funded on Indiegogo in 2014.

 

It's not cloud based and the mail servers are in Switzerland, so the servers are not directly accessible to anyone without a court order from Swiss supreme courts. The data stored on the servers is protected by the Swiss Federal Data Protection Act (DPA) and the Swiss Federal Data Protection Ordinance (DPO). The system has been set up in a way that stores almost no metadata and doesn't log IP addresses.

 

Emails to other protonmail email addresses are handled internally on protonmail's servers which eliminates one opportunity for interception. Emails to other non protonmail email addresses have the option to be encrypted and sent with a one time password so the email can be de-crypted. Messages can also be set to have an expiry date.

 

One of the best aspects for me is that logging into proton mail can be setup with two step authentication, so even if your password does get compromised you can rest assured that your account is still safe. If you are not using two step authentication on everything that offers it these days then you really should look into it.  Taking it one step further you have the provision to log the IP address of users who have logged into your account and the IP address is not accessible to the IT staff at protonmail.

 

It also has a whitelist/blacklist system which allows you to filter out spam from any IP address you choose.

 

It's available in free and paid versions. The free version has a few less features but it's a very capable and flexible platform designed for security from the ground up.

 

It's also available for iOS and Android and the interface seems quite slick on these devices.

 

It's well worth a look if you are old school and still see privacy as an unalienable right or if you just want an email account that is safe from automated bot email hacking systems being sold today.

 

Proton encrypted email

1 person likes this


I heard of another one from Belgium too, I think, called Mailfence.

Read something last week but don't have the link. Apparently signal silently uploads your data and contacts, and whatsapp apparently is horrific for security encryption. I don't use either so I don't know first hand. I've used Wickr before. Seems trusty, but who knows.


Encryption has been a hobby subject of mine for a long time and IMO smartphones in the same sentence as encryption or privacy is almost an oxymoron. But I vote for Signal or the paid version of wickr.

 

Both WhatsApp and Signal use Open Whisper which is basically PGP for dummies, the difference being that Signal's version is open source and still supposedly carries the ethics of its origin ChatSecure while WhatsApp sold their souls to the devil.

 

Wickr free is not open source like wickr paid and after the recent updates the free version is garbage. It's totally different. 

 

But sensitive info like banking details etc. should still be double encrypted or double nested with your own 4000bit+ private/public key set using an open source version of PGP and with an expiry date set for a few years max.  Using a GUI keyboard instead of a physical one helps avoid keystroke logging too which may be helpful to some.

 

Meaning, to encrypt your text in notepad using your own privately held keys before trusting some 3rd party offering free chat software with unknown motives.  (free software is rarely actually free, you just need to find their angle)

 

But in reality online privacy and encryption can be counter productive because they give one a false sense of security, especially on a mobile OS.

4 people like this


Good point about the smartphones @AndyAmine, in reality you don't really own these devices, you are paying to borrow them from Google or Apple. Android has a system where apps are sandboxed and in theory shouldn't have system access beyond their own space but in reality it doesn't always work like that.

 

You could add window$ 10 to the same category too these days, the EULA you have to agree to use it basically waives all your rights to privacy and grants permission for remote access to everything on the system including keystrokes.

 

I won't do any banking on a smartphone as there are just too many opportunities for them to be compromised.

 

I prefer to use Linux and create my own sandbox for anything sensitive. I use firejail to start Firefox and that provides an extra layer of protection. Firejail basically creates its own runspace where it generates a dummy copy of the required system files in your home directory and restricts system access to just that dummy copy/runspace. Anything that tries to "escape" the sandbox and access the real system is tricked into using the duplicate copy and can't really do much to the real system. You can also add a sandbox for almost any other app with firejail too, so you can do your own PGP encryption in a sandboxed environment too.

 

Starting firefox through firejail using the DNS option to use an anon. DNS server is also an easy way to negate local metadata collection if you aren't using a VPN. You have to use a non logging search engine like DDG though. It won't stop your IP being logged on the sites you connect to though.

 

@Zedo I'd be interested to read any details about Signal leaking data you could dig up. I did a fairly comprehensive network audit on Signal for 2 weeks using Nmap, Wireshark, netstat & a few other tools & didn't find anything to indicate it was "phoning home".

5 people like this


Maybe it wasn't Signal - perhaps another one starting with 's'. I dunno. I don't spend much time online anymore. So I'm sorta out of the loop a bit lol.

Yeah wickr update. I felt it was probs crap now. Might look at paid. Who knows. Like you say, if using a smart phone it doesn't matter. There's always a way to find the person if you spend the time looking etc. guess it comes down to how important are you to someone who finds you important to look at. 

 

 

1 person likes this


Thanks for the proton mail review. 

Had heard of it, but not looked into it. I can't see it not being picked up by the masses, looks like a good product :)

2 people like this


Been playing with the ProtonMail app which seems to run OK on Android.
