In search of the best messaging app for groups

Telegram does not encrypt your messages by default and has no encrypted groups; Signal requires a phone with Google / Big Brother / Skynet installed; and WhatsApp, although it has recently enabled encryption and has secure groups by default, has poor support for GIFs, no stickers, and lacks other basic cuteness for today's chats.

What do you have to do to have safe, practical and fun group chats that are also open source and GNU / Linux friendly?

The current panorama

Let me give a bit of context: before 2013 only a few "paranoids" believed it was important to encrypt all our communications; after that year, Edward Snowden showed us quite a few compelling reasons why we should encrypt our communications all the time, which is why some applications began to take security more seriously than before, although not in the way we cypherpunks or cryptopunks would have liked.

Telegram, open source with centralized servers.

Relatively recently the best solution seemed to be Telegram, an open source application with the disadvantage that the servers are centralized and controlled by the Durov brothers in Berlin (Russian owners on German soil, the American nightmare!). However, it is necessary to trust that these people are not going to spy on conversations and that they are not going to sell access to this data to any corporation or government, and no matter how much they swear to us on any holy book, there are no absolutely reliable certainties that give us complete peace of mind.

As group encryption is technically very complex and produces practical disadvantages, if we use Telegram we will have to leave those conversations unencrypted.

WhatsApp, encrypted conversations with closed source.

WhatsApp started the other way around: it began operating before Snowden's revelations, so it didn't care about security at all. Before 2012, it didn't even send data over secure connections, so any basic man-in-the-middle attack could get hold of the conversations.

It has since worked with Whisper Systems to implement a protocol that encrypts any conversation by default, even those in groups, although this takes away practicality, since desktop clients necessarily depend on the connection with the phone, which makes using WhatsApp on the computer slow, tedious and impractical.

Another problem is that, as much as WhatsApp says that conversations are end-to-end encrypted, the software is closed source, and the owner of that code is Facebook, so you don't need to be too paranoid to know that something is not quite right there. I can come to trust Moxie Marlinspike, but not Facebook.

Signal, one of the safest but possibly with Google as an observer.

Speaking of Moxie, he is the mind behind Whisper Systems and he is the one who came up with the idea of an application that would encrypt personal and group messages, in addition to encrypting SMS and calls made through cell phone operators (in case you didn't know, operators can see and listen to any information that passes through their cellular network); this application is called Signal.

A major advantage of Signal is that it does not synchronize anything with its servers, so not even our contact list is compromised (unlike what happens with WhatsApp). This means that, in the event that Whisper Systems is compromised or that the US government demands protected data (which already happened once), there is really nothing to deliver because they do not keep a record of anything.

The downside of this great app (praised by Snowden, even) is that it uses Firebase Cloud Messaging (formerly Google Cloud Messaging) which, as you might guess, depends on Google. Although they say that in this case Google only delivers and receives the data and cannot read it (which does not exempt them from having a record of who talks to whom), passing my conversations through Alphabet's servers is unnecessary and risky from my point of view. Not to mention that, even if we believe that the data is safe, it implies having a phone with Google stuck to its guts, which carries a whole other world of implications (the same applies if we have an iPhone, which avoids using FCM).

Someone came up with the wonderful idea of making a fork of Signal that does not use FCM (FreeSignal), but it was abandoned after Moxie laid out his reasons for using FCM, which leaves us back where we started: which application should we use to have large, safe, practical and fun groups?

Why is it so difficult to have encrypted groups by default?

One reason is that for a group to be practical, it needs to be asynchronous (if not, there would be no way to see previous messages or to "get in and out" of the group without losing access to the data), but that makes the encryption process much more complex.

In the same way, the encryption has to be point-to-point, so if we start the secure chat on our cell phone, for example, we cannot see the messages on the PC later, which would rob a group with very active members of practicality.

In the best of cases, WhatsApp and Signal (which use the same protocol) use PC applications as mirrors, not as independent clients, which avoids this problem but makes use on PC totally dependent on the cell phone (somewhat less practical).

Work-oriented applications

From another point of view, there are also applications designed for workgroups such as Slack, although it is commercial, with a closed-source client and all that implies.

There are free and decentralized alternatives such as Rocket, Mattermost or Riot, but they depend on someone in the group hosting the application on a private server (which means that the whole group has to trust that person) or on paying to use the application developers' servers (which means trusting them); in addition, since these applications are generally focused on the work environment, they lack features that are simply for fun (such as GIFs or stickers).

The overview of group messaging apps

Today applications continue to evolve and change practices in the pursuit of more concise and comprehensive security, but the inherent complexity in these processes (coupled with business interests in some applications) makes the race for the ultimate secure application not easy.

The Electronic Frontier Foundation's list of which applications are the safest is outdated and awaiting a new version, and almost every day new applications appear, each boasting of being the best among the myriad of options.

A new app that is worth highlighting is Google's Allo, and I say that it is remarkable because Google had originally said that it would encrypt all communications by default, but on the day of its presentation said that it would not always do so, that it would give the option to start a secure chat but not automatically (which even earned it a mention from Snowden). This is understandable, since Alphabet's business is our data, so an application that does not generate wealth for them is a wasted application (same case with WhatsApp and Facebook).

It seems that we will have to wait even longer for a reliable and practical application, since currently all applications have flaws in terms of practicality or security. It would seem that to this day we have not been able to escape the mathematical formula that dictates that "safety is inversely proportional to practicality" and, even if we manage to overcome that barrier, we still have to deal with the omnipresent resistance of the non-specialized public to adopting new technologies and protocols even when an absolute general improvement is shown (the case of Tox and Ring, to mention two recent and interesting examples).

For better and for worse, what the common user uses is always the most practical option (almost always conditioned by commercial interests), not the best in a technical sense. Those most resistant to this trend have the resilient XMPP protocol together with the OTR plugin which, as expected, is still waiting to be able to implement groups with strong encryption.

In this thread there is an image (plus some links) of the key to decrypt all the "safe" chats of WhatsApp


  1.   Iyan said

    Very good post! The truth is that I use many of them. WhatsApp "because I have no choice." Well, of course I have a choice, but since I don't want to give up being in communication with friends and acquaintances who only use this app, I have it installed. Telegram mainly for some groups of Free Software projects and for bots. Signal to talk to a few "geek" friends (the same ones who use GPG to encrypt their emails, hehe). Slack for a company group, and Riot I have been using for a couple of weeks now to connect to Freenode IRCs and Chakra Linux groups.

    PS: good luck in the blog contest!

  2.   rodrigo satch said

    They forget to mention that the outgoing messages from WhatsApp are encrypted, but not when they are saved on the phone, so putting the phone in recovery mode and connecting it to the computer is the only thing it takes to get all those supposedly encrypted conversations... Even so, the best application is the one that is useful to us, and in short, here in Mexico 95% of the phones have WhatsApp, which makes it almost impossible to educate users to change or use another app.
    Regards

  3.   peter flintstones said

    And you forgot to include Wire... also open source and multiplatform

  4.   g said

    Very good analysis