surespot encrypted messenger, thoughts?

Discussion in 'privacy technology' started by cb474, Feb 5, 2015.

  1. cb474

    cb474 Registered Member

    Joined:
    May 15, 2012
    Posts:
    325
    Anyone familiar with Surespot encrypted messenger?

    https://www.surespot.me/

    EFF rates Surespot pretty well and what they say on their websites sounds good, though there is little information about who the devs are and what their motivations are. I understand wanting privacy and anonymity (of course), but I guess I also like to know who's making software that I plan to trust.

    Any thoughts on Surespot would be appreciated.

    *

    I've been looking for an encrypted messaging app that works on both Android and iOS.

    Tried ChatSecure, but it constantly logs out on iOS and you don't get notifications of new messages (ChatSecure says it's due to Apple restrictions on what apps can do); so that makes ChatSecure not so useful. Open Whisper System (e.g. TextSecure, RedPhone) has the Signal app for iOS, but it doesn't include texting yet. Tried Tutanota (though that's really an email service) and it also logs out frequently and does not provide notifications of new emails in iOS either.
     
  2. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,771
    Location:
    Outer space
    Imo it is not a bad messenger. Open-source, available on Android and iOS, working notifications, usernames instead of phone numbers.
    Cons: No Forward Secrecy, usernames instead of phone numbers (a messenger where you'll have to manually add all your contacts will never be a competitor for mainstream apps like WhatsApp), too much info stored on server: https://www.surespot.me/documents/threat.html
    v2.0 of Signal for iOS (with TextSecure messaging) should be released soon, Beta was launched in December:
    https://twitter.com/FredericJacobs/status/542966161554825216
     
  3. dogbite

    dogbite Registered Member

    Joined:
    Dec 13, 2012
    Posts:
    1,166
    Location:
    EU
    Biggest Con: nobody uses it.
     
  4. cb474

    cb474 Registered Member

    Joined:
    May 15, 2012
    Posts:
    325
    I've been trying it out. It works well. The fact of requiring usernames, instead of using phone numbers, is clearly less convenient, but it's done deliberately for security. I prefer that my messaging app doesn't know my phone number. And it allows you to have multiple identities, so you can communicate more and less anonymously with different people.

    Yeah, I don't like the fact that texts are stored on the server, even if encrypted and I only hold the private key. I guess the point is to allow people to restore the texts on other devices? Or if I lose them somehow (assuming I have not also lost the private key). But I'd rather take the risk of losing the texts than have the privacy/security problems of them being stored on the server. And if there must be a server, I'd prefer a service based outside the U.S. It looks like it's based in Colorado, I assume that's where the server is, and they clearly say they are subject to U.S. court orders.

    It will be nice when Signal gets updated. I guess I'll get my iOS friends to switch back to that. Obviously Open Whisper Systems is well known and has about as good a reputation as you can get. I'd prefer if it doesn't require registering one's phone number with their server, but I understand that the convenience makes it a lot more likely to get broader use. I also found that RedPhone on Android causes the dialer app to take longer to load. There's always a delay and a spinning wheel for a second, presumably while RedPhone is checking in with the server? It was minor, but annoying, given I only know one other person that uses it. I'm more interested in the encrypted texting, than phone calls.

    Yeah, I agree that it's not very widely used. To me that's not an issue of using it with other people, since even with TextSecure, I have to talk everyone I know into using it, so it's just as much work to suggest any old app. I've never stumbled on someone using it on their own. But the fact that it's not widely used does to me make its legitimacy more questionable. As the EFF notes, even though it's open source, no one has reviewed the code. It looks like the project of just one dev in Colorado. That's cool and I appreciate it. Everything on the website seems like someone knowledgeable about security and encryption and sincere in his desire to create a private service. But still, the service has not really been vetted in a reliable way.

    That said, I have been trying it out with a friend who uses iOS. It works nicely. It's very easy to set up (easier than ChatSecure). It has a clean interface. And it is really hard to find anything that works properly for notifications in iOS (still testing that).
     
