Combat Studies Group has a comprehensive article up about choosing a secure chat/messaging application in this time of increasing governmental and corporate excess. It’s a long read, but if you are interested in your privacy you should give it a read. If you don’t understand what he’s talking about, then this is a starting point for your electronic privacy/security education.
So it’s 2019, and so far we have:
– Twitter, Facebook, Youtube and the like, de-platforming or censoring any content that leans towards the right or conservative side.
– Amazon, Google, Apple, Microsoft, et al, doubling down on collection of people’s data.
– The US intelligence apparatus convincing major hotel chains (Marriott for one) to collect information and report on hotel guests (for the most trivial of “abnormalities”, if one can call them that).
– Amazon working with law enforcement to implement widespread facial recognition gathering.
– Those nifty DNA/heritage testing sites have been caught giving your DNA to Uncle Sam.
– Cellular providers selling your real-time location to anyone who wants to buy it.
– The proliferation of “smart” devices such as Alexa that are always listening.
– Web browsers screening the news you search for and only letting the “leftist” slanted news through.
I could go on for pages and pages, but you get the point. One needs to be aggressive about securing their privacy in this day and age, so with that in mind I thought it apropos to publish an updated breakdown of the available options.
Let’s establish some standards that should be adhered to when choosing a chat application.
1. It should be open source. Open source code can be audited by third parties for completeness, correct implementation of the cryptography and security vulnerabilities; with closed source you are taking the vendor’s word for it. An audit only means something for the build you actually install, so look for reproducible builds, or at least a published hash for each release.
2. It should employ end-to-end encryption. In other words, encryption happens on your device and decryption happens on the recipient’s device rather than on a third-party server, which only ever relays ciphertext. The provider never holds your private keys or your plaintext, so it has nothing to hand over when compelled and nothing useful to lose when breached. The remaining risk is being handed the wrong public key for your contact, so prefer apps that let you verify a contact’s key fingerprint (“safety number”) out of band.
3. It should use INFOSEC industry-accepted, well-studied primitives, and use them in the right roles. For symmetric encryption: AES-256 or ChaCha20, always paired with an authenticator such as GCM or Poly1305 (ChaCha20-Poly1305 is the usual combination). For key exchange: Curve25519 (X25519) or Curve448, with RSA-4096 acceptable in older designs. For hashing: SHA-2 or SHA-3. Twofish and Whirlpool are respectable but rarely seen in modern messengers. Two names that often get listed alongside these are not primitives at all: GPG is a program that uses them, and secp256k1 is a curve chosen for Bitcoin rather than for messaging. Be wary of any app advertising a home-grown or “military-grade” cipher; a strong primitive used badly (a reused nonce, a static key) is still broken.
4. It should provide forward secrecy. This limits the damage if a key is compromised: the long-term identity key is used only to authenticate, while each session (or, in ratcheting designs such as Signal’s Double Ratchet, each message) is encrypted under a fresh key derived from an ephemeral Diffie-Hellman exchange whose private values are discarded once used. An attacker who records your traffic today and steals your long-term key next year cannot reconstruct those discarded keys, and so cannot read the recorded conversations.
5. It should support the removal/destruction of messages on both ends of the conversation, whether on a timer, by manual selection or with a “destroy on read” protocol… Bear in mind that this is enforced by the other party’s client, not by cryptography: a modified client, a screenshot or a backup taken before the timer fires keeps a copy, so it limits what a later seizure of the phone turns up rather than what a bad-faith correspondent can retain.