brucethecollie Posted August 17, 2015 Share Posted August 17, 2015 A friend of mine created an app called Caligo Chat. It has end to end encryption, you can put an expiration date on messages so they disappear at a set time and you can delete some or all of any conversations. And you don't use your phone number at any time. If you have any questions I can relay them to the developer who is making an updated and improved version (I think they've made it easier to add a contact in the newer version that will soon come out). Just wanted to pass along to those that value privacy. Link to comment Share on other sites More sharing options...
WorBlux Posted August 17, 2015 Share Posted August 17, 2015 I'm really skeptical about claims X software is secure, particularly when there is no qualified third-party code review and full source isn't availible. (How well are private keys protected, are random number souces random enough, is it implemented correctly...) First off the dissapearing messages is kind of hocus pocus. There are side channels in which a log can be made and presumes everyone is using an unaltered original client. If someone reverses a client or injects modified code into the client these guarantees go out the window. I'd particularly like to point out a trade-off made here. To allow asynchronous communication the app allegedly uses PKI infrastructure directly which is secure so long as the keys used are. And some sort of server is storing and forwarding messages. That server makes an easy point to tap and store encrypted messages to be tried against any future recovered keys. Ditto for compromising the path to/from that server. (How is that secured BTW?) My thought that for highly critical security you want the pki behind a decentralized blockchain so you don't even know who is reading what, (which really isn't practical on mobile devices) or a synchronous protocol that allows for perfect forward secrecy like OTR. 1 Link to comment Share on other sites More sharing options...
jason_ Posted August 18, 2015 Share Posted August 18, 2015 I'd second that any serious privacy minded application should be open source. Without the ability to verify the encryption/decryption process I don't see how one can judge the privacy value of the application. Encryption is notoriously easy to screw up and even if the message is deleted from a user's phone, there are computers between sender and receiver that could intercept and store the message (albeit encrypted and therefore useless IF the encryption is done properly). Link to comment Share on other sites More sharing options...
brucethecollie Posted August 19, 2015 Author Share Posted August 19, 2015 Great feedback from both of you, I will pass it on. Thank you! Link to comment Share on other sites More sharing options...
Recommended Posts