Best Secure Instant Messaging Apps for 2021

Captions
In this video I'll compare some well-known instant messaging platforms. I'll focus on the platforms that are open source, and the other requirement is that they must have end-to-end encryption for both group and two-party conversations. The apps selected are Signal, Briar, XMPP, Matrix.org, Threema and Session, and just so you understand the dangers, I'll compare these to WhatsApp. Some of these have acceptable use cases even though there may be some imperfections related to privacy. Then at the end I'll pick which ones stand out from the others in 2021, and why. The comparison, of course, will be based on whether they do a good job for privacy, not just message encryption, which are actually two different things. So stay tuned.

[Music]

I'm on the video platform Odysee.com; you can follow me there using the link in the description. You all need a VPN to protect your privacy. I run my own VPN service for those that want to be on the down low, and it's Bytes VPN. It comes with Tor, Pi-hole for ad blocking, and servers worldwide. Your purchase of a VPN subscription supports this channel and it's so appreciated.

When looking at secure and private instant messaging solutions, there are certain issues that are important to consider. Let me explain what some of these are.

Each product may have a particular design objective. Some are anti-censorship, some are to protect against government tracking or use for group communications in a protest, some are focused on privacy. Obviously I'm focused on the privacy part, but because of different use cases some are really good for specialized uses, and I'll make sure to bring that up.

As mentioned in my other videos, metadata can be very revealing. Message content can be inferred just by knowing details like who you're talking to, how frequently, and the length of the message. Some platforms collect contact info and spread it in contact lists. Some products require a phone number or an email address. In general, the collection of identity information is a big negative.
Centralized reading and collection of contact lists and phone numbers is a big no-no to me because this is one of the worst things that you can do for privacy. It basically connects people with a relationship map, which is used with extreme frequency by three-letter agencies, and they use it to analyze connections between people, and I'm sure by platforms like Facebook.

Proprietary systems will often lie about support for end-to-end encryption. Just because they state that there's end-to-end encryption doesn't mean it's the case. Plus, the metadata collection can be done without being stated at all. In general, for privacy reasons, I'd stick to open source. In some cases, some apps like WhatsApp will state the open source protocol they use for encryption. It's not perfect since you don't know how they implemented it, but at least it's better than nothing. Then there are apps like iMessage and Skype that are claimed to have end-to-end encryption, but you would be foolish to believe that since there's no way to verify this claim. Skype, for example, is subject to a U.S. law called CALEA, which would allow for tapping of a conversation if requested by law enforcement. So ignore the hype; go for something verifiable.

There are actually two kinds of end-to-end encryption. One is the regular two-party encryption that has existed for a while with apps like Signal and Telegram, and lately many more apps are promising end-to-end encryption for group messages. For this video I'm only considering apps that offer both.

It is important for usability to know how to have people contact each other on the app. In some cases platforms require an exchange of keys, like GPG, which is very tedious to manage. Some require out-of-band sharing of a friend connection. Some are very simple and are like email, where you just have an identifier that's easy to transmit.

Some promising platforms only work on mobile phones, some only work on Android, and some work on both mobile and PC. I would prefer those that work with the most
number of platforms.

Can you run your instant messenger on different platforms simultaneously? Some are tied to a device, so you need to migrate from one to the other; you can't be active on multiple devices. And some allow multiple devices.

Is there a central server managing the messaging? This can be one point of failure. A government could shut down a central server; a three-letter agency could monitor traffic to a single entity. And some are based on many independent servers, similar to the way email works. This is called federation. Email is federated: like gmail.com, outlook.com, those are different servers. Peer-to-peer means that the actual messages are exchanged from device to device directly and there's no central storage. Some work in combination: the metadata and notifications are centralized, but the actual message passing occurs peer-to-peer.

Is the internet required? An interesting concept here, but some of these messaging apps will function without an internet connection or with occasional internet. This is helpful for certain use cases. This introduces some limitations too, but some specialized users could find this of value.

Now that we understand the issues that need to concern us, let's apply this analysis to specific apps and platforms and we'll see which of these matter in 2021.

