VOIP (IN)SECURITY: ALTERNATIVES TO SKYPE AND WHATSAPP
Skype was released on August 29, 2003 and was quite a revolution: voice and video were packetized and transmitted over Internet Protocol networks, so people could call for free using only an internet connection. Skype was later acquired by Microsoft, which took part in the NSA's PRISM surveillance program, through which the NSA accessed private calls and messages from nine big companies including Microsoft, Apple, Google and Facebook.
Since then, using the words “Skype” and “secure” in the same sentence has become nonsense.
Fortunately, several protocols, combined with security-focused applications for messaging and video calls, help us secure our conversations.
OTR (Off-the-Record Messaging) allows us to have private conversations over instant messaging. The key features of OTR are:
- Encryption: all communication is strongly encrypted. The content of your messages cannot be seen by the servers.
- Deniability: the messages you send do not carry any digital signature.
- Authentication: you can be sure you know who you are talking to.
- Perfect Forward Secrecy: no previous conversation is compromised if you lose control of your keys.
XMPP (Extensible Messaging and Presence Protocol) is a secure, decentralized protocol (anyone can run their own XMPP server) for chatting, voice and video calls.
To create a Jabber account (Jabber was the original name of XMPP), sign up with one of the numerous servers that offer a Jabber service; it does not matter which one you choose. Once that is done, download an instant messaging client such as Pidgin and set it up as follows:
1. When Pidgin starts, it asks you to create a new account. Choose XMPP as “protocol”, the username you chose during registration as “username”, the name of the server as Domain (e.g. jabber.org), and the password you chose during registration as “password”.
2. In “Advanced”, set 5222 as the default port and enter your server’s address.
3. To connect over Tor, in “Proxy” set 127.0.0.1 as “host” and 9050 as “port”. Click “save” and the account creation is done.
4. Activate OTR in the plugins menu by checking the box labelled “Messaging Off The Record”.
5. When you start a conversation with a friend, you will see “not private” in the bottom-right corner. Click on it and choose “start private conversation”.
6. If your friend also has OTR, you will see “unverified” next to their contact. Click on it and choose “authenticate buddy”. There are several ways to do this; for example, you can have them answer a secret question. Once they have done so, you will see “private” in the bottom-right corner.
For encrypted calls, the ZRTP protocol is what you need. ZRTP stands for Zimmermann Real-Time Transport Protocol; it was developed by Phil Zimmermann, the owner of Silent Circle. From Silent Circle:
“ZRTP is a cryptographic key-agreement protocol to negotiate the keys for encryption between two end points in a Voice over Internet Protocol (VoIP) phone telephony call based on the Real-time Transport Protocol. It uses Diffie–Hellman key exchange and the Secure Real-time Transport Protocol (SRTP) for encryption.”
Silent Phone, developed by Silent Circle, protects you from MITM attacks by using ZRTP for every call. However, you do not need to buy a Silent Phone to use ZRTP: numerous applications use this protocol by default.
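To make concrete what the MITM protection just described rests on, here is an added illustration (not code from Silent Circle or from the original article) of the idea behind ZRTP's Diffie-Hellman exchange and Short Authentication String (SAS). It is a simplified model with a demo-sized DH group and made-up party names, not the real ZRTP message format or its hash-commitment step: two honest endpoints derive the same secret and the same SAS, while an interposed party leaves the two callers with SAS values that do not match when read aloud.

```python
import base64
import hashlib
import random

# Demo-sized DH group (assumption for this example only): a real ZRTP
# endpoint uses a standardised group that is far larger than this.
P = 2**127 - 1
G = 5


def _rng(seed):
    return random.Random(seed) if seed is not None else random.SystemRandom()


def dh_keypair(rng):
    """Return (private, public) for one side of a Diffie-Hellman exchange."""
    priv = rng.randrange(2, P - 1)
    return priv, pow(G, priv, P)


def shared_secret(priv, their_pub):
    return pow(their_pub, priv, P)


def sas(secret):
    """Short Authentication String: 4 base32 chars (20 bits) of a hash of the
    agreed secret, as ZRTP derives its SAS from the session key material."""
    digest = hashlib.sha256(secret.to_bytes(16, "big")).digest()  # P < 2**128
    return base64.b32encode(digest).decode()[:4]


def honest_call(seed=None):
    """Alice and Bob exchange public values directly: same secret, same SAS."""
    rng = _rng(seed)
    a_priv, a_pub = dh_keypair(rng)
    b_priv, b_pub = dh_keypair(rng)
    return sas(shared_secret(a_priv, b_pub)), sas(shared_secret(b_priv, a_pub))


def intercepted_call(seed=None):
    """Mallory completes a separate DH exchange with each phone. She can
    decrypt both legs, but Alice and Bob hold different secrets, so the
    SAS values they read to each other disagree and the attack is noticed."""
    rng = _rng(seed)
    a_priv, a_pub = dh_keypair(rng)
    b_priv, b_pub = dh_keypair(rng)
    m1_priv, m1_pub = dh_keypair(rng)  # Mallory's key pair facing Alice
    m2_priv, m2_pub = dh_keypair(rng)  # Mallory's key pair facing Bob
    alice_secret = shared_secret(a_priv, m1_pub)
    bob_secret = shared_secret(b_priv, m2_pub)
    # Mallory holds both session secrets: encryption alone does not stop her,
    # only the out-of-band SAS comparison exposes the interception.
    assert shared_secret(m1_priv, a_pub) == alice_secret
    assert shared_secret(m2_priv, b_pub) == bob_secret
    return sas(alice_secret), sas(bob_secret)
```

Pass a `seed` for a reproducible run; without one the exchange uses OS randomness.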
Signal is an open-source application for Android and iOS developed by Open Whisper Systems. It uses ZRTP to let us make secure calls. Every time we open a new conversation with a contact, we can verify that we are talking to the right person by opening the conversation settings and clicking “verify safety number”. A safety number is a 60-digit number you compare with your contact’s to make sure your conversation is private. There is also a desktop version, with which you can call and text your contacts from your computer.
So far we have covered secure messaging and secure calling; if you also want secure video calling, you can use Threema.
To use this app no telephone number is required, because a Threema ID is generated instead. This gives you full anonymity and also means you can use Threema on devices without a SIM. You can verify your contacts by scanning a QR code or comparing keys, and messages, files and even status messages are end-to-end encrypted. A desktop version exists for this app too, and you are not forced to use Chrome: Firefox works as well. Additionally, Threema states that it is an independent, self-financed company based in Switzerland, “a country with some of the most user friendly privacy laws in the world”.