[OPSEC] Surespot/ChatSecure

What instant messaging apps do you recommend? I hear SureSpot is compromised, ChatSecure uses jabber(xmpp) + otr which I believe is the go-to program at the moment.

I have heard of a blackberry app called 'xshield' but I have not been able to find any information about it.

ChatSecure doesn't use pgp though, I don't think. Does it have some kind of key exchange to make sure you are talking to the person you are intending to talk to?


Comments


[2 Points] Bud509:

Do you have any source to back up the claim that Surespot is compromised? Surespot is open source so it seems safer to me than Wickr which is closed source.

On the computer use Pidgin with the off the record plugin and login through an XMPP account created through a site called wtfismyipxmpp (well, google that, 'cause that's not actually the site name).


[2 Points] lordredvampire:

I use Tor IM using Jabber. Works fine.


[1 Points] iliveintor:

if you're looking for quick secure comms, jabber (xmpp) + otr is my recommendation. If you want to get even more private about it, you can tunnel your xmpp through tor or proxies to protect your privacy. if you don't really care about anonymity you could just go textsecure which uses your phone lines but encrypts with private/pub keys. Torchat is also a great alternative but a bit more difficult to set up and use. Offshore email providers that protect users are also good and everyone knows how to email these days.

as for chatsecure though, what happens is that you want to pick an xmpp server/provider that requires users to use otr (encryption) so that no users will be sending unencrypted data. So yes, there is a key exchange that chatsecure and textsecure support. There are some xmpp servers that don't require this key exchange and allow freely encrypted data in and out the servers. It works just like pgp - Public and private keys (you and your contact). I find this sometimes difficult because the exchange of keys can be buggy sometimes and when it doesn't exchange properly, none of my messages will go through :(

wickr is also another option but not much information on their methods is public. eff did do audits on many apps and platforms. you could find it on their site


[1 Points] Tatoline:

What about Telegram's secure chat? It uses secret key protocol. I used Surespot before but I realized that I can use Telegram faster with my phone. Don't you think Telegram is secure?


[1 Points] ThisIsNotMarc:

Would still using GPG encryption inside of these instant messengers be a viable OPSEC measure? So when you send someone a message, the message has first been encrypted by using your app of choice?


[1 Points] None:

Otr is good. Don't trust it though. It doesn't take forever to generate keys like pgp and there's no authentication as to who is actually at the keyboard, like pgp if a passphrase is used.


[1 Points] None:

Xabber w/ XMPP+OTR.