Signal

Signal is an old-timer. It is open sourced. The Signal protocol for end-to-end encryption has withstood the test of time, and it is in fact used in some variation by many of the other messaging platforms using end-to-end encryption. There was a recent claim that the security company Cellebrite broke Signal. Cellebrite is basically into collecting information for law enforcement. I believe this is an Israeli company. Kind of scary what the focus of this company is, so it was concerning when they made the claim about breaking Signal, but apparently it was a false alarm. The message transport is still secure. What happened was that they apparently are able to read the messages stored on the phone locally
and this requires physical access. But this is likely true of all apps: assuming you first break the security of Android or iOS, then we can assume that you can log in and see what's in the apps.

Signal is very practical because it also includes support for voice over IP (VoIP), or voice calling, and video chatting between two people. This is not often available on other apps. But Signal has disadvantages. It requires a phone number and it collects contact lists, which they then use to alert other people that have your phone number. This centralized collection of data, even if someone claims that they are hashed, is easy to use to create relationship maps, which draws connections between people and exposes it potentially to third parties. Phone numbers, of course, are tied to real identities, since KYC (know your customer) laws often mean you give your ID, name and address to get a phone number. Signal is working on removing the phone number requirement, so this may change in the future, but at least in 2020 up to 2021 it's gonna be like this. Signal only works on iOS and Android, so there's no way to communicate using a computer. It also works with a single device at a time.

Briar

Briar is a newer app that you will often hear mentioned within cyber security circles. It's pretty unique among the messaging systems because it's made to run peer-to-peer. It is open source. It has no central server. However, the question I have, and this requires more digging, is that peer-to-peer means that it has to announce a current IP address and port somewhere, and that's how peer-to-peer works, but then once that is known devices can connect directly. It is not explained how it manages the peer-to-peer sites without some intermediary, but there has to be an intermediary. What is clear is that the actual messages are transported only from phone to phone. And by the way, this only works on Android phones, so that's a particular limitation. It also works with one device at a time. It's also not simple to add contacts. If
you're physically close, you can exchange identifiers using a QR code, and you can find yourselves in a Wi-Fi or Bluetooth network. On the internet, you'll need to use some out-of-band method of passing identifiers so the devices will sync. So it's a little inconvenient to use for normal, average day-to-day messaging. It's a more powerful concept for use by people with some serious government avoidance issues, like activists, whistleblowers and journalists. When Briar uses the internet, it uses Tor, so when it passes peer-to-peer connection info it is likely obfuscated from view.

Now, because it is peer-to-peer, it requires that devices having a conversation must always be awake. This is not possible on an iPhone, and that is why they don't support an iPhone. Also, because there's no forward and store option, it can cause messages to be delayed and thus affect the ability of this platform to function as instant messaging. It's not suitable for large groups of general contacts. It certainly cannot be a substitute for texting, which an app like Signal can handle well. But it is unique in its handling of peer-to-peer communications and the only one that can work without an internet. It can use any Wi-Fi in a LAN and Bluetooth.

Matrix

Matrix has grown to be very popular. It's actually made up of two distinct parts and we have to be very clear on what's being discussed. The protocol itself is managed by Matrix.org, and in theory anyone can build any client application to work with a Matrix server. The most popular client used in Matrix is the app called Element, or previously known as Riot.im. This is what most people use when they claim to be on Matrix. Element is a for-profit company, so it actually sells subscriptions to a Matrix server. Matrix is more than just a messaging platform. It's actually a protocol for exchanging different kinds of data from different sources, and because of this it is more complex. Matrix has the capability to integrate with other messaging platforms like WhatsApp, Telegram
and Signal using software called bridges, so this gateway concept is an interesting approach.

