Encryption and chat software

In theory, nowadays it is very easy to have a private talk using internet, because there is publicly available and automated, but at the same time reliable methods of encryption. But in practice, it is not that easy, or at least it is not usually used by general public, because people are given incorrect information, because they “trust developers”, or because they just do not care.

This article should help you with at least one of the issues.

Video Link to heading

Theory Link to heading

Simple Encryption Link to heading

Encryption is a way to secure information by sending it as some sort of secret code. More simple methods of encryption can be deciphered if you know either method used or some sort of vocabulary that helps to correspond encrypted information.

Issues: Methods and Vocabularies are easily guessed by computers and professionals, hard to exchange safely

Encryption “Keys” Link to heading

Modern methods of encryption can be changed using so called keys, usually strings of alphanumerical symbols, keys can be exchanged easier and don’t require creating new methods.

Issues: Still needs to be safely exchanged

Public and Secret Keys Link to heading

Public Key can be availible or sent during exchange. It can only be used to encrypt messages. Private key stored locally and can be used to decrypt messages encrypted by corresponding public key Only public keys need to be exchanged. It allows exchanging keys by originally unencrypted data channels.

Issues: Prone to “man in the middle” attack (getting public key and trying to get in contact unstead of original receiver), so security certificates to verify connections are used and usually incorporated into encryption methods (which by itself opens new potential attack directions, so this is never ending race between security professionals and hackers)

End to End encryption Link to heading

If you exchange messages over the internet, you send them to the server and server then sends it to the receiver of message. This is done with separate encryption and server has access to your messages. If you exchange keys with person you communicate with unstead of server the issue is fixed, because server doesn’t receive messages unencrypted - This is called end-to-end encryption

Issues: You need to use open source and audited (checked for vulnerabilities and malicious hidden function) encryption applications to be sure you can trust them

List of software by encryption Link to heading

Not private (!) Link to heading

  • WhatsApp - metadata(he-he) harvesting, closed source, not trusted end-to-end encryption, backups are made on google drive, phone number is required to register

  • Viber - closed source, absence of third-party security audit, no end to end encryption, phone number is required to register

  • Discord - closed source, no end to end encryption, cannot view public spaces without joining

  • Other proprietary chats - closed source, no end to end encryption, phone number is required to register

  • Popular Social Network direct messages - no end-to-end encryption, closed source, data harvesting, sometimes phone number is required to register, they don’t even try to hide the fact that they can read your messages

Private but not really Link to heading

  • Telegram - No end to end encryption by default, it’s not available for group chats and somewhat hidden (client can be open source and they say that there is no data harvesting)

  • Fediverse direct messages - no end to end encryption, data is sent to both your instance owner and receiver instance owner (you can self-host, no data harvesting)

  • IRC and Mumble - Require you to self host (or at least have public IP that can connect you to other person, self-hosted vpn can do the trick) to privately talk, otherwise server owner sees everything

  • E-Mail-based chats or just E-Mail - end-to-end encryption is not tricky to set up and suspicious to server owners, popular providers are “walled gardens” that can only receive messages from other popular providers

Private Link to heading

  • Signal - Password-based End-to-end encryption is present, it’s open source, but centralised and require you to use google services and sign in using your phone number

  • Session - Decentralized version of Signal, uses tor-like nodes as servers (but client is not the node unlike tor), does not require sign up

  • XMPP (with ONEMO encryption) - End to end encryption is present, decentralized and federated, but it only stores secret keys locally and it’s prone to losing encrypted messages

  • Matrix - End to end encryption is present, decentralized and federated, somewhat allows to restore secret keys and old messages

Bonus Link to heading

  • Minecraft - pre-chat report versions are the same as IRC and Mumble, but they are more resource intensive to host

  • Any other game with self-hosted servers - It could contain malicious spying code, but if server software is open source and audited, it will be the same as IRC and Mumble

Why should I care? Link to heading

  • Hackers can get your and everyone’s else messages if they get access to the server, which they more likely to attempt than hacking your device
  • In a lot of countries governments can gain access to this messages on servers if they use their legal power to do so.
  • As you are messaging someone, not only your, but your communication partner’s private messages are not private and less secure now, usually without their acknowledgement.
  • There is some people that really need that privacy you do not care about, and they are not criminals, but since they stand out by using encryption, they can be suspected as such in society or just stand out enough to be traced in network itself when they wanted to be anonymous. If more people will use end to end encrypted and private messengers in normal daily life, it will be less of an issue.