Not all messaging clients are created equal, and that counts double for messaging clients that promise some measure of security in their platforms. Secure messaging is hard to do, mostly because being totally secure means sacrificing some measure of convenience. It could be argued that striking the right balance of convenience and security is “good enough” for most people, but if you want the most secure messaging platform you can get on your phone or computer, that means doing your homework and researching these apps. Fortunately, thanks to a new messaging scorecard, the EFF has done a lot of the legwork for you.
Given the recent surveillance concerns, it’s not surprising to see such an intense focus on marketing how secure a messaging platform is. Secure messaging has always been important, but the recent attention has turned people who were merely interested in security into people who are outright concerned about keeping their communication away from prying eyes. While there are companies trying to sell entire hardware platforms focused on security, there are often apps you can install and behavior changes you can make on your existing device to make yourself more secure. The new EFF scorecard helps break down exactly who should be trusted with your secure communications and why, and like all of the other EFF scorecards, you can bet this will be a continuing effort.
Each of the seven key metrics has its own thorough explanation and methodology on the EFF site, so you can see exactly what is happening with these messaging platforms. While everyone on the list is encrypting your messages in transit, there’s more to offering a secure messaging platform than that. Based on these seven evaluation points, the EFF has found that CryptoCat and TextSecure are among the most secure messaging apps out there. Several other messaging platforms meet most of the other metrics, but the one key failure point for these clients is an independent security review. This isn’t hard to obtain, and as the EFF points out, “we do not require that the results of the audit have been made public, only that a named party is willing to verify that the audit took place.”
This doesn’t mean that Off-the-Record modes for things like Pidgin or Adium are insecure, just that they have not been put under the same level of scrutiny as CryptoCat and TextSecure. Ideally, this time next year the EFF will be able to update this scorecard and reveal that most of the messaging clients on the list have green checks across the board.