In 2016, we started running the messenger review series on decentralize.today since we anticipated how significant they would become in the mix of communication options and the impact on privacy.
Predictably, we have reviewed (and in some cases re-reviewed) the usual suspects: Threema, Signal, Matrix, Telegram and co. However, we have also looked to add some of the lesser-known services.
Most of the above-mentioned providers are better than the true suspects when it comes to invasions of privacy etc.: yes, WhatsApp, iMessage, Facebook Messenger and the like. However, being brutally honest, only a few will keep you truly safe and secure when you are in a terrible situation.
As an extreme example take Ukraine, where the internet might be down or blocked at any given time. In that scenario, the best encryption alone won't let you communicate with others. The same goes for Russia where social media and apps are getting blocked or shut down in some areas, and people are disconnected from real news.
Likewise, conventional or some 'privacy' messengers can be hacked or snooped on, providing 3rd parties information on individuals and their planned activities.
The next issue among most messengers is metadata as many have an identifier attached, say your telephone number, email etc.
This leaves most messengers, even those that are secure and private by design, unable to let you communicate anonymously. Threema is an exception here, if you choose to use it that way, but yet again the concern is that it is a centralized application.
Signal has on its side the fact that Edward Snowden uses it daily (so he says), but I would still not trust it in a really tough situation. Aside from that fact, it runs across AWS and Google servers which could go down at any time. Yes, the beauty of centralization ;)
So what can you really do when you are in a situation that requires more than just encryption? What can you do as a journalist or an activist in a zone without internet? What can you do when disaster strikes and the power goes off and takes the Wi-Fi with it?
The simple and best solution is Briar. We reviewed this almost 2 years ago, but a lot has changed (improved!) since then, so let's dive in.
Briar, unlike most messengers, does not rely on any servers! It is pure and truly peer-to-peer, completely decentralized. Moreover, Briar works over Tor to hide your real IP address. Additionally, you can use Briar without internet! You can send and receive messages within the same Wi-Fi network (even if the Internet is down) and/or send messages via Bluetooth.
Briar uses its own encryption, called Bramble.
The encryption has been audited by Cure53:
"For the six Cure53 testers who completed this assessment, the overall low severity translates to an application with a good understanding of vulnerability patterns and threats."
"the quality and readability of the app’s source code was rather exceptional"
"Still, provided that the documented issues get fixed properly, the application is able to offer a good level of privacy and security. In other words, the Briar secure messenger can be recommended for use."
The E2EE works on one-on-one messaging as well as in group chats.
Briar lets you connect via a QR code which ensures the two parties are who they pretend to be (!). Additionally, you can connect from a distance via a link which you can share from your app.
Briar uses an onion-like identifier to connect users to each other. You can still use a nickname and a profile picture, but the real identifier is a long address, similar to an onion (Tor) address.
Briar lets you connect to nearby people, which allows perfect communication during protests. If I remember back, Telegram was used in Hong Kong and countless people got busted because of using Telegram during the resistance. No, I am not a Telegram fan, and even though they do have a nice-looking app that works perfectly, it is not reliable for people who need to be safe or are under surveillance.
As mentioned, Briar can be used even offline, so even when governments shut down the internet during protests, you would be able to communicate. A more serious example is of course Ukraine: this nearby communication, totally encrypted, can save lives or find loved ones!
Briar is 100% open-source, and is available on F-Droid. You can also download it via the Google Play Store!
Briar also has a desktop version for Linux, but it is not yet capable of group chats, blogs and RSS feeds, and is missing some other useful features.
Sadly, Briar is also not available on iOS, so it's Android all the way (for now)!
Briar was developed for and by activists. But it is as close as it gets to the app James Bond would use.
The Wi-Fi/Bluetooth connection is based on the principle of a mesh network, so everyone extends the network by using it, which in turn extends help to others nearby to join the mesh and exchange encrypted messages.
Briar also uses Tor when you sync using an internet connection. This can be enabled and disabled, but I would highly recommend using it!
Briar resists censorship and surveillance of messaging, forums and blogs in the following ways:
Briar uses the Tor network to prevent disclosure of users, and all contact lists are encrypted and stored only on the user's own device.
Communications between devices are end-to-end encrypted, protecting all content.
The end-to-end encryption prevents keyword filtering, and its decentralization means that there are no servers to block.
Takedown orders:
Each user within a forum retains a copy of all posts so that there is no point where a post can be deleted.
Denial of service attacks:
Forums have no central server to block/hack, and each subscriber has access to the content, even when offline.
Briar can operate over Wi-Fi and Bluetooth to ensure the service can be maintained during blackouts.
The range of Bluetooth and Wi-Fi is around 10 metres, depending on obstacles. Clearly this isn’t enough for communicating across a city or even within a large building. So when Briar receives a message from a nearby contact, it stores the message and can pass it on to other contacts when they come within range.
Please note that Briar will only synchronize messages with your contacts, not with nearby strangers who are running Briar. And it will only sync the messages you’ve chosen to share with each contact. For example, if you invite your contacts X and Y to join a forum, and they accept, then messages in that forum will be synced with X or Y whenever they’re within range. So you can receive forum messages from X in one location, travel to another location, and deliver those messages to Y.
But this doesn’t work for private messages: they’re only synchronized directly between the sender and recipient.
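The sync rules described above, modelled as a small simulation. This is an added example, not Briar's code or wire protocol; the `Device`, `Message` and `encounter` names, and the assumption that X and Y are each other's contacts, are illustrative.

```python
# Toy model of the sync rules quoted above; not Briar's code or wire protocol.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Message:
    msg_id: str
    kind: str            # "forum" or "private"
    author: str
    group: str = ""      # forum name (forum messages only)
    recipient: str = ""  # private messages only

@dataclass
class Device:
    owner: str
    contacts: set = field(default_factory=set)
    shared: dict = field(default_factory=dict)  # contact -> forums shared with them
    store: dict = field(default_factory=dict)   # msg_id -> Message held locally

    def offers_to(self, peer):
        """Messages this device will send to `peer` when in range."""
        if peer not in self.contacts:
            return []  # nearby strangers get nothing
        forums = self.shared.get(peer, set())
        return [m for m in self.store.values()
                if (m.kind == "forum" and m.group in forums)  # relayed by any holder
                or (m.kind == "private" and m.author == self.owner
                    and m.recipient == peer)]                  # sender -> recipient only

def encounter(a, b):
    """Two devices come within range; returns (receiver, msg_id) pairs delivered."""
    delivered = []
    for src, dst in ((a, b), (b, a)):
        for m in src.offers_to(dst.owner):
            if src.owner in dst.contacts and m.msg_id not in dst.store:
                dst.store[m.msg_id] = m
                delivered.append((dst.owner, m.msg_id))
    return delivered

def run_scenario():
    """Constructed scenario: Me invites X and Y to forum 'news'; S is a stranger."""
    me = Device("Me", {"X", "Y"}, {"X": {"news"}, "Y": {"news"}})
    x = Device("X", {"Me", "Y"}, {"Me": {"news"}})
    y = Device("Y", {"Me", "X"}, {"Me": {"news"}})
    s = Device("S")
    x.store["f1"] = Message("f1", "forum", "X", group="news")
    x.store["p1"] = Message("p1", "private", "X", recipient="Y")
    return [encounter(x, me), encounter(me, s), encounter(me, y), encounter(x, y)]

if __name__ == "__main__":
    print(run_scenario())
```

The forum post `f1` reaches Y through the intermediate device, while the private message `p1` stays on X's device until X and Y meet directly.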
Briar combats the following adversarial threats:
Monitoring, blocking, delaying or modifying traffic on long-range communication channels
Monitoring, blocking, delaying or modifying traffic on short range communication channels (Wi-Fi, Bluetooth etc.)
The network's standard cryptographic primitives can't be broken despite hostile agents having access to and using it, thereby eliminating their ability to interact with or influence regular users.
Moreover, Briar doesn't support screenshots. This is not just to protect you if anyone gets hold of your phone and wants to forward a screenshot, but also to protect you from Android, which can share screenshots between apps as well as collect metadata from your phone. (Signal also has this feature, but on Briar you can't switch it off!)
Briar supports image attachments and disappearing messages. On top of that, Briar lets you share its APK offline. This means people around you who do not have an internet connection can download Briar from your phone when you share it. It does this via a local hotspot when you share Briar with others from within the Briar app.
Another neat feature is sharing encrypted files and chats via an SD card or removable flash drive. This also gives you the opportunity to encrypt files during border crossings, and you can then decrypt your files via the Briar app upon arrival.
Briar lets you follow RSS feeds, which means that you can follow any blog or website that supports RSS. These feeds will be downloaded over Tor so no-one, not even the website owner for the feed, will know your real IP address.
A built-in Forum lets you post and share with others. In Forums, every user can add other Briar enabled contacts.
Here, only the admin can add users.
Briar has a built-in blog, you can write an entry and all your contacts can read it.
This feature lets you give two people in your contact list each other's contact info, so they can make their own connection in Briar.
Briar is the best and safest communication tool on- and offline. Unfortunately, it is not available on iOS (yet). It is, however, an app with no real rival when it comes to anonymity! In a serious situation or when disaster strikes it can be the app that makes a difference. We highly recommend it for journalists, activists and anyone else who needs something beyond the usual everyday messenger.