Ask Slashdot: Are There Secure Alternatives To Skype? (theguardian.com) 237
How can you make a truly secure phone call? An anonymous Slashdot reader writes:
I have a Windows 8.1 phone and mostly use it for Skype calls and chats. A bit of browsing every now and then, and checking public transportation schedules... What can I do to be able to securely chat and place audio/video calls? What do you think is the best device to buy and what apps to use on it?
Skype for Windows Phone will stop working in 2017, and Skype's privacy was already suspect after Edward Snowden leaked evidence of Microsoft's secret collaboration with the NSA. But are there any good alternatives -- especially for a Windows Phone user? Leave your suggestions in the comments. What are the best secure alternatives to Skype?
Skype for Windows Phone will stop working in 2017, and Skype's privacy was already suspect after Edward Snowden leaked evidence of Microsoft's secret collaboration with the NSA. But are there any good alternatives -- especially for a Windows Phone user? Leave your suggestions in the comments. What are the best secure alternatives to Skype?
Alternatives: Yes (Score:1, Troll)
There are loads of alternatives to Skype, that offer similar (but not identical) functionality. The one I use is WeChat, not because it is better than the rest, but just because it is what the people I care about use it. It can do the usual things: chat (text etc) and calls (w or w/o video). No doubt there are many others. As for security: surely you are joking? How would these companies operate, if they couldn't get their cold, clammy hands on the info you send?
Re: (Score:1, Insightful)
WeChat is built to gather data and send it not only to the company, but direct to China's government. No
Re:Alternatives: Yes (Score:5, Informative)
You are kidding, right? WeChat is owned by Tencent which has tight connection to te Chinese government. It's worse then Skype in terms of security
Re:Alternatives: Yes (Score:4, Funny)
Tencent? Pffft!
Let us know when 50 Cent releases his own videochat client.
Re: (Score:3)
Re: (Score:2)
Lol you nerd. That was a jay z song not 50 cent.
Close enough.
Re: (Score:3)
You are kidding, right? WeChat is owned by Tencent which has tight connection to te Chinese government. It's worse then Skype in terms of security
The original poster said security of any of them is a joke. That being said, the question that needs to be asked is who are are you trying to be secure from? If you're a drug dealer in the USA then having a secure client controlled by a country who is not likely to share with your local government is probably not a bad solution. The chinese government is not going to be too concerned about domestic crimes in the USA. Personally, if I was worried about security, I would opt for fragmenting my communicati
Re: (Score:3)
This assumes that the CIA hasn't already hacked these Chinese services, for no reason other that being a Chinese communications service, especially when there are certain to be Chinese government-mandated back-doors already in place just waiting to be exploited by the CIA.
This is part of the argument against mandating encryption back-doors in the US, that goes beyond US spying: if you build a back-door for someone, eventually someone else will find it.
"the enemy of my enemy is my friend" doesn't work when y
WeChat = Tencent = Chinese Communist Party (Score:5, Insightful)
WeChat is a Tencent product, and Tencent is partially state-owned by the People's Republic of China. So I can guarantee you that anything you do in that program - in fact, probably anything you do in any device with that program installed, or any device linked to your WeChat profile with social media or other links - is going straight to a national surveillance agency. Just not an American one.
That being the case, I have to seriously question the credibility of anybody suggesting WeChat in the context of basically anything.
Re: (Score:3)
WeChat is a Tencent product, and Tencent is partially state-owned by the People's Republic of China. So I can guarantee you that anything you do in that program - in fact, probably anything you do in any device with that program installed, or any device linked to your WeChat profile with social media or other links - is going straight to a national surveillance agency. Just not an American one.
I know that - give me some credit, I am after all able to find the keys on my keyboard - and I didn't say I recommend it, only that I use it, as do most Chinese, apparently, or at least those that I know; and I used it as an example of what kind of functionality one should be able to find with little effort in a large number of apps. And as I did point out, it is not realistic to expect things like anonymity or security from a free tool that, for it function, relies fundamentally on all traffic passing thro
Re: (Score:2)
If someone is looking for a secure alternative to Skype, why would you recommend an alternative that is, at best, no more secure, and more than likely FAR LESS secure? I understand that the compromise is worth it to you, because other people you know want to use it to converse with you, but to recommend this as a secure alternative doesn't exactly strike me as being very helpful at all.
Re: (Score:2)
If someone is looking for a secure alternative to Skype, why would you recommend an alternative that is, at best, no more secure, and more than likely FAR LESS secure?
If you go back and read what I originally wrote, you will see that I specifically commented, that there is no app like that, which IS secure. That was really the whole point of my comment - if you want to use a free app, which offers significant benefits, it simply cannot be secure; the company needs to make money, and they offer a free app to bait people into providing them with the data they are after for whatever commercial purpose. If the communications were secure, anonymous, etc, how would they be abl
Re:WeChat = Tencent = Chinese Communist Party (Score:2)
Re: (Score:2)
Well depending on who and where he is, he might have much less to fear from the chinese than the american government...
If you're going to be spied on by someone, might as well have it be someone who has no interest in your activities nor any jurisdiction over you.
Re: (Score:2)
That being the case, I have to seriously question the credibility of anybody suggesting WeChat in the context of basically anything.
WeChat is used by all the Asian hookers around here. So if you want a seriously good time, WeChat is useful.
Re: (Score:2)
Then his friends and family are stupid and need to be ridiculed into migrating to something more secure. Like effectively anything else, including smoke signals and pig latin.
Re: (Score:2)
Sure, he can try ridiculing his friends. I doubt he would be successfully, as he would be the weird one, when in many circles literally any person with a cell phone will use WeChat. Should he also try preaching to his acquaintances? Good luck, I say. What next? Ridiculing POTS, and make people convert because it is not secure?
Re: (Score:3)
If necessary, yes.
The old adage about everybody except you jumping off a bridge comes to mind, and this isn't the XKCD case where the reason for leaping is nebulous and open to humorous investigation. We've established the mob is stupid. Your choice comes down to telling them they're stupid and why, silently refusing to participate, or leaping just because everyone else is - even though you know it's a stupid idea.
Re: (Score:2)
Right, if every single person around you continuously keeps jumping off bridges and are fine, you would the weird one to not do it. You dont seem to understand the network effect.
ToX (Score:2, Funny)
Tox is a alternative, no sure if it is ported to windows phone...
Re: (Score:2)
Wrong site.
https://tox.chat [tox.chat] is the correct one.
Maybe Ring? (Score:2)
Network Effect (Score:5, Insightful)
Options are plenty. But the point is how you can persuade all your contacts to switch to the niche app of your choice with you.
Re: (Score:2)
Maybe using an application (like Jitsi, as other posters already suggested) can interoperate with other messengers. You can register a SIP address and then chat with any other user that has a SIP address, no matter what their comm client is. At least in this manner you won't have to convince all your friends to switch to just that one client that works best on your platform (but you would still need to convince them to move from Skype, securely configure some new software client that works on their device,
You can't (Score:1)
Simply put, there is no such thing as a truly secure phonecall.
Any "easy" solution coming out of or running through the USA needs to be "insecure" thanks to CALEA - Communications Assistance for Law Enforcement Act - but even if this were not an issue, the endpoints can still be bugged and systems hacked.
You may be able to get a fair part of the way there by setting up your own infrastructure (ie something which runs over a VPN and/or ZRTP) - Maybe look at Silent Circle for an ?easy? partial solution to you
Signal, WhatsApp, etc (Score:3, Informative)
Signal is open source. Use Signal if you want real security.
WhatsApp is closed source but uses the same encryption in Signal. Use it if you need something people already use.
In either case, turn on security notifications and learn what they mean, and verify your contacts by reading out their fingerprint over the voice connection.
Telegram's encryption is kinda broken. Therema's encryption is broken. iMessage only works on iOS and it's slightly broken. I donno if Allo does voice, but you must turn on encryption manually, so it's probably broken if you imagine the user can be tricked.
Re: (Score:1)
Tox is better than Signal. It's peer to peer, so no servers needed. It also does video calls, has clients available for more platforms and it's completely open source without proprietary components.
Re: (Score:2)
Re:Signal, WhatsApp, etc (Score:5, Interesting)
I'm sure we'll eventually see if WhatsApp really is using the Signal system correctly all the time. I mean this is Facebook they even follow you around even if you've never even signed up for Facebook.