  5. dogbite

    dogbite Registered Member

    Joined:
    Dec 13, 2012
    Posts:
    1,166
    Location:
    EU
    Installed (iOS) and using it since this afternoon. I like it but, as I said before, to chat with somebody I had to install it on my wife's Android. :D

    If you want to chat I can just drop you my username in a private message..
     
  6. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,771
    Location:
    Outer space
    Development seems very slow: https://github.com/surespot/android/pulse/monthly
    I'd rather use TextSecure/Signal now. Aside from the earlier mentioned points, Desktop support is coming, which I like a lot and some of my contacts are still sticking to Telegram because of Desktop.
    Oh, and it's hard to motivate average Joes to install Surespot when it doesn't support group messaging.
     
  7. dogbite

    dogbite Registered Member

    Joined:
    Dec 13, 2012
    Posts:
    1,166
    Location:
    EU
    I am still not able to send texts with Signal. I simply do not see that option available. Calls only.
     
  8. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,771
    Location:
    Outer space
    Are you sure you're on v2.0? It's currently only on iOS8+ btw.
     
  9. dogbite

    dogbite Registered Member

    Joined:
    Dec 13, 2012
    Posts:
    1,166
    Location:
    EU
    Yes, I am on 2.0.1. Re-installed yesterday. I am on iOS 8.2. All contacts within Signal are greyed out. I mean, I can make a call but not a text.
     
  10. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,771
    Location:
    Outer space
    I found this on Github:
    "I see two possible cases:
    1) They just signed up, and Signal is not aware yet they signed up. Pull-to-refresh in the contacts view will reload your contact list.
    2) They haven't upgraded yet to Signal 2.0 and thus their version of Signal only supports calling, no text messaging."

    https://github.com/WhisperSystems/Signal-iOS/issues/715

    If it isn't the case, you can open a new issue and perhaps they can squeeze in a fix before the 2.0.2 release.
     
  11. dogbite

    dogbite Registered Member

    Joined:
    Dec 13, 2012
    Posts:
    1,166
    Location:
    EU
    I thought about that and maybe the issue is not due to a Signal bug but rather to how my contacts are organized/displayed.
    Basically all the contacts I have in Signal are duplicated, I mean I see them twice. This is because on my phone I have two different Groups of contacts and some of those contacts belong to both Groups. Maybe Signal gets confused by that.
     
  12. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,771
    Location:
    Outer space
    I saw reports of this as well, but there was no mention of not being able to message contacts when they're duplicated.
    Btw, multiple contacts should be shown correctly in 2.1:
    https://github.com/WhisperSystems/Signal-iOS/issues/720
     
  13. cb474

    cb474 Registered Member

    Joined:
    May 15, 2012
    Posts:
    325
    I gave up on Surespot, because I wasn't getting notifications on Android, making it not very useful for me. And in the end, I wasn't comfortable with the lone unknown developer with unreviewed code. I also decided in the end I didn't like that Surespot stores my messages on their server.

    Now that Signal has texting in iOS, I feel it's the best option as a cross-platform chat/text app. The people I'm communicating with on iOS aren't having problems getting the texting feature to work.
     
  14. dogbite

    dogbite Registered Member

    Joined:
    Dec 13, 2012
    Posts:
    1,166
    Location:
    EU
  15. cb474

    cb474 Registered Member

    Joined:
    May 15, 2012
    Posts:
    325
    Wow, that is totally fascinating and a little bit terrifying.

    It does add to my wariness about Surespot. It seems like being a popular app for ISIS has got to put it in the crosshairs of the NSA (though probably all of these encryption apps are). And given that there has been no code review, even though technically it's open source, who knows if it has security holes in it (well, okay, the NSA probably knows, since they're exceedingly good at figuring those things out and then telling no one). Also, given the unavailability and semi-mysterious nature of the Surespot developers (and the way it's run out of their house), there's an outside chance it's a honeypot. It would be very clever to make an app open source, while assuming the code won't be reviewed, and then lull people into complacency about the security that way. Sort of dazzle camouflage, open source style. The back door is sitting in plain view, but no one ever looks to see it's there.

