Confide, a Favorite App of the White House, May Not Be Secure

A New York City based start-up company, Confide, offers a text messaging system “with encrypted messages that self-destruct.” You can download the app at getconfide.com

Confide lets its users “discuss sensitive topics, brainstorm ideas or give unfiltered opinions without fear of the Internet’s permanent, digital record and with no copies left behind.” “Messages disappear forever after they are read once, making them as private and secure as the spoken word.”

What a description! Everyone’s dream come true, right? Certainly a perfect app for individuals wanting to communicate about classified information, military plans, or other top secret information.

It is no surprise, then, that Donald Trump and members of the White House staff allegedly use the Confide text messaging app.

Is Confide really secure?

An article in CyberScoop, an online cybersecurity news site, asserts that many of the claims made by Confide are not valid: https://www.cyberscoop.com/confide-favorite-app-trumps-white-house-triumph-marketing-substance/

Which security protocol: SSL or TLS 1.2

First, it is unclear if the Confide application uses SSL 3.0 (Secure Sockets Layer) or its more robust and secure successor, TLS 1.2 (Transport Layer Security version 1.2)1

The author cites a security researcher:

“To encrypt messages, Confide uses OpenSSL … The OpenSSL version the app may use, 1.1.f, dates back to January 2014 and has been obsolete and broken for years. … The full scope of facts on how Confide works are not yet entirely clear due to the lack of transparency.”

Note the use of the word “may” above. No one knows for certain (except for the Confide software engineers) the protocol version used by the Confide app.

While it is certainly true the earlier versions of OpenSSL contained flaws, vulnerabilities and weaknesses, the most recent version of the OpenSSL library also implements TLS. Thus, the Confide app would be “TLS capable”. Furthermore, if the apps only ever speak to each other, then it is very easy for the programmers to force the apps to select only TLS 1.2 and the cipher suites of their choice.

Man in the Middle Attacks (MITM)2

The author also cites another security researcher: “The whole point about TLS is that it can be attacked by man-in-the-middle attacks.”

However, the cited articles concerning MITM attacks do not seem to support this claim. The MITM tools referenced in the article did not actually attack TLS. None of them would have necessarily been useful or relevant to a specialized app like Confide.

All applications that fail to perform the critical step of validating credentials are vulnerable to MITM. The article suggests that TLS is somehow unique in this property; it is not.

Of course any security protocol can be implemented improperly. That’s why we recommend testing to find and fix bugs in the TLS stack or engine. Testing ensures that the TLS implementation is sufficiently robust so that it is not vulnerable to the wide range of attacks in today’s Internet.

IWL encourages the Confide staff to be more forthcoming and transparent with the technologies incorporated in the Confide app, and to perform exhaustive testing and report on the results.

Footnote 1: Definition of TLS – Transport Layer Security: https://en.wikipedia.org/wiki/Transport_Layer_Security

Footnote 2: Definition of a MITM – Man In the Middle Attack: https://en.wikipedia.org/wiki/Man-in-the-middle_attack

Simple illustration of how MITM attacks work: https://wordtothewise.com/2014/09/cryptography-alice-bob