Should You Be Using Signal for Secure Messaging?
If this weekend has shown us anything, it's that the fire of protest is alive and well in America, and that activism will not stop in the face of opposition. Regardless of your political affiliation, I think most can agree that supporting and maintaining freedoms (such as that of the press, or the right to assemble) is important now more than ever. No matter who is in the Oval Office, groups within and without the government understand that knowledge is a commodity, and intercepting information and communications has become a priority among intelligence agencies and independent operatives.
Back in October, I posted about the use of WhatsApp and Wickr for secure messaging. Neither is the first choice for many security experts or journalists. That distinction falls to Signal.
Why?
If we look at the outdated version of the EFF secure communication scorecard (as of this writing, they promise a new one is coming soon), you can see the criteria by which they rate secure messaging applications. As mentioned in the post I wrote about Wickr and WhatsApp, Wickr gets a 5/7 score, while WhatsApp gets a 6/7, and Signal gets a 7/7. Since that scorecard was published, Wickr has published their protocol, so I would imagine that their score would be sitting at 6/7, much like WhatsApp.
The difference is that Signal is open source, and the source code is readily available for audit. Security experts and open source champions cite the application's open source nature as making it more readily adjustable should a vulnerability be found. In addition, there is no guarantee that WhatsApp and Wickr truly implement what they say they do. We have to trust them.
In the case of Wickr, at least one independent security expert has said that they were allowed to audit the source code.
WhatsApp, meanwhile, has its own set of issues--not the least of which is that it is owned by Facebook. That alone will keep most people away; however, WhatsApp does have the largest user base, which is significant if your primary goal is communication. Recently, WhatsApp came under attack by the Guardian for a "backdoor" that, according to the cryptography community, isn't actually a backdoor. In fact, EFF recently chimed in to note that this so-called backdoor is actually nothing more than a security trade-off that fits with WhatsApp's model as a communication tool, and that it's irresponsible to call it a backdoor.
Of the three, Wickr is actually my first choice, mainly because of the way it handles self-destructing messages and photos. Signal recently did implement self-destructing messages, but the setting is hidden deep within the UI and is on a per-person basis. You have to turn it on for each person, and then adjust the time setting. Wickr's interface is much easier, and ties the self-destruct interface to the same controls as sending the message.
Still, if you have reservations about Wickr as a company, or refuse to use closed source applications, Signal is the gold standard--recommended by people like Edward Snowden. If you are absolutely in need of the most promising secure messaging, you might as well start there.
What about WhatsApp?
Bill and I use WhatsApp when we want to communicate securely. Mostly this is because WhatsApp has a Windows Phone app (Bill uses Windows Phone), while Signal and Wickr do not. Depending on your level of security needs, it's possible to successfully use WhatsApp--to a certain degree. Take a look at the EFF's post on issues with WhatsApp, and then follow their guide, which has suggestions on how to solidify the security. This includes things like turning off cloud backups, not using the web application, turning on key change notifications, and turning off Facebook data sharing.
WhatsApp is a communication tool first and a security tool second. Use it to take advantage of the large user base, or to communicate with friends who can't access better apps. If you can use Wickr or Signal, however, use one of them, and if you absolutely must be ultra-paranoid, stick to Signal.
It is worth noting that WhatsApp implements the Signal Protocol from Open Whisper Systems--the group that builds the Signal app. Sometimes your choice is less about the cryptography and more about the implementation, the company, and overall trust.
Personally, I have all three installed on my phone. I like Wickr's functionality the best, but trust Signal the most. I use WhatsApp when my contacts are unavailable on the other two, and even then, only for moderately sensitive data.