end-to-end encryption - bitdefendercentralhub

Videocalls became much more widespread after the COVID-19 pandemic began, and they continue to be a popular alternative to face-to-face meetings. Both platforms and users soon got over the teething problems, and learned to take basic security measures when hosting videoconferences. That said, many online participants still feel uncomfortable knowing that they might be recorded and eavesdropped on all the time. Zoom Video Communications, Inc. recently had to offer explanations regarding its new privacy policy, which states that all Zoom videoconferencing users give the company the right to use any of their conference data (voice recordings, video, transcriptions) for AI training. Microsoft Teams users in many organizations are well aware that turning on recording means activating transcription as well, and that AI will even send premium subscribers a recap. For those out there who discuss secrets on videocalls (for instance in the telemedicine industry), or simply have little love for Big Tech Brother, there are less known but far more private conferencing tools available.

What can we protect ourselves against?

Let’s make one thing clear: following the tips below isn’t going to protect you from targeted espionage, a participant secretly recording a call, pranks, or uninvited guests joining by using leaked links. We already provided some videoconferencing security tips that can help mitigate those risks. Protecting every participant’s computer and smartphone with comprehensive cybersecurity — such as Kaspersky Premium — is equally important.

Here, we focus on other kinds of threats such as data leaks from the videoconferencing platform, misuse of call data by the platform, and the harvesting of biometric information or conference content. There are two possible engineering solutions to these: (i) hosting the conference entirely on participant computers and servers, or (ii) encrypting it, so that even the host servers have no access to the meeting content. The latter option is known as end-to-end encryption, or E2EE.

Signal: a basic tool for smaller group calls

We have repeatedly described Signal as one of the most secure private instant messaging apps around, but Signal calls are protected with E2EE as well. To host a call, you have to set up a chat group, add everyone you want to call, and tap the videocall button. Group videocalls are limited to 40 participants. Admittedly, you’re not getting any business conveniences such as call recording, screen sharing, or corporate contact-list invitations. Besides, you’ll need to set up a separate group for each meeting, which works well for regular calls with the same people, but not so much if the participants change every time.

Signal lets you set up videoconferences for up to 40 participants in a familiar interface

WhatsApp and Facetime: just as easy — but not without their issues

Both these apps are user-friendly and popular, and both support E2EE for videocalls. They share all the shortcomings of Signal, adding a couple of their own: WhatsApp is owned by Meta, which is a privacy red flag for many, while Facetime calls are only available to Apple users.

Jitsi Meet: self-hosted private videoconferencing

The Jitsi platform is a good choice for large-scale, fully featured, but still private meetings. It can be used for hosting meetings with: dozens to hundreds of participants, screen sharing, chatting and polling, co-editing notes, and more. Jitsi Meet supports E2EE, and the conference itself is created at the moment the first participant joins and self-destructs when the last one disconnects. No chats, polls or any other conference content is logged. Finally, Jitsi Meet is an open-source app.

Jitsi Meet is a user-friendly, cross-platform videoconferencing tool with collaboration options. It can be self-hosted or used for free on the developer’s website

Though the public version can be used for free on the Jitsi Meet website, the developers strongly recommend that organizations deploy a Jitsi server of their own. Paid hosting by Jitsi and major hosting providers is available for those who’d rather avoid spinning up a server.

Matrix and Element: every type of communication — fully encrypted

The Matrix open protocol for encrypted real-time communication and the applications it powers — such as Element — are a fairly powerful system that supports one-on-one chats, private groups and large public discussion channels. The Matrix look-and-feel resembles Discord, Slack and their forerunner, IRC, more than anything else.

Connecting to a Matrix public server is a lot like getting a new email address: you select a user name, register it with one of the available servers, and receive a matrix address formatted as @user:server.name. That allows you to talk freely to other users including those registered with different servers.

Even a public server makes it easy to set up an invitation-only private space with topic-based chats and videocalls.

The settings in Element are slightly more complex, but you get more personalization options: chat visibility, permission levels, and so on. Matrix/Element makes sense if you’re after team communications in various formats, such as chats or calls, and on various topics rather than just a couple of odd calls. If you’re simply looking to host a call from time to time, Jitsi works better — the call feature in Element even uses Jitsi code.

