RE: Let's Talk About Secure Messaging Apps
There are only few things I dislike about Signal (even though it is still better than most other end-to-end encrypted messaging apps out there).
One is their annoying insistence of using phone numbers, which as you mentioned hurts privacy (especially with the app sending contact information on the phone to their servers to help with discoverability). It is nice that apparently as of December Wire allows usernames. However, I read that they are apparently using an older version of Open Whisper Systems' Double Ratchet protocol, which, short of actually studying in detail what does differences are, makes me a little bit nervous to trust compared to Signal's more battle-tested protocol.
Another, which I am not sure if any of these secure open source end-to-end encrypted messaging apps have currently resolved, is the need for a great user experience when using multiple devices while maintaining synchronization between them. If I am not mistaken, I think the Double Ratchet protocol makes doing this more complicated because there needs to be communication between the various devices to keep everything in sync. It should be possible to, for example, jump between laptop and mobile app to respond to messages in a conversation thread while maintaining end-to-end encryption and having the full identical copy of the conversation on both devices.
I would love to see a messaging application use the Signal Double Ratchet protocol but leveraging human-readable account names on a blockchain to establish the secure end-to-end encryption between the users rather than phone numbers or even usernames in a namespace managed by a central authority.
By the way, there are two properties relevant for messaging applications that you didn't bring up in your post: forward secrecy (so that future compromise of private keys does not need to leak past history, unless explicitly backed up) and plausible deniability (so that even the person you were communicating with does not have cryptographic proof they can show to others that you said any particular thing). The Signal protocol (and I guess Wire's protocol too as a result) have both properties. The trade-off with having forward secrecy is that if users want to have their conversation history backed up, it requires a more complicated process to do so. I am not aware if Keybase has plausible deniability. They have made the design decision to avoid forward secrecy for the sake of easier backup of conversation history, however they are apparently planning to add a special "exploding messages" feature which will have forward secrecy, which seems like an appropriate compromise.
Great points all around, @arhag, thanks! Yes, Wire's protocol is based in part on the Axolotl Ratchet, which was later upgraded to be the Double Ratchet, which is technically only part of the Signal protocol (as Double Ratchet only manages the cryptography, and not the key exchanges, etc etc). According to Wire, they went off-book from the official Axolotl protocol because they wanted to not require a phone number, and Axolotl (and Signal still today) use the phone number to provide some of their security guarantees, so removing it isn't trivial and takes some innovating.
And yes, I think I was clear that I do not regard Wire's protocol as being as secure, from a confidentiality and integrity standpoint, as Signal; however, Wire is much more available, what with it's easy and friendly usernames (rather than SUUUUUUPER finicky phone numbers in Signal, et. al.) and it's nice UI/UX. And all of that comes with the addendum that, AFAIK, Wire's protocol has not been seriously attacked, even after having been formally reviewed by a university's security department (they found a potential MITM vuln that the servers could exploit on video calls, I think, but MITMing video calls is tricky in its own right, and Wire said they knew about it and were planning to fix it; not sure if they have yet or not).
Yeah, Wire has an acceptable UX for adding more devices. I'm not sure about Signal's. On Wire, you can add a new device to your account at any time. If you or your contacts have previously verified all the keys in any conversation, Wire yells loudly and won't let you send messages in those conversations until you've confirmed that you know there's an unverified key in the conversation (even if it's supposedly your own key). New devices cannot decrypt old messages, only new ones going forward, so a new device gets nothing historical, and if people have been verifying keys, probably nothing new either. The place Wire really fails is when I add a new device, I ought to be able to verify it on one of my old devices, and then have the old device send a signed assertion to all my other devices/my contacts saying "Hey, old key you've already verified here, just letting you know that according to me, the new device is legit too." Now, the contacts can decide for themselves whether they accept that assertion, but in general there's no reason to assume that an old key is compromised just because a new device showed up on the account.
As to blockchain integration, yes yes a thousand times yes, I'd like to see this done really well too. Keybase might be it, but I haven't taken the time yet to look into it.
As to forward secrecy and deniability... Yeah, you'll note I actually never even talked about keys in my article. That alone warranted enough prose that I got scared off. There are so many posts that could be written and not even scratch the surface... Haha. And one can't properly understand forward secrecy and deniability without understanding keys (symmetric and asymmetric) at the very least.