One concern many online users and businesses share is the security of their personal conversations and correspondence. Nobody wants their correspondence stolen or snooped on by strangers, for both personal and security reasons. Furthermore, many online products make broad claims about their security and safety, but how can we be sure that they work as advertised? Just because a company claims that its product is secure does not mean it is true. One of the limited options that consumers have is to rely on independent third-party reviews.
One such independent security reviewer is the Electronic Frontier Foundation. They recently published a very eye-opening and thought-provoking review of online messenger products. The criteria they based their evaluation on include the following: Is your communication encrypted in transit? Is your communication encrypted with a key the provider doesn’t have access to? Can you independently verify your correspondent’s identity? Are past communications secure if your keys are stolen? Is the code open to independent review? Has there been an independent security audit?
It is important that security include end-to-end encryption, which means that the service company doesn’t have access to the users’ keys. Only the users hold the keys, which never leave their possession. This means that the service company can’t give up information without the consent of the users. It is also important that past communications remain secure if keys are stolen: if a key is compromised but the messages have been deleted from a user’s local machine, past messages stay encrypted and can’t be decoded, because the encryption uses ephemeral keys which are routinely deleted. Finally, it is necessary to make sure that the identity of the corresponding participant can be verified while communications are in transit, because divulging information to a false identity is a significant security risk. An impostor can glean and steal sensitive data, so this must be prevented with a robust verification protocol.
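The "past communications stay secure if keys are stolen" property described above, as an added example that is not part of the original article or of any reviewed product: a toy symmetric key ratchet in Python (standard library only), substituted here for the ephemeral key exchange that real messengers use. The names `kdf`, `keystream`, `Ratchet` and `demo` and the HMAC-based cipher are assumptions made for illustration.

```python
# Illustrative only: names and the HMAC-based cipher are assumptions, not a messenger's code.
import hashlib, hmac, os

def kdf(key: bytes, label: bytes) -> bytes:
    """One-way derivation step (HMAC-SHA256); it cannot be run backwards."""
    return hmac.new(key, label, hashlib.sha256).digest()

def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (kdf(key, nonce + i.to_bytes(4, "big")) for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

class Ratchet:
    """Toy symmetric ratchet: a fresh key per message, old chain key discarded."""
    def __init__(self, chain_key: bytes):
        self.chain_key = chain_key

    def _step(self):
        mk = kdf(self.chain_key, b"message")
        # Replace the chain key; a real client must also wipe the old value from memory.
        self.chain_key = kdf(self.chain_key, b"chain")
        return kdf(mk, b"enc"), kdf(mk, b"mac")

    def encrypt(self, plaintext: bytes) -> bytes:
        enc, mac = self._step()
        nonce = os.urandom(16)
        body = bytes(p ^ k for p, k in zip(plaintext, keystream(enc, nonce, len(plaintext))))
        return nonce + body + hmac.new(mac, nonce + body, hashlib.sha256).digest()

    def decrypt(self, blob: bytes) -> bytes:
        enc, mac = self._step()
        nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
        if not hmac.compare_digest(tag, hmac.new(mac, nonce + body, hashlib.sha256).digest()):
            raise ValueError("authentication failed: wrong key for this message")
        return bytes(c ^ k for c, k in zip(body, keystream(enc, nonce, len(body))))

def demo():
    secret = os.urandom(32)  # constructed: stands in for a secret only the two users hold
    alice, bob = Ratchet(secret), Ratchet(secret)
    recorded = [alice.encrypt(b"message one"), alice.encrypt(b"message two")]
    read = [bob.decrypt(c) for c in recorded]
    stolen = bob.chain_key  # Bob's device is compromised after two messages
    try:
        Ratchet(stolen).decrypt(recorded[0])
        past_safe = False
    except ValueError:
        past_safe = True  # the stolen key cannot open traffic recorded earlier
    future = Ratchet(stolen).decrypt(alice.encrypt(b"message three"))
    return read, past_safe, future  # forward secrecy protects the past only

if __name__ == "__main__":
    print(demo())
```

The last step shows the limit of the property: the stolen key still opens messages sent after the compromise, so deleting old keys protects past traffic but does not replace re-keying once a device is known to be compromised.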
Some of the top security performers in this analysis include products such as ChatSecure, CryptoCat, Pidgin, Signal/RedPhone, Silent Phone, Silent Text, Telegram, and TextSecure. The best mass-market options were Apple’s iMessage and FaceTime products, although neither provides complete protection against sophisticated and targeted forms of cyber intrusion. Some of the messenger options analyzed were found to be vulnerable to surveillance by the service provider, such as email products from Google, Facebook and Apple; Yahoo’s web and mobile chat; Secret; and WhatsApp. Even worse, some major messaging platforms have no encryption at all, such as Yahoo’s desktop messenger, QQ, and Mxit.
This security analysis affirms the notion that individuals and businesses must be very diligent in protecting personal information, and this includes rigorous research into the security of the products one uses to protect important data. In this day and age, cyber security is something that most people take for granted, but as the system evolves to become more sophisticated and the world becomes more reliant on cyber technology, it will become paramount for all users to protect themselves. You cannot assume that any entity or product is safe based on general reputation or unconfirmed claims. Accepting these claims as truth without due diligence exposes you to risk, which is the path to loss and damage.