This message will ‘self-destruct’ in 3, 2… by Jason Kornwitz February 22, 2017 Share Mastodon Facebook LinkedIn Twitter Some members of the Trump administration have begun using Confide, a self-destructing messaging app. David Choffnes Associate Professor of Computer and Information Science See More Snapchat, Telegram, and other self-destructing messaging apps are particularly popular these days, especially among college students. Now, some members of the Trump administration have reportedly begun using Confide, yet another encrypted messaging app that deletes chats once they are read. And The Washington Post reported that White House staff members are “so fearful of being accused of talking to the media that some have resorted to” using the app to gossip in private. Confide claims to use “military-grade end-to-end encryption to keep your messages safe,” an appealing feature for the many lawyers, journalists, political operatives, and others who routinely share sensitive information. But the company does not employ any cryptographers, according to reports, and one security researcher has called its app a “triumph of marketing over substance.” We asked assistant professor David Choffnes, a mobile systems expert in the College of Computer and Information Science, to explain how ephemeral messaging apps work and whether you should trust them to keep your conversations confidential. First and foremost, how does self-destructing messaging work? While “self-destructing” sounds appealing, there are no explosions or smoke at work here. Instead, we have to focus on the fact that any messages transmitted over the internet can potentially be recorded for future analysis. Given this, the goal of “self-destructing messaging” is to make it likely that the message contents are undecipherable to anyone except the recipient, and that the time window in which the message is decipherable is brief. To achieve the former, such apps use strong encryption using decryption keys that are difficult to guess, and to achieve the latter they “throw away” the decryption keys immediately after the user reads a message. There are a number of other techniques they use to protect message contents from being read outside of the app, including preventing screenshots. However, even this does not solve the problem—a user could simply take a picture of the screen with another device to preserve contents. And a forensic analyst could possibly recover decryption keys that were not fully erased from a device. These techniques are harder to pull off than intercepting messages from non-self-destructing apps, but not impossible. National Security Agency leaker Edward Snowden said on Twitter that he uses an encrypted chat app called Signal, whose code is available for public review. How important is it for independent experts to evaluate the security of these kinds of apps on a regular basis? I also use Signal. In general, the more eyes that are looking at a piece of software, the more likely vulnerabilities will be found and fixed quickly. To be clear, though, this does not mean that the software is free from flaws. The OpenSSL project, responsible for code that secures most online financial transactions, made headlines in 2014 for the Heartbleed vulnerability that put user information at risk for a large fraction of websites. Despite the fact that software inevitably has vulnerabilities, public review at least ensures that users are aware of them and allows them to verify when they have been fixed. With closed systems, vulnerabilities may never become publicly known or fixed, despite being actively exploited by other parties. Let’s say a particularly paranoid person asked you to help him pick out a self-destructing messaging app. What app would you recommend? Any secure system is only as strong as the weakest link. Our research on public-key encryption systems shows that the weakest link is often the people tasked with managing and evaluating the security of connections, not the cryptography itself. So the weakest link is generally the users themselves, who are being asked to evaluate whether to accept a new public key or understand the implications of transport layer security versions, key lengths, ephemeral key reuse, and man-in-the-middle attacks. If this sounds like nonsense to you, you’re not alone—and this is the problem. We’re asking non-experts to make decisions they are wholly unqualified to make. So which app do I recommend? The answer doesn’t necessarily matter because security depends on decisions that each user makes when using the app. But if you’re paranoid, perhaps you will educate yourself on these concepts and choose the one that best meets both your security and usability needs, either based on direct inspection or relying on studies by auditors you trust.