Re: (Score:3)
Check the EFF Secure Messaging Scorecard (Score:5, Informative)
Electroic Freedom Foundation created the Secure Messaging Scorecard [eff.org] to help answer this question. The biggest problem with this scorecard is it mixes desktop and mobile apps together without really indicating which type of app they are. But both Signal and Silent Phone are available for Android and iOS. Either of these might be worth considering as alternatives for the types of things you current use Skype for today.
Re: (Score:3, Informative)
Re: (Score:2)
The biggest problem with this scorecard is it mixes desktop and mobile apps together without really indicating which type of app they are.
Why is that a problem? Why would I want to use a protocol why isn't available on both desktops AND mobiles? Being artificially limited to only one platform sounds like a PITA.
Re: (Score:2)
The biggest problem with this scorecard is it mixes desktop and mobile apps together without really indicating which type of app they are.
Why is that a problem? Why would I want to use a protocol why isn't available on both desktops AND mobiles? Being artificially limited to only one platform sounds like a PITA.
Interpreting the parent post as an English sentence, it would seem that the problem isn't with the mixing, but, rather, with the lack of indications as to which platform(s) the app is for. While you might only be interested in apps available for both mobile and desktop, it's conceivable that others may only want an app for one or the other and, therefore, a platform indication may be useful to their research and selection.
Re: (Score:2)
But why are messaging protocols that exist only on desktop or on mobile even considered in this list? Why would someone WANT to artificially limit his messaging possibilities to only a fraction of the population?
Re: (Score:2)
But why are messaging protocols that exist only on desktop or on mobile even considered in this list? Why would someone WANT to artificially limit his messaging possibilities to only a fraction of the population?
The protocols themselves are probably platform agnostic, but the user interface and/or OS/library support may not be. In addition and more likely, if it's a standalone application, the developer may only have experience coding for mobile or desktop. For example, I can easily code just about anything in several languages for Windows, Linux and Unix and cross-platform, but don't have any experience writing for Android or iOS - even in Java, I'm not familiar with the mobile libraries and classes. Just my $0.
Ennetcom stopped? (Score:2)
Inherently Insecure (Score:5, Informative)
Having said that, it might be possible for us to brainstorm the sort of attributes that would help to make your VOIP calls less insecure. The collective wisdom of slashdotters might then be able to suggest some alternative products for you to consider. Things to look out for might include:-
1. A solution that uses a central server only for the purpose of establishing the IP address of your chosen call recipient, then allows all communication to that recipient to happen directly, point-to-point. There is no need to route call traffic through central servers (unless you want to listen in). Ahem. Skype.
2. A solution that not only uses the latest approved encryption algorithms, but which makes the swapping of an algorithm a relatively easy process [think user-selectable option, addition of a library file with the algorithm code]. The upgrading of key strength/entropy parameters should be even easier...
3. A solution that includes, within the encryption stream, random white noise padding (to make it much harder to determine the precise amount of data being exchanged) might be nice.
And so on...
I did think about including an option that said, "For each legitimate call channel that you set up using the central register of logged-in users, pick three more logged in users at random and simultaneously exchanged random, encrypted data packets with those users too." Unfortunately, there are multiple issues with that. First, what if one of those random users really was under surveillance by a three-letter-agency. Using the "association" rules, that agency would then start monitoring you *real* closely... and second, running four calls for the cost of one might actually degrade your network/audio performance if you happen to be on a slow link.
Bottom line; there is no easy answer to your question, but please don't consider using Skype and "secure" in the same statement...
Re: (Score:2)
An Agency like the NSA could record all your data packets and brute-force them pretty quickly, if they so chose.
Mod negative infinity: conspiracy theory
Re: (Score:3)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
1. A solution that uses a central server only for the purpose of establishing the IP address of your chosen call recipient, then allows all communication to that recipient to happen directly, point-to-point. There is no need to route call traffic through central servers (unless you want to listen in). Ahem. Skype.
I'm not so sure with mobile devices that's as easy as it sounds. I'm not aware of the situation in other countries but in Australia you normally sit behind NAT and don't get a publicly routable IP address. I once inquired with with a carrier if it was possible to get one so I could VNC into an embedded system using a dynamic DNS arrangement and the answer was it was only available as an add-on option for corporate accounts, and that meant having a minimum of 500 phone services.
