1

We are thinking about switching from e-mail to instant messaging. Do you think apps like WhatsApp or Telegram provide enough security for that?

  • 6
    Security from what? Switching from what email provider (in-house, or something proprietary)? It all depends. I wouldn't recommend using WhatsApp or a similar IM service to do wikileaks-type national security information or if your information is otherwise very sensitive (e.g., someone could make millions intercepting your communication by insider trading). I don't believe WhatsApp is particularly secure, but then neither is typical email sent to an arbitrary email address where in general there are no guarantees it is not relayed in plaintext. – dr jimbob Feb 26 '14 at 16:44
  • Consider TextSecure. It uses proven security protocols, it is open source, and it uses end-to-end encryption which even the NSA can't intercept. (Assuming no other attack vectors are involved, of course) – Hello World May 10 '14 at 14:46

1 Answer

3

It depends on what you mean by "secure enough". If unencrypted, unauthenticated messaging is secure enough, then yes. Otherwise, no.

WhatsApp's security model is secret and unverified. They claim to encrypt messages but don't give any idea of how. The safest bet is to assume no end-to-end encryption actually happens (which is probably the case anyway).

Telegram's security is more public, but is also a bit of a public disaster. This is discussed in another question, but the general idea is they made up their own cryptographic protocol which turns out to be an utter failure from a cryptography standpoint. While the team that designed the protocol is full of Math Ph.Ds and all the best intentions, their cryptography experience was severely lacking. As a result, they make impossible claims while failing to deliver on even the most basic security requirements.

If you're looking for a secure mobile messaging app, I would suggest TextSecure: it's open-source and therefore publicly verifiable, and also written by actual cryptographers who understand the technology they're working with. RedPhone, from the same group, adds encryption to voice calls.

As a lesser alternative, there's Threema: Each user's identity is tied to a public key which is used to decrypt the messages sent. The app design encourages in-person key exchange to improve security. Not open source, though, so the security is not verifiable.

tylerl
  • +1 for TextSecure, except it's still Android-only at the moment. The only advantage Telegram has is that it's also available on iOS, desktop and Web. – Daniel Serodio May 08 '14 at 21:40
  • 2
    It is worth noting that Telegram's encryption is not an "utter failure". The crypto community is criticizing it for being home-brewed. But no one has identified a real, practical vulnerability yet. (Except for this one, which was fixed immediately: https://telegram.org/blog/crowdsourcing-a-more-secure-future). Also, Telegram's crypto challenge has been changed: People may now manipulate traffic in addition to seeing it. – Hello World Jun 15 '14 at 16:24