    It speaks to TextSecure/Signal's advantages, coming from a very well known security developer, having had its code reviewed, and being much more widely used. It may still be a target, but I have more faith that it's secure.
     
    Last edited: Mar 21, 2015
  16. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,771
    Location:
    Outer space
    Encrypted Messaging Service Stops Answering 'Warrant Canary' Questions, Suggesting FBI, Others Are Seeking User Info
    https://www.techdirt.com/articles/2...esting-fbi-others-are-seeking-user-info.shtml
     
  17. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    That's an interesting approach to warrant canary. With some minor coding investment, it could be rolled out on a very large scale. Even just all of the major VPNs. I don't see anything about systematic testing at <antipolygraph.org>.
     
  18. cb474

    cb474 Registered Member

    Joined:
    May 15, 2012
    Posts:
    325
    Of course, they could just have failed to respond to the emails, so it's hard to know what this indicates. For this to work well, the developers would have to promise to be diligent about responding to the emails, otherwise it's not very good information. But with small one-man/woman-show projects like this, I often find they start with a bang, then developers lose interest or get busy with other things and spend less and less time on it. So it seems extremely plausible to me that they have failed to respond to the emails for a host of other possible reasons.

    Further, if the developers planned to be superdiligent about responding to such emails and promised explicitly to do so, then they could also just maintain their own warrant canary since it wouldn't really be more work. So I don't know how much of an alternative sending emails is, practically speaking.

    Of course, considering the news story that ISIS members like to use Surespot, it would not be surprising that they've received some court orders. And this is hardly a large enough organization to have the resources to resist such orders.
     
  19. dogbite

    dogbite Registered Member

    Joined:
    Dec 13, 2012
    Posts:
    1,166
    Location:
    EU
  20. dogbite

    dogbite Registered Member

    Joined:
    Dec 13, 2012
    Posts:
    1,166
    Location:
    EU
  21. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,987
    Location:
    Brasil
  22. cb474

    cb474 Registered Member

    Joined:
    May 15, 2012
    Posts:
    325
    I think it's good that Surespot is finally making an effort to communicate with its users about what it's doing and to respond to the media stories about it. But to me, it's still a small operation, run by unknown people, where essentially one has to just trust that all of its assurances are accurate.

    Sure, it's open source, but I don't see that Surespot has made an effort to get a recognized third party to review the code. Saying anyone can look at the code seems to be used a lot these days to imply that the code is bug and back door free and that the developers have been completely honest about the application. Of course, most people are not coders and can't review the code. And if a project isn't big enough, it's likely no one is looking at the code. Open source code that no one reviews is no more secure than closed source code. In this era, I don't think it's enough to merely label a product "open source" and assume one has done one's due diligence to demonstrate its security.

    Also claims like, "Be assured that surespot does exactly what it says it does." And: "Surespot is today's safest and most secure private messaging tool. Period." (Which can be found on the website and blog.) These seem a little over the top and laden with hubris. They have the opposite effect on me and do not seem reassuring.

    That said, on the surface it looks like an interesting project and I hope the project grows, the developers behind the project explain more who they are and what their motivations are, and it gets a real code review.
     
  23. dogbite

    dogbite Registered Member

    Joined:
    Dec 13, 2012
    Posts:
    1,166
    Location:
    EU
    The code review is key, who they are and motivations are not so important (think Truecrypt..)
     
  24. Marchelamb

    Marchelamb Registered Member

    Joined:
    Jun 5, 2016
    Posts:
    0
    Location:
    England
    I just have a question to anyone using surespot.
    I know you can log in to a new device using the same username and password. The question is:
    Am I going to lose all my messages, or can I still see them in the history from my new device?
    I personally don't want to risk in case I won't see my messages anymore, but if anyone knows it please share your experience.
    Many thanks
     
  25. dogbite

    dogbite Registered Member

    Joined:
    Dec 13, 2012
    Posts:
    1,166
    Location:
    EU
    You do not see them anymore. There is no sync because messages are stored just on device.
     