Ask Slashdot: Are There Secure Alternatives To Skype?

How can you make a truly secure phone call? An anonymous Slashdot reader writes: I have a Windows 8.1 phone and mostly use it for Skype calls and chats. A bit of browsing every now and then, and checking public transportation schedules... What can I do to be able to securely chat and place audio/video calls? What do you think is the best device to buy and what apps to use on it?
Skype for Windows Phone will stop working in 2017, and Skype's privacy was already suspect after Edward Snowden leaked evidence of Microsoft's secret collaboration with the NSA. But are there any good alternatives -- especially for a Windows Phone user? Leave your suggestions in the comments. What are the best secure alternatives to Skype?

Signal, WhatsApp, etc

Signal is open source. Use Signal if you want real security.

WhatsApp is closed source but uses the same encryption in Signal. Use it if you need something people already use.

In either case, turn on security notifications and learn what they mean, and verify your contacts by reading out their fingerprint over the voice connection.

Telegram's encryption is kinda broken. Therema's encryption is broken. iMessage only works on iOS and it's slightly broken. I donno if Allo does voice, but you must turn on encryption manually, so it's probably broken if you imagine the user can be tricked.

Check the EFF Secure Messaging Scorecard

Electroic Freedom Foundation created the Secure Messaging Scorecard to help answer this question. The biggest problem with this scorecard is it mixes desktop and mobile apps together without really indicating which type of app they are. But both Signal and Silent Phone are available for Android and iOS. Either of these might be worth considering as alternatives for the types of things you current use Skype for today.

Re:Check the EFF Secure Messaging Scorecard

[Dex+Hex]

Unfortunately that version of the scoreboard is outdated and new one is underway but there is not even a draft published. Nevertheless, I had a look at several of the most promising looking software listed there and trying to figure out if there is even one that is currently secure enough.

Inherently Insecure

[ytene]

You mention the need for "secure chat", but don't express "how secure" you would like that to be. As others have posted, if you're connected to the internet (and your question is worded to imply that you're looking at Voice Over IP (VOIP) solutions, then there is pretty much no secure option out there... An Agency like the NSA could record all your data packets and brute-force them pretty quickly, if they so chose.

Having said that, it might be possible for us to brainstorm the sort of attributes that would help to make your VOIP calls less insecure. The collective wisdom of slashdotters might then be able to suggest some alternative products for you to consider. Things to look out for might include:-

1. A solution that uses a central server only for the purpose of establishing the IP address of your chosen call recipient, then allows all communication to that recipient to happen directly, point-to-point. There is no need to route call traffic through central servers (unless you want to listen in). Ahem. Skype.
2. A solution that not only uses the latest approved encryption algorithms, but which makes the swapping of an algorithm a relatively easy process [think user-selectable option, addition of a library file with the algorithm code]. The upgrading of key strength/entropy parameters should be even easier...
3. A solution that includes, within the encryption stream, random white noise padding (to make it much harder to determine the precise amount of data being exchanged) might be nice.

And so on...

I did think about including an option that said, "For each legitimate call channel that you set up using the central register of logged-in users, pick three more logged in users at random and simultaneously exchanged random, encrypted data packets with those users too." Unfortunately, there are multiple issues with that. First, what if one of those random users really was under surveillance by a three-letter-agency. Using the "association" rules, that agency would then start monitoring you *real* closely... and second, running four calls for the cost of one might actually degrade your network/audio performance if you happen to be on a slow link.

Bottom line; there is no easy answer to your question, but please don't consider using Skype and "secure" in the same statement... ;)

Re:Alternatives: Yes

You are kidding, right? WeChat is owned by Tencent which has tight connection to te Chinese government. It's worse then Skype in terms of security

Again?

[SeaFox]

If we could not ask the same questions every month, that would be great.

WebRTC

[Gerv]

WebRTC-based services, in the form of e.g. https://meet.jit.si/, are end-to-end secure and decentralised. Not sure if Windows Phone has any browser which supports WebRTC, though.

Use a WebRTC peer-to-peer session

[roca]

Use a Web site to set up a WebRTC peer-to-peer session. I like talky.io, which uses peer-to-peer for one-to-one chats. There are many others, and if you don't like them or don't trust them, you could pretty easily build your own.

The security properties of peer-to-peer WebRTC are pretty good:
-- end-to-end DTLS with perfect forward secrecy
-- all protocols involved are IETF standards and have had a decent amount of public security review
-- Firefox/Chromium implementations are fully open source that you can build yourself and run on Windows/Mac/Linux/Android
-- the Web site that sets up the connection could MITM you, but there are many WebRTC sites to choose from and it's pretty easy for anyone to set up more.

I kinda wonder why governments aren't complaining about WebRTC. It's probably just not popular enough yet.

Depends on what you want

[LichtSpektren]

Signal is currently the best solution for secure messages and phone calls. It's an app for Android and iOS, and Chrome has an extension to sync your messages to a desktop chat. But it communicates between phone numbers of course, so if that's not what you want then it's a bit trickier.

The best totally anonymous desktop messaging protocol I am aware of is Pidgin (Windows, Linux) and Adium (macOS) using the "Off-The-Record" extension. I don't know if there's any good solutions for video chat.