Secure Messaging App Showdown: WhatsApp vs. Signal Hint: One is better for security, the other is best for privacy! -- Tom
Nice read. Like most secure solutions, my problem is that my real-name friends don't see the importance. It's so frustrating at times.
A strange conclusion they come to. First they say the security is the same, then they make it sound like WhatsApp is better for security. You could even say Signal is better for security, as the warning on a changed public key/identity is on by default. (Of course I understand that turning it on by default is not really feasible for WhatsApp's hundreds of millions of users who have no clue what it means.)
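The "warning on a changed public key" the commenter above refers to is a trust-on-first-use check: the app pins the identity key it first saw for a contact and flags any later key that differs, leaving the user to verify the new key out of band (for example by comparing safety numbers). The following is an added example in Go, not code from the page, from Signal or from WhatsApp. It pins keys per contact and renders a symmetric, digit-grouped fingerprint; the iteration count, the label format and the 30-digit grouping are assumptions made for illustration, not Signal's exact derivation, and the sample keys are constructed strings rather than real Curve25519 points.

```go
package main

import (
	"bytes"
	"crypto/sha512"
	"fmt"
	"strings"
)

// KeyStatus is the outcome of checking a contact's identity key against the
// key pinned the first time that contact was seen (trust on first use).
type KeyStatus int

const (
	KeyNew       KeyStatus = iota // first contact: pin the key
	KeyUnchanged                  // matches the pinned key
	KeyChanged                    // differs from the pinned key: warn the user
)

func (s KeyStatus) String() string {
	return []string{"new", "unchanged", "CHANGED"}[s]
}

// PinStore maps a contact identifier to the identity key pinned for it.
type PinStore struct {
	pins map[string][]byte
}

func NewPinStore() *PinStore { return &PinStore{pins: map[string][]byte{}} }

// Observe reports how the presented key relates to the pinned one. A changed
// key is reported but never silently re-pinned; that is the warning on a
// changed identity key discussed in the thread.
func (p *PinStore) Observe(contact string, identityKey []byte) KeyStatus {
	pinned, ok := p.pins[contact]
	if !ok {
		p.pins[contact] = append([]byte(nil), identityKey...)
		return KeyNew
	}
	if bytes.Equal(pinned, identityKey) {
		return KeyUnchanged
	}
	return KeyChanged
}

// Repin accepts a new key only after the user has verified it out of band
// (for example by comparing safety numbers in person).
func (p *PinStore) Repin(contact string, identityKey []byte) {
	p.pins[contact] = append([]byte(nil), identityKey...)
}

// fingerprint turns one party's identifier and identity key into 30 digits.
// The iteration count is an assumption for this example; its purpose is to
// make brute-forcing a key with a colliding short fingerprint more expensive.
func fingerprint(id string, key []byte) string {
	h := sha512.Sum512(append([]byte(id+"|"), key...))
	for i := 0; i < 5200; i++ {
		h = sha512.Sum512(h[:])
	}
	groups := make([]string, 0, 6)
	for i := 0; i < 6; i++ {
		var v uint64
		for _, b := range h[5*i : 5*i+5] {
			v = v<<8 | uint64(b)
		}
		groups = append(groups, fmt.Sprintf("%05d", v%100000))
	}
	return strings.Join(groups, " ")
}

// SafetyNumber is the same string on both devices regardless of who computes
// it, so two users can read it aloud or scan it to verify each other's keys.
func SafetyNumber(idA string, keyA []byte, idB string, keyB []byte) string {
	fa, fb := fingerprint(idA, keyA), fingerprint(idB, keyB)
	if fa > fb {
		fa, fb = fb, fa
	}
	return fa + " " + fb
}

func main() {
	store := NewPinStore()
	// Constructed sample keys; real identity keys are 32-byte Curve25519 points.
	aliceKey := []byte("alice-identity-key-v1")
	bobKey := []byte("bob-identity-key-v1")
	fmt.Println("first contact:", store.Observe("alice", aliceKey))
	fmt.Println("safety number:", SafetyNumber("bob", bobKey, "alice", aliceKey))
	// Alice reinstalls, or someone impersonates her: a different key appears.
	fmt.Println("new key seen:", store.Observe("alice", []byte("alice-identity-key-v2")))
}
```

The design point is in Observe: a changed key is surfaced, not absorbed. An app that silently re-pins on change still has end-to-end encryption, but a server (or anyone who can push a key to the server) can swap in its own key without the user noticing, which is exactly the scenario the warning exists to catch.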
It would seem the dividing line between security and privacy is very slim, however, that is because privacy means are provided by secure methods. -- Tom
So in what way is WhatsApp better at privacy, or security for that matter?

Signal:
- Open source
- Made with security in mind from day 1
- Saves no metadata
- No connection to any corporation
- Made by a not-for-profit
- Android app is programmed by a world-renowned security expert

WhatsApp:
- Closed source
- Originally had no encryption, followed by terrible encryption, followed by bad encryption, followed by decent encryption, followed by Signal Protocol (amazing encryption)
- Saves metadata
- Owned by Facebook, a company that makes billions selling your data to advertising
- Programmed by, as far as I can tell, un-named individuals working for Facebook
I believe the difference is that Signal provides the means to do end-to-end encryption at the protocol level, whereas WhatsApp is constructed upon those features for privacy. -- Tom
WhatsApp may be "encrypted messaging", but it gathers and logs so much other data on their servers: who you contact and when, MD5 hashes of attached files, timestamps of when they were sent, when you last logged on/used it. WhatsApp knows the names of your group chats and what contacts are in that group chat. Lots of metadata gathered and stored... Yes, Facebook may not be able to see the content of the messages, but they know and log everything else. Signal doesn't know the names of your group chats or who is in them, and doesn't store on its servers anything other than that you have used the service sometime in the last 24 hours.
Just because WhatsApp is "constructed upon those features for privacy" doesn't mean it's in any way, shape or form more private than Signal. If you want privacy you are always better off with Signal since it stores no metadata.
I really like Wire. The desktop program seems to have fewer issues than Signal-Desktop. However, they had an audit quite recently and they didn't pass with flying colors the way Signal did. https://techcrunch.com/2017/02/10/messaging-app-wire-now-has-an-external-audit-of-its-e2e-crypto/ Better than Telegram though.
I haven't looked into this stuff very carefully. Mainly because I can't imagine using cell-based mobile devices for secure stuff. So anyway, I've recently started using the Keybase app in Linux. Since February, it's had both cloud storage and chat. Everything is based on GnuPG keys. All data is encrypted locally before hitting Keybase servers. Plus forward-secure TLS for transport, of course. Users can choose to upload private keys, passphrase-encrypted of course. But otherwise, users' private keys stay on their devices. Given that, Keybase can't do anything tricky with data. You encrypt files to keys of all users to be granted access. Chat data gets encrypted to the recipient. If a user doesn't have their private key on a device, they can't work with files or chat. There's no mechanism for trusting devices based on some more-or-less secure authentication mechanism. You either have the private key, or you don't. Do any of the other chat apps work like that? I do get the downside. If you lose your private key, you're screwed. You need to create a new one, and authenticate it with all of your contacts. And you lose access to all stored files encrypted to the lost key. But that's a decent tradeoff, as I see it.
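The model described in the comment above, encrypting a file to the keys of every user who should be able to open it so that the server never holds anything usable, can be shown concretely. The following is an added example in Go, not Keybase's code or its exact construction: it uses X25519 and AES-256-GCM from the Go standard library, with an assumed SHA-256 based per-recipient key derivation. The content is encrypted once under a random key, and that key is wrapped separately for each recipient; a user with no matching private key gets a decryption failure, which is the "you either have the private key, or you don't" property.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is all the server stores: one ciphertext plus the content key
// wrapped once per recipient. Without a recipient's private key none of it opens.
type Envelope struct {
	EphemeralPub      []byte            // sender's one-time X25519 public key
	Nonce, Ciphertext []byte            // AES-GCM nonce and the sealed message
	WrappedKeys       map[string][]byte // recipient id -> content key sealed to that recipient
}

// gcm builds AES-256-GCM. Keys are always 32 bytes here, so neither call fails.
func gcm(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	aead, _ := cipher.NewGCM(block)
	return aead
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// wrapKeyFor is the assumed per-recipient KDF: SHA-256 over a label, the recipient id, the ephemeral public key and the shared secret.
func wrapKeyFor(shared []byte, recipient string, ephPub []byte) []byte {
	h := sha256.New()
	h.Write([]byte("wrap-key|" + recipient + "|"))
	h.Write(ephPub)
	h.Write(shared)
	return h.Sum(nil)
}

// Seal encrypts plaintext once under a fresh content key, then wraps that key to every recipient via X25519 with a one-time sender key.
func Seal(plaintext []byte, recipients map[string]*ecdh.PublicKey) (*Envelope, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	contentKey := randBytes(32)
	aead := gcm(contentKey)
	env := &Envelope{
		EphemeralPub: eph.PublicKey().Bytes(),
		Nonce:        randBytes(aead.NonceSize()),
		WrappedKeys:  map[string][]byte{},
	}
	env.Ciphertext = aead.Seal(nil, env.Nonce, plaintext, nil)
	for id, pub := range recipients {
		shared, err := eph.ECDH(pub)
		if err != nil {
			return nil, err
		}
		wk := gcm(wrapKeyFor(shared, id, env.EphemeralPub))
		// All-zero nonce is safe only because each wrapping key comes from a one-time ephemeral key and seals exactly once.
		env.WrappedKeys[id] = wk.Seal(nil, make([]byte, wk.NonceSize()), contentKey, nil)
	}
	return env, nil
}

// Open recovers the plaintext for one recipient; it fails when no copy was wrapped for id or priv does not match that copy.
func Open(env *Envelope, id string, priv *ecdh.PrivateKey) ([]byte, error) {
	wrapped, ok := env.WrappedKeys[id]
	if !ok {
		return nil, errors.New("no content key wrapped for " + id)
	}
	ephPub, err := ecdh.X25519().NewPublicKey(env.EphemeralPub)
	if err != nil {
		return nil, err
	}
	shared, err := priv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	wk := gcm(wrapKeyFor(shared, id, env.EphemeralPub))
	contentKey, err := wk.Open(nil, make([]byte, wk.NonceSize()), wrapped, nil)
	if err != nil {
		return nil, errors.New("private key does not match the copy wrapped for " + id)
	}
	return gcm(contentKey).Open(nil, env.Nonce, env.Ciphertext, nil)
}

func main() {
	alice, _ := ecdh.X25519().GenerateKey(rand.Reader)
	env, _ := Seal([]byte("Q3 notes"), map[string]*ecdh.PublicKey{"alice": alice.PublicKey()}) // constructed sample
	pt, err := Open(env, "alice", alice)
	fmt.Printf("alice: %q, err=%v\n", pt, err)
}
```

Two things to notice when adapting this: the envelope carries no recipient-side secret, so losing the private key really does mean losing access to everything wrapped to it, as the comment says; and the per-recipient wrapping key is bound to the recipient id and the ephemeral public key, so a wrapped copy cannot be moved to a different slot in the envelope without failing authentication.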
I'm not familiar with Telegram or Wire. However, I read somewhere that the Wire server stores a lot of metadata unencrypted! This has also been discussed on Twitter, with a dubious explanation from Wire. No way that I will use that app. Besides, wire.com (216.239.34.21) is hosted by Google. Google and privacy?
I don't see the private key thing as a big deal. If someone cannot protect a saved and stored "keyset", they shouldn't be using this encryption method. It's the equivalent of not storing and saving a seed to a BTC wallet. Both of these items are absolutely crucial to providing secure and permanent access to vital things.