Pages:
Author

Topic: Secure messengers: are there any? (Read 1961 times)

legendary
Activity: 3066
Merit: 1147
The revolution will be monetized!
July 30, 2015, 01:42:35 PM
#32
a related WARNING about messaging.

At next months black hat conference in Vegas a new exploit will be detailed that allows an attacker to attack most any android phone just by sending a video by SMS. The video contains a payload that could lead to a complete takeover of your phone. Any android after 2.2 is susceptible and, unlike other attacks, you do not have to even view the message. Just sending it is enough and all the attacker needs is your number.
All you can do now is (on some phones) disallow auto download of messages and NEVER DL A VIDEO ON AN ANDROID PHONE!!!!!!! After the conference it will only take weeks for this exploit to move into the wild.

member
Activity: 72
Merit: 10
July 29, 2015, 09:18:44 AM
#31
Hey guys, I have a question: do you think a truly secure p2p messenger should rely on the use of blockchain or some other technology to ensure the complete privacy?

Personally, I can see several quite obvious problems with blockchain-based apps, which are the size of the blockchain itself and the excessive amount of computational resources needed to run a PoW algorithm. But even with all those disadvantages, I don't think there is really a different option for a truly secure app.

What do you guys think?
member
Activity: 72
Merit: 10
July 27, 2015, 05:40:25 PM
#30
the only thing that tox is missing conceptually in the current protocol is a storage facility, so that true offline messages can be implemented (right now both parties have to be online at the same time eventually for "offline" messages to be delivered). but that's the only missing thing that would be expected from a proper messenger, really.

and as soon we're talking storage layer we're in storj/maidsafe land. maidsafe claims to work without pow/blockchain. their security is based on a "proof-of-resource" and a node ranking system (there's still debate going how/if it can be secure enough). you can run a farmer though on your 24/7 online desktop box to provide storage space for others, to earn some of the integrated safecoins. but your devices will run under your same account, so apps could provide very much convenience in such a system, much more so than in today's internet/web where you need to maintain hundreds of logins/passwords.


RE tox: that's actually quite a glaring issue. Do they have plans for introducing the feature?

Yeah, I imagine the team that would develop a similar system for messaging could also set up their own semi-official farmer nod and allow anyone to use it for free/some token fee to allow newcomers to join in for an acceptable price, in exchange for the lessened security such a centralized option implies.
legendary
Activity: 1764
Merit: 1007
July 27, 2015, 09:53:11 AM
#29
the only thing that tox is missing conceptually in the current protocol is a storage facility, so that true offline messages can be implemented (right now both parties have to be online at the same time eventually for "offline" messages to be delivered). but that's the only missing thing that would be expected from a proper messenger, really.

and as soon we're talking storage layer we're in storj/maidsafe land. maidsafe claims to work without pow/blockchain. their security is based on a "proof-of-resource" and a node ranking system (there's still debate going how/if it can be secure enough). you can run a farmer though on your 24/7 online desktop box to provide storage space for others, to earn some of the integrated safecoins. but your devices will run under your same account, so apps could provide very much convenience in such a system, much more so than in today's internet/web where you need to maintain hundreds of logins/passwords.
member
Activity: 72
Merit: 10
July 27, 2015, 09:34:29 AM
#28
you don't need proof-of-work for a p2p messenger. maybe a little bit of hashcash to prevent spam. but even that would be just one of several possibilities.

tox is conceptually fine as it is, it just needs more developers, and on a more professional level at that.

the long-term solution would be all-purpose integrated p2p systems like storj or maidsafe.

I agree with the last point, that's what I was getting at for the most of the discussion. There are already p2p integrated solutions, but they're mostly in their infancy and thus don't enjoy much popularity, hence no network utility.

This has got me thinking: actually, I think using desktop PCs as PoW slaves for mobile devices wouldn't be such a bad solution as I initially believed, it just has to be done in a convenient way. And the messaging system will probably have to include a financial transaction feature in addition to messages themselves, to ease the process of payment to such remote nods.
legendary
Activity: 1764
Merit: 1007
July 24, 2015, 08:18:10 AM
#27
you don't need proof-of-work for a p2p messenger. maybe a little bit of hashcash to prevent spam. but even that would be just one of several possibilities.

tox is conceptually fine as it is, it just needs more developers, and on a more professional level at that.

the long-term solution would be all-purpose integrated p2p systems like storj or maidsafe.
newbie
Activity: 14
Merit: 0
July 24, 2015, 05:09:07 AM
#26
I don't think that there are some messenger secure. The big brother hear everything he want. Even some of messengers or one of those seems secure I don't believe that this is true. Before Snouden no one knew that existed that "wonderful" system of surveillance which surveid even the presidents, prime ministers or chancellors of the most important countries of the world. So, who don't exist some secret surveillance for every kind of messenger?