As a messaging platform, Matrix is open source and does not require a phone number, and it features end-to-end encryption. It is presumably built using the concept of federated servers, so many servers can be running Matrix. However, this is only theoretical. Because Matrix is such a resource hog and most people on Matrix use Element, it turns out that the bulk of the users will be in a few servers. Likely one-third of all users are on matrix.org itself and the bulk of the rest on element.io servers. So though this is thought of to be federated, in practice that's not the case. It's mostly centralized, and it gets more centralized when you think of the metadata. For example, there's a central identity server called vector.im which not only verifies people's identities but also stores metadata like email and phone number, and this central identity server is contacted by all servers. I'm sure this kind of ease of finding parties is what propelled Element and Matrix to popularity, but I think it's kind of a sellout approach, since for privacy reasons I wouldn't call Matrix private at all. Relationship maps, identifiers of all sorts, even IP addresses could be collected with interactions with Matrix modules. So frankly, even with end-to-end encryption, Matrix's strength is not about privacy. I would not consider this a real instant messaging secure solution. Its main objective actually is laudable, by providing a way to have data flow outside of any big company like Google or Facebook. Its main purpose is to prevent data collection by the large companies. I would look at it more like group social media with some strong security features, because it's meant more to access social groups. End-to-end encryption is not automatic; you have to specify it. As I mentioned earlier, most people who use Matrix use the app Element, which is available both on phones and a PC.

XMPP

XMPP, previously known as Jabber, is a very established
instant messaging protocol. At its most basic level it is based on transporting data in XML format. The XMPP protocol is very popular but hidden. It is actually the messaging protocol built into WhatsApp, Zoom and Google messaging, and it's also used by large entities like the NSA, the US military, the German police, to name a few. The biggest user of XMPP is WhatsApp, but it basically took the open source and revised it, and WhatsApp opera is closed source now, so whatever changes they made to XMPP is not shared with the XMPP community.

XMPP is an example of a truly federated platform. There are hundreds of public servers supporting XMPP and maybe thousands of private ones. Although some are private, like I mentioned, the bulk interoperate with each other. In a lot of ways, communicating via XMPP is like email. I run my own XMPP server, which is not xmpp.brexit. I have an XMPP address, which is rob braxman at xmpp.bracks.live. It looks like email and it's easy to share, so in theory anyone can send me a message as long as you know my XMPP address. This makes it very usable. You can choose to join any XMPP server, but the neat thing about XMPP is that if you run your own server, you are completely private since no one else can see your server. No different than running your own email server, except that XMPP features end-to-end encryption using a newly added feature the last few years called OMEMO, and this is the end-to-end encryption, so no one else can read the content even on the server, not like email. But corralling yourself to your own XMPP server limits the spread of metadata. XMPP also requires no identity, since just like email you can invent any name. In my case I used an open source server software called Prosody, which is fairly easy to install. XMPP is very efficient. One small server can support thousands and thousands of users, maybe even a city.

XMPP is actually just a protocol, so you have to use different apps depending on the platform. On Android, the best app you can find is called
Conversations. On iOS there's Siskin IM and Monal. On desktop PCs the one to use is Gajim, and it works on Windows, Mac and Linux. So basically XMPP works on everything. Now, not every server supports all the XMPP features like voice over IP, file storage, video and so on. Some of that requires the app Jitsi. But the messaging part is universal. It also works with multiple devices simultaneously. The main advantage to XMPP in my mind is that there's no required identity, and that makes it private as heck and very secure with the OMEMO encryption. The biggest negative of XMPP is that it is not as flashy as other platforms, primarily because apps are not as popular, so there's not as much of an investment in the UI as the other platforms. And I'm not counting apps like WhatsApp that use XMPP.

Threema

Threema is used heavily in places like Germany. It has end-to-end encryption and was recently open sourced. It has centralized servers in Switzerland and also has centralized authentication. The good news is that it doesn't require an email or phone number. In theory, they claim the message storage is just a forwarding function; actual messages are removed after they're forwarded, so the actual messages are using each individual device for long-term storage. The main problem relates to privacy. Threema uses centralized authentication and it actually uploads contact lists to the central server. Supposedly the contact lists have hashed phone numbers and such, but this is not much protection from a security point of view. The issue is that relationship maps between individuals talking can be quickly derived from the centralized communication metadata and the identities that are further carved in stone with public keys that are centrally stored. There are no particular features stated to obfuscate other identifiable data like IP addresses and so on. So while this may be a secure solution, it would not pass privacy muster in my book. This product, by the way, was not previously open source, so this was opened up recently
and I think they claim they passed a security audit. I don't question whether they are secure or not, but security and privacy are two different things, and I'm sure this does not improve on Signal at all. It has voice message storage, but there's no support for voice over IP or video calling like Signal, and the only reason I mentioned this is because I'm looking for some redeeming factor that would make me choose it over Signal, which has the same glaring privacy deficiency.

