Slashdot Mirror


Battle of the Secure Messaging Apps: Signal Triumphs Over WhatsApp, Allo (theintercept.com)

There is no shortage of messaging apps out there, so which one should you be using? If you care about your privacy, you would want your messaging client to be end-to-end encrypted. This narrows down the list to WhatsApp, Signal, and Allo. The Intercept has evaluated the apps to find which among the three is the best from the privacy standpoint. The publication says that while all three aforementioned apps use the same secure messaging protocol (Open Whisper Systems'), they differ on exactly what information is encrypted, what metadata is collected, and what, precisely, is stored in the cloud.

WhatsApp: It's important to keep in mind that, even with the Signal protocol in place, WhatsApp's servers can still see messages that users send through the service. They can't see what's inside the messages, but they can see who is sending a message to whom and when. In addition, WhatsApp also retains your contact list -- provided you have shared it with the service. If government requests access to this data, WhatsApp could hand it over.

Allo: The first thing to understand about Google's forthcoming Allo app is that, by default, Google will be able to read all of your Allo messages. If you want end-to-end encryption via the Signal protocol, you need to switch to an "incognito mode" within the app, which will be secure but include fewer features. [...] Allo's machine learning features prevent Google from turning on end-to-end encryption for all messages, since Google needs to be able to ingest the content of messages for the machine learning to work, a Google spokesperson confirmed.

Signal: The first thing that sets Signal apart from WhatsApp and Allo is that it is open source. The app's code is freely available for experts to inspect for flaws or back doors in its security. Another thing that makes Signal unique is its business model: There is none. In stark contrast to Facebook and Google, which make their money selling ads, Open Whisper Systems is entirely supported by grants and donations. With no advertising to target, the company intentionally stores as little user data as possible. Signal's privacy policy is short and concise. Unlike WhatsApp, Signal doesn't store any message metadata. [...] If you back up your phone to your Google or iCloud account, Signal doesn't include any of your messages in this backup.

But what about Telegram, you ask? A Gizmodo report, also published on Wednesday, says that Telegram's default settings store your message on its unencrypted servers. "This is pretty much one of the worst things you could imagine when trying to send secure messages."

25 of 171 comments

  1. No App that depends on a Server is "Secure" by Marxist+Hacker+42 · · Score: 4, Insightful

    Want a messaging app that is secure, get a peer-to-peer messaging app that does not depend on servers.

    --
    SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
  2. Re:Telegram is missing. by CycleFreak · · Score: 2

    Seems that the last few sentences address the Telegram service.

  3. Re:Telegram is missing. by Ksevio · · Score: 5, Informative
    Uh well if you read to the end of the summary -

    But what about Telegram, you ask? A Gizmodo report, also published on Wednesday, says that Telegram's default settings store your message on its unencrypted servers. "This is pretty much one of the worst things you could imagine when trying to send secure messages."

  4. Still confused by Allo by H3lldr0p · · Score: 2

    and its need to have a machine-learning built into it. It's going to be like that stupid Inbox stuff Google tried pulling a few years back, isn't it? I don't need something to create rules and read my email for me to sort it out. I can do both of those tasks just fine. Doing that doesn't save me effort or mental expense; just the opposite. If I had it turned on, I'd be worried it was screwing something up.

    With Allo auto replying for me, I'd be very concerned it would be handing out information to people I didn't want to know certain things in my life. Even though Google is likely going to indemnify themselves in the click-thru, I can't wait for the first lawsuit from someone who was stalked and assaulted because Allo told said stalker where they were.

    1. Re: Still confused by Allo by Anonymous Coward · · Score: 5, Informative

      It's Google. Google doesn't care about your privacy. In fact, Google hates your privacy. Don't touch anything from Google. It's an evil company.

  5. Messages on iOS and macOS by Anonymous Coward · · Score: 3, Informative

    Encrypted end-to-end by default.

  6. signal source code does not matter by Anonymous Coward · · Score: 2, Informative

    Seeing their source does not assure you of anything. You'd have to decompile the app you download from the store to know if it was bugged.

  7. Which one should you be using? by Yvan256 · · Score: 3, Insightful

    The one your friends and family use. What's the point of a secure messaging network if nobody you know uses it?

  8. What about WIRE? by grc · · Score: 2

    Wire is a rather nice messaging App that has end to end encryption. They don't advertise, or hold encryption keys. See here: https://wire.com/privacy/

  9. Re:Telegram is missing. by vux984 · · Score: 2

    It raises the question why they bothered to mention Allo then though, as it also has no encryption on by default.

  10. It's about the protocols, stupid by Anonymous Coward · · Score: 5, Insightful

    If you care about your privacy...

    ..then you have already stopped obsessing with "apps" and are primarily concerned with protocols. Once you have decided on, say, XMPP plus OpenPGP extensions, then you have plenty of competing apps to choose from.

    And of course, it follows that whatever protocol you use, will be "service-agnostic." Since you're going to pick something which uses a secure protocol, you basically don't care about servers; they're all commodities. Install jabberd or whatever at your Linode. Seriously: whatever.

    I don't know how WhatsApp or Allo are even seriously considered. What do they speak? When people talk about the app more than the protocol, that's a bad sign. (e.g. I use the web and it's irrelevant whether I use it with Chromium or Firefox. The more you care about my specific browser, the more I think you're trying to talk me into not-using-the-web.)