Re: (Score:2)
I'm not so sure with mobile devices that's as easy as it sounds. I'm not aware of the situation in other countries but in Australia you normally sit behind NAT and don't get a publicly routable IP address. I once inquired with with a carrier if it was possible to get one so I could VNC into an embedded system using a dynamic DNS arrangement and the answer was it was only available as an add-on option for corporate accounts, and that meant having a minimum of 500 phone services.
That sucks, on the other hand getting scanned from all over the world sucks as well.
DS-Lite: routable on IPv6, CGNAT on IPv4 (Score:2)
Does your ISP also fail at IPv6? I've read about a lot of ISPs giving each subscriber his own /56 on IPv6 and using carrier-grade NAT only on IPv4. This technique is called DS-Lite [wikipedia.org] (not to be confused with a Nintendo product).
Re: (Score:2)
--You could use a "jump server" - setup a cheap Linux cloud server on digitalocean or the like, SSH into that with X forwarding, install vncviewer on the Linux side, and vnc from there.
--Or if I'm misunderstanding and the embedded system was behind NAT, you might setup ssh -> digitalocean with port forwarding and keepalives (from the embedded side), and get back in that way with the cloud server acting as the middleman. That way you shouldn't have to open firewall ports.
Re:Inherently Insecure (Score:5, Interesting)
An Agency like the NSA could record all your data packets and brute-force them pretty quickly, if they so chose
There's no evidence that the NSA can break properly-implemented modern cryptography. In fact there's considerable evidence that they cannot, including both Snowden's statements, and the fact that the NSA recommends it for classified US government data, among other things.
Re: (Score:2)
Re: (Score:2)
It's not completely developed yet, but Tox is usable, video and text. It's not bulletproof security, but can't be worse than Skype.
Re: (Score:3)
"An Agency like the NSA could record all your data packets and brute-force them pretty quickly, if they so chose"
So, you're claiming AES has been broken?
Re: (Score:2)
This is because we've learned, thanks to Edward Snowden, that much of what we thought we knew about the security of western encryption schemes was entirely wrong.
We learned that it doesn't have to be an attack directly against the algorithm itself, but could be against the PRNG. Subsequently,
Re: (Score:2)
I'm aware that the NSA have already published guidelines concerning potentially quantum-safe algorithms, but I haven't as yet seen a robust peer-re
Tox (Score:1)
Completely P2P and encrypted. See tox.chat
Again? (Score:4, Informative)
If we could not ask the same questions every month [slashdot.org], that would be great.
Re: (Score:2)
Ha, okay so apparently that link is from 2012. But this was just talked about recently, the story topic was some supposedly secure messaging app that wasn't that secure, or so opaque that it was really relying on security by obscurity and "trust us" mentality rather than evidence of how it was secure, but it touched off the same "where to next?" comment threads.
Re: (Score:2)
No, but this time it's different, they actually found a Windows Phone 8.1 user!
Re: (Score:2)
WebRTC (Score:4, Informative)
WebRTC-based services, in the form of e.g. https://meet.jit.si/ [meet.jit.si], are end-to-end secure and decentralised. Not sure if Windows Phone has any browser which supports WebRTC, though.
Re: (Score:3)
Also you can easily run your own Jitsi bridge on a device you control.
Someone should make a simple to install website you can put on your own server somewhere which works like this:
https://appear.in/ [appear.in]
It probably already exists somewhere.
Re: (Score:2)
Not for ever - they are working on a method of doing bridge-based WebRTC which is nevertheless end-to-end secure - see https://datatracker.ietf.org/w... [ietf.org] . AIUI, the way it works is that it established point-to-point encrypted tunnels between the endpoints for key distribution so the bridge isn't able to decrypt the data even if it wanted to, and yet, you don't need N->N transmission of streams.
Gerv
DIY (Score:2)
Windows Phone? (Score:4, Insightful)
If you run Windows Phone or Windows 10 you should say goodbye to any sort of privacy.
https://www.gnu.org/proprietar... [gnu.org]
As of now there are no commercially available smart phones that respect your freedom entirely. Depending on where you draw the line,
your best bets are Replicant [replicant.us] or at the very least CyanogenMod without any Google Apps.
