A cemetery of instant messengers, which must include Skype, Viber, WhatsApp, Hangouts, ooVoo, Apple iMessage, Telegram, Line, Facebook messenger and hundreds more instant messengers who just have to go out soon.

The terrifying situation that has developed in the field of Internet communications, the threatening prospect of developing tools for instant messaging, audio-video calls and the annoying disputes about what kind of messenger is good, proper and safe pushed me to write this text.

Recent years, the competition in the market of instant messengers as never before. Accessible Internet for everyone in the smartphone has allowed instant messengers to become the most frequently used applications. Only the lazy one is not writing his instant messenger. Every day comes a new application that promises to make a revolution in the ways of communication. It even reaches the point of absurdity, like the Yo application, which allows you to send only one word to each other.
Each messenger has its own audience, agitating to use exactly their favorite service. As a result, you have to get a bunch of accounts in various services and install a bunch of applications to be able to quickly contact all the necessary people.
')
The current situation is so terrible that in the long term it threatens the fundamental principles of communication. In this article, I will try to convey one thought with concrete examples:

_ Why is such an important technology for humanity, like instant messaging and audio-video calls, cannot be monopolized by any company. How it hinders the development of technology, threatens the freedom and security of communications.

I must say at once that I do not suffer from the open source brain, and I do not have any phobias about proprietary products, I myself use closed programs and protocols. The specific examples described below are provided solely to demonstrate the problems of the existing centralized architecture. I do not hate at all these products and companies, and, on the contrary, I believe that they can easily evolve. Only the existing model of their work should die.



The Internet, as we know it today, exists thanks to open standards. All levels of network interaction, starting with the physical (signal coding by wire, radio, optical channels) and up to the application level of applications (HTTP, E-mail) are open and accessible to anyone. Anyone can write your website, browser, email client. You do not need to ask someone for permission, buy patents or enter into contracts.
That is why we have many operating systems that can work with the Internet, and a variety of devices and applications that support popular protocols.

Imagine that an email could only be sent from Outlook to the same Outlook, but not to Gmail. And before sending an email, you would need to find out what the recipient has a mail client. Or, for example, voice calls from a mobile would work only between phones of the same manufacturer. That is, you could only call from Samsung to Samsung. Absurdity, isn't it?

This is exactly what the situation now looks like when you need to contact someone in a chat or make an audio-video call over the Internet. It is ruled by commercial companies whose goal is to reach the maximum audience. Therefore, each messenger is made isolated from others, and companies are zealously fighting for their users.

The thing is that at some point open standards have ceased to keep pace with user needs, and commercial companies have been able to offer much more attractive solutions. This ensured the huge popularity of commercial messengers. For example, at the time of dial-up, none of the competitors could provide such a quality of voice communication as in Skype, and even for free! Today, according to various sources, Skype accounts for about 40% of international calls.

With the massive proliferation of smartphones, a second wave of instant messengers spread. People gradually realized that paying huge money for one SMS is unfair, if you can chat all day in the alternative messenger for the same money. So, the once large SMS market began to deflate.
The same fate inevitably awaits telephone calls at some point. Mobile operators understand this and try to delay this moment as far as possible. First, they try to block VoIP-services in their networks, and then completely disguise themselves: MTS will launch an alternative to Skype

The situation is somewhat similar to the struggle of copyright holders against piracy: first with the possibility of home recording on audio tapes, VHS and CDs, and later with piracy on the Internet through the introduction of new-fashioned DRM , the adoption of laws like the DMCA . Which in the end ended in almost complete loss.

But mobile operators are part of very influential telecoms, which own a significant share of Internet channels. Therefore, most likely, the process of refusal of SIM-cards and voice services of the operator will be painful and long.
However, progress in this direction is already there. Developed by Samsung and Apple, the e-SIM standard will allow you to choose an operator directly in your phone, without having to insert a SIM card. As a result, the process of connecting to a new operator will not be more difficult than subscribing to a music service - including the phone you just bought, looked at the list of operators available in this region, chose the appropriate tariff, paid with a credit card and went.
In such circumstances, users will want to always keep their phone number. That number should have been iNum , which, I think, failed. Perhaps, instead of a phone number, there will be an ID in your favorite messenger communicator. Obviously, in this case, the user does not need anything other than the Internet from the operator. Therefore, a public request for the services of operators will sound something like this: "Give me access to the Internet and roll back with your additional services." Already, one can see the indignation of users using SIM cards in tablets exclusively for the Internet, when operators send them subscriptions to paid services, horoscopes, anecdotes, SMS packages, etc. In the future, this feeling will be formulated more clearly.


