
Whatsapp & Facebook conflicts of interest?

Open joachimesque opened this issue 5 years ago • 8 comments

Following the discussion in this PR: #82:

WhatsApp is owned by Facebook. Despite the use of end-to-end encryption there's an obvious conflict of interest. I think it should be at least placed at the end of the list, or even replaced by an open source alternative, like Matrix/Riot.im (it's also self-hostable, which is a good thing).

joachimesque, Jan 20 '19 10:01

Yep, obviously suggesting WhatsApp as a "secure messenger app" is misguided…

It may be called "secure" as it uses Signal's e2e crypto, but even the WhatsApp founder left due to privacy concerns in WhatsApp. With the introduction of ads in WhatsApp, the connection of Facebook to WhatsApp and even their claims to merge the chat services or provide interoperability this can only get worse, so I totally agree WhatsApp should not be in that list.

rugk, Jan 30 '19 16:01

I think this project should have some rules or checklists which will be used in reviewing new apps being added to the lists. It needs a definition of secure. Secure for what? Secure enough for sharing bad black humor jokes? WhatsApp is more secure than ICQ, but less secure and much less privacy focused than Jabber or Matrix.

punksta, Jan 30 '19 19:01

Tally of alternatives to Whatsapp:

  • Signal (already on the website, open source)
  • Jabber (self-hostable, open source)
  • Matrix & riot.im, etc. (self-hostable, open source)
  • Wickr (commercial)
  • Threema (commercial)
  • Keybase (client is open source, server is not)

I'd suggest selecting the most user-friendly alternatives. I love Jabber & Matrix but they're not the most easy to use. How are Wickr and Threema on that point?

I'm also partial to open-source when it regards security. The fact that anyone can check the source and propose fixes makes me trust a solution more. But perhaps this is not the right discussion for this subject (although it relates to @punksta's point, as to which criteria fit the bill).

joachimesque, Jan 31 '19 09:01

I've previously used Wickr, and found it quite easy to use... with the only downside being that most people I know don't use it, or even know about it. I don't have any experience with Threema yet.

mb130R, Jan 31 '19 16:01

> I think this project should have some rules or checklists which will be used in reviewing new apps being added to the lists. It needs a definition of secure. Secure for what? Secure enough for sharing bad black humor jokes?

Agreed, we don't have clear rules on what should be added or not. In general a pretty major consideration should be "approachability for a non technical user" - this forces us to rule out a lot of great products that are geared towards a tech-savvy audience, which at times compromises total privacy/security. But that's the battle here, seeking the best of both worlds without going crazy.

brianlovin, Feb 01 '19 18:02

I just came across this website, listing all the pros and cons of "secure" messaging apps: https://www.securemessagingapps.com/

The most security-focused messaging apps are Signal, Threema and Wire.

I'd suggest listing Signal and Wire first, as Threema is commercial (even though it has a lot of appeal and I'm considering trying it for myself), non-free apps can have a harder time getting adopted by a large part of the population.

From their website's About page:

So… which app(s) should I use?

  • Signal. It’s completely open source, written by a well-known security expert, and its protocol is used in other messaging apps (e.g., Whatsapp & Wire). They’re funded by donations and grants, not corporate money that relies upon your data. Their implementation has been reviewed by security experts and cryptographers. It’s solid.
  • Threema. If you’re looking to avoid Five Eyes/Fourteen Eyes, or you’d like to use an app anonymously, then it’s a good choice. They have a user pays model, their design is solid, and they have had the app independently reviewed. It is, however, closed source.
  • Wire. Again, if you’re looking to avoid Five Eyes/Fourteen Eyes, then it’s a good choice. It’s not as well documented as Signal and Threema, although both their client and server are open source. It has been independently reviewed. Both Threema and Wire provide slightly different levels of security and privacy. I’d recommend them both equally for the average user.

Having used Signal with my family, I can say with certainty that non-technical users can use it without a problem.

joachimesque, Feb 03 '19 09:02

I just made the PR #125. In it I removed iMessage and Whatsapp and replaced them with Threema and Wire for reasons cited above. I also replaced two resources that weren't reflecting the most accurate information relative to Whatsapp and iMessage, with securemessagingapps.com and an EFF series about secure messengers and why it's so hard to recommend one: https://www.eff.org/deeplinks/2018/03/secure-messaging-more-secure-mess.

If you have more remarks and additional resources to add, I'll reflect them in the PR.

joachimesque, Feb 03 '19 15:02

I've been thinking of adding Keybase, but there's two things I'm unhappy about:

  • not everything is open source
  • it's centralized

Also, it uses the Bitcoin Blockchain so I'm not too happy about it—but more for environmental and ethical concerns.

Do you use Keybase? Do you like it?

joachimesque, Feb 16 '19 11:02