Comparing the security aspects of messaging applications that can be used on smartphones and PCs



The "Secure Messaging Scorecard" is a table comparing the security of 39 applications, such as messaging and video call applications, that can be used on smartphones, tablets, PCs and so on. It covers messaging applications that many people use, such as Skype, Facebook chat and Google Hangouts, as well as iMessage, which is used from "Messages" on the iPhone, so you can check at a glance how secure the applications you casually use to contact friends and family really are.

Secure Messaging Scorecard | Electronic Frontier Foundation
https://www.eff.org/secure-messaging-scorecard

The "Secure Messaging Scorecard" looks like this. The application names are in the pink part, and the blue text above them lists the security check items. A check mark under an item means the application clears it; a red mark means the requirement is not met.


The check items examine the following points.

◆ "Encrypted in transit?"
All of the user's communications must be encrypted along every part of the communication route. However, encryption of metadata such as user names and address information is not considered.

◆ "Encrypted so the provider can't read it?"
This criterion is based on the idea that the user's communications should be end-to-end encrypted. The message is encrypted so that its content cannot be intercepted along the communication route, but it has to be decrypted after delivery. The key for decryption is said to be generated and stored on the side that receives the message, not on a server in the communication route or by the user who sent the message.

◆ "Can you verify contacts' identities?"
This item checks whether there is a way to verify the identity of the user or the communication partner, for example when the service provider or another third party is compromised. The scorecard only requires that such a mechanism be implemented; its usefulness and security are not evaluated.

◆ "Are past communications secure if your keys are stolen?"
All communications must be encrypted and decrypted with temporary keys, and those keys are deleted after a period of time. It is absolutely essential that these keys cannot be recovered afterwards.

◆ "Is the code open to independent review?"
This is whether enough source code has been published for a compatible implementation to be compiled independently.

Not everything has to be open source, but it appears necessary to disclose enough code to check for bugs, backdoors and structural defects.

◆ "Is security design properly documented?"
This is whether the encryption used in the application is clearly explained.

◆ "Has the code been audited?"
This is whether an independent security review was conducted within 12 months.
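
The "Are past communications secure if your keys are stolen?" item above, as an added example that is not part of the original article: a toy Python comparison of a session keyed from long-term keys with one keyed from temporary keys that are deleted after use. The group parameters, the SHA-256 stream cipher and every function name are assumptions chosen for illustration; real protocols also authenticate the temporary public keys with the long-term ones.

```python
import hashlib
import secrets

# Toy Diffie-Hellman parameters for illustration only (assumption, not a vetted group).
P = 2**255 - 19
G = 2

def keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def shared_key(priv, peer_pub):
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(32, "big")).digest()

def xor_stream(key, data):
    # Toy cipher: SHA-256 in counter mode; the same call encrypts and decrypts.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def send(sender_priv, sender_pub, recipient_pub, msg):
    # What an eavesdropper records: the sender's public value and the ciphertext.
    key = shared_key(sender_priv, recipient_pub)
    return {"sender_pub": sender_pub, "ct": xor_stream(key, msg)}

def decrypt(priv, record):
    return xor_stream(shared_key(priv, record["sender_pub"]), record["ct"])

def demo():
    msg = b"meet at noon"                      # constructed sample message
    alice_long, bob_long = keypair(), keypair()

    # Session 1: both sides use their long-term keys directly.
    static_rec = send(alice_long[0], alice_long[1], bob_long[1], msg)

    # Session 2: both sides use temporary keys, then delete them.
    alice_eph, bob_eph = keypair(), keypair()
    eph_rec = send(alice_eph[0], alice_eph[1], bob_eph[1], msg)
    bob_read_it = decrypt(bob_eph[0], eph_rec) == msg
    del alice_eph, bob_eph                     # temporary private keys are gone

    # Later, Bob's long-term private key is stolen and used on the recordings.
    stolen = bob_long[0]
    return (decrypt(stolen, static_rec) == msg,   # past traffic exposed
            decrypt(stolen, eph_rec) == msg,      # past traffic stays sealed
            bob_read_it)

if __name__ == "__main__":
    print(demo())
```
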

The scorecard for "Facebook chat", which lets you chat with friends on Facebook. It clears encryption on the communication route and the code audit, but fails everything else.


"FaceTime", the video call service that can be used on iOS devices, Macs and so on. The result is quite good, but the identity of the other user cannot be verified and the code is not disclosed, so it has two red marks.


The scorecard for "Google Hangouts", the Google communication application preinstalled on almost all Android devices. Its security is more full of holes than I imagined.


"iMessage", the instant messaging service used from "Messages" on iPhone and iPad and also available on Mac. It gets the same score as FaceTime, which is also made by Apple.


Completely anonymous SNS application "Secret"


The scorecard for "Skype", which offers video calls and chat.


Application that can send pictures that disappear within 10 seconds "Snapchat"


The free call and message application "Viber", which Rakuten acquired


A particularly popular messaging application in the West "WhatsApp"


The service ended in March 2014 "Yahoo! Messenger"


Of the 39 applications included in the survey, only six satisfied every item, and two others missed just one item.


In 2013, Edward Snowden's disclosures brought to light the government's interception of communications. In response, to answer the question "Which messaging applications are truly reliable?", the Electronic Frontier Foundation carried out an investigation together with Julia Angwin of ProPublica and Joseph Bonneau of Princeton University's Center for Information Technology Policy, and the scorecard showing the results is published as the "Secure Messaging Scorecard".

in Software, Posted by logu_ii