The messaging app Confide got a big publicity boost from Donald Trump’s use of it. It does seem like a useful tool for highly confidential communication, if it works well. (Also for evading public records requirements.) It lets you read a message only once, a line at a time, with no going back. But it’s valuable only if it’s really secure, and some people have disputed that.
Patrick O’Neill, writing on Cyberscoop, claims the application is “profoundly insecure.”
To encrypt messages, Confide uses OpenSSL, according to a preliminary independent review of the software by Jean-Philippe Aumasson, the principal research engineer at Kudelski Security. The OpenSSL version the app may use, 1.0.1f, dates back to January 2014 and has been obsolete and broken for years. This version is vulnerable to the Heartbleed bug that was disclosed in April 2014. The full scope of facts on how Confide works is not yet entirely clear due to the lack of transparency.
An article on The Register agrees there are security issues, at least by strict government standards:
The software appears to use OpenSSL 1.0.2j, which was last patched for security bugs in September 2016 and isn’t FIPS 140-2 validated. That should rule it out of government use right off the bat, we’re told.
Some people are nervous because Confide’s code isn’t open source, so it’s difficult to tell exactly how it works. It’s interesting that the two articles don’t agree on what version of OpenSSL it uses, even though both are dated February 15. Some reflexive thinking may also be in play: “If Trump uses it, it can’t be trustworthy.”
To its credit, Confide has a page for reporting vulnerabilities.
With reports of ICE agents forcing citizens to unlock their phones at the border, Confide sounds attractive for its automatic deletion of messages. Whether its communication security is up to par is an open question.