Element is a fully featured environment for private conversations, with video chats just one of the available options

Corporations are advised to use the Element enterprise edition, which offers advanced management tools and full support.

Zoom: encryption for the rich

Few know that Zoom, the dominant videoconferencing service, has an E2EE option too. But to enable this feature, you need to additionally purchase the Large Meetings License, which lets you host 500 or 1000 participants for $600–$1080 a year. That makes the price of E2EE at least $50 per month higher than the regular subscription fee.

Zoom supports videoconferencing with E2EE too, but you need an extended license to be able to use it

You can enable encryption for smaller meetings as well, but still only if you have a Large Meeting License. According to the Zoom website, activating E2EE for a meeting disables most familiar features, such as cloud recording, dial-in, polling and others.

#Top #apps #encrypted #private #videocalls

We’ve published multiple comparisons of secure messaging apps with end-to-end encryption, shared recommended settings, and described the respective flaws of these apps. But what about folks who want secure messengers but who aren’t exactly tech-savvy? This blogpost is just for them – based as it is on an extensive study and published report entitled What Is Secure? by a group of experts from the agencies Tech Policy Press and Convocation Research and Design.

The report contains recommendations for both users and developers. But since not everyone will read through all the 86 pages of text, we summarize the paper’s main conclusions below.

Object of study

The researchers interviewed user groups in Louisiana in the United States, and Delhi, India, to determine the strongest and weakest points of current messaging apps. The following popular apps were examined:

Apple iMessage
Meta (Facebook) Messenger
Messages by Google
Signal
Telegram
WhatsApp

The study focused on the way humans respond to in-app tips, and the way they understand the meaning of each feature. More importantly, the respondents were asked about any specific fears, and in what ways they think secure messaging apps are or could be useful in their lives. Some of the interviewees said they are worried about potential physical violence, such as domestic violence, in connection with messaging, while others fear persecution by the authorities. This had a major effect on their perception of “secure”.

Key finding

End-to-end encryption is only one aspect of security. Encrypted messaging won’t solve every problem a threatened user is having. Therefore, one needs to think through a strategy against motivated adversaries. Is there a risk of your phone being seized? A risk of you being forced to unlock it? Are you afraid that someone may try to obtain your data from the company that owns the app using litigation or a legal order? Or infect your phone with spyware? Would it be easier for the bad guys to try and extract that data from the person you’re chatting with? For many, the answer to each of the above is no, so an encrypted messaging app provides sufficient security in and of itself. And even if your answer is yes, that’s no reason to give up encryption and secure messaging: they just need to be one layer of your defenses.

As further tips, the researchers recommend that the above vulnerable user groups take several technical steps (more on those below) but, most importantly, not to carry their phones in places where they could be physically seized or forcibly unlocked. They suggest getting a second phone for such dangerous places, and keeping the main device with a person they can trust.

General tips on secure messaging

The biggest secrets are best delivered face-to-face. No method of digital communication is completely secure. Therefore, the riskiest information – especially if posing a threat to health or even life – should be discussed in person, not in a chat.

Don’t make decisions blindly. Users make conscious efforts to protect their privacy, but they often rely on popular opinion about security – not verified sources. Few read documents that accompany messaging apps: terms of use, or transparency and government data sharing reports. Research carefully what your messaging service actually stores and where, and with whom it shares data and has shared in the past. That information can be found in transparency reports and in the press.

Carefully review the app settings. Make sense of each setting and turn on all the securest options. Bear in mind that parts of the privacy settings may be spread across the phone’s general settings (especially true for iMessage in iOS, and Messages by Google in Android) or sections of the app settings (typical of Telegram).

Avoid hybrid modes. Several messaging apps support both encrypted and unencrypted messaging. In iMessage and Messages by Google, you can send open texts and encrypted messages in the same chat; however, this is a bad idea since these message types are always confused. Both Messenger and Telegram have separate encrypted and unencrypted chats, with the unencrypted mode used by default. The paper recommends using messaging apps based on full encryption: Signal or WhatsApp.

