VOIP (IN)SECURITY: ALTERNATIVES TO SKYPE AND WHATSAPP
Skype was released on August 29, 2003 and was quite a revolution. With Skype, voice and video were packetized and transmitted over Internet Protocol networks; people could call for free, using only an internet connection. Skype was then acquired by Microsoft, which started to work with the NSA in the PRISM surveillance program in order to access private calls and messages from nine big companies including Microsoft, Apple, Google, Facebook.
Since this happened, writing the words "skype" and "secure" in the same statement has become nonsense.
Fortunately, many protocols help us secure our conversations in combination with security applications for messaging and video calls.
OTR (Off the Record messaging) allows us to have private conversations over instant messaging. The key features of OTR are:
All the communication is strongly encrypted. The content of your messages cannot be seen by the servers.
The messages you send don't have any digital signature.
You can be sure to know who you're talking to.
- Perfect Forward Secrecy
No previous conversation is compromised if you lose control of your keys.
XMPP is the Extensible Messaging and Presence Protocol, a secure and decentralized (everyone can run his own XMPP server) protocol for chatting, voice and video calls.
To create a Jabber (this was the original name of XMPP) account, you can sign up with one of the numerous servers that offer a Jabber service; it is not important which one you choose. Once you're done with that, you can download an instant messaging tool like Pidgin. When Pidgin starts, it will ask you to create a new account. Choose XMPP as "protocol", the username you chose during the account registration as "username", the name of the server as Domain (e.g. jabber.org), and the password you chose during the account registration as "password". In "Advanced" set 5222 as the default port and your server's address. To connect over Tor, in "Proxy" set 127.0.0.1 as "host" and 9050 as "port"; click on "save" and you're done with your account's creation. Now you can activate OTR in the plugins menu by checking the box which says "Messaging Off The Record". When you start a conversation with a friend, you'll see "not private" in the bottom-right corner. Click on it and choose "start private conversation". If your friend has OTR too, you'll see "unverified" near his contact. Click on it and choose "authenticate buddy". There are several ways you can do it; for example, you can make him answer a secret question. Once he's done with that, you'll see "private" in the bottom-right corner.
As for encrypted calls, the ZRTP protocol is what you need. ZRTP stands for Zimmermann Real-Time Transport Protocol and it was developed by Phil Zimmermann, Silent Circle's owner. From Silent Circle:
"ZRTP is a cryptographic key-agreement protocol to negotiate the keys for encryption between two end points in a Voice over Internet Protocol (VoIP) phone telephony call based on the Real-time Transport Protocol. It uses Diffie-Hellman key exchange and the Secure Real-time Transport Protocol (SRTP) for encryption."
Silent Phone, developed by Silent Circle, protects you from MITM attacks using ZRTP for every call. However, you don't need to buy a Silent Phone to use ZRTP; numerous applications use this protocol by default.
Signal is an open-source application available for Android and iOS developed by Open Whisper. It uses ZRTP to allow us to make secure calls. Every time we open a new conversation with a contact, we can verify that we're talking to the right person by opening settings and clicking on "verify safety number". A safety number is a 60-digit number you can compare with your contact's to make sure that your conversation is private. You can also use a desktop version with which you can call and text your contacts from your computer.
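How a 60-digit safety number like the one described above can be derived from both parties' public keys, and why comparing it exposes a substituted key, as an added example that is not Signal's own code. The iterated SHA-512 construction, the iteration count, the sample keys and identifiers, and the names `half` and `safety_number` are assumptions made for illustration.

```python
import hashlib

ITERATIONS = 5200  # assumed work factor: makes searching for a colliding key expensive


def half(identity_key: bytes, user_id: bytes) -> str:
    """Derive 30 decimal digits from one party's public identity key."""
    digest = b"\x00\x00" + identity_key + user_id  # version prefix + key + identifier
    for _ in range(ITERATIONS):
        digest = hashlib.sha512(digest + identity_key).digest()
    # Six 5-byte chunks, each reduced to a zero-padded 5-digit group.
    return "".join(
        f"{int.from_bytes(digest[i:i + 5], 'big') % 100000:05d}"
        for i in range(0, 30, 5)
    )


def safety_number(key_a: bytes, id_a: bytes, key_b: bytes, id_b: bytes) -> str:
    """Sort the two halves so both parties display the same 60 digits."""
    return "".join(sorted([half(key_a, id_a), half(key_b, id_b)]))


def grouped(number: str) -> str:
    """Format as twelve 5-digit groups, easy to read aloud or compare."""
    return " ".join(number[i:i + 5] for i in range(0, len(number), 5))


# Constructed sample public keys (32 bytes each), not real key material.
ALICE_KEY = bytes(range(0, 32))
BOB_KEY = bytes(range(32, 64))
MALLORY_KEY = bytes(range(64, 96))  # key substituted by an interceptor


def honest_session():
    """Each side holds the other's real key: the numbers match."""
    return (safety_number(ALICE_KEY, b"alice", BOB_KEY, b"bob"),
            safety_number(BOB_KEY, b"bob", ALICE_KEY, b"alice"))


def intercepted_session():
    """Each side was handed the interceptor's key: the numbers differ."""
    return (safety_number(ALICE_KEY, b"alice", MALLORY_KEY, b"bob"),
            safety_number(MALLORY_KEY, b"alice", BOB_KEY, b"bob"))


if __name__ == "__main__":
    for label, (a, b) in (("honest", honest_session()),
                          ("intercepted", intercepted_session())):
        print(f"{label}: match={a == b}\n  Alice sees {grouped(a)}\n  Bob sees   {grouped(b)}")
```

The comparison only protects the conversation if the digits are checked over a channel the interceptor does not control, such as in person or by reading them aloud on a call where you recognise the voice.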
Until this point we have talked about secure messaging and secure calling, but if you also want secure video calling, you can use Threema.
To use this app, no telephone number is requested, because a Threema ID is generated. This grants you full anonymity and also means that you can use Threema on devices without a SIM. You can verify your contacts by scanning a QR code or comparing some keys, and the messages, files and even the status messages are end-to-end encrypted. A desktop version also exists for this app, and you're not forced to use Chrome; you can also use Firefox. Additionally, Threema states that it is an independent and self-financed company based in Switzerland, "a country with some of the most user friendly privacy laws in the world".