Security Chart of Messaging Apps

Coming from IntelTechniques, and posted on Brushbeater, this is a comparison chart of the various ‘secure’ messaging apps out there, including mobile apps and email services. The top of the list is (not shockingly): Signal and Wire for messaging and Tutanota and Protonmail for email.

As I discussed in Radio Contra Episode 31, setting up a wifi-only device for communications is absolutely critical at this point in time.

IntelTechniques Secure E2EE Comms Comparison Beta v. 0.1 October 2020

| Messaging | Confide | Dust | Jitsi | iMessage | Matrix/Element | Session | Signal | Sudo | Telegram | Threema | WhatsApp | Wickr | Wire |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| E2EE Messaging (In-Network) | YES | YES | YES | YES | OPTIONAL | YES | YES | YES | YES | YES | PARTIAL* | YES | YES |
| Country of Ownership | USA | USA | USA | USA | UK | Australia | USA | USA | UAE | Switzerland | USA | USA | USA |
| 14-Eyes Association | YES | YES | YES | YES | YES | YES | YES | YES | NO | NO | YES | YES | YES |
| Open Source | NO | NO | YES | NO | YES | YES | YES | NO | YES | PARTIAL | NO | PARTIAL | YES |
| 3rd-Party Metadata | YES | YES | YES | YES | NO | NO | NO | NO | YES | NO | YES | YES | NO |
| 3rd-Party Analytics | YES | YES | YES | YES | NO | NO | NO | NO | YES | NO | YES | YES | NO |
| Funding | Various | Mark Cuban | 8×8 | Apple | Matrix/Element | Loki | Signal | Anonyome Labs | Various | Threema | Facebook | Various | Wire |
| Registration Requirements | None | Email | None | Phone/Email | None | None | Phone | None | Phone | Payment | Phone | None | Email |
| Device Contact Access | Optional | YES | NO | YES | NO | NO | YES | Optional | YES | NO | Optional | Optional | NO |
| Message Control Across Devices | YES | YES | YES | NO | YES | NO | NO | YES | YES | NO | YES | YES | YES |
| Ephemeral Messages | YES | YES | YES | NO | NO | YES | YES | YES | YES | YES | YES | YES | YES |
| User ID Format | Member ID | Email | Name | Phone/Email | Username | Username | Phone | Phone | Phone | Username | Phone | Username | Username |
| Free Version Available | YES | YES | YES | YES | YES | YES | YES | YES | YES | NO | YES | YES | YES |
| Desktop/Browser Availability | YES | NO | YES | YES | YES | YES | YES | YES | YES | YES | YES | YES | YES |
| Third-Party Audit | YES | NO | NO | NO | NO | In Progress | YES | Non-Public | NO | YES | NO | Non-Public | YES |

Notes: *WhatsApp cloud (Google) backups are not E2EE. Many other cloud backups (Google, iCloud, etc.) may not be E2EE.

| Email | CTemplar | Discreet | Mailbox | Posteo | Protonmail | Tutanota | Sudo |
|---|---|---|---|---|---|---|---|
| E2EE (In-Network) | YES | YES | YES | YES | YES | YES | YES |
| E2EE (Non-Network) | YES | NO | YES | YES | YES | YES | NO |
| Country of Ownership | Iceland | Czech Republic | Germany | Germany | Switzerland | Germany | USA |
| 14-Eyes Association | NO | NO | YES | YES | NO | YES | YES |
| Open Source | YES | NO | YES | YES | YES | YES | NO |
| 3rd-Party Metadata | NO | NO | YES | NO | NO | NO | NO |
| 3rd-Party Analytics | NO | NO | YES | NO | NO | NO | NO |
| Funding | Self Funded | Self Funded | Self Funded | Self Funded | Horizon | Self Funded | Anonyome Labs |
| Registration Requirements | None | None | Payment | Payment | None | None | None |
| Free Tier Daily Email Limit | 200 | 100 | 10 (Trial) | YES | 150 | YES | NO |
| Custom Domain | YES | YES | YES | NO | YES | YES | NO |
| Wildcards | YES | NO | YES | NO | YES | YES | NO |
| 2FA | YES | YES | YES | YES | YES | YES | YES |
| Desktop/Browser Availability | YES | YES | YES | YES | YES | YES | YES |
| Third-Party Audit | NO | NO | NO | YES | YES | NO | Non-Public |