Don't panic people. Don't do subversive things and you are alright !!!!  Grin
member
Activity: 72
Merit: 10
July 24, 2015, 05:01:51 AM
#25
Have you seen this secure messenger scorecard?

https://www.eff.org/secure-messaging-scorecard

I did; none of those messengers are P2P AFAIK, which brings us to the point of this problem.

What do you guys think prevents people from building a convenient, easy-to-use blockchain-based P2P mobile app?

Well, I do know what - the incredible strain any PoW protocol puts on a mobile device and the amount of storage needed for the whole blockchain. So far the only solutions to this were different sorts of "crutches": like making a remote PC be a PoW whore for your phone, which means that you either have to set up a node on your computer and have it running 24/7, or pay someone to do that for you, which isn't what many people would call an "optimal solution".

What do y'all think can be done with a PoW system to make it applicable for mobile devices?
legendary
Activity: 924
Merit: 1000
July 24, 2015, 01:40:18 AM
#24
Have you seen this secure messenger scorecard?

https://www.eff.org/secure-messaging-scorecard
sr. member
Activity: 252
Merit: 250
July 23, 2015, 02:04:29 PM
#23
Nxtty: Anonymous, End-to-end Encryption, uses Blockchain, has permanent message destruction - but it's not Open Source as far as I see.
Here's nxxty on google play, the Apple version is planned.

Was just told that the anonymous user registration and encryption is handled via Nxt - and Nxt is open source. That could alleviate some concerns.
legendary
Activity: 1764
Merit: 1007
July 23, 2015, 09:58:57 AM
#22

that's a lie because in actuality 0 people use retroshare

that's the point, to make it look like that from outside Wink
sr. member
Activity: 466
Merit: 500
July 23, 2015, 09:26:16 AM
#21
I use XMPP+OTR (with Pidgin on Desktop and Xabber on Android), Tox (qTox on Desktop), TextSecure, Bitmessage, and RetroShare on a daily basis. Each serve their (different) purpose. I'd like to see the all-in-one solution, but oh well...


that's a lie because in actuality 0 people use retroshare
legendary
Activity: 1764
Merit: 1007
July 23, 2015, 08:54:53 AM
#20
I use XMPP+OTR (with Pidgin on Desktop and Xabber on Android), Tox (qTox on Desktop), TextSecure, Bitmessage, and RetroShare on a daily basis. Each serve their (different) purpose. I'd like to see the all-in-one solution, but oh well...
member
Activity: 72
Merit: 10
July 23, 2015, 08:48:38 AM
#19
You want SureSpot. End to end encryption, full deletion permissions, and open source.   Wink

https://www.surespot.me/

It's free, but the author has a bitcoin address in the app for tipping!

It's better than Bleep, I guess, but marginally (open source, with a similar number of downloads in stores).



The only messenger from this category that is relatively free from the problems of both convenience and popularity, is Telegram, which has all the features that you expect from a regular app and, I'd say, is somewhere in between underground and mainstream at the moment. It also has a special feature - secret chats, that is specifically tailored for secure conversations.

Ultimately, Telegram may very well be the best option at the current moment, but as its userbase grows, it can attract more attention from the government agencies, and ultimately suffer the same fate as Skype and FB - its encryption may be end-to-end, but the app itself isn't peer-to-peer, which means that it has centralized servers and people running those servers. And where there are people in charge, one cannot be 100% sure about their incorruptibility. Its another, although less grievous problem, is hazy monetary policy: currently they are running on investors' (Durov's, mainly) money, and they don't have plans for paid features, so it's not entirely clear as to what they're gonna do when the pot runs out. But again, this is a much, much lesser problem, compared to the security vulnerabilities associated with centralization.

I have bad news for you. The cryptograph used in Telegram isn't considered good.
http://www.alexrad.me/discourse/a-264-attack-on-telegram-and-why-a-super-villain-doesnt-need-it-to-read-your-telegram-chats.html
http://thoughtcrime.org/blog/telegram-crypto-challenge/
http://unhandledexpression.com/2013/12/17/telegram-stand-back-we-know-maths/
https://news.ycombinator.com/item?id=6913456

And end-to-end encryption needs to be the default (which doesn't happen in Telegram), otherwise, no one will use it. Although their end-to-end encryption shouldn't be trusted anyway.

OTR
https://en.wikipedia.org/wiki/Off-the-Record_Messaging
Off-the-Record Messaging (OTR) is a cryptographic protocol that provides encryption for instant messaging conversations.

This is nice, never heard of it. Found a report about some security vulnerabilities found by the EFF and less-then-optimal battery usage by the Diffie-Hellman protocol, but overall it seems legit. Have you been using any of its mobile implementations yourself?

OTR is good, but not for mobile. You and your contact need to stay online all the time because it doesn't work with offline messages. Also, it doesn't work with group messaging.

Well, like I said, I don't trust Telegram to be 100% secure, nor anyone should, since it's not p2p, but it's the best option out there, as far as popularity/security ratio goes, in my opinion. And I can also force end-to-end encryption on those I communicate with by starting secret conversations myself.

