Very Private Messages
There is an interesting dichotomy involving messaging, including text messaging and email. We all engage in sometimes very private conversations using a medium that is about as insecure as one can find on the Net.
How insecure you ask? Well, there are several points along a given message’s route where it can be “sniffed” and read by someone you might not want to see it, including the Wi-Fi network you’re on, the servers in the cloud where it resides or the network as the message flies between the sender and recipient. Now for most emails, text messages and other communications, what you’re balancing is the convenience of the medium vs. the probability that someone will (a) care about your particular message and (b) have the ability to retrieve it and (c) be in a location where they can sniff the message. BTW: If either party is on a corporate network, it’s highly likely that every message will be copied and archived.
We can typically mitigate this risk by insuring that we secure what we can secure, like the connection between our device/computer and our email server using encryption. Assuming you’re doing this, you don’t know if the recipient is doing the same.
The best method to secure messages is to encrypt the message between the sender and receiver and do it in a manner that no entity in the cloud has access to the key. The problem with this solution is that it requires some real work to set up the installation of software (usually in the form of email client plug-ins) and the management of keys. It’s simply not gotten easy enough to entice the average user to bother with it.
So, what to do? When communicating sensitive information with others I typically use Dropbox or some other solution to place the sensitive data, then send a message to point the person to it. This has obvious disadvantages including a real question of how secure the information really is. For example, during litigation, could that information be discovered?
One very interesting solution to this problem is by a small company called Wickr. They have an app (for the iPhone only initially) that is unique in that it will allow you to send email, voice mails and pictures using a medium that has a couple very interesting attributes. First, it allows you to send to another Wickr account without requiring that the users manage the keys for the resulting encryption and it will totally erase any lingering artifacts after a set period of time so that it simply doesn’t exist any longer. The default is 6 days after it’s read, but it’s configurable for shorter periods.
The way it works is that you send a message from the app to the folks that you want to securely message with, then they either respond using their account name or sign-up and respond. You can now message back and forth securely using the app. After that, all messages back and forth between you and the other party are both private and temporary with all artifacts removed after the predetermined period of time (they also securely erase the message from the device’s memory). The company Wickr retains no identifying or decrypting information except the hardware ID that the app is running on and your account name. No keys, real name, address, credit card info … nada.
The message can contain a short text message (up to 1,500 characters), picture, short video or 15 second voice message. Since it’s short and only between Wickr apps, it would only be useful at this time for the most private of messages. Also, since it’s only between iPhones, consider the service to be a beta until they expand the service. They are planning Android and PC versions of the app in the near future as well as a premium service that will allow for more capability.
Let me know what you think of this solution or any other related topic.