| Voice | FaceTime | Jitsi | Matrix/Element | Signal | Sudo | Telegram | Threema | WhatsApp | Wickr | Wire |
|---|---|---|---|---|---|---|---|---|---|---|
| E2EE Calls (In-Network) | YES | YES | YES | YES | YES | YES | YES | YES | YES | YES |
| Country of Ownership | USA | USA | UK | USA | USA | UAE | Switzerland | USA | USA | USA |
| 14-Eyes Association | YES | YES | YES | YES | YES | NO | NO | YES | YES | YES |
| Open Source | NO | YES | YES | YES | NO | YES | PARTIAL | NO | PARTIAL | YES |
| 3rd-Party Metadata | YES | YES | NO | NO | NO | YES | NO | YES | YES | NO |
| 3rd-Party Analytics | YES | YES | NO | NO | NO | YES | NO | YES | YES | NO |
| Funding | Apple | 8×8 | Matrix.org | Signal | Anonyome Labs | Various | Threema GmbH | Facebook | Various | Wire |
| Registration Requirements | Phone/Email | None | None | Phone | None | Phone | Payment | Phone | None | Email |
| Device Contact Access | YES | NO | NO | YES | Optional | YES | NO | Optional | Optional | NO |
| Max # of Users on Call (Base Tier) | 32 | 75 | 1:1 | 1:1 | 1:1 | 1:1 | 1:1 | 8 | 1:1 | 4 |
| User ID Format | Phone/Email | Name | Username | Phone | Phone | Phone | Username | Phone | Username | Username |
| Desktop/Browser Availability | YES | YES | YES | YES | NO | YES | NO (Voice) | YES | YES | YES |
| Third-Party Audit | NO | NO | NO | YES | Non-Public | NO | YES | NO | Non-Public | YES |

| Video | FaceTime | Jitsi | Matrix/Element | Signal | Sudo | Telegram | Threema | WhatsApp | Wickr | Wire | Zoom |
|---|---|---|---|---|---|---|---|---|---|---|---|
| E2EE Video (In-Network) | YES | YES | YES | YES | YES | YES | YES | YES | YES | YES | PARTIAL |
| Country of Ownership | USA | USA | UK | USA | USA | UAE | Switzerland | USA | USA | USA | USA |
| 14-Eyes Association | YES | YES | YES | YES | YES | NO | NO | YES | YES | YES | YES |
| Open Source | NO | YES | YES | YES | NO | YES | PARTIAL | NO | PARTIAL | YES | NO |
| 3rd-Party Metadata | YES | YES | NO | NO | NO | YES | NO | YES | YES | NO | YES |
| 3rd-Party Analytics | YES | YES | NO | NO | NO | YES | NO | YES | YES | NO | YES |
| Funding | Apple | 8×8 | Matrix.org | Signal | Anonyome Labs | Various | Threema GmbH | Facebook | Various | Wire | Various |
| Registration Requirements | Phone/Email | None | None | Phone | None | Phone | Payment | Phone | None | Email | Email |
| Device Contact Access | YES | NO | NO | YES | Optional | YES | NO | Optional | Optional | NO | Optional |
| Max # of Users on Call (Base Tier) | 32 | 75 | 1:1 | 1:1 | 1:1 | 1:1 | 1:1 | 8 | 1:1 | 4 | 100 |
| User ID Format | Phone/Email | Name | Username | Phone | Phone | Phone | Username | Phone | Username | Username | Email |
| Desktop/Browser Availability | YES | YES | YES | YES | NO | YES | NO (Video) | YES | YES | YES | YES |
| Third-Party Audit | NO | NO | NO | YES | Non-Public | NO | YES | NO | Non-Public | YES | NO |
Contributors: Gustov, Up, X, MB
About the Author: NC Scout

NC Scout is the nom de guerre of a former Infantry Scout and Sergeant in one of the Army’s best Reconnaissance Units. He has combat tours in both Iraq and Afghanistan. He teaches a series of courses focusing on small unit skills rarely if ever taught anywhere else in the prepping and survival field, including his RTO Course which focuses on small unit communications. In his free time he is an avid hunter, bushcrafter, writer, long range shooter, prepper, amateur radio operator and Libertarian activist. He can be contacted at [email protected] or via his blog at brushbeater.wordpress.com .

9 Comments

  1. Johnny Paratrooper November 29, 2020 at 11:49

    This is terrifying. They know everything about us.
    And if you opt out, they can probably solve for the “x” variable anyway since they have so many psychological profiles.

    Is MENA connected as well? I assume they are.

    Good crash course on the terminology, and history, right here.
    https://restoreprivacy.com/5-eyes-9-eyes-14-eyes/

    I didn’t know any of this. This explains why… yadda yadda… Scout knows the rest of the story.

    • NC Scout November 29, 2020 at 16:12

      It's all about patterns of life. This is, without a doubt, the most misunderstood topic when it comes to personal security.

      • KOBK April 27, 2021 at 00:55

        And of course you can mess with them a bit with your online patterns. Start tossing in searching for Golden Girls reruns or knitting forum posts in with your rifle mods and comms research. Make them think you're a grandma who has an interest in guns or something like that.

        Anything to confuse them.

  2. Anonymous November 29, 2020 at 18:11

    5

  3. vyt1az November 29, 2020 at 18:11

    I know this was copied from another website but there are some mistakes in the original chart.

