WhatsApp Alternatives part 2 – Secure Communication

This is an addition to my other post about WhatsApp alternatives. There are others that provide more than just messaging. Below is my personal impression about these.

Silent Circle

According to Silent Circle they offer “The World’s Most Secure Solution in Mobile Privacy”. They aim to provide secure communication, not necessarily private. The target market is mostly expats or businesspeople working in foreign countries. The applications and service have been built on the idea of privacy by design. This means that they promise, like Threema, that any trace of communication is deleted when it is no longer necessary.

The company offers different services: Silent Circle Text for secure text messaging, Silent Phone for mobile encrypted voice communication, Silent Circle Desktop for desktop access to the communication, and finally also Out-Circle access, which allows you to communicate securely to the Silent Circle server, where it is relayed to the US telephone network so that you can dial US numbers. To use the service, you have to pay a monthly fee of $10 ($24 for Out-Circle).

The cryptography and protocol are based on RFC 6189, ZRTP: Media Path Key Agreement for Unicast Secure RTP, which was co-authored by the company's co-founder Phil Zimmermann. It uses elliptic curve cryptography, combined with short authentication strings for key verification, and the communication is based on Jabber (XMPP). The actual implementation is closed-source, and there is no open API.
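The short-authentication-string check mentioned above, sketched as an added example (not Silent Circle's code and not the exact RFC 6189 derivation): each side hashes the agreed secret together with the public keys it saw, and the two users compare a four-character string by voice. The toy group, the "SAS" label, the base32 rendering and all function names are assumptions.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group for illustration only (assumption); ZRTP itself
# negotiates standardized finite-field or elliptic-curve groups.
P = 2**255 - 19  # a known prime
G = 2
B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"  # rendering alphabet (assumption)


def keypair(priv=None):
    """Return (private, public); a fixed private value may be passed for tests."""
    priv = priv or secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def short_auth_string(priv, initiator_pub, responder_pub, peer_pub):
    """Hash the shared secret plus both public keys as this side saw them,
    then render the leftmost 20 bits as four characters to read aloud."""
    secret = pow(peer_pub, priv, P).to_bytes(32, "big")
    transcript = initiator_pub.to_bytes(32, "big") + responder_pub.to_bytes(32, "big")
    digest = hashlib.sha256(b"SAS" + secret + transcript).digest()
    bits = int.from_bytes(digest[:4], "big") >> 12
    return "".join(B32[(bits >> shift) & 31] for shift in (15, 10, 5, 0))


def exchange(alice, bob, relay=None):
    """Run one key agreement; `relay` is a keypair substituted in transit
    (hypothetical man-in-the-middle). Returns (alice_sas, bob_sas)."""
    (a_priv, a_pub), (b_priv, b_pub) = alice, bob
    seen_by_alice = relay[1] if relay else b_pub
    seen_by_bob = relay[1] if relay else a_pub
    alice_sas = short_auth_string(a_priv, a_pub, seen_by_alice, seen_by_alice)
    bob_sas = short_auth_string(b_priv, seen_by_bob, b_pub, seen_by_bob)
    return alice_sas, bob_sas


if __name__ == "__main__":
    alice, bob, relay = keypair(), keypair(), keypair()
    print("direct: ", exchange(alice, bob))         # both strings match
    print("relayed:", exchange(alice, bob, relay))  # differ, barring a 20-bit collision
```

A string this short is only safe to rely on because ZRTP also has the initiator commit to its key with a hash before the exchange, a step this sketch leaves out.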

The privacy statement of Silent Circle states that they do not log authenticated web requests. They aim to hold as little information as possible: “Our goal is to have nothing to turn over or disclose to any third-party.” They do not sell or distribute any personal information to third parties. Finally, they also state in their privacy policy that every 6 months they will post how many requests from law enforcement they received.

ChatSecure

ChatSecure is a fully free and open solution. It uses Off-The-Record (OTR) encryption, together with Jabber (XMPP) messaging. They also publish the source code for both the iOS and Android applications. The only downside to using OTR is that both sender and receiver have to be online to use it. This is fidgety on iOS as the app is not allowed to stay connected in the background.

The ChatSecure encryption is based on the Guardian Project's older project GibberBot. This provided an encryption layer over any online text communication channel. The encryption itself is performed by the OTR library using Diffie-Hellman key exchange for AES, along with the Socialist Millionaires’ Protocol for verifying that no man-in-the-middle is present. I have not verified the code myself, but it is present on GitHub for both iOS and Android.

ChatSecure itself does not handle any personal information as they offer their service on top of other communication protocols. The metadata about who is talking to whom is thus not private, and still in the hands of whichever communication medium you choose to use. The privacy policy of the ChatSecure website is modelled after the excellent Automattic’s privacy policy, stating that they aim to store as little as possible.

Conclusion

It all comes down to a matter of trust. You have to place your trust somewhere in the system: on servers, implementations, or ability. It all depends on what you think is important, and who you choose to trust. I trust Threema to offer a sensible implementation with secure messaging, as it is their business model. I believe that Silent Circle provides a good product too, but it is too expensive for me personally.

If you put more value in open source, then probably ChatSecure or surespot is more to your liking. Note however that your metadata (when you are talking to whom) is still not safe in these solutions. The most opaque solution of them all is Telegram with non-standard cryptography and closed implementation.