Secure Messaging#
Reference of end-to-end encrypted messaging applications, the underlying protocols, and the threat models they cover (and don’t). Operator concerns are usually metadata, key verification, multi-device sync, group MLS support, and forced-update / key-rotation behavior during account compromise.
For broader cryptographic context, see Cryptographic Primitives. For threat actors who target messaging compromise, see Hacker Groups.
End-to-end encrypted apps#
App |
Protocol |
Org |
Notes |
|---|---|---|---|
Signal |
Signal |
Signal Found. |
Reference E2EE; X3DH + Double Ratchet; Sealed Sender; private contact discovery; phone-number-based; group MLS in progress. |
Signal Protocol |
Meta |
~3B users; metadata to Meta; backups optional E2EE; closed source. |
|
iMessage |
Apple |
Apple |
Per-device keys; 14B+ devices; iCloud backups + ADP = E2EE; PQ3 (post-quantum) since iOS 17.4 / Mar 2024. |
Facebook Messenger |
Signal Protocol |
Meta |
E2EE default since Dec 2023; rolled out gradually. |
Google Messages |
Signal Protocol |
RCS Universal Profile + Signal-derived E2EE for 1:1 + group; Messages app only; ad-supported. |
|
Wire |
Proteus / MLS |
Wire |
Signal-derived; multi-device; commercial enterprise tier. |
Threema |
NaCl |
Threema |
Anonymous IDs; Swiss; paid; OSS clients; Threema Work. |
Element / Matrix |
Olm / Megolm |
Matrix.org |
Federated; Element client; cross-signing; verified devices; bridges to Slack / Discord / IRC. |
Session |
Session Protocol |
Oxen Privacy |
No phone or email; Lokinet-onion routing; Loki-based. |
Briar |
Bramble |
Briar Project |
P2P over Bluetooth / WiFi / Tor; android-only historically; censorship-resilient. |
SimpleX Chat |
SimpleX |
SimpleX Chat |
No global IDs; per-conversation queues; XMPP / SMTP inspiration. |
Status |
Status Network |
Status |
Decentralised; Ethereum-based identity. |
Berty |
Berty |
Berty |
IPFS-based; offline-first. |
Cwtch |
Cwtch |
OPS Privacy |
Tor-based; metadata-resistant. |
DeltaChat |
OpenPGP / IMAP |
Delta Chat |
Email-as-transport; PGP keys. |
Tutanota |
n/a (Tutanota) |
Tutanota Mail |
Encrypted email; not classic chat. |
Proton Mail / Wire |
OpenPGP |
Proton AG |
Encrypted mail + chat (Proton Wallet / VPN bundle). |
Skred |
n/a |
Skred |
No-account encrypted messaging. |
Wickr Pro / Me |
Wickr Protocol |
Wickr (AWS) |
Originally enterprise; sunset for consumer. |
Olvid |
PSIM |
Olvid |
No identifier; QR-pairing; FR. |
RetroShare |
PGP / DH |
RetroShare |
F2F P2P with onion-style routing. |
Mainstream non-E2EE-default#
App |
Notes |
|---|---|
Telegram |
“Secret Chats” only are E2EE; default cloud chats are server-side encrypted but accessible to Telegram. MTProto v2; Russian origin; channels + bots; widely used for both legitimate broadcast + OPSEC-poor private chats. |
Discord |
TLS in transit; no E2EE; voice/video uses DTLS-SRTP; Discord can read messages. |
Slack |
TLS; KMS / EKM available; Slack can read messages. |
Microsoft Teams |
TLS; E2EE for 1:1 calls only. |
Google Chat |
TLS; no E2EE. |
Server-mediated; subject to Chinese regulation; limited in foreign use. |
|
LINE |
Letter Sealing E2EE optional; default not E2EE. |
Viber |
E2EE for 1:1; group chats not by default. |
Snapchat |
Snaps E2EE; Memories not. |
Instagram DMs |
E2EE on by default for 1:1 since Dec 2023. |
KakaoTalk |
KR; “Secret Chat” is E2EE; default not. |
CN; not E2EE; subject to regulation. |
Underlying protocols#
Protocol |
Notes |
|---|---|
Signal Protocol |
X3DH (key agreement) + Double Ratchet (forward + post-compromise security); the de-facto standard. |
MLS (RFC 9420) |
Messaging Layer Security; IETF standard for E2EE groups; tree-based key derivation; scales to thousands. |
OMEMO (XEP-0384) |
XMPP E2EE based on Signal Protocol. |
OTR / OTRv4 |
Off-The-Record (legacy); deniability + perfect forward secrecy. |
