Secure Messaging for Paranoid Realists

In honor of the EARN IT Act clawing its way back out of the grave (again), I want to discuss resilience to anti-encryption measures of all kinds.

But first, what is paranoid realism, and what makes someone a paranoid realist?

Healthy Doses of Paranoia

Having worked in security for so long, it's difficult to not see most technology as fundamentally broken. Web apps are built on APIs without any access control, EDR can't keep up with some of the most basic bypass techniques, and on and on we go.

Test turning your own webcam on via Meterpreter and you'll understand what I'm getting at: this shit is easy, and you may not know when you're being watched.

There are three ways of approaching this new, substantiated feeling of paranoia: ignorance, fatalism, and realism.

The first is the easiest and just involves sticking your head in the sand. The second is deciding that because there are things you can't control, you might as well not do anything about anything.

Finally, realism (or pragmatism, if you prefer it) involves doing the best with what you have. Technology will never be hack-proof, but it's also never been easier to take some meaningful steps to improve your resiliency against the inevitable.

All three can be characterized by their response to the idealism of perfect security:

  • Ignorance is simply unaware of it or refuses to be aware of it.
  • Fatalism is aware of it but sees it as unattainable and therefore worthless wholesale.
  • Realism is aware of it and knows that something is better than nothing at all.

One of my favorite books, "Absolute OpenBSD, 2nd Edition: Unix for the Practical Paranoid", was written for this mindset. From the book's introduction:

It's not that everyone on the Internet is trying to attack you, but there's always someone who wants to break into your system. Even if you think you have nothing of value, someone wants to own your computer. And you won't realize the value of what you have until someone else has it. That's just human nature.

If you're not paranoid on the Internet, you're in trouble.

Michael W. Lucas, "Absolute OpenBSD, 2nd Edition: Unix for the Practical Paranoid"

Dispelling Fatalist Mythology and Threat-model-ism

Choosing to remain ignorant is the choice of each individual. I can do nothing about this, and I wish you luck if that's your path.

Fatalism, on the other hand, I have a refutation for. Additionally, fatalism's close cousin, threat-model-ism, this is for you, too.

The argument that you should only care about encryption if your personal threat model requires it, whether for messaging only or for as much internet traffic as possible, is made by many seemingly knowledgeable people, much to my concern.

For example, a VPN will not make you anonymous on the internet. Sure, it can hide your source IP from the destination and it keeps your ISP from snooping on a good portion of your traffic, but it doesn't do much more than that.

Keeping my ISP out of my data in transit is a good enough reason for me to use one, even if it's just to keep them from throttling certain services, as Comcast did with Netflix not long ago.

I also would rather them not sell my browsing habits to advertisers or tell me what proper use of the internet constitutes. Even if these practices are not predatory to an Orwellian level yet, they could get there in the future.

And even if they don't, caring about privacy as a principle is the only reason you need to run a VPN, encrypt your messages, et cetera.

Lastly, threat models evolve. Many small businesses probably wouldn't have considered themselves very interesting to multi-million-dollar ransomware gangs 10 years ago, but they've been such easy targets recently that they're now one of the most common victim types.

I could go on for much longer about this, and I may do so in future posts, but that's not the goal of this one.

What is the EARN IT Act?

The EARN IT Act is yet another government attempt at breaking encryption in order to protect children online. While protecting children is a noble and worthy enterprise, like any other effort, there are methods that work and methods that don't.

According to Stanford, not only does EARN IT not work, but it will actually do the opposite of what it intends to do:

...the EARN IT Act would do little to protect child sex abuse victims – to the contrary, it risks making it even harder to track down and convict offenders.

I encourage you to read the entire article linked above. In the end, true to form for over a decade, this is a case of people with power exercising said power in areas they fundamentally misunderstand. What is unclear is how long this phenomenon will continue to plague us.

While we have no answer to that question, we can at the very least take steps to reduce the impact of weaponized ignorance of this sort by utilizing systems that are the opposite of fragile, or as Nassim Taleb puts it, "anti-fragile".

Communication channels that are not fragile are the true resilience to legislation like this, so we need a way to evaluate them and choose the ones that really work.

Evaluating Anti-fragility (AAA)

In order to objectively evaluate communication platforms and protocols for anti-fragility, we have to establish criteria. The information security industry has been using confidentiality, integrity, and availability (CIA) for a long time and it's a good measurement set, but it doesn't really cover enough for me.

Instead, I've come up with the three As to evaluate a platform or protocol: availability, anonymity, and autonomy.