    1. Re:It's about the protocols, stupid by BlortHorc · · Score: 3, Informative

      > If you care about your privacy...

      > ..then you have already stopped obsessing with "apps" and are primarily concerned with protocols. Once you have decided on, say, XMPP plus OpenPGP extensions, then you have plenty of competing apps to choose from.

      > And of course, it follows that whatever protocol you use, will be "service-agnostic." Since you're going to pick something which uses a secure protocol, you basically don't care about servers; they're all commodities. Install jabberd or whatever at your Linode. Seriously: whatever.

      > I don't know how WhatsApp or Allo are even seriously considered. What do they speak? When people talk about the app more than the protocol, that's a bad sign. (e.g. I use the web and it's irrelevant whether I use it with Chromium or Firefox. The more you care about my specific browser, the more I think you're trying to talk me into not-using-the-web.)

      This gets modded as Insightful? Really?

      You don't have to have read TFA, read TFS ffs. They all use the Signal protocol, what is relevant is precisely the servers and what metadata they store and what their privacy policy says they will disclose to 3rd parties.

      Hence the fricking article.

  11. Threema is missing by Knuckles · · Score: 3, Insightful

    n/t

    --
    "When I first heard Daydream Nation it quite frankly scared the living shit out of me." -- Matthew Stearns
  12. What's the point? by nitehawk214 · · Score: 2

    What's the point of "secure" messaging in WhatsApp and Allo if the messages are not actually secure?

    --
    I'm a good cook. I'm a fantastic eater. - Steven Brust
  13. Re:No App is "Secure" by Anonymous Coward · · Score: 3, Insightful

    > Want a messaging app that is secure, get a peer-to-peer messaging app that does not depend on servers.

    And:
    (1) Was not compiled by anyone else
    (2) Does not depend on libraries compiled by anyone else
    (3) Does not run on an operating system compiled by anyone else
    (4) Does not run on hardware built by anyone else
    (5) Is completely bug-free all the way down to the hardware
    (6) Does not depend on unique identifiers like telephone number
    (7) Only uses onion routing to prevent 3rd parties from building a social-graph of your contacts
    (8) Does not draw attention to itself by using onion routing
    (9) Does not require so much network activity that it drains your battery and prevents you from communicating
    (A) Is easy enough to use that your non-technical contacts can actually use it
    (B) etc

    Every choice in life is a trade-off. There is no such thing as perfect. You must prioritize what matters most to you.

    But more broadly, anything that increases the cost of non-targeted "drag-net" style surveillance benefits all of us, even those of us who don't actually use the app.

  14. Wickr by lazarus · · Score: 3, Informative
    --
    I am not interested in articles about life extension advancements.
    1. Re:Wickr by ffkom · · Score: 2, Interesting

      But Wickr is commercial and requires central servers. Ring does not.

  15. Re:No App is "Secure" by drpimp · · Score: 2

    Clearly the only "Safe" option is using telepathy.

    --
    -- Brought to you by Carl's JR
  16. Re:iMessage by Aqualung812 · · Score: 4, Informative

    iMessage has a few issues:

    -Can't verify keys
    -By default, will send as SMS if you have data connection issues
    -Will send as SMS regardless of settings if the other person's iPhone is signed out from iMessage
    -Only works on iOS devices

    --
    Grammer Nazis - I mod you "troll" unless you actually add something on-topic. Yes, I know I have mispellings in my sig.
  17. I have a slightly different take on these three by 93+Escort+Wagon · · Score: 5, Insightful

    WhatsApp: You might have a chance of actually being able to communicate with someone you know - especially if you live in Brazil.

    Allo: "The first thing to understand about Google's forthcoming Allo app..." - yeah, because Google Plus was such a hit.

    Signal: The good news is, you can probably find all your Diaspora friends on this one.

    Seriously... let's ignore all the ones that most people actually use, shall we?

    --
    #DeleteChrome
  18. CHANGE YOUR PC CLOCK TO WAY OFF by Anonymous Coward · · Score: 4, Interesting

    None of the three are secure at all. The FBI/CIA use time logging as a default tracking failsafe mechanism.

    To have private chat you will have to run a live cd of Tails on a cd or in a virtual machine from an .iso as a live cd.

    The only good version is 1.4.1. It is what Ed Snowden used. Do not ask me how I know, especially on Slashdot.

  19. Centralized IMs by MRZA · · Score: 4, Insightful

    I think it's stupid to talk about privacy and centralized services. Only federation can give us a decent privacy level. Like XMPP. XMPP has e2e encryption (OMEMO, PGP, OTR). And serverless solutions like Tox. Although, it's still missing some important functionality. If you have a choice, use decentralized services.

  20. And there is threema ... by angel'o'sphere · · Score: 2

    https://threema.ch/en

    Servers in Switzerland, Company has "bank status", open API, everything encrypted, anonymous ID.

    --
    Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
    1. Re:And there is threema ... by natslovR · · Score: 2

      was wondering why that wasn't included. Thought the user-authentication process would be considered a positive.

  21. Wire is missing! by rarruda · · Score: 3, Informative

    Wire has complete e2e encryption and a full set of features missing in the other apps. (As well as all encryption bits being open source).

    Simple comparison chart is here: https://wire.com/privacy/