Last I knew it was strongly suspected that Skype could look at your messages. iMessage doesn't pass the mud puddle test, indicating Apple can look at your messages. FaceTime should probably be considered suspect, but I don't know of any articles that demonstrate how the key exchange is handled. BlackBerry also modified their messaging app to be able to give info to LE. Telegram doesn't have open source server code and uses home-rolled crypto. Was Telegram even properly audited?

I would also recommend categories for what metadata is exposed; if messages are encrypted at rest on your device; cross platform ubiquity.

You should include Bitmessage and I2P-Bote.

I am glad that this is only the first step but I do think that you shouldn't have done it alphabetically but rather by score and usability.

It wasn't clear to us whether the NSA intercepts Skype by breaking the crypto, or by compelling injection of false public keys in order to perform a man in the middle attack. In the latter case it's the third checkmark (lack of ability to verify keys) that's their users' undoing. We're talking to Microsoft about that at the moment, and may revise that entry.

There's a weird case around iMessage and any tool that is provided by an OS vendor. I think we need to add a note about this, but in those cases that company could inject malware or a backdoor either in the messaging system or somewhere else in the OS. Since we're trying to tackle one hard problem at a time (secure messaging but not secure operating systems and software distribution) there should be an extra caveat about offerings from OS vendors.

The only tool that gives strong metadata protection right now is Pond, and we aren't listing unusable tools that aren't out of beta yet. We considered but haven't yet included Bitmessage for the same reason.
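An added illustration of the key-substitution point raised in the comment above (example code written for this thread, not from the scorecard or from any product): a server that relays public keys can hand both parties its own key and read everything, and only an out-of-band fingerprint comparison (the scorecard's "verify contacts' identities" column) catches it. The Diffie-Hellman group here is a constructed toy, far too small for real use.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group (constructed for illustration only; not a vetted
# group and nowhere near large enough for real use). P is 2^127 - 1.
P = (1 << 127) - 1
G = 3


def keypair():
    """Return (private exponent, public value) in the toy group."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def fingerprint(pub):
    """Short hash of a public key, meant to be read aloud or compared in person."""
    return hashlib.sha256(pub.to_bytes(16, "big")).hexdigest()[:16]


def shared_secret(priv, peer_pub):
    return pow(peer_pub, priv, P)


def exchange(server_substitutes):
    """Alice and Bob fetch each other's public keys through a relay server.

    Returns whether out-of-band fingerprint verification passes and whether
    the server ends up holding the session secret. With an honest server the
    two agree on a secret the server lacks; with a substituting server each
    side unknowingly agrees on a secret with the server instead.
    """
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    if server_substitutes:
        m_priv, m_pub = keypair()          # the server's own key pair
        pub_alice_sees, pub_bob_sees = m_pub, m_pub
        server_can_decrypt = (shared_secret(a_priv, pub_alice_sees)
                              == shared_secret(m_priv, a_pub))
    else:
        pub_alice_sees, pub_bob_sees = b_pub, a_pub
        server_can_decrypt = False        # the server never held a private key
        assert shared_secret(a_priv, pub_alice_sees) == shared_secret(b_priv, pub_bob_sees)
    # Each side compares the fingerprint it received with the one its peer
    # states over a channel the server does not control.
    verified = (fingerprint(pub_alice_sees) == fingerprint(b_pub)
                and fingerprint(pub_bob_sees) == fingerprint(a_pub))
    return {"verified": verified, "server_can_decrypt": server_can_decrypt}
```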


Question asked in good faith: does it really matter to a given user exactly how adversaries are successfully attacking Skype? Shouldn't some of the things that we've already seen disclosed (e.g. that NSA gained significant, at-scale capabilities against Skype right after it was acquired by Microsoft) be enough to invalidate essentially any crypto-related promises the company may assert, or even those that an audit might support? If not, I think it's at least worth making a distinction between products with known backdoors and products without them. Today's TAO attack is tomorrow's PhD thesis, etc.


There's an article where Skype parses URLs out of the chats and visits them to "check for malware". Certainly they can see them.


I disagree that the only tool that gives strong metadata protection is Pond. I2P-Bote, Bitmessage, and ChatSecure over Orbot at least advertise themselves as giving metadata protection by design. Though I didn't realize Bitmessage was in beta still.

The iMessage issue isn't related to iMessage being developed by the same company that handles the OS. It is that Apple holds the decryption keys for your messages; this is security by policy not security by design. http://blog.cryptographyengineering.com/2013/06/can-apple-re...


iMessage absolutely does pass the mud puddle test.

What fails the mud puddle test is data stored in iCloud backups.

If you don't use iCloud backups, say goodbye to your iMessages because they are only stored on the device.
