Messaging Candidates
This is a summary of candidates for a cross-platform, user-friendly text messaging platform for general use instead of Facebook Messenger, Google Hangouts/GTalk, etc. Mobile-friendly solutions take some precedence, as mobile texting seems to be the dominant use case at the moment.
Requirements
The starting point in candidate selection is the EFF's now-obsolete Secure Messaging Scorecard (as of 14 July 2015). From that list, only entries that have at most one red mark are considered.
In addition, the ideal candidate will:
- Be federated with an open source server.
- Have open source clients.
- Have clients for all major platforms:
  - iOS, Android, Windows, MacOS, Linux
- Be easy to install and set up.
- Provide something better than a miserable user experience once set up.
- Offer privacy and security protections by default.
- Feel like it's not going to be abandoned.
- Not require a phone number to create an account.
- Not require your phone number to be divulged to everyone with whom you communicate.
The candidates
The notes below shouldn't be considered complete; they just highlight known negatives.
ChatSecure + Orbot
- Have clients for all major platforms. No clients for desktop platforms.
- Be easy to install and set up. Setting up an XMPP account isn't tragic, but it's not as streamlined as a single-source (i.e., non-federated) system. The big fail here though is that public XMPP servers tend to be fickle. OTR is baked in, so that's good.
CryptoCat
- Have clients for all major platforms. Android client is still betaware. No native Windows or Linux apps.
- Feel like it's not going to be abandoned. Development is advancing at a slow pace.
Also, the Facebook integration needs to be investigated to see whether there's a potential security compromise.
Jitsi + Ostel
- Have clients for all major platforms. Jitsi isn't available for mobile platforms (although an Android app is in the works). Other Ostel-compatible apps exist for mobile, but Ostel supports calls only, no text.
Mailvelope
OpenPGP encryption for webmail. Not really what we are after.
XMPP clients with Off-The-Record Messaging (Pidgin, Adium, etc.)
- Be easy to install and set up. Setting up an XMPP account isn't tragic, but it's not as streamlined as a single-source (non-federated) system. The big fails here though are that public XMPP servers tend to be fickle and that configuring and engaging OTR messaging is an additional and cumbersome step.
RetroShare
- Have clients for all major platforms. No mobile clients.
- Feel like it's not going to be abandoned. It's unclear how many developers are involved and what the commitment is.
Signal / RedPhone
Open Whisper Systems' partnership with WhatsApp/Facebook renders any security and privacy provisions suspect. Whatever lives within WhatsApp/Facebook is effectively governed by WhatsApp/Facebook privacy and security. In the absence of additional information, this renders this option ineligible for further consideration.
Silent Phone
- Have clients for all major platforms. iOS and Android only.
Also, SilentCircle seem to have deprecated their standalone clients in deference to their turnkey payware systems.
Silent Text
- Have clients for all major platforms. Android only.
Also, SilentCircle seem to have deprecated their standalone clients in deference to their turnkey payware systems.
Subrosa
In-browser tool. Not really what we are after.
Telegram Messenger
- Be federated with an open source server. The server is currently closed source. Federated open source services appear to be planned. From the FAQ:
Q: Why not open source everything?
All code will be released eventually. We started with the most useful parts – a well-documented API that allows developers to build new Telegram apps, and open source clients that can be verified by security specialists.
- Offer privacy and security protections by default. For the highest security (i.e., full marks from EFF), secret chats can be used. See the FAQ. Also, the privacy policy is encouraging. Questions have also been raised regarding the solidity of its encryption.1)
- Not require a phone number to create an account. The only way to open a Telegram account is by using an SMS-enabled phone number.
- Not require your phone number to be divulged to everyone with whom you communicate. The path of least resistance for using Telegram is to use your phone number as your identifier; however, username identification is possible. See Telegram use notes for more info.
Additional vetting of the founders' financial and other interests is required before a firm recommendation can be made. However, the founders seem not to be invested with VKontakte any longer, and the operation is based in Berlin.
TextSecure
Open Whisper Systems' partnership with WhatsApp/Facebook renders any security and privacy provisions suspect. Whatever lives within WhatsApp/Facebook is effectively governed by WhatsApp/Facebook privacy and security. In the absence of additional information, this renders this option ineligible for further consideration.
Tox
Relative newcomer Tox doesn't appear on the EFF's list. A more complete evaluation is pending, but initially this looks like a winner.
Recommendation
Tox needs a more complete evaluation, but on the surface it is encouraging. Telegram comes close to a recommendation, but the questions surrounding its encryption, its use of your phone number as the primary source for identification, and its clunky use of usernames make an enthusiastic recommendation difficult.