10

The Wire app appears, on the surface, to avoid many of the pitfalls that other messaging apps have - it's fully end-to-end encrypted, and it's open source. It supports video calling, and it has clients for smartphones, desktops, and web. Unlike e.g. WhatsApp, you can use the web client even when your smartphone is off.

On their privacy page, they state that

Text messages and pictures use Off-the-Record (OTR) end-to-end encryption. Wire uses the Axolotl ratchet and pre-keys which are optimized for mobile messaging.

However, Moxie Marlinspike has said that they do not use the Signal protocol:

Wire does not use Signal Protocol, they used some of our code to create a protocol of their own devising that we do not recommend.

I'm unable to find any other details on this. Is there any commentary on Wire's encryption? Is Wire secure?

Edit 2017-05-17: it looks like Wire stores a list of everyone you've communicated with in plaintext on their server, but this may change in the future.

tao_oat
  • 312
  • 1
  • 2
  • 10
  • Someone posted this link, but their answer was deleted. I still think it has useful information: [Some problems with Wire (plus responses from the company), from the University of Waterloo](https://crysp.uwaterloo.ca/opinion/wire/) – tao_oat Jan 09 '17 at 18:34
  • 1
    When you ask yourself "is X secure?", make sure to also ask "against what?". There are many different meanings of "secure", some of which are valid in this context. For example, something can be secure against breach of condentiality of message content against a passively monitoring adversary while utterly failing to protect communications metadata, or failing when the adversary goes from passive monitoring to active tampering with (including selective blocking, modification or injection of) traffic. Lots of technologies are secure against *some* attacks, but fail against *some other* attacks. – user Jan 14 '17 at 20:08
  • @MichaelKjörling That's a very good point - perhaps this question is too broad as it is. Perhaps a more specific question is "Is Wire's encryption secure?", but I think that the question as it is now may be a good starting point for general discussion about Wire - especially since there doesn't seem to be an awful lot out there. – tao_oat Jan 14 '17 at 21:17
  • 1
    They did also recently complete a security audit https://medium.com/wire-news/wires-independent-security-review-61f37a1762a8#.xtlfv3wfw – fb1 Feb 09 '17 at 12:19
  • As of 2020, Wire says it's independently audited by some security audit company called "Kudelski Security" - https://wire.com/en/security/#audits. It's revenue comes from Enterprise solution it provides. Lastly, it's based in Switzerland so you are supposedly protected by European privacy laws too. – Ashim Aug 29 '20 at 03:18

1 Answers1

3

To answer your first (and easy) question: Yes, they use Signal's protocol.

The second question is a tough one. (But since they do use Signal's protocol, you might as well use Signal, don't you think?) They're not completely open source, btw. Only the app is, the server software is not. To my knowledge, there's no security audit. I'm not sure how they handle metadata, which is a huge deal (to me, at least) and the reason why I personally use Threema. The guys behind Wire are Skype developers, which doesn't exactly inspire confidence since Sykpe is/was one of the least secure messengers around. Also, how do they generate money? The app is free. There are no ads. That should raise suspicion, if you ask me.

Servranckx
  • 31
  • 1
  • Is the server source open now? I found https://github.com/wireapp/wire-server – Capi Etheriel Sep 21 '17 at 16:51
  • 1
    Yes, it's fully opened source. They also have had an audit and I believe they have fixed all the issues identified. They keep very little metadata on their services, but slightly more than Signal. They have end-to-end encrypted business offerings, which is how they plan to make money. – ShawnPConroy Dec 20 '17 at 18:00
  • 1
    Skype was an excellent messenger 15 years ago. Between lessons learned from that and the desire to make a secure messenger, they seem to have the expertise and motivation to make an excellent competing product. I'm considering transitioning to it myself. – ShawnPConroy Dec 20 '17 at 18:02
  • The advantages to Signal is that it's multi device and can actually be anonymous if you don't use your phone number or primary email address. – ShawnPConroy Dec 20 '17 at 18:02