Looking for a way to encrypt chats and enable off-the-record (OTR) communications using a fully open-source app? If so, ChatSecure might be a good solution. Read on for an overview of what the app does well and which limitations to keep in mind when you use it.
ChatSecure is only one of many tools for encrypting chats, but it aims to set itself apart by supporting all chat protocols and clients, as long as they are compatible with the XMPP and OTR communications protocols. “Unlike other apps that keep you stuck in their walled garden, ChatSecure is fully interoperable with other clients that support OTR and XMPP,” the program’s developers promise.
That’s a promise they keep. Built atop Google’s Talk app, ChatSecure — which was known previously as Gibberbot and Off the Record — is compatible with every modern, mainstream chat protocol and client, making it easy to communicate with other people no matter which configuration they have.
ChatSecure also performs well on the privacy front by providing protection at many levels. In addition to encrypting text and data communications, the app is compatible with Tor, which allows you to chat anonymously. It also uses SQLCipher to encrypt conversation logs stored on a user’s local computer, preventing unauthorized access to past conversations.
For what it’s worth, ChatSecure’s code is also completely open-source, which means anyone can inspect it. That helps provide assurance against malicious, undocumented features that programmers could potentially integrate into the application.
Last but not least, ChatSecure passes the Electronic Frontier Foundation’s review of secure messaging apps with flying colors. We’re not saying the EFF is the only definitive source for privacy reviews, but the organization’s findings regarding ChatSecure are worth noting, especially since only a handful of the secure chat apps and tools that the EFF reviewed performed positively in every category, as ChatSecure did.
For all that ChatSecure does to help keep messaging secure and private, it has limitations. Most of them are not the fault of the ChatSecure developers themselves, but they’re still worth keeping in mind.
One blatantly obvious, yet significant, potential problem for users keen on privacy is that they can’t be sure the people they’re talking to are also using ChatSecure, or an app that is similarly effective at protecting privacy. Because ChatSecure works with almost all other chat clients, the computer on the other end of the conversation could be running any kind of software, which may or may not be keeping your data as secure as ChatSecure does.
ChatSecure can also only do so much to keep conversations using the AIM protocol (also known as Oscar) secure and private. AIM relays all chat information to a central server. It also does not encrypt conversations on its own. ChatSecure encrypts communications using its own encryption layer, which theoretically keeps even AIM chats secure, but the fact that there is no double layer of security when using the AIM protocol makes man-in-the-middle or other attacks easier. The lack of built-in AIM encryption could also allow third parties to see a user’s buddy list.
None of this is ChatSecure’s fault. The app does the best it can with a protocol that is subject to fundamental security and privacy flaws. You probably shouldn’t use AIM in the first place if you care about privacy. But, if you do, know that even ChatSecure can’t guarantee your privacy.