______________________________ Archimedes gropes for a foothold

It can be seen how in such conditions the influence of instant messengers increases. From the alternative, the instant messenger is transformed into the dominant means of communication. It is terrible to imagine what will happen if the current trend continues, and we will have hundreds of isolated, incompatible programs.

_ Why in no case should Skype, Viber, WhatsApp, Telegram, Hangouts and other proprietary handicrafts be the dominant global messenger.

In order to understand the danger of a monopoly in the technological sphere, you can look, for example, at business solutions that only work in Internet Explorer, which is why a frankly bad product has to be supported and used everywhere.
Or on the formats of electronic document management. Since the moment was missed, the proprietary doc took the dominant position, and there is still no single standard for electronic document management.

The media often raises the question: what kind of messenger is “protected” in reality? This usually refers to the security of the transport protocol, which in most cases is ridiculous, because, in addition to the secure protocol, there are still a large number of entities that may contain vulnerabilities.
Whether a specific messenger is safe or not - the question is wrong until a specific threat is indicated. Security is not a finished product, but a whole complex of technologies and architecture, and each threat must be considered separately.

Skype

I have been using Skype for about ten years. I have the second most frequently used program after the browser.
For me, Skype is more than just IM, I conduct working negotiations in it, I communicate with friends, I make new acquaintances in public skype conferences.
Skype completely replaces social networks for me, I do not even have an account on VK and Facebook, because it is more pleasant for me to see and hear the interlocutor.

I use all the features of Skype to the maximum: group video calls, desktop demonstration, chats, file transfer, calls to regular phones, SMS, direct numbers for rent, subscriptions.

I tried all the Skype development tools: Skype4Com, SkypeKit SDK.
I have experience working with Skype solutions for integration with VoiP business systems, such as Skype for Asterisk and Skype Connect.
I actively tried to improve Skype, wrote reports about problems and found vulnerabilities in the bug tracker until it was closed. In particular, I found two critical errors that allow you to remotely trigger the termination of the Skype client for Windows.

I really love loved Skype, and I think I have enough experience and moral right to write all this.

Why is Skype cool?

Today, Skype is the most advanced program in its class, which is an order of magnitude superior to all the closest competitors, and here's why:

• Sound quality.
  According to my observations (and I tried enough), other things being equal, Skype always has the best sound quality. And it's not just about bitrate (although the SILK codec is great), because of the dynamic routing, Skype gives minimal latency, so with a low Internet quality it gives the best result. Any SIP even nearby did not roll. At this point, many may say: “But we have HD codecs in SIP!”, However, with the proviso that in real life they work through time. About this next item.
  Echo cancellation Skype allows me to bring a voice to the speakers, while the interlocutor does not even understand it. Only in Skype I can turn on the loudness of the speakers and hear / answer from another room without the slightest hint of echo.
  
• Armor piercing and durability
  Skype - devilishly cunning program that can prolazit through any sophisticated firewalls, poorly configured NAT-s and blocking.
  In whatever strange conditions you are, even if the Internet is limited to tcp-requests to port 80 and 443, Skype is still likely to work. I often observed situations when Internet access is blocked, but the cunning Skype still works, because I managed to find a neighbor on the physical network that has the Internet, and went through it. All other programs can only dream of such flexibility.
  Against this background, nagging SIP-providers about the fact that you have poorly configured NAT, does not pass RTP, UPnP / NAT-PMP does not work correctly, it looks just ridiculous.
  
• Encryption
  It is important for me that my communication is protected from interception and analysis. And even despite all sorts of Microsoft Government Security Program, according to which, at the request of special services, all the necessary data can be transferred to interested authorities, I can be sure that at the network level no provider is able to intercept my conversations, even if newfangled DPI systems are Difficulties with Skype traffic.
  It is encryption at the network level that many messengers present as a function that makes the program secure. Next, I will consider why traffic encryption is not synonymous with security.
  