OpenPGP |
IETF RFC 9580 / RFC 4880; the email + file standard; weaker forward secrecy. |
S/MIME |
X.509 + CMS; enterprise email; no FS. |
PQ3 (Apple) |
iMessage post-quantum protocol; uses Kyber768 + ECDH (HPKE-style); hybrid; Mar 2024. |
Proteus (Wire) |
Signal-Protocol Rust port. |
Olm / Megolm |
Matrix’s Signal-derived 1:1 + group ratchets. |
Bramble (Briar) |
Custom transport over TCP / Tor / Bluetooth / WiFi. |
Lokinet / Onion |
Session uses Loki-based onion routing. |
SimpleX |
No long-lived IDs; per-message anonymous queues. |
Key verification UX#
Mechanism |
Notes |
|---|---|
Safety numbers |
Signal; per-pair fingerprint; QR or read-aloud. |
Security numbers |
WhatsApp; same idea. |
Cross-signing |
Matrix; sign your other devices once; trust transitively. |
Verified devices |
Wire / Threema; per-device keys. |
Authentication ceremo ny |
Generic IETF term for any out-of-band fingerprint exchange. |
Trust on First Use |
SSH-style; weak but common. |
Web of trust |
PGP; signed key exchanges in person. |
Key transparency |
Apple PQ3 + WhatsApp + Google; published log of (account → key) bindings; user can audit. |
Threat models / adversary#
Property |
Notes |
|---|---|
Confidentiality |
Only intended recipients can read. (Most apps above.) |
Integrity |
Cannot be tampered with by network attacker. |
Authentication |
Sender is who they say they are. |
Forward secrecy |
Past messages stay private if a key is compromised later. |
Post-compromise sec |
Future messages stay private if a key is compromised once. |
Deniability |
Recipient can’t prove who sent the message. |
Metadata privacy |
Server doesn’t see who talks to whom (Signal Sealed Sender, Session, SimpleX, Cwtch). |
Censorship resistance |
Works without central server (Briar, Cwtch, RetroShare). |
Anonymity |
No phone / email / persistent ID required (Session, SimpleX, Cwtch, Briar, Threema). |
Multi-device |
Fan-out and ratchet sync without breaking FS / PCS. |
PQ-secure |
Apple PQ3, Signal PQXDH (PQ-secure key agreement, Sept 2023). |
Operational pitfalls#
Backups can leak everything. WhatsApp Google Drive backup, iMessage iCloud backup (without ADP), Signal cloud-save, review backup posture; ADP / E2EE backups must be enabled explicitly.
Multi-device complicates verification. Re-verify each new device.
Phone-number leakage. Signal / WhatsApp expose your number to everyone you message. Username support added in 2024.
Sealed Sender still leaks recipient to Signal server for delivery.
Telegram Secret Chats are device-bound, they don’t sync across devices. Group chats are never E2EE on Telegram.
Metadata is the win. Even E2EE leaves rich metadata (who, when, how often, group membership). Metadata- resistant designs (Session, SimpleX, Cwtch, Briar) trade UX for less-correlatable comms.
Force-add to groups is a known abuse vector (WhatsApp / Signal). Restrict who can add you to groups.
Disappearing messages trim retention but not server metadata or screenshots.
PQ migration, Signal PQXDH (Sept 2023) and Apple PQ3 (Mar 2024) are partial; full PQ secure key agreement is now the bar; long-lived ratchet keys still classical in many implementations.
Hardening#
Verify safety numbers / cross-signing for every contact who matters.
Disable cloud backups, or require a strong recovery key (Signal PIN, ADP, Wire passphrase).
Use disappearing messages (matched to mission needs).
Restrict screen sharing / clipboard managers when sensitive conversations are on screen.
Don’t bridge sensitive Matrix rooms to Slack / Discord unless every party agrees.
For source / handler pairs: SecureDrop / OnionShare > any consumer messenger.
Consider air-gapped + Faraday devices for top-tier sources.
Replace devices on suspected compromise; don’t migrate installs.
References#
Whisper Systems / Open Whisper Systems history