Anyway, I'm not a fanboy of Telegram and will gladly switch to a better alternative, when it appears on the market, but for now I don't see a more secure option, which won't leave me unable to communicate with my network of contacts, due to them not caring enough to download Bleep or SureSpot.
member
Activity: 72
Merit: 10
July 23, 2015, 08:32:27 AM
#18
bitmessenger maybe?

See OP.

GPG/PGP is the standard solution.   

"Messengers"  are underlying transport protocols.  What keeps something secure is the next layer on top.  A quick check is to say "did a company produce this?"  If the answer is yes, than you aren' t using a secure protocol. 

Completely agreed!

Hey guys, I'd like to bring up a question of finding a secure, fast and easy to use messenger application. Since cryptocommunity is based pretty heavily on privacy, decentralization, etc. I thought this is a good place to talk about that.....
Passenger pigeons.

Can't beat them.

Yeah sure, encryption of both the destination and the message itself (if you're up for a little cryptography) is nice, but the messages are quite easily interceptable, and there is less than 100% deliverability, even without anyone trying to disrupt your communications. I'll pass.
sr. member
Activity: 252
Merit: 250
July 23, 2015, 06:01:08 AM
#17
Nxtty: Anonymous, End-to-end Encryption, uses Blockchain, has permanent message destruction - but it's not Open Source as far as I see.
Here's nxxty on google play, the Apple version is planned.
member
Activity: 88
Merit: 10
July 23, 2015, 03:47:52 AM
#16
You could use tox or bleep.
Bleep is closed source though
legendary
Activity: 924
Merit: 1000
July 23, 2015, 01:18:28 AM
#15
Have a look at threema: https://threema.ch/en/

It's quite popular in western europe. Unfortunately no open-source, but AFAIR the code was security-reviewed by an independant expert.

Yeah, this one seems all right, a million downloads in the playstore, no data storage/mining by provider. But, like you said, it's not open-source, nor is it p2p, hence not 100% private. Independent experts and service providers can be bought/coerced into disclosing users' personal data. It's doubtful that anyone will bother right now, but when and if it grows, it can become a vulnerable target.

Another problem with it is that it's not free, which means that it won't enjoy a similar level of natural growth that free counterparts, like WhatsApp or Telegram do, and I can't just ask all my friends and colleagues use it. So it's either going to remain on this unpopular level, where I can't really use it, or it will grow and with it will grow the probability of gvt. agencies tapping into it.


Really? It's 1.99 for lifetime use, even whatsapp charges you 0.99/year after the first year!
You're right about the closed source though, that is a showstopper IMHO.
sr. member
Activity: 252
Merit: 250
July 22, 2015, 04:50:35 PM
#14


The only messenger from this category that is relatively free from the problems of both convenience and popularity, is Telegram, which has all the features that you expect from a regular app and, I'd say, is somewhere in between underground and mainstream at the moment. It also has a special feature - secret chats, that is specifically tailored for secure conversations.

Ultimately, Telegram may very well be the best option at the current moment, but as its userbase grows, it can attract more attention from the government agencies, and ultimately suffer the same fate as Skype and FB - its encryption may be end-to-end, but the app itself isn't peer-to-peer, which means that it has centralized servers and people running those servers. And where there are people in charge, one cannot be 100% sure about their incorruptibility. Its another, although less grievous problem, is hazy monetary policy: currently they are running on investors' (Durov's, mainly) money, and they don't have plans for paid features, so it's not entirely clear as to what they're gonna do when the pot runs out. But again, this is a much, much lesser problem, compared to the security vulnerabilities associated with centralization.

I have bad news for you. The cryptograph used in Telegram isn't considered good.
http://www.alexrad.me/discourse/a-264-attack-on-telegram-and-why-a-super-villain-doesnt-need-it-to-read-your-telegram-chats.html
http://thoughtcrime.org/blog/telegram-crypto-challenge/
http://unhandledexpression.com/2013/12/17/telegram-stand-back-we-know-maths/
https://news.ycombinator.com/item?id=6913456

And end-to-end encryption needs to be the default (which doesn't happen in Telegram), otherwise, no one will use it. Although their end-to-end encryption shouldn't be trusted anyway.

OTR
https://en.wikipedia.org/wiki/Off-the-Record_Messaging
Off-the-Record Messaging (OTR) is a cryptographic protocol that provides encryption for instant messaging conversations.

This is nice, never heard of it. Found a report about some security vulnerabilities found by the EFF and less-then-optimal battery usage by the Diffie-Hellman protocol, but overall it seems legit. Have you been using any of its mobile implementations yourself?

OTR is good, but not for mobile. You and your contact need to stay online all the time because it doesn't work with offline messages. Also, it doesn't work with group messaging.
legendary
Activity: 1092
Merit: 1000
July 22, 2015, 04:00:15 PM
#13
Is anyone still using TorChat? Does it work well, even though it doesn't seem to updated in a while? is it still a safe working program?
Pages:
Jump to: