• aexiruch@lemmy.ml
    ↑ 21 · 3 years ago

    A face-to-face conversation, held in a proper SCIF (Secure Compartmentalized Information Facility), with no decorations, transparent furniture, the best sound isolation you can buy (think bottom of a salt mine and still wrapped in isolating material), no windows, no air-conditioning, shielded from thermal imaging, bring no devices at all, and all participants stark naked (ideally you’d add body cavity search and MRI); that way you can avoid most eavesdropping.

    • N0b3d@lemmy.ml
      ↑ 12 · 3 years ago

      And then shoot the other party, because a secret shared is no longer a secret.

      • aexiruch@lemmy.ml
        ↑ 5 · 3 years ago

        Well, if eliminating parties is on the table, I’d have to recommend shooting yourself (better: pack your head in a lot of explosives, less chance to accidentally survive), so good ol’ rubber-hose cryptanalysis doesn’t work either ;-)

    • AES@lemmy.ml
      ↑ 9 ↓ 1 · 3 years ago

      Ok… that is a bit over the top. What about digital messaging?

      • aexiruch@lemmy.ml
        ↑ 10 · 3 years ago

        Fair enough, I was feeling a bit cheeky ;) I guess you really mean digital, electronic, semi-instantaneous, text-based communications, aka “instant messenger”. I tend to be very careful with recommendations, they always can turn out to be bad advice… For what it’s worth I use either email with GnuPG or Signal. I have a long list of caveats for both, but I do use them…

        • Randoom@lemmy.ml (OP)
          ↑ 3 · 3 years ago

          I read somewhere (on Lemmy) that Signal might not be a safe and secure option. And I have deleted my account. 😑

          And I use the openPGP app. Is this good enough to protect my missile launch codes?

          • aexiruch@lemmy.ml
            ↑ 7 · 3 years ago

            As I said, I have reservations about Signal, but I have not found one where I have fewer, so… As to “the” openPGP “app” and literal missile launch codes, it really depends on what exactly that app is (there are many implementations of RFC4880) and on what environment it is running. Most likely it’s adequate for normal people though ;) I use GnuPG 2.x on QubesOS, and OpenKeychain on GrapheneOS, but I’m a cryptology-nerd who enjoys coming across slightly paranoid ;)

              • Hagels_Bagels@lemmygrad.ml
                ↑ 10 · edited · 3 years ago

                Not to blow anyone’s trumpet, but this may actually be less secure, as there is always the possibility that the postman/postwoman/postperson will open your letter and read it, then replace it in a different envelope. They could also shine bright light through the envelope to get a better view of the writing, or possibly use some form of scanning such as MRI?

                Please read some of these methods that people have suggested on the internet from 2008, which I have found through Google.

                i think the actual “classic” way probably doesn’t involve a microwave… try ironing the letter with a lot of steam. but of course opening a sealed envelope is very easy. reclosing it once you’ve opened it is the real trick. consider the attentiveness of your audience. will the person whose mail you’re reading notice if you open really carefully and then re-seal with a glue stick? probably no…

                If it’s not a heavy or security-print envelope, throw it on a backlit scanner (any flatbed scanner with a nice, bright transparency lamp should work) and get a 24-bit color scan. Open the scan in Photoshop and manipulate the gamma correction or color correction curves to maximize the contrast between the envelope and the text inside. Rotate as necessary. You can usually get something and you don’t even have to break the seal. This, of course, is unlawful and unethical, and should never actually be done.

                Just open it up, read it, then destroy it. The recipient doesn’t need to know that they had a piece of mail.

                Upside down can of computer duster air works wonders in making the envelope transparent. Then it evaporates, leaving no traces.

                Edit: Dentists can also discreetly read your mail.

      • Hagels_Bagels@lemmygrad.ml
        ↑ 7 · 3 years ago

        You could use end to end encryption which uses one of the more secure and complex encryption/decryption methods available, and only give the private key to that one individual, and using a device which you know does not contain any hardware or software backdoors for any government or business entity. Rotating encryption keys on a scheduled basis can also help verify that only the recipient has access to the correct keys.

        I haven’t done any real project which uses encryption, so don’t call me an expert on different algorithms or methods of implementation. However I’d also stress that being excessively paranoid about people wishing to steal your information is not necessarily healthy. If the information you are communicating is important enough that people may try to use highly technical ways of breaking the encryption, it is always easier and more practical for them to make you give them access to that information yourself, through social engineering, rather than through hacking.

        • Randoom@lemmy.ml (OP)
          ↑ 1 · 3 years ago

          Thank you. I will follow these steps. And I completely agree with you on the 2nd para.

      • esi@lemmy.ml
        ↑ 5 · 3 years ago

        Was that an accidental pun you just made there? Either way. I almost spit out my morning coffee.

        (tinfoil hats usually go over people’s heads)

  • Dessalines@lemmy.ml
    ↑ 16 ↓ 1 · 3 years ago

    Matrix / Element or XMPP.

    We’ve had many discussions on here for why many of us think that Signal isn’t secure.

    • atti@lemmy.ml
      ↑ 5 · 3 years ago

      True: here is an interesting video about how using some services makes you identifiable by connection maps. This also affects Signal, since you’re subscribed via your telephone number and people connect you through their contacts list. Additionally, metadata tells how often you talk to some people, what time, how many messages, etc. This shows an attacker who your main connections are, etc. So things are not about which kind of service you use (which app), but HOW you use it. The video really invites you to think about how these complex things work. Btw, here’s the video: https://www.youtube.com/watch?v=IWMZ17Iyu3o

        • Dessalines@lemmy.ml
          ↑ 1 · 3 years ago

          It doesn’t, because neither Matrix nor XMPP requires the crucial piece of information linking you to your real identity: phone number or email.

          • Helix@lemmy.ml
            ↑ 2 · 3 years ago

            If we learned anything from the predatory ad industry, it is that you don’t need a piece of proof of identity to track and even deanonymize people.

    • Helix@lemmy.ml
      ↑ 3 · 3 years ago

      > Matrix / Element or XMPP.

      Still leaks metadata, but given that you use your own server and proper e2e keys with enabled encryption, frequent re-keying and current room/software versions, it’s arguably more secure than most messaging systems.

  • Lunacy@lemmy.ml
    ↑ 14 · edited · 3 years ago

    I think the answer would be “depends.” There is no such thing like “safest way of massaging”. Every option comes with pros and cons. You have to choose carefully according to your trust, use case and threat model. If you want to learn more about “threat modeling” then you should read this article from EFF.

    Services like Signal and Matrix are usually recommended. They are good for 99% of people.

    • Helix@lemmy.ml
      ↑ 1 · 3 years ago

      > There is no such thing like “safest way of massaging”

      Well, you could take courses to not hurt the people you massage, for starters?

      • Lunacy@lemmy.ml
        ↑ 1 · edited · 3 years ago

        Can you please elaborate? English is not my first language so I’m not really sure if I understand your comment.

        Edit: I think I got it, you wrote a funny comment hahaha.

  • esi@lemmy.ml
    ↑ 10 · edited · 3 years ago

    There is no one answer to this question, as more factors need to be weighed. For example, the most secure way of messaging would essentially be no messaging at all.

    One thing that has interested me for some time is that when people are weighing in on digital messaging security or privacy, they usually just think of it “individually”. As in, from the perspective of one person using the messaging platform. Things change a bit when you have large groups of people.

    For example, like many have noted, Signal is probably not 100% to be trusted these days, but because of its ease of use and its popularity it manages to (somewhat) secure the communications of millions of people. A more secure/private solution, meanwhile, can be more cumbersome to use and therefore less popular, but will manage to 99.99999% secure the communication of maybe hundreds of people.

    So which one is better in this context? A platform managing to provide 50% security to millions of people, or a platform managing to provide 99.9% security to hundreds of people?

    Edit: in short, it depends on the context and the people you are trying to secure communications with. You have to make compromises here and there to reach the maximum realistic security for that group of people. My family and nearest friends for example use Signal, but I am constantly keeping an eye on other solutions and waiting for them to become viable for my situation. (especially after Signal becoming less and less interesting by every day)

    • Randoom@lemmy.ml (OP)
      ↑ 4 ↓ 1 · 3 years ago

      Actually I was using Signal. But deleted my account last week. Tried Matrix on Element but the experience was not good.

      Tried Briar but messages sent when I stay offline do not get delivered. So that is not an option for me. Still searching for a good platform.

      • esi@lemmy.ml
        ↑ 5 · 3 years ago

        Yeah, that’s the thing with security and privacy, you often have to sacrifice convenience for those two. The reason messages don’t get sent is because there is no server in between to send the messages. But in the case of Signal the messages get sent to the server and then wait there for the other person to come online. So right now IMHO for a lot of people Signal is the best/least bad we can realistically use (at least in the context I live in). But Matrix is coming closer and closer, and I am looking forward to it.

      • Helix@lemmy.ml
        ↑ 2 · 3 years ago

        > Tried Matrix on Element but the experience was not good.

        Define that?

  • Lynn Stephenson@lemmy.ml
    ↑ 10 ↓ 2 · edited · 3 years ago

    The easiest option for secure messaging is obviously Signal. Although there are less convenient options that are considered more secure, such as Briar.

    • Helix@lemmy.ml
      ↑ 4 · edited · 3 years ago

      That doesn’t hide metadata, the postal service can track it and you can trace back both the handwriting and reverse engineer the code. Someone can intercept the mail from many stations on the way, including your own post box.

      I’d say that many messaging services offer more protection than that method.

      You could, however, use PGP with elliptic curve cryptography, and send that via packet radio or something similar on a frequency only you know. To an uninvited person this only looks like garbage data or noise.

      • kat@lemmy.ml
        ↑ 3 · 3 years ago

        Every AX.25 packet includes the sender’s amateur radio callsign

        The same callsign that’s tied to your physical address as provided to the FCC?

        • Helix@lemmy.ml
          ↑ 2 · edited · 3 years ago

          You don’t have to follow these regulations. The requirements in the opening post were just for the most secure way of messaging, not a legal and secure way of messaging.

  • Danrobi@lemmy.ml
    ↑ 8 · edited · 3 years ago

    • Session is an end-to-end encrypted messenger that removes sensitive metadata collection. Designed for privacy and freedom.

    • Jami is a chat, voice and video messenger. All communications are peer-to-peer and end-to-end encrypted.

    • Tox is a chat, voice, video, and file transfer instant messaging client using the encrypted peer-to-peer Tox protocol.

    • I2PChat is a P2P end-to-end encrypted chat messenger over the anonymous I2P network.

  • yiojaa@lemmy.ml
    ↑ 4 · 3 years ago

    Receiver:
    setup tor onion service
    bind and listen a port by netcat

    Sender:
    start tor
    connect to the onion service with the port by netcat

    It may be the most secure and minimal way if we can ignore DoS or something bad.
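
The two-sided setup sketched in the post above, written out as an added example that is not part of the original post. It assumes `tor` and OpenBSD netcat (`nc`) are installed; the port 5000, the state directory and the function names are placeholders chosen here.

```shell
#!/bin/sh
# Added example: onion service + netcat chat, receiver and sender side.
# Assumptions: tor and OpenBSD nc installed; PORT and STATE are placeholders.
PORT=5000
STATE="${STATE:-$HOME/.onion-chat}"

# Emit the receiver's torrc. The onion service forwards PORT to loopback only.
receiver_torrc() {
    printf 'DataDirectory %s/data\n' "$1"
    printf 'SocksPort 0\n'                        # receiver needs no SOCKS listener
    printf 'HiddenServiceDir %s/service\n' "$1"
    printf 'HiddenServicePort %s 127.0.0.1:%s\n' "$2" "$2"
}

# Accept only a v3 onion name: 56 base32 characters followed by ".onion".
is_v3_onion() {
    printf '%s\n' "$1" | grep -Eq '^[a-z2-7]{56}\.onion$'
}

receiver() {
    mkdir -p "$STATE" && chmod 700 "$STATE"
    receiver_torrc "$STATE" "$PORT" > "$STATE/torrc"
    tor -f "$STATE/torrc" --RunAsDaemon 1
    # Wait until tor has generated the service keys and hostname file.
    until [ -s "$STATE/service/hostname" ]; do sleep 1; done
    echo "Give this address to the sender out of band:" >&2
    cat "$STATE/service/hostname" >&2
    # Bind to loopback: a bare "nc -l PORT" listens on every interface,
    # so the chat port would also be reachable from the LAN without Tor.
    nc -l 127.0.0.1 "$PORT"
}

sender() {
    is_v3_onion "$1" || { echo "not a v3 onion address: $1" >&2; return 1; }
    # Assumes a local tor is running with its default SOCKS port 9050.
    # -X 5 hands the .onion name to tor itself, so no DNS lookup leaves the host.
    nc -X 5 -x 127.0.0.1:9050 "$1" "$PORT"
}

case "${1:-}" in
    receiver) receiver ;;
    sender)   sender "${2:-}" ;;
esac
```

The onion address authenticates the receiver and Tor encrypts the circuit end to end, but netcat itself adds no authentication: the listener accepts whoever knows the address.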

  • GadgeteerZA@lemmy.ml
    ↑ 3 · 3 years ago

    Secure (knowing but not being able to access) being different from privacy (no-one knows who) and of course remembering that the more private especially, the more difficult to locate anyone you actually know as zero e-mail, phone numbers, etc should be used… I’d still say Matrix is the simpler and easier secure messenger for most to use and where they have a good chance of finding others actually using it.

    Can also mention Wickr Me, Wire and Threema. Briar Project would have been a good option except it is only Android which really holds it back from broader use. Another consideration is whether mobile to mobile is satisfactory (peer-to-peer is sometimes an issue with mobile) or whether you would use desktop clients along with mobile, as that then also narrows some choices. From a privacy perspective, specifically metadata is important and why Signal and WhatsApp fall down even though they may have secure E2EE.

    • Lunacy@lemmy.ml
      ↑ 4 · edited · 3 years ago

      > From a privacy perspective, specifically metadata is important and why Signal and WhatsApp fall down even though they may have secure E2EE.

      Actually, Signal minimizes metadata. The sealer metadata is encrypted, only the address remains unencrypted. Also, Signal received subpoenas in 2016 from the Eastern District of Virginia and in 2021 from the United States Attorney’s Office in the Central District of California. Those subpoenas requested a wide variety of information that fell into this nonexistent category, including the addresses of the users, their correspondence, and the name associated with each account. In fact, Signal only provided:

      • Unix timestamps for when each account was created
      • Unix timestamps for date that each account last connected to the Signal service.

      • GadgeteerZA@lemmy.ml
        ↑ 3 · 3 years ago

        And of course the phone number… I really prefer something that requires zero phone number (like Session as an alternative) but thing is you’ll find most people on Signal (through their phone number)…

        • Lunacy@lemmy.ml
          ↑ 4 · edited · 3 years ago

          I’d also prefer services that require no phone number. However, in the end it’s not really a concern for the vast majority of people. In the context we usually live almost everyone uses privacy invasive services. So if a person ditches services like WhatsApp for Signal it’s a win. It’s highly unlikely that a regular Joe who doesn’t know squat about privacy and security is going to use more private services like Matrix, Session, Briar etc.

          Signal is quite good in this area, the initial setup and GUI are quite equal to WhatsApp, E2EE is on by default and doesn’t require any additional user interaction, the metadata collected is minimized etc.