Messaging Protocols

Step-by-step guides and detailed information on secure messaging apps for Android, iOS, Windows, Mac and Linux.

Some protocols are used by many applications, so all the applications that use these protocols will share the same features.

Protocol: Tox
Communication types: Text, voice, video, screen sharing, file sharing
Encryption protocol: NaCl
Shared Secret exchange: ECDH25519
Message Encryption Cipher: XSalsa20
Business model: Free open source project
Perfect forward secrecy: Yes
Messages stored on server: Never
Websites: toxcore source
Last tested: 8/09/2020
Notes:

toxcore was forked to continue development

Several clients are available and are developed independently of the core: Clients list.

Be careful on Android: Antox is listed on the official website as a client, but it was last updated in 2018. I found the client TRIfA on F-Droid, which is very feature complete and recently updated.

On macOS the qTox client works very well, and lets you choose where to save documents you receive from other Tox users. This lets you choose an encrypted file system if you wish to protect these files.

I was able to place a video call between TRIfA and qTox (on the same network).

Tox uses the NaCl Box model for encryption:
  • Diffie-Hellman key exchange using Curve25519
  • These keys are hashed to derive a shared secret
  • The shared secret is combined with a unique nonce to encrypt the message
  • Poly1305 is used to create a message authentication code
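The first two steps of the list above, as an added pure-Python illustration (not Tox or NaCl source code, and not constant-time): the Curve25519 exchange, then the hash that turns its output into the box key. In NaCl that hash is HSalsa20 over 16 zero bytes; the function names are chosen here (`box_beforenm` after NaCl's `crypto_box_beforenm`), and the keys are the public test values from RFC 7748, section 6.1.

```python
# Added illustration, not Tox/NaCl source. Pure Python, not constant-time.
import struct

P, A24, MASK = 2**255 - 19, 121665, 0xFFFFFFFF

def x25519(scalar: bytes, u: bytes) -> bytes:
    """Curve25519 Diffie-Hellman: the Montgomery ladder from RFC 7748, section 5."""
    k = (int.from_bytes(scalar, "little") & ((1 << 254) - 8)) | (1 << 254)  # clamp
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):
        bit = (k >> t) & 1
        if swap ^ bit:
            x2, z2, x3, z3 = x3, z3, x2, z2
        swap = bit
        a, b, c, d = x2 + z2, x2 - z2, x3 + z3, x3 - z3
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        e = aa - bb
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    x2, z2 = (x3, z3) if swap else (x2, z2)
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

_QR = [(0, 4, 8, 12), (5, 9, 13, 1), (10, 14, 2, 6), (15, 3, 7, 11),  # column round
       (0, 1, 2, 3), (5, 6, 7, 4), (10, 11, 8, 9), (15, 12, 13, 14)]  # row round

def hsalsa20(key: bytes, nonce16: bytes) -> bytes:
    """The hashing step: 20 Salsa20 rounds, no feed-forward, 8 of 16 words kept."""
    c, k, n = (struct.unpack("<%dI" % (len(b) // 4), b)
               for b in (b"expand 32-byte k", key, nonce16))
    x = [c[0], *k[:4], c[1], *n, c[2], *k[4:], c[3]]
    for _ in range(10):  # 10 double rounds
        for a, b, c2, d in _QR:
            for dst, s1, s2, r in ((b, a, d, 7), (c2, b, a, 9), (d, c2, b, 13), (a, d, c2, 18)):
                v = (x[s1] + x[s2]) & MASK
                x[dst] ^= ((v << r) | (v >> (32 - r))) & MASK
    return struct.pack("<8I", *(x[i] for i in (0, 5, 10, 15, 6, 7, 8, 9)))

def box_beforenm(their_pk: bytes, my_sk: bytes) -> bytes:
    """Box key = HSalsa20(X25519(my_sk, their_pk), 16 zero bytes)."""
    return hsalsa20(x25519(my_sk, their_pk), bytes(16))

# Public test secret keys from RFC 7748, section 6.1 (not Tox keys).
ALICE_SK = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
BOB_SK = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
BASE = (9).to_bytes(32, "little")  # Curve25519 base point u = 9
ALICE_PK, BOB_PK = x25519(ALICE_SK, BASE), x25519(BOB_SK, BASE)
```

Both sides calling `box_beforenm` with their own secret key and the other's public key get the same 32 bytes, and that value, not the raw Diffie-Hellman output, is what keys the XSalsa20 and Poly1305 steps.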

Information provided by JR

What is leaked to the world:
- Your IP address and the time you are online are revealed to your contacts. When chatting to another contact, you are connecting directly to them.
- Tor activity for contact finding.
- Not sure what else? There may be more. Going to have to read the documentation.

My verdict: Try it!

Tox has a lot of promise. The clients need more polishing, but they are available for most platforms, which will help adoptability.
You may need to carefully test the clients you use and ask what clients your contacts are using to be sure these apps do not leak data. The protocol may be excellent, but if the apps do not handle the information properly once decrypted, that compromises security.

Protocol: XMPP with OMEMO
Communication types: Text, group chat, photos, files
Encryption protocol: Signal
Shared Secret exchange: ECDH25519
Message Encryption Cipher: AES-128
Business model: Nonprofit XMPP Standards Foundation
Perfect forward secrecy: Yes
Messages stored on server: Yes
Websites: Getting Started
Last tested: 12/01/2018
Notes:

XMPP is a messaging protocol upon which many applications are based. XMPP uses a federated server system, in which a user creates an account on an XMPP server. Any XMPP-compatible application can be used to connect and communicate through the XMPP server to other users on any other XMPP server.

XMPP was not originally designed with encryption; however, encryption functionality has been added in the form of OMEMO messaging.
OMEMO Clients:
[Information provided by JR]

What the server sees:
- Your plaintext chats unless you use encryption such as OTR, PGP, or OMEMO.
- Your contact list is saved to the server in plaintext
- Precise time you logged in or out
- Precise time you sent any messages to a contact and what messages they send you.
- Whether you are online or not, and your status.
- Who you contacted, when, and how frequently.
- Hash of your password.

Excellent cryptographic analysis
XMPP Server Compliance Results

My verdict: A great option for a wide base of users. However, beware of data leakage.

XMPP is a protocol, and clients are built on top of it, so there are many options across all platforms, which will help adoptability.
One drawback is that the clients are all different, so there is a lack of consistency in experience and features across platforms. Also, you do not know which client your chat partner is using, so even if you use a secure client on your device, you have no guarantees that they are using a secure client.