• Stability
  Skype on the desktop, at least on Windows and OS X, is very stable and rarely crashes. This allows you to keep active video calls without interruption for several days. In this case, with a small load on the CPU, in contrast, for example, to solutions on WebRTC, which load the processor and are terribly unstable.
  
• Functionality and convenience
  A huge functionality: group video calls, screen sharing, file transfer, the ability to edit the last sent message (!), Outgoing to regular phones. All this in the standard package as a convenient customer. No plugins or extensions.
  

Why should Skype die?

• Unsafe
  Not just unsafe, but extremely dangerous!
  Skype still reveals your IP addresses, including local ones. From this data, you can find out your current location and build a map of movements.
  While there was a public bug tracker, it was possible to observe how Skype has been fixing a vulnerability for a remote DoS client for Windows for over a year.
  Vulnerability that allows you to remotely unlock the microphone off, repaired about six months.
  I had to literally beg the developers to pay attention to the vulnerabilities, because of which it was impossible to use the program.
  
  When a vulnerability was published that allowed hijacking any account that email was known for, I tried to get to the support for 24 hours, but I could not. But hacked accounts Alexei Navalny and Anton Nosik .
  By the way, after this incident, Skype has not revised its account registration policy without confirming mail. You can still specify any mail during registration and accounts will be displayed during the search, which allows you to spam the search results if you look for an account by email.
  
  At the time of this writing ( !!! ), I know at least two vulnerabilities that allow irreversibly blocking someone else’s Skype account so that the victim will no longer be able to use it. In this case, it is enough for an attacker to know only the login of the victim, no mail and passwords are needed. Again, I could not get through with this problem to support and wrote on their forum . The problem is still not fixed.
  There is no way to reach a qualified support, all the letters are wrapped in the Indians who quote the FAQ and do not want to believe that the problem is really on their side and need to be passed on to the developers.
  
  So, despite the fact that Skype is positioned as a secure messenger, and its transport protocol is really safe, it is not just unsafe, but frankly dangerous. Because of the size of the bureaucracy within the company, real security problems are resolved for a very long time, but in each new version a dozen new video emoticons are added.
  
  From this the conclusion follows:
  
  

  secure transport protocol does not make the messenger safe

  
  It is important to keep this in mind when reading the next marketing nonsense about triple levels of encryption, key length, military grade security and other nonsense unrelated to real security.
  
  
• Closeness and unpredictability
  It is impossible just to take and write an alternative Skype client, because its protocol is closed and often changes. Therefore, on what devices will work Skype, decides only the company itself. Some time ago there was SkypeKit SDK, which allows you to develop a client for integration into your own devices. To do this, it was necessary to sign several documents on non-disclosure, promise not to run skypekit on the server, issue a personal certificate (which, if anything, could be revoked), and it was possible to proceed with the development. But then the company changed its mind and decided to withdraw support for skypekit and block all existing purchased versions. The same happened with Skype4Com, and with Skype for Asterisk. Therefore, if you decide to integrate Skype support into one of your products, be prepared that tomorrow it may stop working, and all development efforts will be in vain.
  The situation is similar with the desktop client interface. After the release of the next new version, you have to find a way to turn off the crazy fantasies of marketers like video smileys on a half-screen, missing volume buttons, and more.
  It’s impossible to predict what Skype will come up with tomorrow, and that’s scary.
  

Such a great deal of attention is paid to Skype because it can be considered the flagship in the messenger communicator industry. He has the richest functionality and competitors are still very far from him. However, it is the oldest and has distinct symptoms indicating the need to eliminate it.

Problems Skype, one way or another, can be attributed to all popular messengers. I will not consider his closest competitor Viber, because I do not have enough experience to use it.

Telegram

I will consider Telegram separately, as it is considered to be an instant messenger, fundamentally different from competitors, and not suffering from the disadvantages of Skype, Viber, WhatsApp. It is presented as a long-awaited protected alternative to all existing instant messengers. The media advertised it as a means of communication, which even terrorists use quietly, as it is safe. However, in most cases, security is considered as a separate entity without consideration of specific types of threats, which is fundamentally wrong.

