Sep 26 2015

Secure Instant Messaging App Selection

Category: Mobile Computing, Security
Teknovis @ 07:23

I was searching for a new secure instant messaging app, and I previously described my requirements in Secure Instant Messaging App Requirements. My search has finished, and I have a winner :) Let me explain how I got to this point :)

There are lots of messaging apps available that claim to be secure. Indeed, they may well be depending on what is meant by secure. My requirements were very clear, so it was relatively easy to reduce the field to an initial short list of four (in alphabetical order):

All of these apps are covered in the Secure Messaging Scorecard by the Electronic Frontier Foundation. I found that was a very useful resource.

Surespot was the first to be eliminated. This was an easy decision, because there are rumours that it has been compromised. I am not sure that I believe all of these rumours, but they are enough to scare me away! See any of the following:

Telegram was next to be eliminated. It has several good and bad features, and the main ones of interest to me are summarised below.

Good:

  • Available for desktops
  • Provides end-to-end encryption, but only for secret chats
  • Scored 4/7 in normal use, and 7/7 for secret chats
  • Available for both Android and iOS

Bad:

  • Founded by, and run by, Russians
  • Group chats do not use end-to-end encryption
  • Uses phone numbers
  • There are some concerns over its use of a very custom protocol

It was fairly easy to eliminate Telegram, because I do not like the way that it only provides end-to-end encryption in the secure chat mode. It would be too difficult for me to educate my target audience in the differences between the various types of chats.

This left Open Whisper Systems and Threema, and I spent the most time studying both of these. Obviously I looked at their respective web sites, and I also found the following two resources very useful:

The main good and bad features of Open Whisper Systems in my opinion are summarised below.

Good:

  • Open source
  • Includes voice support
  • Great endorsements (Bruce Schneier, Edward Snowden)
  • Scored 7/7
  • Provides end-to-end encryption (using elliptic curves)
  • Provides end-to-end forward secrecy
  • Includes identity verification
  • Available for both Android and iOS

Bad:

  • Based in the US
  • Funded by the US government
  • Previous links with Twitter, and current vague links with Whatsapp/Facebook
  • Linked to the device’s SIM
  • Integrates with the native messaging app

Similarly, the main good and bad features of Threema in my opinion are summarised below.

Good:

  • Provides end-to-end encryption (using elliptic curves)
  • Provides end-to-end encryption for group chats
  • Cryptography provided using a respected library (NaCl)
  • Scored 5/7
  • Not linked to the device’s SIM, so it can be used on devices without SIMs
  • Hosted in Switzerland
  • Standalone app
  • Includes identity verification
  • Available for both Android and iOS

Bad:

  • Does not include voice support
  • No desktop version
  • Not free
  • Does not provide end-to-end forward secrecy

Of course I realise that some of my opinions are very subjective (such as the nationalities of the people behind them). I am also aware that I must have a certain amount of trust in the app provider, and that no secure app in the world can compensate for a compromised operating system!

So what app did I ultimately select? Threema :) So far I have been extremely happy with my choice!

However, I have been impressed by Open Whisper Systems, and I am considering using it for work purposes. (I like to keep my personal apps separate from my work apps.)



Aug 16 2015

Secure Instant Messaging App Requirements

Category: Mobile Computing, Security
Teknovis @ 22:18

Lately I have been on a mission to find an instant messaging app for my mobile phone. The initial plan is to use it for personal purposes with immediate family members, and I am in the position of being able to move them all to a new app. I am less concerned about less immediate family and friends.

If there is a suitable app, then I want to be able to use it for work purposes also.

The obvious choice is WhatsApp, but I detest it in principle for a few reasons:

  • It is owned by Facebook, which I do not use – nor do I want to use it!
  • It is tied to a specific device, and it uses the phone number as an identifier. This is such an outdated approach!
  • I am very sceptical of its security model (i.e., there is none), and I dislike allowing an entity in the middle of my communications to have access to them!

In fairness to WhatsApp, the user interface is very polished and easy to use!

So my main mandatory requirements are:

  • Easy to use
  • Uses well established cryptography
  • Uses end-to-end encryption
  • Not dependent upon a mobile phone number (and hence capable of running on devices without SIMs)
  • Capable of sending and receiving photos
  • Supports group chats (less than 10 people)
  • Available for both Android and iOS
  • Trustworthy (whatever that means!)

Nice to have features include:

  • Available for Windows desktops
  • General verification features

Aspects that do not concern me:

  • Having to pay (a reasonable) once-off fee for it
  • Voice call features
  • Corporate features
  • Recalling messages
  • Remotely deleting messages
  • Establishing secure communications with people that I do not meet in person

I will create a new post in the near future describing what apps I eliminated, and what app(s) I decided to use!



Jul 11 2015

The “Evil” Bit

Category: Humour, Networks, Security, Standards
Teknovis @ 18:37

I had to read about the “Evil” bit in Request for Comments: 3514 this afternoon!

I wonder why it never caught on!


Jan 26 2014

6th National Data Protection Conference

Category: Events, Security
Teknovis @ 19:39

The 6th National Data Protection Conference is taking place in Dublin next week. I do not know if there are still places available!

It looks interesting, but it is not really my area.


Dec 05 2013

Password Security

Category: Security
Teknovis @ 19:01

There are some interesting general password observations in The gentle art of cracking passwords, but the list of top 20 passwords disclosed due to the Adobe hack in Analysis reveals popular Adobe passwords is even more insightful! I will include it here for my own future reference:

  • 123456
  • 123456789
  • password
  • adobe123
  • 12345678
  • qwerty
  • 1234567
  • 111111
  • photoshop
  • 123123
  • 1234567890
  • 000000
  • abc123
  • 1234
  • adobe1
  • macromedia
  • azerty
  • iloveyou
  • aaaaaa
  • 654321

This list really is frightening!



Jun 23 2013

Common Passwords

Category: Security
Teknovis @ 08:52

I came across this word cloud depicting the most common passwords a while ago (click image to see larger version):

Common Passwords (Copyright Unknown)

Unfortunately, I cannot remember the source :(


Jul 23 2012

Firefox 14.0.1

Category: Security, Software
Teknovis @ 21:51

I updated to Firefox 14.0.1 over the weekend. It does not contain any new user features, but there have been several security enhancements. See the Release Notes for the complete details.

In particular, I like the following two enhancements:

  • HTTPS is now used for all Google searches. That should prevent network administrators from eavesdropping on searches ;) Image searches are particularly fun ;) See Rolling Out HTTPS Google search for more details.
  • It is no longer possible to spoof the HTTPS icon using the favicon on a fraudulent site. I think that this was really necessary to protect ordinary computer users. I also like the way that the real domain name is highlighted to prevent fraudulent URLs. See Site identity UI updates for more details.

For more general reporting on the upgrade see Firefox 14 arrives with “secure search” and Firefox 14 Hides Your Searches from Prying Eyes.

The only downside of the upgrade has been that my favourite theme, Silvermel, no longer works :( Hopefully this will be rectified soon!



Jun 20 2012

Two-Factor Authentication Failure

Category: Internet, Security
Teknovis @ 22:04

A friend made me aware of this fascinating story of a two-factor authentication failure – I know someone whose 2-factor phone authentication was hacked….

(It is an interesting blog!)


Apr 14 2012

Password Security

Category: Infographic, Security
Teknovis @ 17:40

I spent my afternoon setting up a new laptop. I usually choose my passwords securely, but it reminded me of this infographic that I saw a while ago (click image to see larger version):

What Makes A Strong Password? (Copyright Killer Infographics)

The original article where I saw this infographic is Use This Infographic to Pick a Good, Strong Password.



Feb 29 2012

Mobile Wallets and Digital Wallets

Category: Cloud Computing, mPayments, Security
Teknovis @ 23:46

I read an interesting article about the differences between mobile wallets and digital wallets today – Mobile Payments: Life Is More Secure In The Cloud. I was not aware of the distinction!

There was one argument that I did not agree with:

Look at it this way: if your phone gets stolen and all your financial information is on the device, and the thief began making transactions, it would almost be impossible to tell if it was really you. With the cloud approach your account is constantly being monitored. So, for example, if a transaction is made by you in San Francisco on your desktop computer, then 10 minutes later one is made in Paris on your phone, it will immediately be clear that something’s wrong.

The author argues that the digital wallet is more secure, because it is easy to detect the fraudulent transaction being made in diverse locations. I would argue that such fraudulent transactions are inherently impossible with a mobile wallet.
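The monitoring the quoted article relies on is an "impossible travel" velocity check. As an added illustration (not code from the article or from this blog), the Python below computes the speed implied by two consecutive transactions on one account and flags any pair that would require travelling faster than an assumed 1000 km/h; the San Francisco and Paris coordinates and the ten-minute gap are a constructed sample of the article's scenario.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 1000.0  # assumed threshold: faster than any airliner


@dataclass
class Transaction:
    when: datetime
    lat: float
    lon: float
    channel: str  # e.g. "desktop" or "phone"


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def implied_speed_kmh(prev, curr):
    """Speed the account holder would need to move from prev to curr."""
    hours = (curr.when - prev.when).total_seconds() / 3600.0
    dist = haversine_km(prev.lat, prev.lon, curr.lat, curr.lon)
    if hours <= 0:  # same instant: any displacement is impossible
        return float("inf") if dist > 0 else 0.0
    return dist / hours


def flag_impossible_travel(txns, max_speed=MAX_PLAUSIBLE_SPEED_KMH):
    """Return the transactions (in time order) whose distance from the
    previous transaction on the same account exceeds what max_speed allows."""
    ordered = sorted(txns, key=lambda t: t.when)
    return [curr for prev, curr in zip(ordered, ordered[1:])
            if implied_speed_kmh(prev, curr) > max_speed]


# Constructed sample reproducing the article's scenario (assumed coordinates).
T0 = datetime(2012, 2, 29, 12, 0)
SAMPLE = [
    Transaction(T0, 37.7749, -122.4194, "desktop"),                   # San Francisco
    Transaction(T0 + timedelta(minutes=10), 48.8566, 2.3522, "phone"),  # Paris
]

if __name__ == "__main__":
    for t in flag_impossible_travel(SAMPLE):
        print("flagged:", t)
```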

