As part of an ongoing series, we’re highlighting the benefits and advantages of various end-to-end encryption tools for messaging, file storage, and secret management.

Many data transfer techniques in use today leverage point-to-point encryption. This approach protects data from point A to B, then B to C, then C to D and so on. Points B and C in this scenario can potentially obtain data to which they’re not supposed to have access; this can be a big problem. Instead, data should be encrypted first at point A, then sent along through these intermediary points to its final destination. Only the recipient at point D – the other “end” of the line – should decrypt the data. The only way to truly protect the information being exchanged is to encrypt it on both ends of the exchange.
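The difference between the two models, as an added example that is not from the original article: a Python sketch in which a message travels A → B → C → D over per-link keys, first protected only by link encryption and then sealed at A before it enters the links. The `seal`/`unseal` helpers are a toy encrypt-then-MAC construction built from the standard library as a stand-in for a real authenticated cipher; every name, the pre-shared end-to-end key and the sample message are assumptions.

```python
import hashlib, hmac, os

def _subkey(key, label):
    return hashlib.sha256(label + key).digest()

def _xor_stream(key, nonce, data):
    # SHA-256 in counter mode as a keystream (toy construction, not for production)
    stream = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, plaintext):
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = _xor_stream(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    """Verify the tag first, then decrypt; raises ValueError on tampering."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("authentication failed")
    return _xor_stream(_subkey(key, b"enc"), nonce, ct)

def relay(payload, link_keys):
    """Send payload A -> B -> C -> D; return (delivered, what B and C held in the clear)."""
    seen = []
    blob = seal(link_keys[0], payload)
    for inbound, outbound in zip(link_keys, link_keys[1:]):
        clear = unseal(inbound, blob)      # intermediary strips the link encryption
        seen.append(clear)                 # ...and holds this much in the clear
        blob = seal(outbound, clear)       # re-encrypts for the next hop
    return unseal(link_keys[-1], blob), seen

def demo():
    msg = b"meet at 10pm"                          # constructed sample message
    links = [os.urandom(32) for _ in range(3)]     # keys for A-B, B-C, C-D
    e2e_key = os.urandom(32)                       # known only to A and D (assumed pre-shared)
    _, p2p_seen = relay(msg, links)                # point-to-point only
    inner, e2e_seen = relay(seal(e2e_key, msg), links)   # sealed at A first
    return p2p_seen, e2e_seen, unseal(e2e_key, inner)

if __name__ == "__main__":
    p2p_seen, e2e_seen, received = demo()
    print("B and C see (point-to-point):", p2p_seen)
    print("B and C see (end-to-end):   ", [s.hex()[:24] + "..." for s in e2e_seen])
    print("D decrypts:", received)
```

In the first run B and C each hold the plaintext; in the second they hold only the sealed blob, and any change they make to it fails the tag check at D.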
Messaging

The Internet is fast enough to present an illusion of direct peer-to-peer communication. In reality, there are often several parties in between that handle routing messages from one location to another. If messages are delivered in plain text, these parties can eavesdrop, impersonate the sender or recipient, or even manipulate data in transit. Technology enabling secure communication from a client machine to a server (e.g. TLS encryption for secure web browsing) is already readily available. Let’s look at some options for creating secure communication from one person to another.
Signal

Under the hood, WhatsApp uses Open Whisper Systems’ Signal Protocol. That being said, the original publisher of the protocol also has its own secure messaging app for both Android and iOS: Signal. Like WhatsApp, Signal gives you both secure peer-to-peer text messaging and secure audio/video calling. Signal can automatically delete messages after a specified interval through its “disappearing messages” feature, whether or not the recipient has read the messages.

The biggest difference between Signal and WhatsApp isn’t the technology they use – they use the same communication protocols – it’s in the pace of development. Signal has a smaller team and ships features at a more conservative pace. Facebook is the owner and primary financier of WhatsApp; this relationship means developers can ship new features very quickly. Additionally, WhatsApp’s central focus is communication; Signal’s central focus is privacy. This impacts the decisions made by each team and the features they build into the app. As a result, WhatsApp collects account information and other metadata in order to better serve customers as a communication broker. Signal collects … just about nothing:
“Unlike WhatsApp, Signal doesn’t store any message metadata. Cryptographer and Open Whisper Systems founder Moxie Marlinspike told me that the closest piece of information to metadata that the Signal server stores is the last time each user connected to the server, and the precision of this information is reduced to the day, rather than the hour, minute, and second.” (Battle of the Secure Messaging Apps: How Signal Beats WhatsApp)

Enhanced privacy is the largest advantage of Signal. The disadvantage is a smaller user base with which to communicate. You’ll likely need to convince your peers to install the app.
Allo

Google’s app, Allo, is a newer offering that delivers many of the same features as Signal and WhatsApp. Allo provides a smooth, intuitive alternative to traditional SMS for both Android and iOS. Unfortunately, the biggest trade-off Google has made is in valuing user-focused perks over security.
Instead of encrypting all messages by default, Allo requires you to explicitly enable incognito mode to start an end-to-end encrypted chat. Enabling incognito mode will automatically encrypt messages as you send them; only the intended recipient can ever read them. Google made the choice to go this route as many of the features and benefits of Allo require allowing its own services to read your messages. Allo itself is a chat system that learns about you the more you use it, presenting custom-tailored responses to help you communicate more quickly. Unfortunately, relegating end-to-end security to an afterthought makes Allo the weakest of the three messaging applications.
Google's decision to disable end-to-end encryption by default in its new #Allo chat app is dangerous, and makes it unsafe. Avoid it for now. — Edward Snowden (@Snowden) May 19, 2016