Is Your Messaging App Really Secure?
Messaging applications are one of the most, if not the most, important apps that we use every day. Whether it's to stay in touch with family and friends across the world, contact coworkers, or run business operations, messaging apps like WhatsApp, iMessage, Skype and Facebook Messenger play an important part in our daily communications.
We often share things such as personal pictures, business secrets and legal documents on messaging apps, information that we don't want to make available to the wrong people. But how far can we trust our messaging apps to protect all our confidential messages and sensitive information?
Following are some guidelines that will help you assess the level of security that your favorite messaging app will provide.
A Few Words on Encryption
Of course, all messaging platforms profess to encrypt your data. Encryption uses mathematical operations to scramble your data in transit so that eavesdroppers cannot read your messages.
Proper encryption makes sure that only the sender and the recipient of a message will be aware of its content. However, not all types of encryption are made equal.
The most secure messaging apps are those that offer end-to-end encryption (E2EE). E2EE apps store decryption keys on users' devices only. E2EE not only protects your communications against eavesdroppers, but also makes sure that the company that hosts the application won't be able to read your messages. This also means that your messages will be protected against data breaches and intrusive warrants by three-letter agencies.
More and more messaging applications are providing end-to-end encryption. Signal was one of the first platforms to support E2EE. In recent years, other applications have adopted Signal's encryption protocol or have developed their own E2EE technology. Examples include WhatsApp, Wickr and iMessage.
Facebook Messenger and Telegram also support E2EE messaging, though it's not enabled by default, which makes them less secure. Skype also added a "Private Conversation" option recently which gives you end-to-end encryption on one conversation of your choice.
Google's Hangouts does not support end-to-end encryption, but the company provides Allo and Duo, text messaging and video conferencing apps that are end-to-end encrypted.
Message Deletion
There's more to security than just encrypting messages. What if your device or the device of the person you're chatting with gets hacked or falls into the wrong hands? In that case, encryption will be of little use, because the malicious actor will be able to see messages in their unencrypted format.
The best way to protect your messages is to get rid of them when you don't need them anymore. This makes sure that even if your device becomes compromised, malicious actors won't get access to your confidential and sensitive messages.
All messaging apps provide some form of message deletion, but again, not all message removal features are equally secure.
For instance, Hangouts and iMessage enable you to clear your chat history. But while messages will be removed from your device, they will remain on the devices of the people you have been chatting with.
Therefore, if their devices become compromised, you'll still lose control of your sensitive data. To its credit, Hangouts has an option to disable chat history, which will automatically remove messages from all devices after each session.
In Telegram, Signal, Wickr and Skype, you can delete messages for all parties to a conversation. This can make sure that sensitive communications don’t remain in any of the devices involved in a conversation.
WhatsApp also added a “delete for everyone” option in 2017, but you can use it to delete only those messages you’ve sent within the last 13 hours. Facebook Messenger also added an “unsend” feature very recently, though it only works for 10 minutes after you send a message.
Signal, Telegram and Wickr also provide a self-destructing message feature, which will immediately remove messages from all devices after a configured period of time passes. This feature is especially good for sensitive conversations, and saves you the effort of manually wiping messages.
Metadata
Every message comes with an amount of auxiliary information, also known as metadata, such as sender and receiver IDs, the time a message was sent, received and read, IP addresses, phone numbers, device IDs, etc.
Messaging servers store and process that kind of information to make sure messages are delivered to the right recipients and on time and to enable users to browse and organize their chat logs.
While metadata doesn’t contain message text, in the wrong hands, it can be very harmful and reveal a lot about users’ communication patterns such as their geographical location, the times they use their apps, the people they communicate with, etc.
In case the messaging service falls victim to a data breach, this kind of information can pave the way for cyberattacks such as phishing and other social engineering schemes.
Most messaging services collect a wealth of metadata and, unfortunately, there's no sure way to know what type of information messaging services store. But from what we know, Signal has the best track record. According to the company, its servers only register the phone number with which you created your account and the last date you logged in to your account.
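To make the metadata point concrete, here is an added example (not from the article or any of the apps it names) that builds a small, constructed set of per-message metadata records with no message text, shows two things a breached full-retention store would reveal about a user, and contrasts that with a minimised store shaped like the one the article attributes to Signal: phone number plus last login date. The phone numbers and IP addresses are made-up documentation values.

```python
"""Added example: what message metadata alone reveals, versus a minimised store."""
from collections import Counter, defaultdict
from datetime import datetime

ALICE, BOB, CAROL = "+15550001", "+15550002", "+15550003"

# Constructed sample records: only the metadata fields the article lists, no text.
RECORDS = [
    {"sender": ALICE, "receiver": BOB,   "sent": "2019-03-01T08:05:00", "ip": "203.0.113.7"},
    {"sender": ALICE, "receiver": BOB,   "sent": "2019-03-01T08:20:00", "ip": "203.0.113.7"},
    {"sender": BOB,   "receiver": ALICE, "sent": "2019-03-01T09:00:00", "ip": "198.51.100.4"},
    {"sender": ALICE, "receiver": CAROL, "sent": "2019-03-02T22:30:00", "ip": "203.0.113.9"},
    {"sender": ALICE, "receiver": BOB,   "sent": "2019-03-02T23:10:00", "ip": "203.0.113.9"},
    {"sender": CAROL, "receiver": ALICE, "sent": "2019-03-03T07:45:00", "ip": "192.0.2.33"},
]


def contact_graph(records):
    """Who talks to whom, and how often: recoverable from sender/receiver IDs alone."""
    graph = defaultdict(Counter)
    for r in records:
        graph[r["sender"]][r["receiver"]] += 1
    return graph


def profile(records, user):
    """Hours of day a user is active and the networks they connect from:
    recoverable from timestamps and IP addresses, again without any message text."""
    hours, ips = Counter(), set()
    for r in records:
        if r["sender"] == user:
            hours[datetime.fromisoformat(r["sent"]).hour] += 1
            ips.add(r["ip"])
    return {"active_hours": dict(hours), "ip_addresses": sorted(ips)}


def minimised_store(records):
    """Data-minimised server state: per account, only the phone number and the
    date of last activity (sending counts as being logged in). Per-message rows,
    recipients, times of day and IP addresses are never retained."""
    last_login = {}
    for r in records:
        day = r["sent"][:10]  # ISO dates compare correctly as strings
        if day > last_login.get(r["sender"], ""):
            last_login[r["sender"]] = day
    return last_login


if __name__ == "__main__":
    print("full store exposes:", dict(contact_graph(RECORDS)[ALICE]), profile(RECORDS, ALICE))
    print("minimised store exposes:", minimised_store(RECORDS))
```

A breach of the full store yields a contact graph, activity hours and network locations for every user; a breach of the minimised store yields one date per phone number.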
Transparency
Every developer will tell you their messaging app is secure, but how can you be sure? How do you know the app is not hiding a government-implanted backdoor? How do you know the developer has done a good job at testing the application?
Applications that make the source code of their application publicly available, also known as "open-source," are more reliable because independent security experts can examine and confirm whether they're secure or not.
Signal, Wickr and Telegram are open-source messaging apps, which means they have been peer-reviewed by independent experts. Signal in particular has the support of security experts such as Bruce Schneier and Edward Snowden.
WhatsApp and Facebook Messenger are closed-source, but they use the open-source Signal Protocol to encrypt their messages. This means that you can at least rest assured that Facebook, which owns both apps, won't be looking into the content of your messages.
For fully closed-source applications such as Apple's iMessage, you must fully trust the developer to avoid making disastrous security mistakes.
To be clear, open-source doesn't mean absolute security. But at least you can make sure that the app isn't hiding anything nasty under the hood.