1. anon(1464249)'s Avatar
    Source of Article: Which Messaging Technologies Are Truly Safe and Secure?
    Full scorecard: https://www.eff.org/secure-messaging-scorecard

    In the face of widespread Internet data collection and surveillance, we need a secure and practical means of talking to each other from our phones and computers. Many companies offer "secure messaging" products - but how can users know if these systems are actually secure?

    The Electronic Frontier Foundation (EFF) released its Secure Messaging Scorecard, evaluating dozens of messaging technologies on a range of security best practices.

    You can read the full Secure Messaging Scorecard here.

    "The revelations from Edward Snowden confirm that governments are spying on our digital lives, devouring all communications that aren't protected by encryption," said EFF Technology Projects Director Peter Eckersley. "Many new tools claim to protect you, but don't include critical features like end-to-end encryption or secure deletion. This scorecard gives you the facts you need to choose the right technology to send your message."

    The scorecard includes more than three dozen tools, including chat clients, text messaging apps, email applications, and technologies for voice and video calls. EFF examined them on seven factors, like whether the message is encrypted both in-transit and at the provider level, and if the code is audited and open to independent review. Six of these tools scored all seven stars, including ChatSecure, CryptoCat, Signal/Redphone, Silent Phone, Silent Text, and TextSecure. Apple's iMessage and FaceTime products stood out as the best of the mass-market options, although neither currently provides complete protection against sophisticated, targeted forms of surveillance. Many options - including Google, Facebook, and Apple's email products, Yahoo's web and mobile chat, Secret, and WhatsApp - lack the end-to-end encryption that is necessary to protect against disclosure by the service provider. Several major messaging platforms, like QQ, Mxit, and the desktop version of Yahoo Messenger, have no encryption at all.

    "We're focused on improving the tools that everyday users need to communicate with friends, family members, and colleagues," said EFF Staff Attorney Nate Cardozo. "We hope the Secure Messaging Scorecard will start a race-to-the-top, spurring innovation in stronger and more usable cryptography."

    The Secure Messaging Scorecard is part of EFF's new Campaign for Secure and Usable Cryptography, and was produced in collaboration with Julia Angwin at ProPublica and Joseph Bonneau at the Princeton Center for Information Technology Policy.
    11-05-14 05:41 AM
  2. sentimentGX4's Avatar
    It's good that a watchdog organization has taken the initiative to evaluate the features of so many IM clients and publish it into a chart.

    Hopefully this encourages Blackberry to implement the missing security features and for security conscious IM users to scrutinize their apps more carefully instead of placing trust in brands.
    Last edited by sentimentGX4; 11-05-14 at 06:03 AM.
    11-05-14 05:51 AM
  3. nico2004's Avatar
    good article and interesting
    11-05-14 07:13 AM
  4. Tinomane's Avatar
    I have a feeling " blackberry fact check " is going to respond to this.

    Posted via CB10
    NYTOC83, rarsen, tanzarian and 4 others like this.
    11-05-14 07:22 AM
  5. THBW's Avatar
    Yes, I read this yesterday but there are a few things that really pop out at me as wrong. First, I really don't think the authors know what the word end-to-end means. It's more than a single layer of encryption and it entails hardware and IM design. For example, there is simply no way on God's green earth that WhatsApp's approach of using your phone number is secure. Someone has the blinders on.

    Posted via CB10
    11-05-14 07:33 AM
  6. SirJes's Avatar
    Read yesterday, and I call bull.

    Posted via CB10
    11-05-14 07:34 AM
  7. anon(1464249)'s Avatar
    Maybe it's biased or they used questionable benchmarks, but you can't deny that BBM, once the pinnacle of secure messaging, is now starting to lag behind in terms of security, stability and ease of use.
    I took one tested app from the list called "Threema" to see what the fuss is all about and found this little tidbit on their site:
    The leading German consumer safety organization Stiftung Warentest has scrutinized the five most popular instant messengers in Germany with regard to data protection and security. The result: Only Threema was deemed "non-critical". The other apps were considered "very critical" or "critical" by the independent foundation. (Zeit online, February 27, 2014)
    Threema is the clear winner of the comprehensive messenger comparison by internet security experts PSW GROUP. Other popular messenger services ranked far behind. (it-daily.net, July 26, 2014)
    It goes to show that even new apps are developed at an astonishing rate and are being made more secure than BBM. I use BBM because I'm a BlackBerry user and I like using it thanks to the audio and video features but using BBM for security is all but long gone...
    They need to start developing it at a faster rate (like their competitors) and implement true end-to-end encryption and PFS (Perfect Forward Secrecy). "New" features are being released at an excruciatingly slow pace (I'm guessing because of a lot of legacy code and a small privileged development team working on the BBM code) compared to any competitor out there...

    While the phone may be secure, there is no denying that BBM has fallen behind.
    anon8656116 likes this.
    11-05-14 08:40 AM
  8. BBPandy's Avatar
    I love how they found iMessage to be the most secure when they are the focus of a massive class action lawsuit because of their lack of security.

    Posted via CB10
    nick13b likes this.
    11-05-14 08:46 AM
  9. anon(1464249)'s Avatar
    I love how they found iMessage to be the most secure when they are the focus of a massive class action lawsuit because of their lack of security.

    Posted via CB10
    While the article is rubbish, the scorecard itself is accurate.
    11-05-14 08:50 AM
  10. AnimalPak200's Avatar
    This was posted last night:

    http://forums.crackberry.com/showthread.php?t=973806

    Posted via CB10
    11-05-14 08:59 AM
  11. MobileMadness002's Avatar
    Wonder why BlackBerry does not encrypt the messages using the recipient's PIN as the cypher key? Certainly would add another level of security. The recipient would then unencrypt the message using the PIN and as we know that the PINs are unique and burned into the hardware it would make it very difficult to intercept.

    Of course it would be horrible to implement in a group chat, but then the group ID could be used as the cypher key I guess.....
    11-05-14 09:08 AM
  12. Bluenoser63's Avatar
    Read yesterday.

    There are a few problems with that scorecard.

    Methodology

    Here are the criteria we looked at in assessing the security of various communication tools.

    1. Is your communication encrypted in transit?
    This criterion requires that all user communications are encrypted along all the links in the communication path. Note that we are not requiring encryption of data that is transmitted on a company network, though that is ideal. We do not require that metadata (such as user names or addresses) is encrypted.
    Most of them have that.

    2. Is your communication encrypted with a key the provider doesn't have access to?
    This criterion requires that all user communications are end-to-end encrypted. This means the keys necessary to decrypt messages must be generated and stored at the endpoints (i.e. by users, not by servers). The keys should never leave endpoints except with explicit user action, such as to backup a key or synchronize keys between two devices. It is fine if users' public keys are exchanged using a centralized server.
    This is up for debate right now. Two sides of the coin. I don't want the government reading my messages EVER. Why didn't the government do something to stop the terrorist attack or stop child porn.

    3. Can you independently verify your correspondent's identity?
    This criterion requires that a built-in method exists for users to verify the identity of correspondents they are speaking with and the integrity of the channel, even if the service provider or other third parties are compromised. Two acceptable solutions are:

    An interface for users to view the fingerprint (hash) of their correspondent's public keys as well as their own, which users can verify manually or out-of-band.

    A key exchange protocol with a short-authentication-string comparison, such as the Socialist Millionaire's protocol.

    Other solutions are possible, but any solution must verify a binding between users and the cryptographic channel which has been set up. For the scorecard, we are simply requiring that a mechanism is implemented and not evaluating the usability and security of that mechanism.
    Valid. But with BBM I get to choose who to add and most times I use the barcode to add users. I can verify face to face. If it comes in a request, they better have a good way to prove themselves or I will call them to make sure it is the person I expect.

    4. Are past communications secure if your keys are stolen?

    This criterion requires that the app provide forward-secrecy, that is, all communications must be encrypted with ephemeral keys which are routinely deleted (along with the random values used to derive them). It is imperative that these keys cannot be reconstructed after the fact by anybody even given access to both parties' long-term private keys, ensuring that if users choose to delete their local copies of correspondence, they are permanently deleted. Note that this criterion requires criterion 2, end-to-end encryption.
    There is another thread about this and documents that it would be almost impossible with BBM to hack the conversations.

    5. Is the code open to independent review?

    This criterion requires that sufficient source-code has been published that a compatible implementation can be independently compiled. Although it is preferable, we do not require the code to be released under any specific free/open source license. We only require that all code which could affect the communication and encryption performed by the client is available for review in order to detect bugs, back doors, and structural problems.

    Note: when tools are provided by an operating system vendor, we only require code for the tool and not the entire OS. This is a compromise, but the task of securing OSes and updates to OSes is beyond the scope of this project.
    Open Source does not mean that the code will be secure. OpenSSL is a good example. The code was there for everyone to see, but a bug was found and was kept secret so it could be used for spying. Open source only works if every bug is found by good people and they are public about the bug.

    6. Is the crypto design well-documented?

    This criterion requires clear and detailed explanations of the cryptography used by the application. Preferably this should take the form of a white-paper written for review by an audience of professional cryptographers. This must provide answers to the following questions:

    Which algorithms and parameters (such as key sizes or elliptic curve groups) are used in every step of the encryption and authentication process

    How keys are generated, stored, and exchanged between users

    The life-cycle of keys and the process for users to change or revoke their key

    A clear statement of the properties and protections the software aims to provide (implicitly, this tends to also provide a threat model, though it's good to have an explicit threat model too). This should also include a clear statement of scenarios in which the protocol is not secure.
    I don't know why they didn't go to the Blackberry website. Blackberry has all the documentation there of how it works.

    7. Has there been an independent security audit?

    This criterion requires an independent security review has been performed within the 12 months prior to evaluation. This review must cover both the design and the implementation of the app and must be performed by a named auditing party that is independent of the tool's main development team. Audits by an independent security team within a large organization are sufficient. Recognizing that unpublished audits can be valuable, we do not require that the results of the audit have been made public, only that a named party is willing to verify that the audit took place.
    I am up in the air about this. Seems like too vague. They say that iMessage has been audited in the last 12 months. What version was audited and is it the latest version? If the latest version of iMessage was just released in the last month, you can be sure it wasn't audited yet so the check mark is suspect.
    nick13b likes this.
    11-05-14 09:14 AM
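
Criterion 3 quoted in the post above allows a fingerprint (hash) of the correspondent's public key that users compare out-of-band. The sketch below is an added example, not part of the thread or EFF's material; the key bytes, the `directory_lookup` helper and the SHA-256 grouping format are assumptions made for illustration.

```python
import hashlib
import hmac

def fingerprint(public_key: bytes) -> str:
    """SHA-256 of the raw public key, shown as 16 groups of 4 hex digits."""
    digest = hashlib.sha256(public_key).hexdigest().upper()
    return " ".join(digest[i:i + 4] for i in range(0, len(digest), 4))

def normalise(fp: str) -> str:
    """Drop spacing, colons and case so a typed or read-aloud value compares cleanly."""
    return "".join(ch for ch in fp.upper() if ch in "0123456789ABCDEF")

def matches(served_key: bytes, fp_out_of_band: str) -> bool:
    """True only if the key the server handed us hashes to the fingerprint
    the contact gave us over a separate channel (in person, by phone)."""
    expected = normalise(fp_out_of_band)
    if len(expected) != 64:  # refuse truncated fingerprints: partial matches are weaker
        return False
    actual = normalise(fingerprint(served_key))
    return hmac.compare_digest(actual, expected)

# Constructed sample keys (not real key material).
ALICE_KEY = bytes(range(32))
SUBSTITUTED_KEY = bytes(range(1, 33))

def directory_lookup(user: str, compromised: bool = False) -> bytes:
    """Hypothetical key server. A compromised one returns a key it controls."""
    return SUBSTITUTED_KEY if compromised else ALICE_KEY

if __name__ == "__main__":
    # Alice reads her own fingerprint from her device and tells Bob face to face.
    spoken = fingerprint(ALICE_KEY)
    print("Alice's fingerprint:", spoken)
    print("honest server     :", matches(directory_lookup("alice"), spoken))
    print("compromised server:", matches(directory_lookup("alice", True), spoken))
```

The check binds the user to the key rather than to the server's word for it, which is why the criterion asks for it even when public keys are distributed through a central server.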
  13. damienR's Avatar
    Read yesterday, and I call bull.

    Posted via CB10
    Agree

    Z30 Beast on Roids..C00463C72
    11-05-14 09:29 AM
  14. trsbbs's Avatar
    For a company that wants to make their money via software they sure seem unable to get the apps and software right.

    BBM no longer secure as it once was.
    FB still light years behind.
    BES12 still not out.
    BB10 still is missing many features of the Legacy OS.
    No improvement in BlackBerry Maps.
    BBM for DROID and Windows still behind its competitors.





    BlackBerry hates America!
    11-05-14 09:38 AM
  15. mikedolo's Avatar
    Wow. It's like people really wanna see blackberry fail period. Damn!
    gruv4u likes this.
    11-05-14 09:59 AM
  16. Bluenoser63's Avatar
    For a company that wants to make their money via software they sure seem unable to get the apps and software right.

    BBM no longer secure as it once was.
    FB still light years behind.
    BES12 still not out.
    BB10 still is missing many features of the Legacy OS.
    No improvement in BlackBerry Maps.
    BBM for DROID and Windows still behind its competitors.


    BlackBerry hates America!
    Your opinion. And it isn't that Blackberry hates America. America doesn't like Blackberry. The rest of the world doesn't.
    twirlyboy and damien kupuku like this.
    11-05-14 10:06 AM
  17. anon(3066922)'s Avatar
    I would love to see Blackberry fact check this #factcheck
    11-05-14 10:15 AM
  18. Ferrari430Spider's Avatar
    As I said before trust them to slate bbm lol

    I know for a fact it is more secure than any other



    Posted via CB10
    11-05-14 10:18 AM
  19. Tre Lawrence's Avatar
    I would love to see Blackberry fact check this #factcheck
    Agreed.
    11-05-14 06:27 PM
  20. insandouts's Avatar
    Agree

    Z30 Beast on Roids..C00463C72
    Of course, it must be bull if it reveals BB flaws...tell me if it were so secure why Blackberry released BBM Protected?
    11-05-14 07:18 PM
  21. Matty's Avatar
    That awkward moment when "facebook chat" is more secure than bbm :P Damn bbm has got a lot of work to do. Thought I was much more secure. "Bubble popped"

    Posted via BlackBerry Q5 on 10.2.1.3247
    sentimentGX4 likes this.
    11-06-14 06:42 AM
  22. mjs416's Avatar
    Imessage is more secure than BBM? Bull****.


    Posted via CB10
    11-06-14 11:47 AM
  23. Bluenoser63's Avatar
    That awkward moment when "facebook chat" is more secure than bbm :P Damn bbm has got a lot of work to do. Thought I was much more secure. "Bubble popped"

    Posted via BlackBerry Q5 on 10.2.1.3247
    It is so nice to see that people will believe anything without doing any fact checking. Any details on why you believe this report?
    CerveloJohn likes this.
    11-06-14 11:56 AM
  24. Gearheadaddy's Avatar
    OP...I sincerely hope you don't believe EVERYTHING you read.
    11-06-14 03:07 PM
  25. tchocky77's Avatar
    Imessage is more secure than BBM? Bull****.


    Posted via CB10
    Yeah. It is.

    Has been since BB10. And it's not news to anyone paying attention.

    I used to be surprised at the surprise information like this garners on Crackberry. No more.

    Posted via the CrackBerry App for Android
    sentimentGX4 likes this.
    11-06-14 03:10 PM