Slashdot Mirror


Ask Slashdot: Are There Secure Alternatives To Skype? (theguardian.com)

How can you make a truly secure phone call? An anonymous Slashdot reader writes: I have a Windows 8.1 phone and mostly use it for Skype calls and chats. A bit of browsing every now and then, and checking public transportation schedules... What can I do to be able to securely chat and place audio/video calls? What do you think is the best device to buy and what apps to use on it?
Skype for Windows Phone will stop working in 2017, and Skype's privacy was already suspect after Edward Snowden leaked evidence of Microsoft's secret collaboration with the NSA. But are there any good alternatives -- especially for a Windows Phone user? Leave your suggestions in the comments. What are the best secure alternatives to Skype?

37 of 237 comments

  1. ToX by Anonymous Coward · · Score: 2, Funny

    Tox is an alternative, not sure if it is ported to Windows Phone...

    1. Re:ToX by Anonymous Coward · · Score: 2

      Wrong site.

      https://tox.chat is the correct one.

  2. Maybe Ring? by mistersixt · · Score: 2
  3. Network Effect by Anonymous Coward · · Score: 5, Insightful

    Options are plenty. But the point is how you can persuade all your contacts to switch to the niche app of your choice with you.

    1. Re:Network Effect by Dex+Hex · · Score: 2

      Maybe using an application (like Jitsi, as other posters already suggested) that can interoperate with other messengers. You can register a SIP address and then chat with any other user that has a SIP address, no matter what their comm client is. At least in this manner you won't have to convince all your friends to switch to just that one client that works best on your platform (but you would still need to convince them to move from Skype, securely configure some new software client that works on their device, have them register a SIP address... so still far from doable).

      While on this subject, I'm not aware of how good SIP security is. Also not sure which SIP providers are considered secure and honest to respect their terms of service and privacy policies. I guess it also depends on how competent the client developers were in implementing the security features.

  4. Signal, WhatsApp, etc by Anonymous Coward · · Score: 3, Informative

    Signal is open source. Use Signal if you want real security.

    WhatsApp is closed source but uses the same encryption in Signal. Use it if you need something people already use.

    In either case, turn on security notifications and learn what they mean, and verify your contacts by reading out their fingerprint over the voice connection.

    Telegram's encryption is kinda broken. Threema's encryption is broken. iMessage only works on iOS and it's slightly broken. I dunno if Allo does voice, but you must turn on encryption manually, so it's probably broken if you imagine the user can be tricked.

    1. Re:Signal, WhatsApp, etc by Lennie · · Score: 4, Interesting

      I'm sure we'll eventually see if WhatsApp really is using the Signal system correctly all the time. I mean, this is Facebook; they even follow you around even if you've never even signed up for Facebook.

      --
      New things are always on the horizon
    2. Re:Signal, WhatsApp, etc by Dex+Hex · · Score: 2

      Tox looks promising but it's not quite there yet from looking at their site. Their mobile device clients look buggy / under heavy development. I hope they get there soon though.

    3. Re:Signal, WhatsApp, etc by Killall+-9+Bash · · Score: 2

      OpenSSL is open source. Very secure. Pay no attention to that gaping hole in my heart that has blood squirting out of it.

      --
      "Prediction: within 10 years, Windows will be a Linux distribution." Me, 7-6-2016
  5. Check the EFF Secure Messaging Scorecard by Anonymous Coward · · Score: 5, Informative

    Electronic Freedom Foundation created the Secure Messaging Scorecard to help answer this question. The biggest problem with this scorecard is it mixes desktop and mobile apps together without really indicating which type of app they are. But both Signal and Silent Phone are available for Android and iOS. Either of these might be worth considering as alternatives for the types of things you currently use Skype for today.

    1. Re:Check the EFF Secure Messaging Scorecard by Dex+Hex · · Score: 3, Informative

      Unfortunately that version of the scoreboard is outdated and a new one is underway but there is not even a draft published. Nevertheless, I had a look at several of the most promising looking software listed there and trying to figure out if there is even one that is currently secure enough.

  6. Inherently Insecure by ytene · · Score: 4, Informative

    You mention the need for "secure chat", but don't express "how secure" you would like that to be. As others have posted, if you're connected to the internet (and your question is worded to imply that you're looking at Voice Over IP (VOIP) solutions), then there is pretty much no secure option out there... An Agency like the NSA could record all your data packets and brute-force them pretty quickly, if they so chose.

    Having said that, it might be possible for us to brainstorm the sort of attributes that would help to make your VOIP calls less insecure. The collective wisdom of slashdotters might then be able to suggest some alternative products for you to consider. Things to look out for might include:-

    1. A solution that uses a central server only for the purpose of establishing the IP address of your chosen call recipient, then allows all communication to that recipient to happen directly, point-to-point. There is no need to route call traffic through central servers (unless you want to listen in). Ahem. Skype.
    2. A solution that not only uses the latest approved encryption algorithms, but which makes the swapping of an algorithm a relatively easy process [think user-selectable option, addition of a library file with the algorithm code]. The upgrading of key strength/entropy parameters should be even easier...
    3. A solution that includes, within the encryption stream, random white noise padding (to make it much harder to determine the precise amount of data being exchanged) might be nice.

    And so on...

    I did think about including an option that said, "For each legitimate call channel that you set up using the central register of logged-in users, pick three more logged in users at random and simultaneously exchange random, encrypted data packets with those users too." Unfortunately, there are multiple issues with that. First, what if one of those random users really was under surveillance by a three-letter-agency? Using the "association" rules, that agency would then start monitoring you *real* closely... and second, running four calls for the cost of one might actually degrade your network/audio performance if you happen to be on a slow link.

    Bottom line; there is no easy answer to your question, but please don't consider using Skype and "secure" in the same statement... ;)

    1. Re:Inherently Insecure by asylumx · · Score: 2

      All the conspiracy theorists are planted by the government in order to keep us distracted from what's really happening in the world! Wake up, sheeple!

    2. Re:Inherently Insecure by swillden · · Score: 4, Interesting

      An Agency like the NSA could record all your data packets and brute-force them pretty quickly, if they so chose

      There's no evidence that the NSA can break properly-implemented modern cryptography. In fact there's considerable evidence that they cannot, including both Snowden's statements, and the fact that the NSA recommends it for classified US government data, among other things.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    3. Re:Inherently Insecure by randallman · · Score: 2

      "An Agency like the NSA could record all your data packets and brute-force them pretty quickly, if they so chose"

      So, you're claiming AES has been broken?

  7. Re:Alternatives: Yes by Anonymous Coward · · Score: 5, Informative

    You are kidding, right? WeChat is owned by Tencent which has tight connection to the Chinese government. It's worse than Skype in terms of security

  8. Re:Alternatives: Yes by ChunderDownunder · · Score: 3, Funny

    Tencent? Pffft!

    Let us know when 50 Cent releases his own videochat client.

  9. Again? by SeaFox · · Score: 3, Informative

    If we could not ask the same questions every month, that would be great.

  10. WeChat = Tencent = Chinese Communist Party by He+Who+Has+No+Name · · Score: 5, Insightful

    WeChat is a Tencent product, and Tencent is partially state-owned by the People's Republic of China. So I can guarantee you that anything you do in that program - in fact, probably anything you do in any device with that program installed, or any device linked to your WeChat profile with social media or other links - is going straight to a national surveillance agency. Just not an American one.

    That being the case, I have to seriously question the credibility of anybody suggesting WeChat in the context of basically anything.

    1. Re:WeChat = Tencent = Chinese Communist Party by jandersen · · Score: 2

      WeChat is a Tencent product, and Tencent is partially state-owned by the People's Republic of China. So I can guarantee you that anything you do in that program - in fact, probably anything you do in any device with that program installed, or any device linked to your WeChat profile with social media or other links - is going straight to a national surveillance agency. Just not an American one.

      I know that - give me some credit, I am after all able to find the keys on my keyboard - and I didn't say I recommend it, only that I use it, as do most Chinese, apparently, or at least those that I know; and I used it as an example of what kind of functionality one should be able to find with little effort in a large number of apps. And as I did point out, it is not realistic to expect things like anonymity or security from a free tool that, for its function, relies fundamentally on all traffic passing through the servers of any business, whose main business is to mine the traffic. Seriously, you guys are out there, if you can't even read to the end of a comment before screaming in paranoia.

      I don't fear WeChat any more - or less - than Skype or whatever else there is with similar functionality. There is no such thing as a free lunch - so if anybody gives you something for free, there is a catch. There always is, and you simply have to live with that knowledge, and choose your actions accordingly. Personally, I don't have the imagination to guess what the Chinese government would want to take a deep interest in the tsunamis of low-level trivia that roar through WeChat all the time - it is just not all that captivating, but it is handy to be able to make a free call to family and friends anywhere in the world.

    2. Re:WeChat = Tencent = Chinese Communist Party by He+Who+Has+No+Name · · Score: 2

      If necessary, yes.

      The old adage about everybody except you jumping off a bridge comes to mind, and this isn't the XKCD case where the reason for leaping is nebulous and open to humorous investigation. We've established the mob is stupid. Your choice comes down to telling them they're stupid and why, silently refusing to participate, or leaping just because everyone else is - even though you know it's a stupid idea.

  11. WebRTC by Gerv · · Score: 3, Informative

    WebRTC-based services, in the form of e.g. https://meet.jit.si/, are end-to-end secure and decentralised. Not sure if Windows Phone has any browser which supports WebRTC, though.

    1. Re:WebRTC by Lennie · · Score: 2

      Also you can easily run your own Jitsi bridge on a device you control.

      Someone should make a simple to install website you can put on your own server somewhere which works like this:

      https://appear.in/

      It probably already exists somewhere.

      --
      New things are always on the horizon
  12. Windows Phone? by xororand · · Score: 3, Insightful

    If you run Windows Phone or Windows 10 you should say goodbye to any sort of privacy.
    https://www.gnu.org/proprietar...

    As of now there are no commercially available smart phones that respect your freedom entirely. Depending on where you draw the line, your best bets are Replicant or at the very least CyanogenMod without any Google Apps.

    F-Droid is a package manager for Android that only contains software that respects your freedom.

  13. Re:Why the obsession? by jcr · · Score: 5, Insightful

    Why are you people so obsessed with privacy from the government?

    Because we don't fucking trust you, shithead. Haven't you figured that out yet?

    -jcr

    --
    The only title of honor that a tyrant can grant is "Enemy of the State."
  14. You cannot make secure phone-calls by gweihir · · Score: 2

    As soon as you involve the phone-system, you are compromised. However, you can have a secure voice-chat, with numerous technologies. If you run your own server, something like mumble may serve. Needs a dedicated client, but security is apparently pretty good. Works on Linux.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  15. Use a WebRTC peer-to-peer session by roca · · Score: 4, Informative

    Use a Web site to set up a WebRTC peer-to-peer session. I like talky.io, which uses peer-to-peer for one-to-one chats. There are many others, and if you don't like them or don't trust them, you could pretty easily build your own.

    The security properties of peer-to-peer WebRTC are pretty good:
    -- end-to-end DTLS with perfect forward secrecy
    -- all protocols involved are IETF standards and have had a decent amount of public security review
    -- Firefox/Chromium implementations are fully open source that you can build yourself and run on Windows/Mac/Linux/Android
    -- the Web site that sets up the connection could MITM you, but there are many WebRTC sites to choose from and it's pretty easy for anyone to set up more.

    I kinda wonder why governments aren't complaining about WebRTC. It's probably just not popular enough yet.
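An added illustration of the signalling-site MITM point in the comment above (not part of the original thread, and not code from any project named in it): the DTLS certificate fingerprint each browser puts in its SDP can be compared out of band to detect a signalling server that swapped it. The function names and the sample SDP are constructed for this example; in a browser the two inputs would come from `RTCPeerConnection.localDescription.sdp` on the sender and `remoteDescription.sdp` on the receiver.

```javascript
// Added example. All SDP and fingerprint values below are constructed samples.

// Collect every DTLS certificate fingerprint ("a=fingerprint", RFC 8122)
// from an SDP blob, normalised so that case differences do not matter.
function extractFingerprints(sdp) {
  const found = new Set();
  const re = /^a=fingerprint:(\S+)\s+([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2})+)\s*$/;
  for (const line of sdp.split(/\r?\n/)) {
    const m = re.exec(line);
    if (m) found.add(`${m[1].toLowerCase()} ${m[2].toUpperCase()}`);
  }
  return [...found].sort();
}

// Compare what the sender actually offered (its local description) with
// what the receiver was handed by the signalling site (its remote description).
function checkSignalling(senderLocalSdp, receiverRemoteSdp) {
  const sent = extractFingerprints(senderLocalSdp);
  const received = extractFingerprints(receiverRemoteSdp);
  if (sent.length === 0 || received.length === 0) {
    // Without a fingerprint there is nothing binding the DTLS session to a peer.
    return { ok: false, reason: "no fingerprint present" };
  }
  const unexpected = received.filter((fp) => !sent.includes(fp));
  return unexpected.length === 0
    ? { ok: true, reason: "fingerprints match" }
    : { ok: false, reason: "fingerprint substituted in transit", unexpected };
}

// Constructed minimal SDP carrying one sha-256 fingerprint.
const sampleSdp = (fingerprint) => [
  "v=0",
  "o=- 1 1 IN IP4 127.0.0.1",
  "s=-",
  "t=0 0",
  "m=audio 9 UDP/TLS/RTP/SAVPF 111",
  "a=setup:actpass",
  `a=fingerprint:sha-256 ${fingerprint}`,
].join("\r\n");

const BOB_FP = Array(32).fill("ab").join(":");   // constructed: Bob's real certificate
const RELAY_FP = Array(32).fill("cd").join(":"); // constructed: a certificate swapped in by the site

console.log(checkSignalling(sampleSdp(BOB_FP), sampleSdp(BOB_FP.toUpperCase())));
console.log(checkSignalling(sampleSdp(BOB_FP), sampleSdp(RELAY_FP)));
```

The comparison only helps if the sender's value reaches the receiver over a channel the signalling site does not control, such as reading it aloud.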

    1. Re:Use a WebRTC peer-to-peer session by Lennie · · Score: 2

      Yep, governments and others haven't really noticed yet.

      If you run your own server with the website/relay software then it really is full end2end and based on the proper crypto, etc.

      People will figure this out eventually.

      --
      New things are always on the horizon
  16. Re:Why the obsession? by Anonymous Coward · · Score: 2, Insightful

    You've got that the wrong way around. The question you should be asking is "Why is the government so paranoid about terrorism?"

    Take off the tin foil hat and stop being so paranoid about terrorists, you anti-American, freedom-hating douchebag.

  17. Re:Alternatives: Yes by stealth_finger · · Score: 2

    99 problems but a web chat client ain't one.

    --
    Wanna buy a shirt?
    https://www.redbubble.com/people/stealthfinger/shop?asc=u
  18. Re: Why the obsession? by Anonymous Coward · · Score: 2, Insightful

    Terrorism? Is there a single piece of evidence the NSA is achieving anything against terrorism? The only evidence we have of their work is that they spy on the European MEPs, the European leaders, 56 million Germans, 48 million Italians, 50 million French... And the only warning France got before Bataclan came from Algerian services, which are doing mostly HUMINT....

  19. Re:Why the obsession? by Applehu+Akbar · · Score: 2

    All terrorists have to do to surprise us again is attack us with a new technique. While the three-letter agencies are making our lives miserable at airports, one jogger tossing a vial of hacked Ebola into a big-city reservoir could be the next 9/11.

  20. Depends on what you want by LichtSpektren · · Score: 3, Informative

    Signal is currently the best solution for secure messages and phone calls. It's an app for Android and iOS, and Chrome has an extension to sync your messages to a desktop chat. But it communicates between phone numbers of course, so if that's not what you want then it's a bit trickier.

    The best totally anonymous desktop messaging protocol I am aware of is Pidgin (Windows, Linux) and Adium (macOS) using the "Off-The-Record" extension. I don't know if there's any good solutions for video chat.

  21. Re:Why the obsession? by budgenator · · Score: 4, Insightful

    It's not even that we don't trust,

    trust: firm belief in the reliability, truth, ability, or strength of someone or something.

    we absolutely trust that if we allow the agents of government a great power to use in a narrow context, against a specific group of bad actors for the general benefit, that they will eventually without fail use that power in contexts never intended and against people never imagined, with regard only to the benefit of the few power brokers.

    --
    Apocalypse Cancelled, Sorry, No Ticket Refunds
  22. Re:Alternatives: Yes by Wycliffe · · Score: 2

    You are kidding, right? WeChat is owned by Tencent which has tight connection to the Chinese government. It's worse than Skype in terms of security

    The original poster said security of any of them is a joke. That being said, the question that needs to be asked is who are you trying to be secure from? If you're a drug dealer in the USA then having a secure client controlled by a country who is not likely to share with your local government is probably not a bad solution. The Chinese government is not going to be too concerned about domestic crimes in the USA. Personally, if I was worried about security, I would opt for fragmenting my communication over multiple channels. It's much harder to intercept communication if you email an encrypted video to someone and then text them the encryption key via a burner phone. Even unencrypted, if the message is fragmented over 4-5 distinct channels then piecing it back together becomes much more difficult because you first must gain access to all the different channels. For the average person though, your best bet for a single channel is still probably to not look for the most secure solution but instead look for the most secure solution by a party in opposition to who you want to be secure from.

  23. Re:Alternatives: Yes by sir-gold · · Score: 2

    This assumes that the CIA hasn't already hacked these Chinese services, for no reason other than being a Chinese communications service, especially when there are certain to be Chinese government-mandated back-doors already in place just waiting to be exploited by the CIA.

    This is part of the argument against mandating encryption back-doors in the US, that goes beyond US spying: if you build a back-door for someone, eventually someone else will find it.

    "the enemy of my enemy is my friend" doesn't work when your new 'friend' is already their own worst enemy.

  24. Re:Why the obsession? by magamiako1 · · Score: 2

    I think it's funny how people seem to think that being anonymous is important while simultaneously being pissed off that the government doesn't do enough to "deter cheating" of the voting system, legality of immigration status. In short, MY privacy is IMPORTANT, but YOUR privacy is not!

    Even more amusing is that they all seem to have no problems with private companies hoarding all of this data. We have no Constitutional protections against private entities. Google and Facebook are far more powerful than the NSA, FBI, and DEA combined. But let's not draw any attention to that, shall we? Let's all focus on how the EVIL GUBMINT is STORIN' DATA ON ME!

    Let's pay no attention to the fact that the things you post on social networking or the Internet in general, or the stuff you buy, can be used to build a profile of you that not only controls how much money you're going to spend on something (interest rates), but also whether or not you're hirable at all. You know, things that are truly important to like 99.99% of anyone in the country, earning money and buying goods and services with their money.