Whatsapp & Facebook conflicts of interest?

[joachimesque]

Following the dicussion in this PR: #82:

WhatsApp is owned by Facebook. Despite the use of end-to-end encryption there's an obvious conflict of interest. I think it should be at least placed at the end of the list, or even replaced by a open source alternative, like Matrix/Riot.im (it's also self-hostable, which is a good thing).

[rugk]

Yep, obviously suggesting WhatsApp as a "secure messenger app" is misguided…

It may be called "secure" as it uses Signal's e2e crypto, but even the WhatsApp founder left due to privacy concerns in WhatsApp. With the introduction of ads in WhatsApp, the connection of Facebook to WhatsApp and even their claims to merge the chat services or provide interoperability this can only get worse, so I totally agree WhatsApp should not be in that list.

[punksta]

I think this project should have some rules or checklists which will be used in reviewing new apps adding to lists. It needs definition of secure. secure for what? Enough secure for sharing bad black humor jokes? WhatsApp is more secure then ICQ, but less secure and much less privacy focused then jabber or matrix.

[joachimesque]

Tally of alternatives to Whatsapp:

• Signal (already on the website, open source)
• Jabber (self-hostable, open source)
• Matrix & riot.im, etc. (self-hostable, open source)
• Wickr (commercial)
• Threema (commercial)
• Keybase (client is open source, server is not)

I'd suggest selecting the most user-friendly alternatives. I love Jabber & Matrix but they're not the most easy to use. How are Wickr and Threema on that point?

I'm also partial to open-source when it regards security. The fact that anyone can check the source and propose fixes makes me trust a solution more. But perhaps this is not the right discussion for this subject (although it relates to @punksta 's point, as to which criteria fit the bill)

[mb130R]

I've previously used Wickr, and found it quite easy to use ...with the only downside being that most people I know, don't use it, or even know about it. I don't have any experience with Threema yet.

[brianlovin]

I think this project should have some rules or checklists which will be used in reviewing new apps adding to lists. It needs definition of secure. secure for what? Enough secure for sharing bad black humor jokes?

Agreed, we don't have clear rules on what should be added or not. In general a pretty major consideration should be "approachability for a non technical user" - this forces us to rule out a lot of great products that are geared towards a tech-savvy audience, which at times compromises total privacy/security. But that's the battle here, seeking the best of both worlds without going crazy.

[joachimesque]

I just came across this website, listing all the pros and cons of "secure" messaging apps: https://www.securemessagingapps.com/

The most security-focused messaging apps are Signal, Threema and Wire.

I'd suggest listing Signal and Wire first, as Threema is commercial (even though it has a lot of appeal and I'm considering trying it for myself), non-free apps can have a harder time getting adopted by a large part of the population.

From their website's About page:

So… which app(s) should I use?

• Signal. It’s completely open source, written by a well-known security expert, and its protocol is used in other messaging apps (e.g., Whatsapp & Wire). They’re funded by donations and grants, not corporate money that relies upon your data. Their implementation has been reviewed by security experts and cryptographers. It’s solid.
• Threema. If you’re looking to avoid Five Eyes/Fourteen Eyes, or you’d like to use an app anonymously, then it’s a good choice. They have a user pays model, their design is solid, and they have had the app independently reviewed. It is, however, closed source.
• Wire. Again, if you’re looking to avoid Five Eyes/Fourteen Eyes, then it’s a good choice. It’s not as well documented as Signal and Threema, although both their client and server are open source. It has been independently reviewed. Both Threema and Wire provide slightly different levels of security and privacy. I’d recommend them both equally for the average user.

Having used Signal with my family, I can say with certainty that non-technical users can use it without a problem.

[joachimesque]

I just made the PR #125. In it I removed iMessage and Whatsapp and replaced them with Threema and Wire for reasons cited above. I also replaced two resources that weren't reflecting the most accurate information relative to Whatsapp and iMessage, with securemessagingapps.com and an EFF series about secure messengers and why it's so hard to recommend one: https://www.eff.org/deeplinks/2018/03/secure-messaging-more-secure-mess.

If you have more remarks and additional resources to add, I'll reflect them in the PR.

[joachimesque]

I've been thinking of adding Keybase, but there's two things I'm unhappy about:

• not everything is open source
• it's centralized

Also, it uses the Bitcoin Blockchain so I'm not too happy about it—but more for environmental and ethical concerns.

Do you use Keybase? Do you like it?