The Electronic Frontier Foundation (EFF)’s new Secure Messaging Scorecard is designed to answer one important question: Which apps and tools actually keep your messages secure and safe from prying eyes?
The results have been mixed. In the midst of many positive reactions from technology companies and users, the scorecard stoked a wave of criticism from several prominent figures in the security industry, who deemed the effort inaccurate, misleading, and vague.
Peter Eckersley, the EFF technology projects director, defended the scorecard to the Daily Dot and said it was just “the first phase of an ongoing campaign for secure and usable cryptography.”
Here are the primary points of contention.
Did the EFF give too much credit to Skype?
@mattblaze @EFF Skype communications are not confidential to Skype. The report is actually wrong from what we know from public info.
— Jacob Appelbaum (@ioerror) November 4, 2014
The EFF scorecard gives Skype two check marks for being encrypted in transit and encrypted so the provider can’t read it.
That was a hard sell for many privacy advocates, who immediately pointed to reports from the Edward Snowden, leaks saying the National Security Agency (NSA) had tripled the amount of Skype video calls being collected through Prism.
“There are always going to be difficult cases when you’re evaluating complex software,” EFF’s Eckersley said. “There are clear indications that the NSA intercepted Skype conversations. However, we don’t know if that was a break in the cryptography itself that would allow anyone to intercept, or if it was a compelled man-in-the-middle attack where Skype was made by authorities to give out fake keys to targets.”
As a result, Skype receives a negative in the “Can you verify contacts’ identities?” column.
It seems clear that the problems with Skype go even deeper than the considerable criticism the scorecard piled on it. For many readers, the two check marks it did receive imply a modicum of security that likely does not exist on Skype today.
CryptoCat gets a perfect score and a lot of criticism
CryptoCat, a dead-simple chat program designed to be secure and easy to use, received a perfect score from EFF. This raised the hackles of some members of the security community.
Cryptocat got seven stars from EFF? Now you know anything EFF says about secure* is to be ignored!
— The malware monster! (@osxreverser) November 4, 2014
So far as I know, there has never been a serious cryptographic audit of Cryptocat.
— Thomas H. Ptacek (@tqbf) November 4, 2014
It’s easy to see why CryptoCat’s perfect score is being criticized heavily: The program has a problematic history of broken security, crackable keys, and a variety of attacks.
The EFF defended the score, arguing that the messaging app had been audited by independent experts, thus validating its secure technology:
“Actually, the quality of the audits [CryptoCat] has received have been exemplary,” Eckersley said. “Finding all those problems is the audits doing what audits are supposed to do. They turned up many bugs and they’ve been fixed. That’s what audits are.”
This turns up another issue many critics have with the scorecard: What is an audit? A simple check mark says nothing about the quality of the audit, if it’s public, if it focused on cryptography, or what its results were. In other words, a check communicates nothing about the quality of an audit, just that one took place in the last 12 months.
“We would love to have a standard for top-shelf audits,” Eckersley responded, “but such a standard is impossible to define.”
Eckersley resolutely stood behind CryptoCat’s perfect score while security experts like Jacob Appelbaum, a Tor developer, and Thomas Ptacek, founder of Matasano Security, continue to point out flaws.
Buried PGP recommendation
PGP, likely the most important secure-messaging technology, is hidden in a secondary review section that is difficult to find. PGP is featured and recommended as the security of choice in the EFF’s guide for journalists.
• • •
Despite the arguments over the scorecard’s specifics, the EFF is pleased with the feedback so far.
“We are actually very excited about the responses to this scorecard,” Eckersley said. “We’ve seen tech companies working really hard to improve their security.”
One of the big targets of the scorecard are the tech companies who make the messengers. The EFF wants to incentivize these companies to make their products more secure by publicizing the grades and setting a clearer road map toward better security.
As a result of the scorecard, “at least one household name tech company said we had to pull a team off another project to audit this project. They found a lot of problems and fixed them,” Eckersley said.
Whatever problems exist in this scorecard, it’s only the first step. The EFF says it’s willing to update the card and that the next evaluations will be more informed.
“What we’re trying to do here is solve a problem,” Eckersley concluded. “The problem is: There’s currently no secure, reliable, and usable protocol that the Internet can switch to do secure messaging. We know we’re going to need such a protocol, it’s going to need new engineering work, new usability to work, a lot of research and development effort. We’re trying to incentivize Silicon Valley and these projects to get to work.”
Photo via takacsi75 (CC BY 2.0)