Enlarge (credit: Confide)
A pair of damning advisories independently published Wednesday raise serious questions about the security assurances of Confide, a messaging app that’s billed as providing “battle tested, military grade” end-to-end encryption and is reportedly being used by individuals inside the US government.
One of bulletins, published by security firm Quarkslab, warned that current versions of Confide—including those available for Macs, PCs, iPhones, Android devices, and Apple Watches—don’t provide true end-to-end encryption at all, at least as that term is commonly defined. Unlike competing secure messaging app Signal—which prevents even authorized insiders from accessing the keys needed to decrypt messages—Confide engineers, or people who hack the Confide service, can easily create keys that can be used to decrypt messages as they’re sent in real time.
Quarkslab researcher Jean-Baptiste Bédrune tested Confide and found that the main encryption layer protecting messages in transit is transport layer security (TLS), a protocol that’s trivial for authorized people inside Confide to turn off. TLS has faced its share of bypass hacks over the more than two decades it has been in use. In Wednesday’s post Bédrune wrote: