Secure Messaging: Years later, there are still only two
I was asked again this morning about using a specific app to send secure messages in a corporate environment. My answer was simple, and it hasn't changed in years: by my criteria, there are only two apps to trust.
The first criterion is that the code, both the application and the server, is open source. This means the code can be audited by information security professionals to check that it does not contain a backdoor. Sticking with closed source (which is easier for the vendor) does not make the bugs go away; it only hides the code until software reverse engineers find them anyway.
The second criterion for a secure messaging solution I will recommend is that it has in fact been audited by an independent, third-party information security firm. There are other open source solutions out there, but we need to know they have been evaluated by experts, and that the audit has been made public.
Third: does it secure (end-to-end encrypt) all messages and attachments by default?
While there are many other criteria one can use to evaluate secure messaging solutions, only two apps still satisfy the ones I have highlighted. I still have two more criteria before I make a recommendation:
Are they cross-platform, working on the desktop, Android, and iOS, or whatever the most common operating systems of the day are?
Finally, do they have true disappearing messages: for anyone you converse with, are messages deleted after a time frame you choose (say 5 seconds, 6 hours, or a week)?
What is important to note at this stage is that for anything else you are tempted to ask about, including normal text messages on your phone, Skype, or any of the others, you must assume that several companies and/or governments are likely logging a lot of data about you.
The two apps are Signal.org and Wire.com. No other secure messaging app meets the above criteria, or should be trusted for sensitive topics like your health information, your business's intellectual property, or anything else you don't want published about you in 10 years.
UPDATE: One thing I forgot to list here. If you are wondering whether a future communication app should be trusted, then on top of the above criteria you should ensure it has PFS, or perfect forward secrecy, which protects past sessions against future compromises of secret keys. In practice this means each conversation (or each message) is keyed from fresh, short-lived key material that is thrown away afterwards, so an attacker who recorded your traffic and later steals a device or a long-term key still cannot read what was already sent.
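What forward secrecy actually buys you, shown as an added example that is not part of this post and is not code from Signal or Wire: the snippet below, written for this page, uses stdlib-only finite-field Diffie-Hellman over the RFC 3526 2048-bit MODP group and a toy SHA-256 keystream in place of a real cipher (both are assumptions chosen to keep it self-contained and offline; the real apps use elliptic-curve DH and an authenticated cipher, and Signal layers the Double Ratchet on top). It runs the same conversation twice, once keyed only from long-term keys and once from ephemeral keys that are discarded after use, then plays an adversary who recorded the traffic and later stole both long-term private keys.

```python
import hashlib
import secrets

# RFC 3526 group 14: 2048-bit MODP safe prime, generator 2. Finite-field DH is used
# here only because it needs nothing outside the standard library; the forward-secrecy
# argument is identical for the elliptic-curve DH that Signal and Wire use.
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2
P_BYTES = (P.bit_length() + 7) // 8


def keypair():
    """Fresh DH pair. A 256-bit exponent is ample for this group's ~112-bit security level."""
    priv = secrets.randbelow((1 << 256) - 2) + 2
    return priv, pow(G, priv, P)


def shared_secret(priv, peer_pub):
    """g^(ab) mod p, rejecting degenerate public values that would force a predictable result."""
    if not 1 < peer_pub < P - 1:
        raise ValueError("degenerate DH public value")
    # A production implementation also checks subgroup membership (peer_pub^q == 1 mod p);
    # omitted here to keep the example short.
    return pow(peer_pub, priv, P)


def derive_key(*dh_outputs):
    """Hash one or more DH outputs into a 256-bit session key (stand-in for HKDF)."""
    h = hashlib.sha256()
    for s in dh_outputs:
        h.update(s.to_bytes(P_BYTES, "big"))
    return h.digest()


def xor_keystream(key, data):
    """Toy stream cipher: SHA-256 in counter mode. Demo only; real apps use AES-GCM or similar."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def session_without_pfs(alice_static, bob_static, plaintext):
    """Session keyed only from long-term keys: the same key for every conversation, forever."""
    (a_priv, a_pub), (b_priv, b_pub) = alice_static, bob_static
    key = derive_key(shared_secret(a_priv, b_pub))
    assert key == derive_key(shared_secret(b_priv, a_pub))  # Bob derives the same key
    # Everything a passive observer on the wire gets to record:
    return {"a_pub": a_pub, "b_pub": b_pub, "ciphertext": xor_keystream(key, plaintext)}


def session_with_pfs(alice_static, bob_static, plaintext):
    """Session keyed from a fresh ephemeral DH, mixed with the static DH so the parties are
    still authenticated. The ephemeral exponents exist only for the duration of this call."""
    (a_priv, a_pub), (b_priv, b_pub) = alice_static, bob_static
    ea_priv, ea_pub = keypair()
    eb_priv, eb_pub = keypair()
    key = derive_key(shared_secret(a_priv, b_pub), shared_secret(ea_priv, eb_pub))
    assert key == derive_key(shared_secret(b_priv, a_pub), shared_secret(eb_priv, ea_pub))
    ciphertext = xor_keystream(key, plaintext)
    del ea_priv, eb_priv, key  # discarded once the session ends: nothing left to steal later
    return {"a_pub": a_pub, "b_pub": b_pub, "ea_pub": ea_pub, "eb_pub": eb_pub,
            "ciphertext": ciphertext}


def attacker_decrypts(recording, stolen_a_priv, stolen_b_priv):
    """Adversary who recorded the traffic and LATER obtained both long-term private keys.
    It recomputes every DH output those keys allow and tries to decrypt the recording."""
    static_dh = shared_secret(stolen_b_priv, recording["a_pub"])
    assert static_dh == shared_secret(stolen_a_priv, recording["b_pub"])
    # With PFS the key also needs g^(ea*eb). The attacker holds ea_pub and eb_pub but neither
    # ephemeral exponent, and the stolen long-term keys say nothing about that term, so the
    # only key it can derive lacks the ephemeral contribution and decryption yields noise.
    return xor_keystream(derive_key(static_dh), recording["ciphertext"])


if __name__ == "__main__":
    alice, bob = keypair(), keypair()
    msg = b"lab results: negative"  # constructed sample message
    rec = session_without_pfs(alice, bob, msg)
    print("no PFS, keys stolen later:", attacker_decrypts(rec, alice[0], bob[0]))
    rec = session_with_pfs(alice, bob, msg)
    print("PFS,    keys stolen later:", attacker_decrypts(rec, alice[0], bob[0]))
```

The first run prints the plaintext back: a key derived only from long-term keys is as good as the keys themselves, and every recorded conversation falls at once when those are taken. The second run prints garbage, because the ephemeral exponents that fed the key no longer exist anywhere. Signal's Double Ratchet extends the same idea from "per session" to "per message" by running a fresh DH step as the conversation goes on.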