Slashdot Mirror

← Back to Stories (view on slashdot.org)

Ask Slashdot: Are There Secure Alternatives To Skype? (theguardian.com)

Posted by EditorDavid on from the finding-your-calling dept.

How can you make a truly secure phone call? An anonymous Slashdot reader writes: I have a Windows 8.1 phone and mostly use it for Skype calls and chats. A bit of browsing every now and then, and checking public transportation schedules... What can I do to be able to securely chat and place audio/video calls? What do you think is the best device to buy and what apps to use on it?
Skype for Windows Phone will stop working in 2017, and Skype's privacy was already suspect after Edward Snowden leaked evidence of Microsoft's secret collaboration with the NSA. But are there any good alternatives -- especially for a Windows Phone user? Leave your suggestions in the comments. What are the best secure alternatives to Skype?

10 of 237 comments (clear)

  1. Network Effect by Anonymous Coward · · Score: 5, Insightful

    Options are plenty. But the point is how you can persuade all your contacts to switch to the niche app of your choice with you.

  2. Check the EFF Secure Messaging Scorecard by Anonymous Coward · · Score: 5, Informative

    Electroic Freedom Foundation created the Secure Messaging Scorecard to help answer this question. The biggest problem with this scorecard is it mixes desktop and mobile apps together without really indicating which type of app they are. But both Signal and Silent Phone are available for Android and iOS. Either of these might be worth considering as alternatives for the types of things you current use Skype for today.

  3. Inherently Insecure by ytene · · Score: 4, Informative

    You mention the need for "secure chat", but don't express "how secure" you would like that to be. As others have posted, if you're connected to the internet (and your question is worded to imply that you're looking at Voice Over IP (VOIP) solutions, then there is pretty much no secure option out there... An Agency like the NSA could record all your data packets and brute-force them pretty quickly, if they so chose.

    Having said that, it might be possible for us to brainstorm the sort of attributes that would help to make your VOIP calls less insecure. The collective wisdom of slashdotters might then be able to suggest some alternative products for you to consider. Things to look out for might include:-

    1. A solution that uses a central server only for the purpose of establishing the IP address of your chosen call recipient, then allows all communication to that recipient to happen directly, point-to-point. There is no need to route call traffic through central servers (unless you want to listen in). Ahem. Skype.
    2. A solution that not only uses the latest approved encryption algorithms, but which makes the swapping of an algorithm a relatively easy process [think user-selectable option, addition of a library file with the algorithm code]. The upgrading of key strength/entropy parameters should be even easier...
    3. A solution that includes, within the encryption stream, random white noise padding (to make it much harder to determine the precise amount of data being exchanged) might be nice.

    And so on...

    I did think about including an option that said, "For each legitimate call channel that you set up using the central register of logged-in users, pick three more logged in users at random and simultaneously exchanged random, encrypted data packets with those users too." Unfortunately, there are multiple issues with that. First, what if one of those random users really was under surveillance by a three-letter-agency. Using the "association" rules, that agency would then start monitoring you *real* closely... and second, running four calls for the cost of one might actually degrade your network/audio performance if you happen to be on a slow link.

    Bottom line; there is no easy answer to your question, but please don't consider using Skype and "secure" in the same statement... ;)

    1. Re:Inherently Insecure by swillden · · Score: 4, Interesting

      An Agency like the NSA could record all your data packets and brute-force them pretty quickly, if they so chose

      There's no evidence that the NSA can break properly-implemented modern cryptography. In fact there's considerable evidence that they cannot, including both Snowden's statements, and the fact that the NSA recommends it for classified US government data, among other things.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  4. Re:Alternatives: Yes by Anonymous Coward · · Score: 5, Informative

    You are kidding, right? WeChat is owned by Tencent which has tight connection to te Chinese government. It's worse then Skype in terms of security

  5. WeChat = Tencent = Chinese Communist Party by He+Who+Has+No+Name · · Score: 5, Insightful

    WeChat is a Tencent product, and Tencent is partially state-owned by the People's Republic of China. So I can guarantee you that anything you do in that program - in fact, probably anything you do in any device with that program installed, or any device linked to your WeChat profile with social media or other links - is going straight to a national surveillance agency. Just not an American one.

    That being the case, I have to seriously question the credibility of anybody suggesting WeChat in the context of basically anything.

  6. Re:Why the obsession? by jcr · · Score: 5, Insightful

    Why are you people so obsessed with privacy from the government?

    Because we don't fucking trust you, shithead. Haven't you figured that out yet?

    -jcr

    --
    The only title of honor that a tyrant can grant is "Enemy of the State."
  7. Use a WebRTC peer-to-peer session by roca · · Score: 4, Informative

    Use a Web site to set up a WebRTC peer-to-peer session. I like talky.io, which uses peer-to-peer for one-to-one chats. There are many others, and if you don't like them or don't trust them, you could pretty easily build your own.

    The security properties of peer-to-peer WebRTC are pretty good:
    -- end-to-end DTLS with perfect forward secrecy
    -- all protocols involved are IETF standards and have had a decent amount of public security review
    -- Firefox/Chromium implementations are fully open source that you can build yourself and run on Windows/Mac/Linux/Android
    -- the Web site that sets up the connection could MITM you, but there are many WebRTC sites to choose from and it's pretty easy for anyone to set up more.

    I kinda wonder why governments aren't complaining about WebRTC. It's probably just not popular enough yet.

  8. Re:Signal, WhatsApp, etc by Lennie · · Score: 4, Interesting

    I'm sure we'll eventually see if WhatsApp really is using the Signal system correctly all the time. I mean this is Facebook they even follow you around even if you've never even signed up for Facebook.

    --
    New things are always on the horizon
  9. Re:Why the obsession? by budgenator · · Score: 4, Insightful

    It's not even that we don't trust,

    trust ; firm belief in the reliability, truth, ability, or strength of someone or something.

    we absolutely trust that if we allow the agents of government a great power to use in a narrow context, against a specific group of bad actors for the general benefit, that they will eventually without fail use that power in contexts never intended and against people never imagined, with only in regard to the benefit of the few power brokers.

    --
    Apocalypse Cancelled, Sorry, No Ticket Refunds