A Private Conversation: Heml.is and Whistle.im
The modern concern with conversations is confidentiality. A private and secure conversation seemed a thing of the past until recently. Now there are several apps boasting an unbreakable, unhackable encryption and, thanks to the recent reveals from Edward Snowden, they have gained lots of tracks with the public.
Heml.is, engineered by the co-founder of the Pirate Bay bit torrent, is taken from the word “Helmis,” which is Swedish for secret. It is a text-messaging app that relies on XMPP with PGP for security. OTR it has yet to be released. But when it is, the software will be open source. However, unlike Cryptocat, which can be supported on any network as long as the user follows the proper set up of XMPP-BOSH and establishes a HTTPS proxy for BOSH, Heml.is will not be moved onto private servers.
The Pro's of Heml.is are:
- The design is quite beautiful, with an intuitive UI. The point of making this, according to the masterminds behind the privacy app, was to make this usable so those who are unfamiliar with cryptography and cyphers are able to encrypt messages as well.
- The .is domain gives Heml.is a great level of credibility. .is is a top level domain in Iceland, which is a country that is known not to cave in to pressure from foreign privacy laws as easily.
- The software is free and open source. The initial funding came from donations. The project was funded 100 percent in only 36 hours -- giving the developers enough for an initial release. There will be in-app purchases that will unlock certain features, which is how they will continue funding through the users, but there will be no ads, nor any selling of data, ala Facebook, to contend with.
The Cons of Heml.is are:
The server is private. Understanding that they are doing this so that they can ensure privacy and their claims of “even we can't spy on you” are reasonably reassuring. Even so, they have the server and the messages are logged until delivery. If it is not delivered, then the message remains on the server. Their developers are considering adding support for expiry.
It will only be released on limited platforms. Apple's iOS and Google's Andriod being the first. If the app preforms well and they are able to fund release on additional platforms as well but those are fairly large ifs. Currently there is no web based Helm.is.
It is not here yet so there is no way to test the software or view the source code for some time. The arrival date is “when it is done” with no real estimate of how long such an undertaking will require. While the developers behing Heml.is have been very vocal about their project with their blog and twitter accounts spouting out regular updates the release date remains as “soon”.
Whistle.im While You …
Whistle.im, which was created by a pair of German students in response to PRISM, is a web-based open source software that relies on an encryption mechanism with a bcyrpt authentication and TLS. The free messenger allows a username and sign in sans email verification or pin identification. Just make a User name and password on first login and don't forget them as they aren't stored. However, whistle.im seems to be what happens as a knee-jerk reaction from developers who possess a sudden and overwhelming want for privacy but are not sure how to go about achieving it.
The Pros of Whistle.im are:
- As long as you are using a privacy service like a VPN or TOR there should be no problem with keeping a confidential presence via whistle.im on the registration side. The software itself is still in beta so there could always be problems along the lines of Cyptocat's decryptocat.
- It's free and well designed so the environment is very user friendly. The Virtual Card is encrypted except to contacts and there is even a kill switch if the account has at any point become compromised. The contact search even works like an iPhone search making it very easy to use.
The Cons of Whistle.im are considerable:
- · The layout is nice but it is available on a very limited platform. There is no whistle.im for iOS nor is there even a fully functional app yet -- just a beta testing stage on Google Play. Getting a message to someone who is not at that screen at that precise moment would be quite difficult and would probably require messaging outside of the secured service to get them to check. For that level of inconvenience, an IRC channel would do the same for a lot less complication.
- The encryption is also in the Beta testing stage. They have end-to-end 2048 bit cryptography that seems functionally secure but even the developers will admit that this is a young project and the web security via instant messaging is a new and hot topic. According to the GitHub, the developers have set up the message is relayed via a public key through a TLS to their server and redistributed to the other user via a private key. To do this the service provider has to deliver the service key and if a fake service key is delivered than all messages via the server can be decrypted and read.
- Even more worryingly are the large holes in security that are very open to attack when the source code is put to scrutiny. Whistle.im could see a lot Man in the Middle server attacks or even users of this software could find their conversations hijacked. Without their SSL certificates being checked for validity if someone is determined to read the messages on this server there is not going to be a shortage of ways to try.
In all, it seems like we are still waiting for a completely secure messenger. Until then some conversations that should be kept private might need to go old school. The Postal Service could always use the business!
(Note: Opinions expressed in this article and its replies are the opinions of their respective authors and not those of DZone, Inc.)