Confide

Confide has had serious security vulnerabilities discovered (see here and here), including:

• Confide not require a valid SSL server certificate to communicate, creating a possible mechanism for Man-in-the-Middle attacks.
• Unencrypted messages could be transmitted, and the user interface made no indication when unencrypted messages were received, they said. The application uploaded file attachments before the user sent the intended message.
• Allowed an attacker to mine all Confide's user accounts, including real names, email addresses, and phone numbers.
• Confide failed to adequately prevent brute-force attacks on user account passwords. Users were permitted to choose short, easy-to-guess passwords.
• Confide’s website was vulnerable to arbitrary URL redirection, a weakness that might be abused to run social engineering attacks against its users.

Each and every one of these is a huge security flaw. Taken together, they are a disaster. Confide claims now to have fixed these specific problems. But it's hardly confidence-inspiring. What's worse is that the Trump administration's nincompoops have been using Confide to communicate.

Researchers were also able to gain access to 7,000 account records created over the span of two days, out of a database they estimated to contain between 800,000 and one million records. That gave them access to email addresses and real names. Out of just that 2-day sample, O’Horo and Davis were able to find a Donald Trump associate and several Department of Homeland Security employees who downloaded the application.

Better alternatives:

• Signal (open source)
• Tox (open source)
• Wickr (commercial)

For video:

• Jitsi Meet (open source)
• Wire (open source)

[Edited by JohnFastman, March 11]