Session

Session is a bit different, even just from its economic model. Session itself rides on another network for blockchain called Lokinet, which uses the Loki cryptocurrency, and those who support this network are incentivized by getting paid in Monero. The participating server nodes also have to put a large stake in before they can provide network services, and trust in each server affects the price of the stake, so there's a financial cost-reward relationship that's tied to the trusted server a node provides. I'm not sure how Session will be monetized to pay for resources; not clear on this at the moment, but I would imagine this will come up later.

By its nature, the communications between parties are controlled by replicated node servers, so negotiated conversations and the actual conversation data can flow through any of the servers. This makes it bulletproof in theory against government censorship: many servers, many ways of passing a message, and all communications using onion routing like Tor, so everything loops through at least three servers. I'm not clear on whether, post negotiations between devices, some messages are passed peer to peer. It does have a post and forward capability like email. The actual code of passing data between the servers is based on the actual code from Monero, so obfuscating identity is definitely a strong feature. Session is cross-platform, it's open source, supports end-to-end encryption fully, and is actually introducing a new protocol that is not based on Signal. All traffic inside Session
is passed through the Lokinet, which as I said operates using onion routing like Tor, so that's how the actual identity data is disconnected from the actual user. But since the users aren't as many as Tor, they fully admit it's not as unbreakable as Tor is at the moment. Of all the products out there, this is the only one that clearly focused on the elimination of metadata. Their white papers demonstrate a very sophisticated understanding of privacy threats, not just security threats. However, it is very new and not yet mature. I think this is something to watch out for in the future, because the thought process for privacy is the most sound.

WhatsApp

Now let me talk about WhatsApp, just to contrast it with the other platforms I just mentioned. WhatsApp is ultra popular, of course, particularly in certain countries. The actual communication protocol is running XMPP and a lot of the encryption is based on the Signal open source. The dangerous aspect of WhatsApp is the intentional data collection. Zuckerberg lures you into supposed secure messaging in that your messages cannot be read. This is the claim. We cannot really be certain because, of course, WhatsApp is not open source. But it is clear that the metadata is collected and matched to Facebook and Instagram accounts. Remember that Facebook is unique because it is one of the few platforms that mandate having a real identity, which is crowdsourced to be accurate. This sharing with Facebook is very clear because it is stated in the terms of service. That makes this app a very dangerous thing for truly secret conversations. If you're talking to your Facebook friends on WhatsApp, the damage is already done by being on Facebook. And I've given the scenario many times: someone is having an affair and decides to use WhatsApp, but now Facebook knows who's talking to whom. The fact that the users are not connected on Facebook, the time of conversations, the patterns of conversation like length: it is pretty easy for a Facebook AI to identify who's having
secret relationships, since Facebook knows everyone's real identity. So frankly, this is a very stupid app to use. This app has nothing to do with privacy. It's a way for Zuckerberg to lure you into his kingdom so he can spy on you more. It's not open source, I don't trust any group discussions to be encrypted, and it is tied to the most dangerous platform for privacy on earth. Dump it.

Standouts

Among this group of instant messaging apps, I'm going to recommend three, but each has a different use case. I can imagine that some might find occasion to stick to three depending on the situation. I think these three stand out in particular ways.

