Last week, a friend emailed me with a simple request for input: “Some friends of mine and I were talking about different options for encrypted emails and/or chat options. Social media is so public and easily accessed by anyone who knows how to hack, same with gmail or other email options. Since this is your area of expertise, I thought I would ask you for some recommendations.”
It was an interesting question. Now, I know where this friend was coming from, as I suspect you do. A lot of people are worried or even scared about current events. There’s a lot of misinformation, FUD, manipulation, and assumptions. Fortunately, I’m not going to talk about any of that! You’re welcome. Instead, I want to discuss steps that anyone can and should be taking to protect themselves from their worst-case scenario in this digital age.
Here is my response, edited slightly for posting. I responded:
Well, yeah, I do have recommendations. Here we go…
Wait! Let’s back up a second. It’s important to point out that social media, gmail, chat services, etc. are not actually “easily accessed”. To be more accurate: people are consistently the weakest link, and mistakes by the users are usually what make those services easy to access. In practice, this means a hacker usually doesn’t need to pull off some amazing technical wizardry to gain access to “secret” info. Here are a couple of scenarios of how someone can access your info:
First approach: an attacker goes through a Forgot Password flow and tries to answer the security questions. Unfortunately, people tend to select the easy questions like “What is your favorite flavor of ice cream?” Trivial to guess, since 90% of the population will answer “strawberry”, “chocolate”, or “vanilla”. Or, they’ll use publicly available “private” information, like mother’s maiden name. My mom is on Facebook, and there’s a good chance yours is, too.
Solution: to start with, the best thing someone can do is learn tricks to improve their own security, such as using specific nonsense answers. Mother’s maiden name? “Rick And Morty!” Favorite ice cream flavor? “Motor oil”. Model of first car? “General George Washington”. What was the name of your elementary school? “Darmok and Jalad at Tanagra”.
Second approach: an attacker can try passwords that were previously leaked in a breach on another site. Lists of credentials from breaches like Adobe, LinkedIn, MySpace, and more are readily available online. If someone uses the same email address and password everywhere, it’s trivial to get into their account by simply trying their credentials on other services. Popular ones that everyone uses like Facebook or online banking with large institutions like B of A or Wells Fargo are especially easy targets. Wonder if your passwords have been stolen? Check your email address and usernames at Have I Been Pwned? You can even sign up for alerts about future breaches!
Solution: use a password manager like 1Password, LastPass, etc. They all have password generators that can create secure passwords for you. They’re worth the time to learn how to use; they’re not particularly difficult to use, but it may require a minor adjustment to how you use the web. Consider it an investment. If a password manager is not an option for some reason (good reasons are very few!), then learn from XKCD and use passphrases rather than a password.
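An added example (not part of the original post) of what XKCD-style passphrase generation involves: words picked with a cryptographically secure random source, plus the arithmetic for how many words a given strength requires. The 32-word list is a constructed sample and the function names are hypothetical; the same random output also works as a nonsense security-question answer.

```python
import math
import secrets

# Constructed 32-word sample list so the example runs offline. Real use needs
# a large published list (for example a 7,776-word diceware-style list).
SAMPLE_WORDS = (
    "anchor", "basket", "candle", "dragon", "ember", "falcon", "garden",
    "harbor", "island", "jacket", "kettle", "lantern", "meadow", "nickel",
    "orchard", "pepper", "quartz", "ribbon", "saddle", "timber", "umbrella",
    "velvet", "walnut", "yonder", "zipper", "acorn", "bishop", "cactus",
    "dolphin", "engine", "feather", "glacier",
)


def entropy_bits(word_count, list_size):
    """Bits of entropy when each word is drawn uniformly at random."""
    return word_count * math.log2(list_size)


def words_needed(target_bits, list_size):
    """Smallest word count that reaches target_bits for a given list size."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(word_count, words=SAMPLE_WORDS, sep=" "):
    """Pick words with the OS CSPRNG; random.choice is not meant for secrets."""
    if word_count < 1:
        raise ValueError("word_count must be at least 1")
    if len(set(words)) != len(words):
        raise ValueError("duplicate words lower the real entropy")
    return sep.join(secrets.choice(words) for _ in range(word_count))


if __name__ == "__main__":
    # Four words from a 2,048-word list is the XKCD case: 4 * 11 = 44 bits.
    print("XKCD-style:", entropy_bits(4, 2048), "bits")
    # A small list needs far more words to reach the same strength.
    count = words_needed(44, len(SAMPLE_WORDS))
    print("sample list needs", count, "words:", generate_passphrase(count))
    # A stronger target with a 7,776-word list.
    print("80 bits needs", words_needed(80, 7776), "words from 7,776")
```

The strength comes from the random selection, not from the words themselves: a phrase a person makes up has far less entropy than the calculation suggests.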
Now let’s circle back to the actual question: what secure email and chat options do we have? First, we should answer two questions: “Secure from whom?” and “What security / functionality trade-off are you willing to tolerate?”
“Secure from whom?”
This is probably the most important question of all. Who do you want to keep information from? Here are some of the main concerns that I’ve heard from friends and family:
- People on the same network (ex: public wifi)
- Spouse / partner (ex: shared computer or phone)
- Corporations (ex: Facebook/Google showing you ads based on the contents of a conversation)
- Law Enforcement (ex: investigation into your activities)
- Government (ex: it’s not paranoia if they actually are after you… and the NSA really is watching!)
Undoubtedly there are more tiers in there, but you get the idea.
Usually, people are most worried about avoiding law enforcement, government spying, or info abuse by companies so those are the three that I’ll focus on.
Second question: “What security / functionality trade-off are you willing to tolerate?”
In the following, I’ll point out the drawbacks to each option. Usually, the main problems are either that a product is difficult to use, has a learning curve, or is available only for a specific operating system or device (Windows vs Mac, Android vs iOS). All of these options are solid, though, so if one meets the criteria required then I strongly recommend learning how to use it rather than writing it off as too difficult.
Secure email, two main options:
- GPG encrypted email. Using an open source, free set of tools from GPG or OpenPGP, you can create your own personal encryption. In practice, you use the software to create a public key and a private key. You can then share your public key with anyone, and they use it to encrypt messages or files intended for you. Only your private key will decrypt the content. Important: this has the benefit and drawback that the key will be associated with your email address; the key is more closely associated with you, and thus is not really anonymous (not easily, that is). This option integrates with Mail, Outlook, Thunderbird, and other mail clients for a lower-friction option, but may take a little effort to configure. Also, this option may not work well with mobile platforms, though OpenPGP does have Android and iOS options.
- ProtonMail (or similar) anonymous email service. Services like this provide email addresses to anyone that requests one, do not log where you’re connecting from (thus no tracking), and require no personal information to register. Assuming a user can keep their “real” life separate from this email address, they’ll have something resembling privacy, security, and deniability. The best of these, like ProtonMail, are hosted in neutral countries, meaning law enforcement would have a very difficult time subpoenaing any records (which don’t exist anyway). They often have mobile apps in addition to the web version of their service. Worth a look: PCMag recently published a great list of options.
Note: Gmail is the third option, sort of. In practice, Google has very strong security practices. However, Gmail does log usage and does collect information, so it’s not an anonymous service, but all email between Gmail users is encrypted. Gmail also does its best to encrypt emails that are sent to other email services. This is beyond the scope of this writeup, but the point is that if used correctly and thoughtfully (and not for anything illegal* / easily subpoenaed), Gmail may be a solid option.
Secure chat, three main options:
- “Off The Record” (OTR) plugin for chat clients. Available for free, this family of plugins integrates into existing chat clients like Adium and Pidgin. In short, the plugin does the same sort of public/private key encryption as described in PGP above. It also makes it as seamless as possible to use and will try to start automatically when chatting with someone else using OTR. The main drawback is that it relies on existing chat services like AIM (yes, that one, from AOL), ICQ, or GTalk and just adds a layer of protection on top of that; put another way, it is not a standalone product. Generally, usage will be limited to chatting on a computer, though ChatSecure (iOS) and Conversations (Android) look like excellent mobile options (that I have not personally used).
- In-app encryption: Skype. Skype is great in that it automatically encrypts all chats as well as encrypting saved chats so they’re secure even while stored on your computer. This is all automatic, requires no configuration, and just works. Awesomeness. On the flip side, though, it’s very likely that the encrypted data is recoverable by the product developer, Microsoft. In practice, Skype is a good option for protecting sensitive (but not illegal*) information like trade secrets or other topics that Law Enforcement and Government Agencies would not be especially interested in. Skype does provide both mobile and desktop versions of the app and is very similar to Apple’s Messages apps (aka iMessages) on iOS and OS X. Similar to Skype, all communication is encrypted and works seamlessly. In both cases, however, the message history is stored on the device and can be retrieved fairly easily by law enforcement and government.
- Secure chat apps: Signal and Wickr. There are a number of “secure” messaging apps on the app store. Most are terrible and should never be used, but two have emerged as leaders. The absolute best is Signal, available for iOS, Android, and desktop computers running Windows, Mac, or Linux (requires Chrome Browser, which you should be using anyway). The Signal application is doing everything right in terms of security and privacy, and has one of the very few “all green” ratings (no areas of concern) from the Electronic Frontier Foundation (EFF). Additionally, it has been reviewed and approved by security and encryption titans like Bruce Schneier and Matt Green, who have recognized Signal for building a spectacularly secure system with privacy and security as the top priority. In second place is Wickr, trailing Signal only slightly. Wickr (iOS/Android app name: “Wickr Me”) has focused on solving the same problems that Signal addresses, but loses a few points because they have not published the source code for review. Wickr does have the unique claim to fame of offering a massive $100,000 bounty to anyone that can break their system.
Bonus! Secure calls, two main options:
- Signal. I keep coming back to this app, and there’s a very good reason for that. In addition to their spectacular chat encryption, Signal has implemented the same technology in a voice call system and made it available in both the mobile and desktop applications. I won’t reiterate everything Signal is doing to earn my recommendation, but I will say that I am very impressed with this app and recommend it pretty much universally.
- Skype. This may seem like an odd one to include here but I decided to include it because there are valid uses where something like Signal doesn’t make sense. Consider, for example, an author working on a book; she may want to keep her calls with experts private and encrypted, but be able to record them for later quoting. Skype may not be as secure as Signal, but using Skype with a recording app would allow this sort of collaboration and is thus worth mentioning.
Alright, that’s a lot of info. What’s the best option? Well, that will depend on what you’re trying to accomplish and who you’re looking to communicate securely with. Chances are, the best solution will be a mix-and-match of the above.
Personally, I still use Apple’s Messages app for a lot of basic communication since I’m an iOS and Mac user primarily, and I’m usually not doing anything too questionable (note: this is mostly iMessages, virtually no text messages). If I need to chat with someone securely and reliably cross-platform while creating a secure record, I’ll fire up Skype. For anything that should be truly as secret as possible (or should not exist at all), it’s Signal all the way; I have the mobile and desktop app installed and, to be blunt, you should too**. In terms of email, I actually use Gmail for virtually all emails and have had no security issues. I do have a GPG public key published so someone can send me an encrypted message if need be, but that’s fairly rare.
That about covers it, with one glaring omission: if at all possible, NEVER write down or type out anything if there might be fallout as a result of it being revealed. To bring this full circle, most services are not “easily accessed”… but it does happen. Best not to take the risk if it’s avoidable.
* I mentioned “illegal” activities in this writeup and feel the need to clarify a little: I had in mind what I would consider “reasonable” activities that may be outlawed in a particular country, such as blaspheming in Sudan or questioning the government in Cuba. I was not talking about plotting a murder.
** This is really important: even if you believe that you don’t need something like Signal, I encourage you to download it anyway, even if you use it only occasionally. Somewhere, there is someone using these apps right now to fight against oppression and censorship, and every download makes it that much more difficult for oppressors and dictators to track them down. Consider a scenario where 5 people in a repressive country download an app and use it to plan a protest; they would be easy for the government to find and punish. Conversely, if 10,000 people download it and use it, tracking down the 5 protest organizers becomes incredibly difficult. I cannot overstate this: your download could literally be the difference between life and death for activists, freedom fighters, and journalists.
Want some additional reading? Check out the EFF’s Surveillance Self-Defense project.
Full disclosure regarding Signal: I do not have any share, ownership, or other interest in Signal. I simply believe in their product and motivations.