I myself always use a telegram, and I must admit that it is really beautiful in terms of usability. I was not so excited about any other messenger. What is it worth its stability with a bad internet. In a bad signal environment where GPRS barely catches, no other messenger works so well. But when it comes to the security and exclusivity of the Telegram, it must be admitted that it suffers with all the same symptoms as its competitors.

Why should Telegram die?

• Centralized management.
  This is the main problem of all the services described here. I often meet with a lack of understanding of the seriousness of this argument. It would seem that the bad thing is that some company completely controls your communication? After all, they are all good guys there, and they don’t ask for money, and the API is convenient, and the emoticons are beautiful.
  But we must not forget that this is always a company that pursues its own interests, and, most likely, among them there is no task to work all their lives at a loss for the sake of world peace.
  Already, one can already observe how, under pressure from another commercial company, Telegram identifies topics that cannot be spoken to: Telegram removed 78 chats about the “Islamic State” at the request of Apple .
  Or decides what data can not be shared: Telegram began to block music bots at the request of Apple , Telegram restricted access to porn bots for residents of Iran .
  This means that a single company of good guys will always be vulnerable to pressure from influential structures. These structures can be whole states in whose jurisdiction the company operates. That is, at any time, some information or actions may become unsuitable for the policy of the company controlling your communication, even if the laws of your country do not prohibit it.
  It is impossible to predict how tomorrow the policies of individual states will change, and therefore such an easy opportunity to influence communication tools is simply unacceptable.
  
• Centralized architecture.
  This problem is inextricably linked with the first. A single point of failure allows at any time to limit access to the service for entire countries or even completely eliminate Telegram by a court decision.
  Telegram servers, along with the correspondence that is stored on them in the clear, can be removed at any time, if so decided by the state in which they are located.
  Despite the fact that the client part of the Telegram protocol is open, the server part is still closed for third-party auditing. In fact, the security of ordinary chat rests on the word of honor of the Telegram team. They kind of say: "We will not read your correspondence, honest word!". Probably, this is the case, but by itself the possibility of a certain group of people to have unlimited access to private information throughout the world is unacceptable.
  
• SMS authentication
  Telegram is as secure as your mobile operator, due to SMS authentication. Suffice it to recall the story of how attackers five times reissued the Beeline SIM card . Telegram allows you to protect yourself from this by setting an additional password, but by default it is not used.
  
• End-to-end encryption
  I must admit that using this function in Telegram is really convenient. It is especially nice that you can set a self-destruct chat timer and not worry about whether the other person will delete the chat log at the right time.
  But the key verification procedure is far from straightforward. Each time the key imprint is different. It is not clear by what channels it is supposed to compare it. It is not possible to once verify the chat key in order to further verify its authenticity independently, as is the case with OTR.
  

As a result, despite the fact that Telegram is made very well, and in most cases it is much safer and more convenient than analogs, it cannot be called a qualitatively different solution from competitors. This is all the same commercial product that carries threats to the freedom of communication.

And what about my favorite% messenger_name%?

All the above symptoms, in one way or another, relate to the majority of top-level instant messengers known today. The centralized architecture and management of one company is the biggest nail in the coffin of each of them. Therefore, it makes no sense to describe in detail the shortcomings of each separately.

A brief table of popular messengers and the reasons why they should die

Messenger	Diagnosis	Must die
ICQ	• Centralized architecture owned by Mail.ru in Russia • Easily vulnerable due to domestic security forces • No end-to-end encryption
Viber	• Centralized architecture • Binding to phone number • Closed protocol • No end-to-end encryption
Whatsapp	• Centralized architecture • Closed protocol • Binding to phone number • No end-to-end encryption • Fee for use
Google hangouts	• Centralized architecture • Closed protocol • Google account required • No end-to-end encryption
Face Time / iMessage	• Centralized architecture • Closed protocol • Works only on Apple devices.

SIP and Jabber

When real security is needed, you still have to use the good old open source protocols.
For voice, this is SIP + ZRTP, and for text XMPP + OTR. But against the background of all commercial services, we can say that these protocols often do not work than work.
It looks wild to me that, in many cases, when making calls through SIP, you can get a voice in one direction, problems with incoming or outgoing calls and a whole bunch of problems that all commercial solutions lack. I absolutely do not want to think about the type of NAT used in this network, wind up ICE or STUN, flashing ports when you just need to call. It's disgusting.

