Secure Messengers, what are they?
You’ve probably noticed that we end up talking about secure messengers in these articles quite a bit. While selecting and using secure messengers isn’t necessarily about cybersecurity (as opposed to communications security or privacy), cybersecurity has a lot to say about what makes a messenger “secure” and how they all measure up to each other.
Also, missionaries and advocates ask us about secure messaging and VPNs frequently.
There are a lot of topics to cover and no one article can cover them all. Today we’re talking about the very basics.
What are they?
Secure messengers are messaging platforms—usually instant messaging or short-form messaging via a cell phone—that protect your communications from intercept by unwanted third parties, especially service providers and external surveillance.
For the sake of this article, we’ll focus on the usual service providers because external surveillance relies on or mirrors the monitoring conducted by service providers, at least until we have to consider quantum computing.
The service providers we’re normally concerned with comprise the infrastructure(s) our messages ride over. So:
The messaging provider itself and their servers
The cell service provider
The internet service provider
The cell phone or computer’s operating system
Secure messengers prevent one or more of these service providers from being able to read the contents of messages sent between people using the secure service.
With that said, most secure messengers are a privacy tool: they protect what’s being said from snooping. They are not normally anonymity tools because they don’t always hide who you are while speaking (e.g. Signal and WhatsApp both used real phone numbers for communications until recently).
They also may or may not be quiet when broadcasting, as we talked about a bit in the 3-bit framework (https://www.ericiussecurity.org/blog/3-bit-ip-planning). Think of them as encrypted radio signals: people can hear the signal with their own radios, but they need something special to understand what’s being said.
Selecting a secure messenger
We’ll skip over the need to understand the information your team relies on for the moment and we’ll also skip over conversations about classification and need to know. Let’s assume that your team needs a secure messenger to communicate with each other about some form of sensitive information.
The first step to selecting a new tool is determining what it needs to do and why. When discussing that, we should consider at least the following:
Group size – How many people need to communicate at once
Features needed – Do you need text messages? Group calls, video calls, and/or document collaboration?
Security and Privacy features and policies – What are your team’s privacy and security policies? What are the privacy and security policies of the tools available to choose from?
Budget – How much money do you have vs how much do tools cost?
Operating System Support – Do tools need to support cell phones, computers, or both? Which ones?
In other words, the first thing we need to engage with is the business or mission need for the tool and how the tool will interact with the mission’s existing setup and constraints.
Then, we want to engage with privacy and security specific features.
Essential Security Features
Secure messengers aim to prevent service providers and surveillance from monitoring your communications. That means they need to do three primary things:
Protect data in transit – Prevent snooping as the messages travel
Protect data at rest – Prevent snooping when the message is stored and not in use on the phone or computer
Protect accounts/identities from takeover – Prevent other people from successfully pretending to be you to hijack your message storage or send/receive systems
These three goals are usually accomplished with encryption and strong access controls. These goals produce this list of essential features:
End to End Encryption with keys under the users’ control – Messages should be encrypted as soon as they are sent and should not be decrypted until received. Only the sender and receiver should be able to decrypt the messages
Forward Secrecy – When keys change in the future, old messages should be lost. No one without the right keys should be able to read the message, including the legitimate users. This implies keys will change in the future. (see also, https://avinetworks.com/glossary/perfect-forward-secrecy/)
Zero Knowledge – The service provider creating the messaging system should have no knowledge of the messages’ contents and as little knowledge about the senders or receivers as possible.
Contact Verification – Users should be able to control their own keys, view their own keys, and use the fingerprints of their keys to ensure they are talking to the person they think they are and that no one is sitting in the middle decrypting then relaying messages.
Support for Multi-factor Authentication – Accounts for the service should be protected from takeover by at least two forms of authentication.
Design or Architecture should be documented – In modern cryptography, it shouldn’t matter if the cryptographic system is known as long as keys remain secure. Similarly, it shouldn’t matter if the service provider publishes the broad overview of their architecture, because it should be secure unless someone has keys.
Independently audited and open about problems – All systems have problems and vulnerabilities. A secure messaging provider should acknowledge this and be open with customers about how frequently they are audited, what problems are found, and what’s done to fix problems.
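To make the Forward Secrecy item concrete, here is an added toy example (not code from the article or from any real messenger, and much simpler than Signal’s Double Ratchet): every message gets its own key derived from a chain key that is advanced through a one-way function and then discarded. A thief who steals the device’s current chain key can ratchet forward and read later messages, but cannot recompute the keys for messages sent before the theft. The root key and messages are constructed for the demo.

```python
import hashlib
import hmac
from typing import List, Optional, Tuple

# Toy symmetric ratchet for illustration only (not any messenger's real protocol).
def ratchet(chain_key: bytes) -> Tuple[bytes, bytes]:
    """Return (next_chain_key, message_key). HMAC is one-way, so a newer
    chain key does not reveal the older one it was derived from."""
    message_key = hmac.new(chain_key, b"msg", hashlib.sha256).digest()
    next_chain = hmac.new(chain_key, b"chain", hashlib.sha256).digest()
    return next_chain, message_key

def _xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with a SHA-256 based keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def seal(message_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt and append an HMAC tag so a wrong key is detected, not garbage."""
    body = _xor_stream(message_key, plaintext)
    return body + hmac.new(message_key, body, hashlib.sha256).digest()

def open_sealed(message_key: bytes, ciphertext: bytes) -> Optional[bytes]:
    body, tag = ciphertext[:-32], ciphertext[-32:]
    expected = hmac.new(message_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong key or tampered message
    return _xor_stream(message_key, body)

class Sender:
    def __init__(self, root_key: bytes):
        self.chain_key = root_key  # the only secret kept on the device
    def send(self, plaintext: bytes) -> bytes:
        self.chain_key, mk = ratchet(self.chain_key)  # old chain key is dropped
        return seal(mk, plaintext)

def recoverable(ciphertexts: List[bytes], stolen_chain_key: bytes) -> List[int]:
    """Indexes of messages a thief holding stolen_chain_key can read:
    they can only ratchet forward, so earlier messages stay sealed."""
    found, ck = [], stolen_chain_key
    for _ in ciphertexts:
        ck, mk = ratchet(ck)
        found += [i for i, ct in enumerate(ciphertexts) if open_sealed(mk, ct) is not None]
    return sorted(found)

def demo() -> List[int]:
    root = hashlib.sha256(b"constructed shared root key").digest()  # constructed
    alice = Sender(root)
    cts = [alice.send(b"meet at 10"), alice.send(b"bring the docs")]
    stolen = alice.chain_key  # device compromised after two messages
    cts += [alice.send(b"third message"), alice.send(b"fourth message")]
    return recoverable(cts, stolen)  # only the two sent after the theft
```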
You might also consider price to be essential: if the tool is free, you are the product. That saying may be overly simple because the tool may have an alternate funding strategy such as freemium subscriptions, nonprofit/donation support, or open-source software (i.e. “you pay with your sweat and time”). It’s important that you know how the messenger makes its money and stays active, so that you know whether it is monetizing your messages. Facebook Messenger, WhatsApp, and Telegram are great examples of free services whose funding models call their security into question.
Useful Features
Besides essential features, you may also want to consider features that increase anonymity or decrease the impact of any exposure or failure. Namely:
Disappearing messages – Can you set messages to automatically erase so they are not available for exploitation if someone ever does break into the system?
Registration without phone or email – Can you create and secure an account without linking it back to other accounts, even if this means you could become permanently locked out?