- Source of Article: Which Messaging Technologies Are Truly Safe and Secure?
Full scorecard: https://www.eff.org/secure-messaging-scorecard
In the face of widespread Internet data collection and surveillance, we need a secure and practical means of talking to each other from our phones and computers. Many companies offer "secure messaging" products - but how can users know if these systems are actually secure?
The Electronic Frontier Foundation (EFF) released its Secure Messaging Scorecard, evaluating dozens of messaging technologies on a range of security best practices.
You can read the full Secure Messaging Scorecard here.
"The revelations from Edward Snowden confirm that governments are spying on our digital lives, devouring all communications that aren't protected by encryption," said EFF Technology Projects Director Peter Eckersley. "Many new tools claim to protect you, but don't include critical features like end-to-end encryption or secure deletion. This scorecard gives you the facts you need to choose the right technology to send your message."
The scorecard includes more than three dozen tools, including chat clients, text messaging apps, email applications, and technologies for voice and video calls. EFF examined them on seven factors, like whether the message is encrypted both in-transit and at the provider level, and if the code is audited and open to independent review. Six of these tools scored all seven stars, including ChatSecure, CryptoCat, Signal/Redphone, Silent Phone, Silent Text, and TextSecure. Apple's iMessage and FaceTime products stood out as the best of the mass-market options, although neither currently provides complete protection against sophisticated, targeted forms of surveillance. Many options, including Google, Facebook, and Apple's email products, Yahoo's web and mobile chat, Secret, and WhatsApp, lack the end-to-end encryption that is necessary to protect against disclosure by the service provider. Several major messaging platforms, like QQ, Mxit, and the desktop version of Yahoo Messenger, have no encryption at all.
"We're focused on improving the tools that everyday users need to communicate with friends, family members, and colleagues," said EFF Staff Attorney Nate Cardozo. "We hope the Secure Messaging Scorecard will start a race-to-the-top, spurring innovation in stronger and more usable cryptography."
The Secure Messaging Scorecard is part of EFF's new Campaign for Secure and Usable Cryptography, and was produced in collaboration with Julia Angwin at ProPublica and Joseph Bonneau at the Princeton Center for Information Technology Policy.
11-05-14 05:41 AM, Like 0
- It's good that a watchdog organization has taken the initiative to evaluate the features of so many IM clients and publish it in a chart.
Hopefully this encourages BlackBerry to implement the missing security features, and security-conscious IM users to scrutinize their apps more carefully instead of placing trust in brands.
Last edited by sentimentGX4; 11-05-14 at 06:03 AM.
11-05-14 05:51 AM, Like 5
- Yes, I read this yesterday, but there are a few things that really pop out at me as wrong. First, I really don't think the authors know what the word end-to-end means. It's more than a single layer of encryption and it entails hardware and IM design. For example, there is simply no way on God's green earth that WhatsApp's approach of using your phone number is secure. Someone has the blinders on.
Posted via CB10
11-05-14 07:33 AM, Like 8
- Maybe it's biased or they used questionable benchmarks, but you can't deny that BBM, once the pinnacle of secure messaging, is now starting to lag behind in terms of security, stability and ease of use.
I took one tested app from the list called "Threema" to see what the fuss is all about and found this little tidbit on their site:
The leading German consumer safety organization Stiftung Warentest has scrutinized the five most popular instant messengers in Germany with regard to data protection and security. The result: Only Threema was deemed "non-critical". The other apps were considered "very critical" or "critical" by the independent foundation. (Zeit online, February 27, 2014)
Threema is the clear winner of the comprehensive messenger comparison by internet security experts PSW GROUP. Other popular messenger services ranked far behind. (it-daily.net, July 26, 2014)
They need to start developing it at a faster rate (like their competitors) and implement true end-to-end encryption and PFS (Perfect-Forwarding-Secrecy). "New" features are being released at an excruciatingly slow pace (I'm guessing because of a lot of legacy code and a small privileged development team working on the BBM code) compared to any competitor out there...
While the phone may be secure, there is no denying that BBM has fallen behind.
anon8656116 likes this.
11-05-14 08:40 AM, Like 1
- Wonder why BlackBerry does not encrypt the messages using the recipient's PIN as the cypher key? Certainly would add another level of security. The recipient would then unencrypt the message using the PIN, and as we know that the PINs are unique and burned into the hardware, it would make it very difficult to intercept.
Of course it would be horrible to implement in a group chat, but then the group ID could be used as the cypher key I guess.....
11-05-14 09:08 AM, Like 0
- Read yesterday.
There are a few problems with that scorecard.
Methodology
Here are the criteria we looked at in assessing the security of various communication tools.
1. Is your communication encrypted in transit?
This criterion requires that all user communications are encrypted along all the links in the communication path. Note that we are not requiring encryption of data that is transmitted on a company network, though that is ideal. We do not require that metadata (such as user names or addresses) is encrypted.
2. Is your communication encrypted with a key the provider doesn't have access to?
This criterion requires that all user communications are end-to-end encrypted. This means the keys necessary to decrypt messages must be generated and stored at the endpoints (i.e. by users, not by servers). The keys should never leave endpoints except with explicit user action, such as to backup a key or synchronize keys between two devices. It is fine if users' public keys are exchanged using a centralized server.
3. Can you independently verify your correspondent's identity?
This criterion requires that a built-in method exists for users to verify the identity of correspondents they are speaking with and the integrity of the channel, even if the service provider or other third parties are compromised. Two acceptable solutions are:
- An interface for users to view the fingerprint (hash) of their correspondent's public keys as well as their own, which users can verify manually or out-of-band.
- A key exchange protocol with a short-authentication-string comparison, such as the Socialist Millionaire's protocol.
Other solutions are possible, but any solution must verify a binding between users and the cryptographic channel which has been set up. For the scorecard, we are simply requiring that a mechanism is implemented and not evaluating the usability and security of that mechanism.
4. Are past communications secure if your keys are stolen?
This criterion requires that the app provide forward-secrecy, that is, all communications must be encrypted with ephemeral keys which are routinely deleted (along with the random values used to derive them). It is imperative that these keys cannot be reconstructed after the fact by anybody even given access to both parties' long-term private keys, ensuring that if users choose to delete their local copies of correspondence, they are permanently deleted. Note that this criterion requires criterion 2, end-to-end encryption.
5. Is the code open to independent review?
This criterion requires that sufficient source-code has been published that a compatible implementation can be independently compiled. Although it is preferable, we do not require the code to be released under any specific free/open source license. We only require that all code which could affect the communication and encryption performed by the client is available for review in order to detect bugs, back doors, and structural problems.
Note: when tools are provided by an operating system vendor, we only require code for the tool and not the entire OS. This is a compromise, but the task of securing OSes and updates to OSes is beyond the scope of this project.
6. Is the crypto design well-documented?
This criterion requires clear and detailed explanations of the cryptography used by the application. Preferably this should take the form of a white-paper written for review by an audience of professional cryptographers. This must provide answers to the following questions:
- Which algorithms and parameters (such as key sizes or elliptic curve groups) are used in every step of the encryption and authentication process
- How keys are generated, stored, and exchanged between users
- The life-cycle of keys and the process for users to change or revoke their key
- A clear statement of the properties and protections the software aims to provide (implicitly, this tends to also provide a threat model, though it's good to have an explicit threat model too). This should also include a clear statement of scenarios in which the protocol is not secure.
7. Has there been an independent security audit?
This criterion requires that an independent security review has been performed within the 12 months prior to evaluation. This review must cover both the design and the implementation of the app and must be performed by a named auditing party that is independent of the tool's main development team. Audits by an independent security team within a large organization are sufficient. Recognizing that unpublished audits can be valuable, we do not require that the results of the audit have been made public, only that a named party is willing to verify that the audit took place.
nick13b likes this.
11-05-14 09:14 AM, Like 1
- For a company that wants to make their money via software, they sure seem unable to get the apps and software right.
BBM no longer secure as it once was.
FB still light years behind.
BES12 still not out.
BB10 still is missing many features of the Legacy OS.
No improvement in BlackBerry Maps.
BBM for DROID and Windows still behind its competitors.
BlackBerry hates America!
11-05-14 09:38 AM, Like 4
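Criteria 2 and 4 of the scorecard methodology quoted earlier in the thread (keys that never leave the endpoints, and forward secrecy through ephemeral keys that are deleted) can be made concrete. The Python below is an added example, not code from EFF or from any of the scored apps; it assumes plain finite-field Diffie-Hellman over the RFC 3526 group 14 prime and a constructed HMAC-keystream cipher so it runs on the standard library alone, and it contrasts a session keyed only from long-term keys with one keyed from ephemeral keys that are then wiped.

```python
import hashlib
import hmac
import secrets

# RFC 3526 group 14 (2048-bit MODP) prime and generator for plain DH.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2

def keypair():
    """Fresh DH private exponent and matching public value (an endpoint secret)."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def session_key(priv, peer_pub):
    """32-byte message key from the DH shared value; SHA-256 stands in for a KDF."""
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(256, "big")).digest()

def keystream_xor(key, data):
    """Constructed demo cipher: HMAC-SHA256 counter keystream XORed into data."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, i.to_bytes(4, "big"), "sha256").digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def forward_secrecy_demo(msg=b"constructed sample message"):
    """Returns (static_session_recovered, ephemeral_session_recovered)."""
    a_long, A_long = keypair()      # Alice's long-term identity key
    b_long, B_long = keypair()      # Bob's long-term identity key
    # No forward secrecy: the message key comes from the long-term keys alone.
    ct_static = keystream_xor(session_key(a_long, B_long), msg)
    # Forward secrecy: one ephemeral DH per session, wiped after use.
    a_eph, A_eph = keypair()
    b_eph, B_eph = keypair()
    ct_eph = keystream_xor(session_key(a_eph, B_eph), msg)
    del a_eph, b_eph                # endpoints delete the ephemeral secrets
    # Later compromise (criterion 4): attacker holds BOTH long-term private
    # keys plus the recorded transcript (public values and ciphertexts).
    recovered_static = keystream_xor(session_key(b_long, A_long), ct_static)
    # Without a_eph/b_eph, mixing a long-term key with an ephemeral public
    # value yields some key, but not the one the session actually used.
    recovered_eph = keystream_xor(session_key(b_long, A_eph), ct_eph)
    return recovered_static == msg, recovered_eph == msg
```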
- As I said before, trust them to slate BBM lol
I know for a fact it is more secure than any other
Posted via CB10
11-05-14 10:18 AM, Like 0
- That awkward moment when "facebook chat" is more secure than BBM :P Damn, BBM has got a lot of work to do. Thought I was much more secure. "Bubble popped"
Posted via BlackBerry Q5 on 10.2.1.3247
sentimentGX4 likes this.
11-06-14 06:42 AM, Like 1
- It is so nice to see that people will believe anything without doing any fact checking. Any details on why you believe this report?
CerveloJohn likes this.
11-06-14 11:56 AM, Like 1
- Yeah. It is.
Has been since BB10. And it's not news to anyone paying attention.
I used to be surprised at the surprise information like this garners on Crackberry. No more.
Posted via the CrackBerry App for Android
sentimentGX4 likes this.
11-06-14 03:10 PM, Like 1
BBM just got served