Review of messaging services’ security finds it jars with usability

6 Nov 2014

Digital rights group the Electronic Frontier Foundation (EFF) has reviewed the security of a whole raft of messaging services and found that truly secure messaging tools may compromise usability.

Given the realisation by many that the world is watching and surveillance is reaching new heights, EFF’s campaign for secure and useable crypto is coming at a good time.

“It boils down to two things: security and usability,” explains EFF. “Most of the tools that are easy for the general public to use don’t rely on security best practices – including end-to-end encryption and open-source code.”

It appears that truly secure messaging tools are less user friendly, for a myriad of reasons. For example, installation obstacles, a true understanding by users of how to establish authenticity, and future uses exposing communiqués.

Many companies offer ‘secure messaging’ products and the EFF is trying to establish if that claim is, in fact, true. Through various queries into messaging services, EFF is creating a ‘scorecard’ of providers, offering an easy to understand review of their security systems.

Seven simple questions

EFF’s way of establishing these results is through applying seven questions to the service. Is your communication encrypted in transit? Is your communication encrypted with a key the provider doesn’t have access to? Can you independently verify your correspondent’s identity? Are past communications secure if your keys are stolen? Is the code open to independent review? Is the crypto design well-documented? Has there been an independent security audit?

Only six of 39 communication services passed all seven tests – ChatSecure + Orbot, CryptoCat, Signal/RedPhone, Silent Phone, Silent Text and TextSecure.

However, this scorecard represents only the first phase of the campaign.

“In later phases, we are planning to offer closer examinations of the usability and security of the tools that score the highest here,” says the organisation.

“As such, the results in the scorecard should not be read as endorsements of individual tools or guarantees of their security; they are merely indications that the projects are on the right track.

“We chose technologies that have a large user base – and thus a great deal of sensitive user communications – in addition to smaller companies that are pioneering advanced security practices. We’re hoping our scorecard will serve as a race to the top, spurring innovation around strong crypto for digital communications.”

Data hack image via Shutterstock

Gordon Hunt was a journalist with Silicon Republic

editorial@siliconrepublic.com