The state of secure messaging in 2023

So, it is 2023. A full-blown cyberwar is still going on between Ukraine and Russia, and Telegram has become a tool in that war for both sides. Let’s take the chance to look at the state of secure messaging, review some of the better-known options, and look at some of the lesser-known and commercial options out there.

When rating a secure messaging app, what do we look at? The first thing I look at is the ownership situation. Next, is the app or its underlying encryption technology open source? And can the integrity of the individual endpoints be ensured even if the backend infrastructure is compromised or ownership changes? (keybase.io is an example of an ownership change: Zoom bought it in 2020, but more about that later on.)

The following criteria flow into the review and assessment of secure messaging services and apps. This might differ for some people, but I think it covers the most important must-haves.

  1. End-to-end encryption (no-brainer)
  2. Multi-Platform capable
  3. Support of Voice and Video calls as well as attachments
  4. Open Source Encryption

I will make this a top 5, starting with my favorite.

Signal — https://signal.org/

Signal

My personal favorite for a number of reasons. Let's start with a pro and con table:

Pro

  • Can do group chats, SMS, voice and video calls, documents, and picture messages.
  • Option to send disappearing messages (with a timer)
  • Open Source Signal protocol (used by other messaging apps as well)
  • PIN access (you can set a PIN that is used to set up Signal on other/new devices)
  • Password protection (the app will require a PIN or password to open, which is good if your device gets into the wrong hands)
  • It does not store user data or metadata
  • Available for iOS, Android, Mac, Windows, and Linux
  • Growing user base

Con

  • Requires a mobile number for initial sign up
  • You can only delete messages for everyone in a chat if they were sent no longer than 3 hours ago. This might not be an issue for most people, but it is still worth mentioning.

Signal is the messaging app of choice for many security and privacy-concerned individuals; the best-known examples are Edward Snowden, Jack Dorsey, and Bruce Schneier.

At this point, I am confident that Signal is the most secure messaging app that is easily available to the general public; the fact that a huge open-source community reviews the source code and identifies weaknesses ensures that. I do have to mention the one drawback: you need to give a mobile number for the initial sign-up. Aside from that, I have yet to find anything that would bother me with Signal, and that is probably a minor thing, for which there is always the throwaway SIM option.

An important factor in this security is the Signal protocol: the de facto gold standard in messaging encryption; it is even used by other apps that still did not make this list for various reasons (e.g., WhatsApp).

So, this is my top recommendation for a secure messenger.

More about Signal can be read here: https://support.signal.org/hc/en-us

Telegram Messenger — https://telegram.org/

Let's get the first thing out of the way right at the start: Telegram is Russian owned. Why the heck would that make the top 5? Well, there are a few good reasons for that.

Telegram was founded in 2013 by two Russian brothers, Nikolai and Pavel Durov. In 2014, Pavel fled the country after some individuals strongly connected to the Kremlin took control of a social networking site best known simply as VK. Russia’s intelligence agency had asked Durov to turn over the data of anti-Kremlin protesters. Durov refused, which ultimately led to his fleeing the country.

Though many in Ukraine have preferred Signal over Telegram, a large Ukrainian community still uses Telegram, including some from government channels. There is also the Telegram channel called IT Army of Ukraine, with about 185,000 subscribers as of this writing, where tasks are given out to individuals for attacks on Russian infrastructure and businesses.

This by itself may not put most users at ease, so here are a few pros and cons to consider; in the end, you need to decide for yourself if Telegram is trustworthy.

Pro

  • End-to-end encryption (E2EE) for Secret Chats
  • Encryption protocol: MTProto, a custom protocol
  • Open source apps and Telegram Database Library
  • Screenshot detection (Secret Chat only)
  • Apps for iOS, Android, Mac, Windows, Linux
  • Self-destructing messages
  • Can delete messages for all members of a chat with no time limit
  • Users can be logged in on multiple devices simultaneously
  • Users can use multiple Telegram accounts in the app and switch between them
  • Supports Two-Step Verification (2FA)
  • Option to create channels with an unlimited audience or groups of up to 200,000 members
  • Now possible to sign up without a SIM card (read more here: https://telegram.org/blog/ultimate-privacy-topics-2-0#sign-up-without-a-sim-card )

Con

  • E2EE is only for Secret Chats and not the default for all chats
  • Groups / Channels are not E2E encrypted
  • Servers are not open-source
  • Logs IP addresses and other user data

These may seem like a lot of cons, but in the end, it is still way better, at least in my opinion, than trusting the word of organizations like Meta (WhatsApp, FB Messenger, Instagram Messenger) when it comes to privacy; we all remember the Cambridge Analytica scandal.

More about Telegram can be read here: https://telegram.org/faq.

Threema — https://threema.ch/en

Threema is an interesting alternative, albeit not free. Like all the others, it offers E2EE. An important differentiator is that, unlike literally all other alternatives, it does not require a mobile number or email address for initial setup and registration.

Pro

  • End-to-end encryption (E2EE)
  • Open Source (transition completed)
  • Encryption method: NaCl (pronounced “salt”), an open source cryptographic library
  • No mobile number or email address needed
  • Text and voice messages; voice and video calls; groups and distribution lists
  • Apps for iOS, Android, Mac, Windows, Linux, and the pretty decent open WebApp
  • File sharing and Group polling
  • Does not log IP Addresses or metadata (their own statement)
  • Owns all their own servers

Con

  • A relatively small number of users means limited options
  • No 2FA support
  • Not free, and no free trial (the mobile app costs 3.99 USD to download)

Threema is certainly a very good secure messaging app. It is one of the few that lets you sign up without providing a phone number or email address. Being a paid app, you may consider this a plus: they need to make money, and if they make money by charging you for the app, they have less reason to sell your data (like Facebook/Meta does).

Having said all this, I do want to end the review of Threema with the fact that they are based in Switzerland, so, just reminding everybody about the case of Crypto AG — but of course, Threema appears in no way connected, and just like ProtonMail, it is certainly a very good option for your secure messaging needs.

Wickr Me — https://wickr.com/

I thought for a while before I decided to include Wickr in this list, and the reason for that is Amazon's recent acquisition of Wickr. I still found enough reasons to include it.

Let's start with the pros and cons.

Pro

  • Client-side end-to-end encryption (E2EE)
  • Encryption algorithms: AES 256, ECDH521, and RSA 4096, with Perfect Forward Secrecy (PFS)
  • Anonymous accounts are possible
  • Apps for iOS, Android, Mac, Windows, Linux and
  • A nice feature called “burn on read” for messages and attachments
  • Ephemeral messages and attachments (ephemeral messaging is the device-to-device transmission of messages that automatically disappear from the recipient’s screen once the message has been read; you can configure the time span for this).
  • Publishes transparency reports — get the latest here: https://wickr.com/wp-content/uploads/2021/09/Transparency-Report-070121.pdf
  • All user content is securely and entirely wiped from the device after it expires.
  • Does not log IP addresses or the UID (unique device ID — their own statement)
  • Does not record user metadata (their own statement)
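
To make the "burn on read" semantics concrete, here is a small, self-contained store that models them. This is an added example written for this article; it is not Wickr's code and says nothing about Wickr's internals. It assumes a single device holding plaintext in memory and an injectable clock (so the behaviour can be exercised offline), and it shows the two properties the bullet above describes: the countdown starts when the recipient reads the message, not when it is delivered, and the expired plaintext is overwritten before the reference is dropped.

```python
"""Toy ephemeral ("burn on read") message store.

Added illustration of timer-from-read message expiry with a configurable
time span. Hypothetical code: not taken from any messenger's source.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass
class EphemeralMessage:
    body: bytearray                  # mutable buffer so the plaintext can be zeroed in place
    burn_after_read_s: int           # countdown length; starts at the first read
    read_at: Optional[float] = None  # None until the recipient has opened the message


class EphemeralStore:
    """Holds delivered messages and destroys them burn_after_read_s after first read."""

    def __init__(self, clock: Callable[[], float]):
        self._clock = clock          # injected clock makes the expiry logic testable offline
        self._messages: Dict[int, EphemeralMessage] = {}
        self._next_id = 0

    def deliver(self, body: bytes, burn_after_read_s: int) -> int:
        """Store an incoming message; delivery alone does not start the timer."""
        mid = self._next_id
        self._next_id += 1
        self._messages[mid] = EphemeralMessage(bytearray(body), burn_after_read_s)
        return mid

    def read(self, mid: int) -> Optional[bytes]:
        """Return the plaintext (or None if expired/unknown) and start the timer on first read."""
        self.purge()
        msg = self._messages.get(mid)
        if msg is None:
            return None
        if msg.read_at is None:
            msg.read_at = self._clock()   # first read starts the burn countdown
        return bytes(msg.body)

    def purge(self) -> int:
        """Wipe every message whose read-timer has run out; returns how many were wiped."""
        now = self._clock()
        expired = [mid for mid, m in self._messages.items()
                   if m.read_at is not None and now - m.read_at >= m.burn_after_read_s]
        for mid in expired:
            msg = self._messages.pop(mid)
            for i in range(len(msg.body)):   # overwrite the plaintext before discarding it
                msg.body[i] = 0
        return len(expired)

    def pending(self) -> int:
        return len(self._messages)


class FakeClock:
    """Manually advanced clock (constructed for the demonstration)."""

    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def demo() -> Tuple[Optional[bytes], Optional[bytes], Optional[bytes], int]:
    """Walk through the timer-from-read behaviour with constructed sample messages."""
    clock = FakeClock()
    store = EphemeralStore(clock)
    a = store.deliver(b"meet at 9", burn_after_read_s=30)   # constructed sample message
    store.deliver(b"never opened", burn_after_read_s=30)    # constructed, stays unread
    clock.advance(3600)            # an hour passes: neither message was read, so neither expires
    first = store.read(a)          # first read, countdown starts now
    clock.advance(29)
    second = store.read(a)         # 29 s later: still visible
    clock.advance(1)
    third = store.read(a)          # 30 s after the first read: wiped, None is returned
    return first, second, third, store.pending()


if __name__ == "__main__":
    print(demo())
```

The unread message survives the whole hour because nothing starts its timer; a real client would normally add an absolute lifetime on top of this so undelivered or unopened content does not linger indefinitely.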

Con

  • Code is publicly visible on GitHub, but it is not fully open source
  • Based in the United States
  • Recently acquired by Amazon (Let’s see where that
  • Not a very big user base

Wickr Me can still be considered one of the best secure messaging apps in the world. Ephemeral messaging is certainly an acquired taste, but ask yourself if you need years of message history; if you do, then this app is not for you. If you do not, it is a viable solution, but we must keep monitoring what Amazon will do with it.

Wickr Pro is for you if you need additional features. For some additional features, go with the Basic plan (but then you won't be anonymous anymore) — for even more, there are Silver, Gold, and Platinum. You can check out the product tiers for more details: https://wickr.com/product-tiers/

Having said this, and even though it was acquired by Amazon, it still made my list mostly because of the fact that you do not need to provide a mobile number or email address to sign up, making it useful for certain purposes. But here, it all depends on whether or not you trust Amazon or how you feel about them owning Wickr.

Keybase — https://keybase.io/

As with Wickr, I also thought twice before including Keybase; this is mainly because they were acquired by Zoom sometime in 2020.

Let's again start off with the pros and cons.

Pro

  • End-to-end PGP-based encryption (E2EE) for messaging and file sharing
  • Encryption algorithms: XSalsa20, Poly1305, Ed25519, SHA512
  • Apps are open source
  • Apps for iOS, Android, Windows, Mac, Linux
  • It has a self-destruction feature for messages
  • Multi-device usage is possible
  • They provide 250GB of encrypted cloud storage with your account
  • Blockchain-based to protect against tampering
  • Completely free of charge.

Con

  • Now owned by Zoom, which has strong ties to China (privacy concerns) — even though the owner is now a US citizen, the main development workforce is based in China.
  • Not all that straightforward to install and fully configure
  • Regular Users may have a bit of a learning curve
  • Chat with limited features
  • The server backend is NOT open source
  • Not a very big user base (below 500k)

So, despite all these cons, the app did make it into the last spot in my top 5.

Keybase is a powerful collection of security tools that bring PGP encryption to more users and make it more applicable for general use. For the average user, it is a little too confusing and complicated to use, but for well-versed tech-savvy people, it is a good toolbox.

On an initial review, Keybase is still very secure. I could find no reports of Keybase being hacked or otherwise compromised.

Unfortunately, nothing will take away the fact of Zoom ownership, so while it made the list because of its many features for advanced users and the fact that it is completely free, it barely made it in the last spot, and I am not sure whether it will make next year's list for me.

With this, I end today’s article, and I hope it helps some of you decide on the right messenger to use.

You might also want to check out some of my videos on my YouTube channel:

The Cybersecurity Blog - OSINT-PH
The Cybersecurity Blog is an independent publication launched in April 2022 by Sigmund Brandstaetter.