F-Droid [f-droid.org] is a package manager for Android that only contains software that respects your freedom.
Re: (Score:2)
Given that their list of supported devices [replicant.us] are all no less than five years old and even then with missing support for any feature other than making calls, Replicant is currently a joke.
Re: (Score:2)
I'd say quite a bit of work, since you'd have to port each component separately and run the risk of bricking it. Strictly for tinkerers only at this stage. It's more like pre-alpha, given the complete lack of several features even on the supported handsets.
LINE (Score:2)
I have family in Japan, where LINE seems to be popular.
http://line.me/en/ [line.me]
It is a Japanese company:
http://linecorp.com/en/company... [linecorp.com]
But it supports English speaking very well, too, and on the major platforms.
Unfortunately not on Linux PC's yet.
Re: (Score:2)
Its Korean, not Japanese.
And its really crappy btw.
Re: (Score:2)
If you follow the links I provided it says the following:
LINE Corporation is based in Japan.
LINE Plus Corporation was established in March 2013 in South Korea as a subsidiary of LINE Corporation.
I don't know what you think is crappy, but my family uses it and it works for voice calls and text messaging over the internet, nothing crappy there.
Re: (Score:2)
All that being said, it's no more secure than Skype.
You cannot make secure phone-calls (Score:3)
As soon as you involve the phone-system, you are compromised. However, you can have a secure voice-chat, with numerous technologies. If you run your own server, something like mumble may serve. Needs a dedicated client, but security is apparently pretty good. Works on Linux.
Re: (Score:2)
Leave it to an AC to say the most naive thing possible. Remember "we kill people based on meta-date"?
Use a WebRTC peer-to-peer session (Score:5, Informative)
Use a Web site to set up a WebRTC peer-to-peer session. I like talky.io, which uses peer-to-peer for one-to-one chats. There are many others, and if you don't like them or don't trust them, you could pretty easily build your own.
The security properties of peer-to-peer WebRTC are pretty good:
-- end-to-end DTLS with perfect forward secrecy
-- all protocols involved are IETF standards and have had a decent amount of public security review
-- Firefox/Chromium implementations are fully open source that you can build yourself and run on Windows/Mac/Linux/Android
-- the Web site that sets up the connection could MITM you, but there are many WebRTC sites to choose from and it's pretty easy for anyone to set up more.
I kinda wonder why governments aren't complaining about WebRTC. It's probably just not popular enough yet.
Re: (Score:3)
Yep, governments and others haven't really noticed yet.
If you run your own server with the website/relay software then it really is full end2end and based on the proper crypto, etc.
People will figure this out eventually.
EditorDavid seems to have missed something (Score:2)
What can I do to be able to securely chat and place audio/video calls? What do you think is the best device to buy and what apps to use on it?
Looks to me like the anonymous poster is willing to abandon his Windows Phone so I don't know why the blurb below the poster's quote immediately asked for a solution "especially for a Windows Phone user".
I get the wish for secure phone calls to a certain extent, but the anonymous poste
It depends (Score:2)
If you want the " telephone " experience where you can call anyone, anytime then probably not. Both you and the one you're calling must use compatible systems before you can consider securing it.
If, on the other hand, you're trying to setup a secure call to a known party then there are ways to accomplish this but requires some prep.
Example. Grab a flavor of VOIP software you like to use. Build a central server running something like Asterisk on it. Lock down your network, ensure the only means to access
Depends on what you want (Score:4, Informative)
The best totally anonymous desktop messaging protocol I am aware of is Pidgin (Windows, Linux) and Adium (macOS) using the "Off-The-Record" extension. I don't know if there's any good solutions for video chat.
The only secure method... (Score:2)
..for video/audio calls and other similar communications is heavily encrypted endpoint-to-endpoint VPN traveling though ports that won't get blocked.
Off Topic (Score:2)
Don't use a proprietary OS? (Score:2)
Sorry, but if you care about privacy, using a proprietary OS is a non-starter. You simply MUST use an open-source operating system. The idea of security on Windows or IOS is absurd. These companies can insert whatever backdoors they wish at any time, and you have no way of knowing or doing anything about it. This isn't a matter of my-platform's-better-than-yours, it's simply the fact that proprietary software and security are not compatible.
