Nov 08 2014

EFF Presents Secure Messaging Scorecard

Inspired by the ongoing debate about online privacy and confidential communication, the Electronic Frontier Foundation (EFF) has launched a new program to test the trustworthiness of instant messengers and online chat programs. The so-called Secure Messaging Scorecard is part of a greater "Campaign for Secure & Usable Crypto."

Back in the 1990s, one of the things that turned being online into such a groundbreaking experience was that all of a sudden you could exchange text messages – or "chat" – with people from all over the globe, in real time and at no extra cost. All you had to do was fire up an IRC client or instant messenger, and soon you'd feel wired to the world. Chat was, in fact, one of the internet's first true "killer applications," so it wasn't surprising at all to see major software vendors and service providers jump on the bandwagon and serve up a host of (often incompatible) client programs. Soon afterwards, these vendors and providers began to incorporate chat clients into their products for corporate use – at first seemingly to no avail, because only a few companies felt comfortable using the new communication channel.

Fast forward roughly 20 years, and you land in a world where a large (and in many cases the greater) part of our social lives is spent online and where unified, cross-platform communication is as commonplace as phone calls were in the 1960s and 1970s. We read and write emails as well as IM and text messages right after we wake up, before we go to bed, and at any point in between, at home, in the office or on the go. And the more we rely on these communication tools, the more we expect our rights to confidentiality and privacy to be respected. At the same time, we also know that there'll always be someone willing to disregard that wish – and it doesn't really matter whether that someone is an online fraudster, a tabloid journalist or a state-backed hacker. Consequently, more and more users are starting to look for secure IMs and chat apps, but have trouble finding a piece of software that meets their requirements.

Benchmark for Privacy Protection
In this uncomfortable situation, help comes from the EFF, which has just revealed its new "Secure Messaging Scorecard" during the first days of November. Designed to provide some much-needed basic orientation, the service is supposed to work as a kind of benchmark that evaluates the degree to which popular "chat clients, text messaging apps, email applications, and technologies for voice and video calls" protect the confidentiality and privacy of online communications. For the first round, the EFF experts tested 39 popular tools – from AOL's AIM through Skype and WhatsApp to Yahoo Messenger – and came up with a frustrating result: in the end, only six pieces of software (15.4 percent) were rated as "secure," whereas more than four fifths fail the user in at least one of seven crucial regards. In other words, the bulk of IMs, chat apps etc. doesn't qualify for personal, much less professional or corporate use – and nearly one third deserve a huge warning sign painted across their respective download sites.

The six tools that came up with a clean slate are, in alphabetical order: ChatSecure (when combined with Orbot), CryptoCat, Signal/RedPhone, Silent Phone, Silent Text, and TextSecure. All of these reportedly encrypt messages in transit and end to end, so that the provider itself cannot read them; allow users to verify contact identities; and use Perfect Forward Secrecy (PFS), i.e. per-conversation keys, so that a stolen long-term key does not allow retroactive decryption of recorded traffic. In addition, their security designs are properly documented, and their code is open to independent review and has recently been audited. Another six either don't provide PFS or haven't undergone code audits lately: Adium, Jitsi (combined with Ostel), Mailvelope, Pidgin, RetroShare, and Subrosa. All others failed in both of these respects or more. Unfortunately, this even applies to programs that were previously touted as especially trustworthy, such as GPGTools and Gpg4win (the GNU Privacy Guard packages for Mac OS and Windows) or Threema. In the case of the GnuPG packages the missing forward secrecy is inherent to OpenPGP rather than a defect of the packaging: every message is encrypted to the recipient's long-term public key, so whoever later obtains that private key can read everything that was ever recorded. The less surprising part of the results shows that virtually no technology provided by major vendors or ISPs comes without major flaws – for example, Google Hangouts and BlackBerry Messenger only encrypt messages in transit, and two other apps fail to do even that. By contrast, tools like FaceTime and iMessage deliver on most counts, but lack a feature that lets users verify contact identities, and Apple does not open their code to independent review.
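To make the forward-secrecy criterion concrete, here is an added example (written for this article, not EFF code and not taken from any of the rated messengers) that contrasts the two designs in working Python using only the standard library. The "static" scheme derives the session key from the two parties' long-term Diffie-Hellman keys alone, which is the same failure mode as encrypting to a long-term OpenPGP key; the "ephemeral" scheme authenticates a fresh one-time key exchange with the long-term keys, derives the session key from the one-time keys only, and then discards them. Both run over the 2048-bit MODP group from RFC 3526; the HMAC-based key derivation and the SHA-256 counter keystream are deliberately simple stand-ins for a real KDF and AEAD, and the one-message-per-key restriction of that keystream is respected by deriving a fresh key per conversation.

```python
"""Forward secrecy, illustrated: stolen long-term keys expose recorded
conversations in a static-key design but not in an ephemeral-DH design.
Added example for this article; not EFF code, not any messenger's code."""
import hashlib
import hmac
import secrets

# RFC 3526 group 14 (2048-bit MODP group), generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"
    "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"
    "83655D23DCA3AD961C62F356208552BB9ED529077096966D"
    "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9"
    "DE2BCBF6955817183995497CEA956AE515D2261898FA0510"
    "15728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16,
)
G = 2


def keygen():
    """Fresh DH key pair: 256-bit private exponent x, public value g^x mod p."""
    x = 2 + secrets.randbelow(2 ** 256)
    return x, pow(G, x, P)


def kdf(shared: int, info: bytes) -> bytes:
    """HKDF-style extract-then-expand with HMAC-SHA256, 32-byte output.
    The salt is a fixed demo constant (an assumption of this example)."""
    ikm = shared.to_bytes(256, "big")
    prk = hmac.new(b"forward-secrecy-demo", ikm, hashlib.sha256).digest()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()


def xor_keystream(key: bytes, data: bytes) -> bytes:
    """Encrypt/decrypt with a SHA-256 counter keystream. Stand-in for a real
    AEAD (AES-GCM, ChaCha20-Poly1305): no authentication, and each key must
    be used for exactly one message, which the functions below guarantee."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + (i // 32).to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def static_key_conversation(plaintext: bytes) -> dict:
    """No forward secrecy: the session key is derived from the two long-term
    key pairs alone, so every conversation uses the same key material."""
    a_priv, a_pub = keygen()            # Alice's long-term identity key
    b_priv, b_pub = keygen()            # Bob's long-term identity key
    key = kdf(pow(b_pub, a_priv, P), b"static")
    ct = xor_keystream(key, plaintext)  # the eavesdropper records this
    # Months later Bob's long-term private key is stolen. Together with
    # Alice's public key it reproduces the very same session key.
    stolen_key = kdf(pow(a_pub, b_priv, P), b"static")
    return {"ciphertext": ct,
            "attacker_plaintext": xor_keystream(stolen_key, ct)}


def ephemeral_key_conversation(plaintext: bytes) -> dict:
    """Forward secrecy: one-time DH keys per conversation, authenticated with
    the long-term keys, then wiped. Long-term keys never enter the session key."""
    a_priv, a_pub = keygen()            # long-term identity keys
    b_priv, b_pub = keygen()
    ea_priv, ea_pub = keygen()          # one-time keys for this conversation
    eb_priv, eb_pub = keygen()
    # Authentication: bind both one-time public values to the identities
    # with a MAC keyed from the static DH secret. Bob verifies Alice's tag.
    transcript = ea_pub.to_bytes(256, "big") + eb_pub.to_bytes(256, "big")
    tag = hmac.new(kdf(pow(b_pub, a_priv, P), b"auth"), transcript,
                   hashlib.sha256).digest()
    expected = hmac.new(kdf(pow(a_pub, b_priv, P), b"auth"), transcript,
                        hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("identity check failed")
    # Secrecy: the session key comes from the one-time exchange only.
    key = kdf(pow(eb_pub, ea_priv, P), b"session")
    ct = xor_keystream(key, plaintext)
    bob_pt = xor_keystream(kdf(pow(ea_pub, eb_priv, P), b"session"), ct)
    del ea_priv, eb_priv                # both sides wipe their one-time keys
    # Months later BOTH long-term private keys are stolen. The attacker holds
    # a_priv, b_priv, ea_pub, eb_pub and ct, but no one-time private key, so
    # g^(ea*eb) cannot be formed; mixing a long-term key in yields junk.
    stolen_key = kdf(pow(ea_pub, b_priv, P), b"session")
    return {"ciphertext": ct, "bob_plaintext": bob_pt,
            "attacker_plaintext": xor_keystream(stolen_key, ct)}


if __name__ == "__main__":
    msg = b"meet at noon"
    print("static design, after key theft:   ",
          static_key_conversation(msg)["attacker_plaintext"])
    print("ephemeral design, after key theft:",
          ephemeral_key_conversation(msg)["attacker_plaintext"])
```

Run stand-alone, the first line prints the recovered message and the second prints random bytes. Production protocols (OTR, TextSecure's Axolotl ratchet) additionally rotate the one-time keys within a conversation and sign rather than MAC the exchange, but the property the scorecard tests for is exactly the one shown: compromise of the long-term keys must not unlock the recorded past.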

Bold Move with a Few Challenges
The Secure Messaging Scorecard is the first part of a broader "Campaign for Secure & Usable Crypto" the EFF has kicked off in reaction to press revelations about international and in many cases illegal mass surveillance. While this is certainly a bold and honorable project, it does present a few challenges of its own. One is that the scorecard designers do not mention security concerns that have been raised about some of the recommended products; another is that they list only a very few non-U.S. products. Still another issue is that so far the EFF experts have put special emphasis on software for personal use – one would hope that a future scorecard will include more ratings for enterprise-grade products such as Lync, Gmail, or WebEx.
