If a master encryption key is stored on their server and all client keys are derived from it then they can still see your messages. So having an open-source client still doesn't matter. It's the server-side that matters the most when discussing things like SRTP or ZRTP (which I'm sure MegaChat is using some form of).
If MegaChat is configured to reinvite sessions on a client-to-client basis and the servers took themselves out of the callflow once the session is established, then it wouldn't matter as much.
But if MegaChat does not allow peer-to-peer S/ZRTP then there is no way you should trust them.
Undoubtedly, MegaChat is always going to know who you are talking to and when, at least by IP if not personal identity.
Right now the only secure commercial messaging platform that is worth a shit is Wickr.
I think this video is just an oversimplification of how the system really works. Here's a whitepaper that describes it in more detail:
https://www.wickr.com/uploads/files/700869603163179165-wickr-whitepaper-final.pdf
Basically, when the app is run for the first time, it generates a bunch of keypairs and uses a known public key to encrypt those keys and send them to the server. Then, when somebody wants to send you a message, their app uses that same known key to download one of your public keys that they then use as shown in the video. There's some more stuff that they do to get forward secrecy, message integrity, etc., but the embedded RSA and AES keys are essentially how they get around the MITM problem.
Why don't you just pop the idea at an appropriate moment, and install it together if she's game? Installing it yourself without her knowledge could lead to awkward moments if the timing is not right, and a promising adventure could be ruined just there.
Oh, and Wickr is a safer alternative to Snapchat. Caring about her privacy is gentlemanly.
yes, following from their site at: https://www.wickr.com/personal
Your personal conversations and data are always ephemeral and protected with multilayered peer-to-peer security.
Wickr does not collect or has access to your data. We do not monetize our users’ trust.
You're always in control of who has access to your messages and how long. No one else can retrieve your data, including Wickr.
Pick up your conversations on any of your devices, anywhere you go, any time.
https://www.wickr.com/legal-process-guidelines
> Preservation Requests
>
> Upon receipt of a valid preservation request from law enforcement under applicable law, we will temporarily preserve the relevant account records for 90 days pending service of legal process. We will only disclose preserved records upon receipt of valid legal process.
>
> Preservation requests should be on law enforcement letterhead, signed by the requesting official, and include a valid official email address. Preservation requests may be submitted via the methods described above.

In response to a subpoena, court order, or other valid legal process, provided the authority has enough information (Wickr ID, description of message contents (that are currently stored on the device, I presume)), they can essentially request that future information is stored for 90 days, to which they have access to the raw message data (at least that's what I got from reading their guidelines).
Furthermore, Wickr's "policy" is to notify users when their data is being requested, "unless prohibited by law or if danger of death or serious injury", in which case you won't know anything about it.
Well, no more Wickr for me from now on I suppose. (Not that I have anything to hide, but I'd rather have something that is actually secure.)
>Does Wickr encrypt each message differently or is it all under the same encryption key thing?
Based on this blog post, each message is encrypted with a new key. The protocol that Wickr uses for end-to-end encryption provides a property called forward secrecy.
>if someone tried to break your encryption thing would they be able to see all your messages or just one or something?
Just one, and then they would need to do the same amount of work to break the encryption of the next message.
>does it protect against Keyloggers (like in HP computers or Windows in general)?
No, it does not. No messaging app can protect against a keylogger or other malware.
For future reference: PM me here directly to get the wickr username.
You can download the wickr app here by choosing the appropriate version for your device: https://www.wickr.com/personal/#me-download
And also, happy cake day! :-)
Wickr looks interesting.
Reminded me a lot of Silent Text. But I don't like the idea of having to pay for a subscription.
> The example I was looking at recently is https://www.wickr.com/downloads/. The company seems trustworthy.
> Trusted by world leaders, executives, journalists, human rights activists and your friends
> Wickr’s code, policies and promises have been verified by the most respected organizations in the world.
Do you call this trustworthy? I call this bullshit.
> Wickr is a free encrypted messaging app that allows users to send and receive secure messages, documents, pictures, videos and audio files.
I don't see a link to the source code on the Downloads page that you mention.
Oooooo, I'd not heard of Wickr. I'm going to run it by my encryption-obsessed friend and see what they think, because we've been looking for an encrypted group-chat thing for some time - and this one is cross-platform too, which is awesome. Thank you!
Edit: My encryption-enthused friend says that because Wickr's not open source and has no way to compare fingerprints or key pairs or something, we have no reassurance that our data is actually safe. They sent me this article, which I found interesting.
Fair enough.
Well here is an interesting, somewhat ironic article on Wickr.
Also, I found this white paper breaks it down nicely.
Thanks for pointing those out! I'll edit them out of my list.
>Wire doesn't store volume of messages, images or calls. Where did you get that from?
Privacy whitepaper, section 4.1.2.
I think it would be a good idea if you could maintain a list like this, so people wouldn't have to figure it out based on multiple different sources. As an example, Wickr Inc. maintains a list of what they store here.
>its security design isn't well documented.
You are basing that on the EFF's outdated scorecard, which was published in 2014. At the time, the EFF stated that the criterion required "clear and detailed explanations of the cryptography used by the application", preferably in the form of a whitepaper. Wickr published a whitepaper about their messaging protocol in 2015.
My wife and I use Wickr. You can set message auto-deletion rules and it's peer-to-peer encrypted. Great for communication and sharing. The only caveat is that it's not an option for saving a long-term archive of shared pics/videos if you need that.
I'd like to take this opportunity to spread the word about Wickr (https://www.wickr.com), probably the SAFEST option for discussing anything you want to keep secure. If you'd like to read up about their security measures on their website, it'll tell you that they use the industry standard of AES-256 encryption, which is virtually impossible to break unless someone intercepts the message and gets a hold of the encryption key. To solve this problem, each time a message is sent, the randomly-generated key used to encrypt the message is then encrypted itself, using a separate key that's unique to the recipient's device, so that even if anybody intercepts the message and gets the encryption key used to encrypt the message, they would have to have access to the intended recipient's unique hardware ID key in order to decrypt the message. Wickr has been tried and tested by many of the biggest security firms, all of which have verified that they have not found any way of gaining access to any messages they shouldn't be able to read, and in case the app itself has a fatal design flaw that could result in it not being completely secure, they offer a bounty of up to $100,000 USD for anyone who reports a potential flaw in their technology. They also report quarterly transparency reports about how many times they've been requested by the government to provide information about their users, however, since Wickr is P2P encryption, anything recovered by government officials is essentially just information about the account, the worst thing they could get their hands on would be any unread messages that are still stored in the Wickr servers, which can't be decrypted anyway. It's grown massively in my country of residence as a way for drug dealers and customers to communicate discreetly without any decipherable evidence left behind, and I would recommend it to anybody who wants to send/receive messages with almost 100% guaranteed security.
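The per-message key wrapped under a recipient device key, as described in the comment above and in the earlier answer about each message having its own key, can be sketched as follows. This is an added example, not part of the thread and not Wickr's protocol or code: RSA-OAEP stands in for the device key, and every function name is hypothetical.

```javascript
const crypto = require('node:crypto');

const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// AES-256-GCM under a given 32-byte key; returns iv, ciphertext and auth tag.
function encryptWithKey(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ciphertext = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  return { iv, ciphertext, tag: c.getAuthTag() };
}

// Returns the plaintext, or null when the key is wrong or the data was altered.
function decryptWithKey(key, box) {
  try {
    const d = crypto.createDecipheriv('aes-256-gcm', key, box.iv);
    d.setAuthTag(box.tag);
    return Buffer.concat([d.update(box.ciphertext), d.final()]).toString('utf8');
  } catch { return null; }
}

// Sender: fresh random key per message, wrapped to the recipient's public key.
// The message key is returned only so the demo can simulate it leaking.
function sealMessage(recipientPublicKey, plaintext) {
  const messageKey = crypto.randomBytes(32);
  const wrappedKey = crypto.publicEncrypt({ key: recipientPublicKey, ...OAEP }, messageKey);
  return { envelope: { wrappedKey, ...encryptWithKey(messageKey, plaintext) }, messageKey };
}

// Recipient: unwrap the message key with the device private key, then decrypt.
function openEnvelope(devicePrivateKey, envelope) {
  const messageKey = crypto.privateDecrypt({ key: devicePrivateKey, ...OAEP }, envelope.wrappedKey);
  return decryptWithKey(messageKey, envelope);
}

// Constructed demo: two messages to one device, then the first message key leaks.
function demo() {
  const device = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const m1 = sealMessage(device.publicKey, 'first message');
  const m2 = sealMessage(device.publicKey, 'second message');
  return {
    leakedKeyOnOwnMessage: decryptWithKey(m1.messageKey, m1.envelope),
    leakedKeyOnOtherMessage: decryptWithKey(m1.messageKey, m2.envelope),
    devicePrivateKeyOnBoth: [openEnvelope(device.privateKey, m1.envelope),
                             openEnvelope(device.privateKey, m2.envelope)],
  };
}
```

A leaked message key exposes only its own message, while the device private key opens every envelope wrapped to it, so that key is the asset to protect. Wrapping under a long-lived key does not by itself provide forward secrecy.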
Regarding the messaging issue, get your friends on Wickr; it's like an encrypted version of Snapchat where you can set the time to deletion after your message is read.
It can also be used to "shred" anything that you delete on the phone (messages/emails/images etc)
Similar to Wickr, but open source is Surespot.
Supports multiple identities, and is not tied to a phone number.
Also, Wickr had a security audit:
https://www.wickr.com/wp-content/uploads/2014/08/Aspect-PublicStatement-July2014.pdf
https://www.wickr.com/ Has been commented below but really worth mentioning. Although its marketing is a bit gimmicky ("Military grade" encryption), it uses really good PGP encryption on multiple levels, including hardware hashing.