The more features – the higher the risk. Extra features, such as stories, bots or links to social networking services, provide extra surveillance and data-leak channels. It’s best to turn off these kinds of features or avoid using the app altogether.

Disable link previews, geolocation sharing, and GIFs. These features do come in handy sometimes, but they can be used to track you down by various parties, including linked websites. Another potential leak channel is finding and sharing GIFs in chats.

Messaging apps that work without a phone number are helpful. These include, to a certain extent, Telegram, Messenger and iMessage, although it does take some effort to configure each of them to use your internal username or e-mail as your identifier when chatting. According to the report, WhatsApp and Signal are planning to add a feature like this too.

Use disappearing messages. The most squeamish among us can enable chats to be deleted automatically after a short period of time, such as one minute. Unfortunately, not every messaging app has options like these, and in some of them, the shortest visibility period is 24 hours. Disappearing messages do little to protect you from screenshots or other ways that chats can be saved. Auto-deleting messages is helpful if you expect that strangers will be poking around in your phone shortly.

Encrypt chat backups. Default cloud backups are a frequent leak channel, so it’s imperative that they’re encrypted (something that needs to be enabled manually in both WhatsApp and iMessage), saved locally (for example, on an SD card if using an Android phone), or turned off altogether. Any local backups should be encrypted as well.

Compare encryption keys with the people you chat with. This procedure is called Сontact Key Verification (in iMessage), Safety Numbers (in Signal), Security Code (in WhatsApp), and Encryption key (in Telegram), and it helps make sure that you’re chatting with the right person – using the right device. Encryption keys can be verified for each chat by comparing codes or meeting face-to-face.

Protect yourself against account hijacking by turning on two-factor authentication. This feature comes under a variety of names, such as Two-Step Verification, Registration PIN, or something else, but the essence remains the same: logging in to the same account on a new device requires an extra verification step.

Train the people you chat with. This is critical for groups that chat about sensitive subjects. This requires that the members all share and observe the following ethics and security rules:

No forwarding of confidential information
No screenshots or other copies of the information in the chat
Supporting a culture of privacy within the community
Using the app settings wisely
Disabling potentially risky chat features

What’s the securest messaging app?

Signal is the clear leader in the study, but the requirement to expose your phone number makes the situation somewhat complicated. The table below contains a comparison of the key messaging-app security features, with the safest option in each row highlighted in green.

	Apple iMessage	Meta (FB) Messenger*	Google Messages	Signal	Telegram	WhatsApp
End-to-end encryption in one-to-one chats	In certain cases*	Special type of chat	In certain cases*	Always	Secret chats only	Always
End-to-end encryption in group chats	In certain cases*	Special type of group	In certain cases*	Always	Never	Always
Verified encryption protocol	No	Yes	Yes	Yes	No	Yes
Encrypted backups	Yes, optional	No backups	No	Yes, on by default	No backups	Yes, optional
Manual comparison of encryption keys	Yes	Yes	No	Yes	Yes	Yes
Phone number-free registration	Yes	Yes (complicated)	No	No	No	No
Hiding phone number from contacts	Yes	Yes	No	No	Yes	No
Links with other services or accounts in these	Yes	Yes	No	No	No	Yes
Hiding metadata**	Partial	Partial	Partial	Yes	Partial	Partial
Storing metadata**	Yes	Yes	Yes	No	Yes	Yes
Self-destructing messages	No	Five seconds or longer	No	One second or longer	One second or longer	24 hours or longer and one-time viewing
Disabling link previews	No	No	No	Yes	Secret chats only	No
Blocking screenshots	No	No	No	Yes	Secret chats only	No
Screenshot alert	No	Yes	No	No	No	No
* Available as long as all parties are using the same platform (iOS or Android) and the appropriate app settings.
** Confidentiality settings to avoid showing to other users the following metadata partially or in full: the user’s photo, the user’s other contacts, chat and group memberships, IP address, and chat times.
The table is based on the data of the report What Is Secure?

#encrypted #messaging #apps #properly #chats #confidential

Tag: end-to-end encryption

Top apps for encrypted, private videocalls