Number one standout: XMPP, for communicating with people you don't know

XMPP stands out as the best way for communicating with people you don't know. It's basically like email except that it offers full encryption, so you never have to worry about your messages being read. XMPP requires no identity, so the metadata is minimal to non-existent. If you run your own server, it is non-existent. Since it can operate with many hundreds of servers, it is not likely that the metadata can be centrally collected. This is the best example of a federated network of servers. I've opened up my own XMPP server, which is xmpp.braxt.live, which I offer for free. You can use it if you want. I do not offer file storage or advanced services, though; it's primarily for text message. Other companies like conversation.im offer paid servers that provide more extensive support for advanced features. XMPP is great for a business because it can build a completely private communication system using publicly available modules that work on any platform. You can restrict membership on a server if you wish, yet it can be reached by other XMPP servers simply by giving your XMPP address, which is like an email address.

The big negative with XMPP is that not all XMPP clients are equal. Some clients like conversation.im on Android work flawlessly with OMEMO encryption and other features.
The Gajim client on desktop computers works with all platforms, but it is not an attractive app. It is very simplistic with limited formatting and there are occasional glitches. On iOS the options are Monal and Siskin IM. There are others, but these seem to have good reviews. It is very easy for anyone to reach anyone else since an XMPP address is like an email address. My XMPP address, like I said, is rob braxtman at xmpp.bracks.live, but I get hundreds of messages so it is not possible for me to respond to you all.

Number two: Signal, for communicating with people you know

As I mentioned earlier, the biggest negative to Signal is the metadata dispersed with the phone number and contact list, which is also the exact same problem as Telegram and WhatsApp. But we can discount this problem if you use Signal with people who already know your phone number. Since no new information is being sent out, it is not a problem at all to use it with family, friends and known business associates. What makes Signal stand out is that it is the best in class with voice over IP and video calling for two parties. It is not perfect. It is still possible that some data leaks with video streaming using something called a TURN server. I discussed this in my video on video streaming options. But it is really a nice app and it works very well. It's easy to get family members to use it. You can even handle all your texting through Signal so all messages go only to one app.

Number three: Briar, for communicating with super secrecy

Briar works for small groups that have fixed contacts. This could be a good use case, like for spies. It has limited use for uncoordinated groups because it only works on Android. It is not really instant messaging per se, since both devices have to be online or some preset intermediary needs to be online. But there's a cool factor to not needing an internet connection. People in the same household or office could have an invisible conversation using Briar. I'm not sure it's convenient enough for
use by executives of a company, for example, but I think that non-internet peer-to-peer use is unique, and all traffic passes through Tor, so that means you don't worry about the metadata. It's not easy to use because you have to exchange QR codes physically or pass identifiers out of band, but if you work like a journalist, where you meet up and then you disperse, this could really allow truly secret communications. Definitely overkill for privacy, but a possibly fun option. I don't know how well it would work in a protest situation with a crowd unless large numbers of people are pre-connected, so maybe that's not its strength, but it's a very unique product.

Obviously there are many, many products that I did not mention, many because they're not open source, so I don't really have any way to verify their claims. I'm not going to tell you not to use any particular secure messaging system except for those owned by Facebook. Just be careful about using apps that rely on phone numbers. Otherwise, use what you wish as long as you understand the risks to security and privacy. There's no absolute when choosing a messaging platform. Maybe in 2022 I might have a different list of standout secure instant messaging platforms. Maybe Session will get into the list. In the meantime, the more you use secure instant messaging solutions in 2021 and rely less on email, social media and texting, the safer you will be.

This will be my last video for the very weird year of 2020. Fortunately, it's been a blowout year for my channel and I'm thankful that my message is being heard. Please subscribe and get notifications from me. This is really important to my channel and I really appreciate your support. See you next time.
Info
Channel: Rob Braxman Tech
Views: 182,755
Keywords: internet privacy, tech privacy, internet privacy guy, signal, matrix.org, element, xmpp, jabber, threema, session, whatsapp, open source messaging apps, secure messaging apps, best secure messaging apps for 2021, best messaging apps, comparison of messaging apps, end to end encrypted messaging apps, best e2ee apps, which messaging apps are best for privacy, review of secure messaging apps 2021, review of messaging apps 2021, secure messaging, briar
Id: ke8pXQQPaIw
Length: 28min 55sec (1735 seconds)
Published: Thu Dec 31 2020