Open-Source Encrypted Messaging Making Strides
CHANCES ARE GOOD that you’re using crypto in your communications now. In fact, a lot of communication tools use some sort of encryption by default. That said, it never hurts to take stock of what you (and your contacts) are using and trusting every day.
Love him or hate him, Edward Snowden’s leaks spurred on the rapid adoption of private messaging and encryption platforms. And crypto isn’t just for spies, either. Whether it’s coming out to a trusted friend or engaging in activism, keeping communication safe involves trust. First, you have to trust the recipient of your message. But you also have to trust the medium.
Even without end-to-end encryption, most communications using major web applications are encrypted in transit with TLS. (If the URL you’re visiting starts with “https://” you’re using TLS.) But even with TLS, the service you’re using (such as Twitter or Facebook direct messages) is wide open to anyone who has access to your account or has a subpoena in hand. Luckily, a lot of people are using end-to-end encryption by default.
Facebook’s WhatsApp is the most popular messenger in the United States, and as long as someone is communicating over data, their conversation is protected. While WhatsApp is proprietary, its crypto is sound. In fact, it uses the same protocol as Signal, the open-source secure messenger.
While I have to stress that WhatsApp is still pretty darn secure, I like knowing that an application is both secure and open-source. While there are other options available, the big juggernauts in the room are PGP, Keybase, and Signal.
What has caught my eye lately is how far Keybase has come. Keybase started as an alternative to traditional PGP keyservers, offering ways to authenticate a PGP public key through a user’s Facebook, Twitter, and GitHub accounts. In 2017, Keybase added support for messaging, secure file sharing, and Slack-like chat functions.
Signal has made great progress as well. Group chats, audio calls, and video calls all work quite well. On top of that, there is finally a standalone desktop client for Linux that doesn’t require you to run it as a Chrome app. That’s no small thing, either: It means that you can type out longer messages that might be tedious to do with your thumbs. The desktop app also allows you to attach documents and other files, which can be useful if you want to share something besides a photo. It also means that newly converted Firefox Quantum users don’t have to hang on to Chromium just to get Signal on their desktop.
And fret not, Windows users: Both Signal and Slack are now available as desktop apps on Windows as well.
Finally, there’s good old PGP itself. While PGP is used to encrypt email, you can also use it to sign and encrypt files. With PGP, you can encrypt files and share them with an intended recipient over any untrusted medium.
While PGP is good from a technology standpoint, it still sucks in terms of user experience. PGP can be hellish for newbies to set up correctly, especially for those unfamiliar with the console. On top of that, key security (keeping the actual private key file secure) is a pain. In the years I’ve had PGP enabled in my email clients, I’ve never received or sent a PGPencrypted email. So, unless you have a bunch of friends who already have PGP keys, you probably don’t need to think too much about it.
Both Signal and Keybase are great tools, and way easier to use than barebones PGP, but they enjoy a much smaller userbase than WhatsApp. So which should you use? Whatever you can convince your contacts to use, of course. After all, it takes two to tango. All of the encrypted communication software in the world does you no good if nobody else is using it.