    BLUF: They got it wrong with Matrix.

    This stuff seems like a nit pick, but it's fairly important to understand.

    1. Matrix has been audited. https://www.nccgroup.com/us/our-research/matrix-olm-cryptographic-review/

    2. Matrix doesn't really have "ownership" in the traditional sense. It's an open source specification under the Apache license that anyone can implement.

    3. Lumping Matrix / Element together is a misunderstanding. Element is just one client that the Matrix folks built that supports the Matrix protocol. There are other clients listed here not built by the folks at Matrix: https://matrix.org/clients

    As long as two clients support the Matrix service, and they share the same home server, they can communicate with zero "touch" from the Matrix Org. itself.

    As a contrast to Matrix, look at Signal:

    Signal also publishes its source code like Matrix, but they own the centralized servers that run Signal and they publish the Apps themselves. The code audits have shown that their servers shouldn't have any way of knowing what's communicated over them, but they are actually fully owned and controlled by the folks at Signal. Signal looks solid, but there is more room for an intermediary to cause issues if a security flaw can be exploited and every user's info could be compromised.

    Think of it this way:
    AP runs wordpress.org's software. The linked chart would say WP "owns" the AP website, but we know that's not really true. It's 100% yours. You own the server and you chose the typical wordpress.org "client." Tomorrow you could use a WP fork, or fork it yourself, and keep the same WP API if you wanted. Matrix is somewhat analogous to that.

  4. jd November 29, 2020 at 23:07

    A couple of observations.

    Telegram is funded by a Russian (not necessarily a bad thing ), runs on cloud servers, and is a favorite of Antifa/BLM.

    It isn't entirely accurate to ding Jitsi for 3rd party analytics and metadata. Jitsi is open source and you can run your own server and bypass any 3rd party data sharing. Of course that doesn't apply to whatever NSA might do.

    Jitsi, combined with an xmpp server (such as ejabberd) can provide encrypted voice and video calls as well as encrypted messaging where the server operator can have complete control of who can use it and who, if anyone, can see the metadata.

    Matrix uses Jitsi for video and voice comms so giving them a pass on 3rd party metadata while dinging Jitsi is ested inaccurate.

    The matrix reference server is written in Python and will never scale as well as ejabberd which has been to handle 2 million users on a single node. Beyond that the SDK's are javascript based (which is inherently insecure for client applications that get the UI from a central server) or IOS based (fine if you trust Appl

    Anyone who wants to provide secure voice, video, and messaging communications can set up their own server running Jitsi and ejabberd. Doing so provides you with control over who uses it and minimizes 3rd party analytical capabilities. Running all network traffic through a VPN outside of the 14 eyes, and using client software that does not load from a remote server will stymie everyone with the possible exception of state supported actors.

    • vyt1az November 30, 2020 at 19:09

      Good points about Jitsi and xmpp.

      ———————–
      The matrix reference server is written in Python and will never scale as well as ejabberd which has been to handle 2 million users on a single node. Beyond that the SDK’s are javascript based (which is inherently insecure for client applications that get the UI from a central server) or IOS based (fine if you trust Appl
      ———————–

      Performance can improve but scaling to that size is against the decentralized model they’re promoting. It’s far too large and will draw too much attention by growing a single Matrix server to that size. Matrix needs lots of little servers out there.

      ———————–
      Beyond that the SDK’s are javascript based (which is inherently insecure for client applications that get the UI from a central server) or IOS based (fine if you trust App
      ———————–

      No, the SDKs are in a variety of languages: https://matrix.org/sdks/#matrix-org-js-sdk

      JS is actually much easier to audit compared to server-side JS or other server-side languages because all JS is loaded into your browser memory for you to debug or de-minify to inspect.

      The browser webserver relationship is by far the most likely spot for a security flaw, and that’s not because of JS.

      Please keep commenting. It’s nice to have some other techies here. Cheers.

  5. Skiced December 3, 2020 at 19:58

    It's curious that they don't list Keybase on there. It has end to end encryption, and group messaging like Slack or Discord. The 3D gun printing folks use it, even after its purchase by Zoom.

    https://keybase.io/

  6. Knowledge Is Power December 3, 2020 at 21:37

    At the risk of oversimplification, since there isn't a messaging app that is 'all green across the board', what is the best / most recommended messaging app to use?

    I recognize that we are all big boys and can make informed decisions for ourselves, but sometimes it’s nice to be guided in the right direction with top 3 recommendations from a pro.

    I discovered WickrMe, and use it mainly because it has no registration requirements and solid E2EE. Should I really care about 3rd party audit or 3rd party metadata? How much risk is there really given these other factors of messages being intercepted? For my use case, the ability to generate one time burner accounts, message, then disappear is very beneficial.

    I also use ProtonMail, which interestingly enough was the only service to get green marks across the board.

    Thanks in advance for any thoughts or feedback.

    KIP