Try Linphone (Score:2)
There are ways to encrypt.
Let me see if I've got this right (Score:2)
So you plan to reach out to one of the dozen or so Windows Phone users by finding them on slashdot?!
Re: (Score:1)
If they care so little about what we do then they wouldn't try to spy on us.
Little kids like you don't understand the importance of privacy because you don't work or have any sensitive personal data. All you do is listen to music, play video games and watch porn, which is why you mentioned those things specifically. When you grow up you might come to appreciate privacy, if you have any left by then.
Re: (Score:2)
I'm rapidly approaching middle age and I still enjoy music, video games, and porn.
That said I also appreciate the importance of privacy, so they call this wisdom. :-)
Re: (Score:2)
It's not necessarily a bad thing to admit, really. You're only further perpetuating and demonising the stereotype, it's not too different from the crazy Christians who didn't want Little Jimmy touching himself in bed.
Obviously he meant gaming. What were you thinking of... Oh, wait... (grin)
Re: (Score:1)
Chill out and let them do their work to catch terrorists, don't draw unnecessary attention to yourself (like by being paranoid), and you'll have no trouble.
Who were they listening to when the terrorists were in San Bernardino? Because they missed that one completely. Not to mention all the mass shootings taking place in the US even using Stingray. If they're work is to catch terrorists... I'm afraid they're failing really bad. The only logic that I find from that, is that surveillance is not to catch terrorists. And if it truly is, the three letter agencies need to fire all the staff, top to bottom, and start hiring competent people.
Re: (Score:1)
The only reason they want to listen in on everyone is control/power and the fabricated reason is terrorism (which if true means that they are admitting defeat to terrorists). That's why they throw a childish tantrum if you even try to legally record one of them (see: public "illegal" wiretap excuse).
Re: (Score:3)
All terrorists have to do to surprise us again is attack us with a new technique. While the three-letter agencies are making our lives miserable at airports, one jogger tossing a vial of hacked Ebola into a big-city reservoir could be the next 9/11.
Re: (Score:2)
The last 100 years or so of history would disagree with you..
Comment removed (Score:5, Insightful)
Re:Why the obsession? (Score:5, Insightful)
It's not even that we don't trust,
we absolutely trust that if we allow the agents of government a great power to use in a narrow context, against a specific group of bad actors for the general benefit, that they will eventually without fail use that power in contexts never intended and against people never imagined, with only in regard to the benefit of the few power brokers.
Re: (Score:2, Insightful)
You've got that the wrong way around. The question you should be asking is "Why is the government so paranoid about terrorism?"
Take off the tin foil hat and stop being so paranoid about terrorists, you anti-American, freedom-hating douchebag.
Re: Why the obsession? (Score:2, Insightful)
Terrorism? Is there any single evidence NSA is achieving anything against terrorism? The only evidence we have of their work is that they spy the european MEPs, the european leaders, 56 millions germans, 48 millions italians, 50 millions of french... And the only warning france got before of bataclan came from Algerian services, which are doing mostly Humint....
Re: (Score:2)
I expect the issue is more to the point, as we have recently found out that our own government had been spying on us, despite the laws that says they shouldn't would make us feel a bit nervous.
In America there is a good deal of history where we had tried to find the un-americans among us. McCarthyism, blacklisting supposably Communist, Japanese internment camps during WWII are a few examples.
The danger with this local spying is the fact that we may say something that will get us flagged as un-american then
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Why are you people so obsessed with privacy from the government?
"the Tree of Liberty, it seems, needs to be refreshed from time to time with the blood of Patriots and Tyrants."
250 years of U.S. History, and a few THOUSAND years of collective social history, and still we have to ask a question like yours....
Re: (Score:2)
Remember all those AOL users before the world wide web became popular? They got loose and bred.
Welcome to Web 3.0
Re: (Score:3)
Even more amusing is that they all seem to have no problems with private companies hoarding all of this data. We have no Constitutional protections against private entities. Google and Facebook are far more powerful than the
Re: (Score:2)
Re: (Score:2)
or maybe you want to minimize anyone's digital dossier of you in case the future does alter such that information that is benign today becomes not so benign.
Re: (Score:2)
Yeah well, I can ask for Symbian but that's a dead platform too.