Similar story with Jabber. How can you even imagine that in 2016 messages can simply get lost due to the disconnection of the server? Where is the normal proof of delivery and reading? Jabber is absolutely terrible in an environment with unstable Internet and on mobile platforms.

Until all these problems are resolved, one cannot even talk about the competition of open protocols with commercial messengers. I would be glad if today there was at least one open solution, worthy to take the place of the dominant messenger communicator in the world. But this is not.

How to be?

I sincerely believe that this topic is extremely serious and it is important not to miss the moment. We cannot allow the fundamental possibility of communication between people to be seized by someone, somehow limited, and potentially vulnerable.
Such an important issue for humanity, like the development of a unified standard for instant messaging and calls, should be handled by organizations like the IETF along with leading IT companies.

A good example is the story of OpenSSL. At the time of the discovery of the heartbleed vulnerability, everyone was horrified how vulnerable the entire industry was because of one mistake. After which the organization was created Core Infrastructure Initiative . It includes the largest IT companies like Cisco, Google, Intel. The goal of this organization is to support industry-critical programs such as OpenSSL, GnuPG, Network Time Protocol, and others.
I hope the importance of open communication tools will be realized before fatal problems are found in existing proprietary products, and such an organization will be set up in time to work on the necessary standards.

Internet Protocol allows you to connect any node to any other node on the Internet.Today, this is not entirely fair due to ipv4 problems, but imagine that a couple of years have passed and everyone already has ipv6, and every device at any time, with a connection, has a real, routable IP address. This will allow any device, be it a smartphone or a computer, to communicate with each other without the help of companies providing services for communication. Just find a way to tell your buddy your current IP address.
Add to this the presence of hardware support for cryptography in all mobile devices, allowing you to use encryption at no extra cost to the battery.

_ Such an environment will inevitably create P2P utopia, in which people can safely communicate directly, without third-party services.

While such ideas are being implemented in the form of prototypes, poorly suitable for everyday use, but the situation is changing every day. Some implementations can already be tried.

Tox

Probably the most advanced tool at the moment, approximating P2P crypto-anarchy. This is a completely decentralized messenger communicator, with voice, video, screen demos, conferences. All communications are encrypted by default and transmitted directly between users without servers. There are clients under Windows / Linux / OSX / Android. Unfortunately, the implementation of clients is damp in places, and some functions do not work between different platforms, but they are actively developed. I want to say thank you antonbatenev for the promotion of TOX on Habré.

Ring

Former SFLphone SIP client. Now it can work in 3 modes: as a normal SIP-dialer (centralized), as a federated service (with a self-hosted server that can communicate with other servers) and completely decentralized.
Roughly speaking, with this thing you can call via SIP via DHT. Unfortunately, the client under OS X is still damp and I could not fully use it.

Surely there are more implementations, but I really don’t know any real ones.
These implementations are far from ideal and simple users will most likely not like them.
It must be admitted that the success of a specific product is not only advanced technologies, but also usability, design, usability and simplicity. Probably, before such technologies take root, many more iterations of various protocols will take place.
I'm not ready to say exactly how the ideal protocol should be, but I will try to formulate the basic requirements:

• .
  . , , RFC. - . , , Email- , .
  
• .
  P2P, - . , Skype, , , . . P2P , . , Email Jabber, , . . , . , . , , , , -, . .
  
• 
  , , , DPI. , , HTTPS. , , Tor .
  
• 
  , . , , . , -, ProtonMail . , end-to-end , RedPhone. - , .
  
• 
  , . , Skype Viber . .
  

Conclusion

I do not urge to urgently abandon the use of your favorite messenger. Unfortunately, there is no worthy replacement for commercial products today, and so far we have to use the fact that it solves the problem better. The purpose of this article is to draw attention to a serious problem that awaits us in the future if measures are not taken today. It is also an attempt to respond at once to all disputes about what kind of messenger is better and why you should be skeptical about the news that another company has made another super mega messenger, now surely correct and safe.