Security scorecard finds messaging apps need more development

Diem Do

Only six out of 39 messaging applications have the features needed to guarantee the security of communications sent over the Internet, according to an analysis by the Electronic Frontier Foundation (EFF).
The results of the analysis, published as a scorecard on Tuesday, found that popular messaging apps—such as Facebook Chat, Apple’s FaceTime and iMessage, Microsoft’s Skype, and Yahoo Messenger—failed to meet all seven criteria, such as whether the application implements perfect forward secrecy and whether the source code had been audited for security. The group did the analysis as part of its campaign to promote the development of secure and usable cryptography, which is necessary in a world where government surveillance has become more common, Peter Eckersley, EFF’s technology projects director, told Ars.
The study is intended to help direct companies who are actively developing secure-communication software, he said.
“We are seeing an unprecedented level of interest and engineering commitment to solving these problems,” Eckersley said. “We don’t yet completely know what the best solution will look like, and that is why we are trying to set up the scorecards so that everyone knows the rules to play by.”
Following the leak of classified documents outlining government efforts to collect a significant volume of data on people’s phone and Internet communications, more companies have aimed to create encrypted messaging applications. Secure instant messaging firms such as Wickr and Silent Circle have created applications to compete against better-known software, such as the Off the Record chat add-on, and services, such as e-mail provider Hushmail.
The EFF evaluated each application against seven criteria. Almost every application passed the first milestone—encrypting communications in transit—but far fewer allowed for independent review of their source code or had paid to have their code audited by a third party. The four other criteria are whether the messages are encrypted to prevent the provider from reading their contents, whether the identities of contacts can be verified, whether the security design is documented, and whether the encryption process can prevent previous messages from being decrypted with a stolen key, a security feature known as perfect forward secrecy.
Only six applications passed all seven criteria: ChatSecure, CryptoCat, the Signal app for Redphone, Silent Phone, Silent Text, and TextSecure. Apple is the most secure of the messaging apps used by the masses, the EFF said. But passing all seven sections of the security scorecard does not mean that the applications are ready to be used as a way to privately communicate in an authoritarian nation, Eckersley said.
“Getting a perfect score here is more the first step than final victory,” he said. “We still need usability studies, metadata protection, independently commissioned audits, and other measures of security before we try to get the whole network to switch to one of these options.”
In addition, security alone is not sufficient in a messaging application, he said. The software or service has to be easy to use and must not make the effort of exchanging messages onerous. The key exchange, and the validation of trust in those keys, that is required to securely use a distributed message-security system like Pretty Good Privacy is an example of encryption done wrong, he said.
“Good cryptographic design should not cause significant inconvenience, and [it] certainly shouldn’t cause extra work as a first step to using the system,” said Eckersley.

Source: arstechnica.com