  • Availability: it does not have to suffer the impact of external events.

Something that is completely out of my control, such as downtime of a server I don't own or maintain, should not inhibit my ability to communicate. Whether it's the Signal servers, a CDN, or the entirety of us-east-1, my communications should be unaffected.

  • Anonymity: the ultimate privacy is pure anonymity, and this must be possible.

I should be able to completely control the details of my identity, from source IP to registration details. No phone numbers, email addresses, physical addresses, or anything that sits outside the function of the platform/protocol.

  • Autonomy: it can be used without third-party permission or interference.

I should be able to use it without anyone else's input. No one, including my ISP, VPS provider, domain name registrar, smartphone app store, federal government, et al., should be in control of how I communicate, nor should they be able to easily place an injunction on my use.

Note: These metrics operate on the idea of perfection, so nothing will likely ever fully meet them. This is on purpose so that we can remain objective and honest as we are realists here, and we prefer better over stagnant.

Case Studies of Popular Platforms

Below are some examples of how common messaging platforms and protocols match up to AAA. Let's use a 1-5 scale.

Note: This is not a comprehensive or systematic list, nor is each of the platforms I mention in the list comprehensively or systematically scored. I am trying to make a point with some fuzzy numbers, though I may soon catalog these by metrics and score them more consistently.

SMS

Availability: 0 Anonymity: 0 Autonomy: 0

Not much to say here. It's horribly insecure, out of our control, and dependent on cell towers we don't own.

iMessage

Availability: 3 Anonymity: 2 Autonomy: 1

This is probably my favorite one to pick on because some iPhone users see non-iMessage users (or, derogatorily, the undesirable green bubbles) as members of lower socioeconomic castes, which is profoundly cringe.

I'm not exaggerating either. I've spoken to people who purposely exclude Android users from group chats with friends for not having iMessage. This has happened to me personally, also, and all I can do is look at all my Signal conversations and not care.

It's a great communication channel for iPhone-to-iPhone communication, but it is by no means anti-fragile. The servers and OS (the user gateway) are fully in Apple's control, as is the encryption.

I've heard that it's also a uniquely American thing to use iMessage universally, which brings me to my next platform.

WhatsApp/any social media chat feature

In Europe, Asia, and many other areas of the world, WhatsApp is the staple communication platform. However, like any platform run by a giant company (Facebook), it scores fairly low on all three As.

The data is definitely being collected, the traffic runs through centralized locations...need I say more?

Availability: 3 Anonymity: 1 Autonomy: 1

Case Studies for Niche (Non-Mainstream) Platforms

Signal

Availability: 2 Anonymity: 3 Autonomy: 1

Signal is the app that actually made me write this blog because I resisted it for a very long time.

I wanted a perfect solution for all my non-SMS communication that wouldn't add to my existing paranoia, but many of the alternatives at the time were difficult to adopt for most people or were being bought up by bigger corporations with unclear motives (Keybase and Wire, looking at you).

However, I had to realize that some encrypted chats were better than no encrypted chats. This is paranoid realism at work and is how you have to approach this stuff sometimes.

Now if they would just build an F-Droid version...

Telegram

Availability: 2 Anonymity: 3 Autonomy: 1

This is the one I really want to drive some points home about.

It's not the only service that masquerades as an end-to-end encryption service for chat while maintaining a master encryption key and centralized servers.

Telegram's clients are open-source, but their back-end infrastructure is not. This is where everything is stored and where all the data travels through, so this is a big red flag.

Any possibility of compromising any part of AAA is not acceptable. There has to be trust between developers, the platform, and the users, and this is not possible without completely open-source code and standards, front to back.

Matrix/XMPP

Availability: 4.5 Anonymity: 4.5 Autonomy: 5

I am well aware that these are not the same thing, but I've lumped them together because, in my opinion, they are the best options we currently have.

  • The code is all open-source, server to client and back.
  • The encryption is truly E2E, which we know because we can look at it.
  • You can host your own server for yourself or anyone else.
  • Communication is federated, meaning no central server controls who I talk to.

That said, I've only given them both 4.5 for the first two As. This is because without a central server, they are dependent on external factors such as your VPS provider and other infrastructure you have no control over.

Perhaps if you were to self-host them at home, that would change, but I haven't thought through that one.

Between the two of them, the cons that they don't share cancel each other out and, I think, provide the best option for secure messaging at the moment.

Honorable Mentions

These are some projects that I think have promise, mainly because they're doing things differently. I don't use them personally and never have, but I expect that they will eventually have niche followings of their own and am watching them with great interest.