Peerio is a chat and storage service with big security claims


A Canadian outfit called Peerio has put its eponymous secure messaging and cloud storage app into public beta, promising a much more usable alternative to PGP email and file encryption.

Peerio was released on Wednesday for Windows, Mac and Chrome (which also gives Linux users an option) – apps for Android and iOS are in the works. It’s not quite perfect just yet, but it’s an intriguingly user-friendly take on secure cloud communications and storage.

“Our goal is for Peerio to succeed PGP in the use-cases of mail and file sharing,” co-founder and lead cryptography designer Nadim Kobeissi told me via a Peerio encrypted conversation. “We’ve developed a system built on foundations that are more modern, stronger, and simpler than PGP. Anyone who uses Peerio for a few minutes will quickly see how it’s years ahead of using PGP with Thunderbird, and never go back.”

Open-source and audited

The two-decade-old PGP is certainly a pain to use — at least, if you want to get it right — largely because of the complexity of PGP key management. Rather than requiring users to have their private key file to hand, Peerio requires them to create memorable (and long) passphrases that are then used to locally generate private keys for each session. The passphrase is used to log into Peerio for the first time on each new device. After that, a shorter, easier-to-type password can be created for that device, and two-factor authentication is also available.

Peerio incorporates the encryption technology of Kobeissi’s Minilock file encryption app. Users have usernames rather than email addresses, and their client-generated, abstract avatars are used to verify their cryptographic identity (the client can automatically detect changes).
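The two mechanisms just described, a passphrase that is turned into a private key on the client rather than stored as a key file, and a key-derived avatar that lets the client notice when a contact’s key changes, can be sketched in a few dozen lines. The following is an added illustration written for this article, not Peerio’s or Minilock’s code: it assumes scrypt as the key-derivation function, the username as the salt, a hash as a stand-in for the public key (a real client would seed a Curve25519 keypair), and a 5×5 mirrored identicon as the avatar. The names and parameters are all constructed for the example.

```python
import hashlib
import math

# Demo scrypt cost (constructed for this example; a production client would use
# a far higher N).  Nothing here is Peerio's or Minilock's actual code.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SEED_LEN = 32


def derive_private_seed(username: str, passphrase: str) -> bytes:
    """Client-side derivation of the long-term private-key seed.

    The passphrase is the only root secret; salting with the username keeps two
    users who picked the same passphrase from ending up with the same key.
    scrypt is deterministic, so a new device running this same function
    recovers the same key, which is what lets a passphrase replace a key file.
    """
    salt = hashlib.sha256(b"demo-app-v1:" + username.lower().encode()).digest()
    return hashlib.scrypt(passphrase.encode(), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=SEED_LEN)


def public_identity(seed: bytes) -> bytes:
    """Stand-in for the public key (assumption for this example).  A real client
    would feed the seed into a Curve25519 keypair; a one-way hash keeps the
    example dependency-free while preserving "public value derived from seed"."""
    return hashlib.sha256(b"public:" + seed).digest()


def avatar_grid(public_key: bytes, size: int = 5) -> list:
    """Deterministic, horizontally mirrored identicon built only from the key.

    Because nothing but the key decides the picture, a replaced key produces a
    different avatar, which is what a user or client can check against.
    """
    h = hashlib.sha256(b"avatar:" + public_key).digest()
    bits = "".join(f"{byte:08b}" for byte in h)
    half = (size + 1) // 2  # columns chosen freely; the rest mirror them
    grid = []
    for row in range(size):
        left = [bits[row * half + col] == "1" for col in range(half)]
        grid.append(left + left[size - half - 1::-1])
    return grid


def render_avatar(grid: list) -> str:
    """ASCII rendering of the identicon for a terminal demo."""
    return "\n".join("".join("#" if cell else "." for cell in row) for row in grid)


def passphrase_entropy_bits(word_count: int, dictionary_size: int) -> float:
    """Entropy of a passphrase made of random dictionary words.  The server never
    sees the passphrase, so an attacker holding derived material can only guess
    offline; that is why a key-replacing passphrase must be long."""
    return word_count * math.log2(dictionary_size)


class ContactStore:
    """Pin each contact's identity on first sight and report later changes
    (trust-on-first-use), the check a client runs when a known contact's key
    suddenly differs from the pinned one."""

    def __init__(self):
        self._pinned = {}

    def check(self, username: str, public_key: bytes) -> str:
        known = self._pinned.get(username)
        if known is None:
            self._pinned[username] = public_key
            return "new"
        return "unchanged" if known == public_key else "changed"


if __name__ == "__main__":
    # Same user, same passphrase on two "devices" -> identical private seed.
    laptop = derive_private_seed("alice", "correct horse battery staple mirror")
    phone = derive_private_seed("alice", "correct horse battery staple mirror")
    assert laptop == phone
    pub = public_identity(laptop)
    print(render_avatar(avatar_grid(pub)))
    print(f"5 random words from a 7776-word list: "
          f"{passphrase_entropy_bits(5, 7776):.0f} bits; 8 words: "
          f"{passphrase_entropy_bits(8, 7776):.0f} bits")
    # A contact whose key changes between two messages is flagged.
    store = ContactStore()
    print(store.check("bob", public_identity(derive_private_seed("bob", "one passphrase"))))
    print(store.check("bob", public_identity(derive_private_seed("bob", "another passphrase"))))
```

The design point worth noticing is that the device-specific short password the article mentions must never become the root secret: it can only unlock a locally cached copy of the seed, because anything derived from a short password alone would be cheap to guess offline.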

From a functionality perspective, Peerio is a cross between email (albeit without the universality) and instant messaging. Files can be attached to messages, and conversations are threaded and searchable. There’s no draft functionality at the moment, which can be a pain when jumping between conversations mid-message, but Kobeissi said this will come soon and drafts will be safely encrypted.

Kobeissi, a PhD student in applied cryptography, is best-known as the creator of the Cryptocat chat app, which had a nasty security scare in 2013 (a bug left group chats vulnerable for months). However, this time round his co-creation has been audited by “expert cryptographers and system penetration testers” (Germany’s Cure53, per Wired). What’s more, the client code is open source and available on Github for scrutiny by whoever can offer it.

Metadata issue

Kobeissi seems pretty confident about Peerio’s security. When I asked whether it was tough enough to be a secure channel for leaking information, he replied: “I think people doing something like leaking state secrets should not depend on the internet at all, personally. But I would say that Peerio can protect the content of people’s communications, even if they’re operating from a highly surveilled context.”

However, the service’s end-to-end encryption only protects the contents of communications, not the metadata about who contacted whom and when. Peerio’s Canadian servers still hold users’ contact lists, the number of files and messages sent, and message timestamps. Kobeissi told me access to this metadata is “quite minimal and well-guarded” and he and his colleagues “pledge to fight any overreaching government requests”, but still, the information is there and, unlike the contents of messages, available to Peerio itself. Will Peerio create a way to encrypt this metadata? “One thing at a time,” Kobeissi said.

Peerio’s team includes four permanent staff, but numbers 12 with hired contractors – the outfit has $250,000 in seed funding. The plan is to make money by charging for premium features such as more than a gigabyte of storage, and by targeting the business market at some point.

For a product just entering public beta, Peerio seems admirably clean, functional and user-friendly. As long as people don’t find nasty vulnerabilities – and the firm deals with its metadata-related issues – it could be a viable mass-market encrypted communications and collaboration service. (A minor warning, though: if you import a contacts list, Peerio will send out an invite to everyone on it.)

4 Comments

Encryptitall

The more, the merrier, I second that! Having looked around about peerio today, I don’t understand why it’s to be a Gmail alternative without email compatibility. That’s their marketing, I guess. Thanks for not writing it on Gigaom.
tutanota.de seems like a viable option for end-to-end encrypted email. At least it’s the only open source one I am aware of.

David Mytton

It’s great to see many different startups try and tackle the issue of encrypted communications. There was a good talk at 31C3 about why the existing GPG tools are difficult to use[1] and it comes down to things like key exchange and not making a mistake not encrypting when you think you are.

However, I think there are several key hurdles to overcome, the main one being piggy-backing on an existing form of communication. Most of the new products we’re seeing require users to download a new app, which necessarily requires anyone you want to communicate with to have the app too. Using an existing transport layer such as phone/VOIP, SMS or email is much easier to get people to adopt because they already have it.

Of course, you could say that about PGP (your recipient has to have a key pair, which is indeed one of the big issues with PGP) but this just swaps one barrier for another rather than solving it completely.

And commenting specifically on Peerio, they do not have a good track record with Cryptocat and once you get tarnished with a reputation for poor security implementations, it may be hard to win back trust. Good to see they have done a 3rd party audit and the code is open source.

Personally, I’m interested to see what Whisper Systems release to go along with their existing Red Phone and TextSecure applications, the latter’s technology is already in Android Whatsapp.

[1] http://media.ccc.de/browse/congress/2014/31c3_-_6021_-_en_-_saal_g_-_201412281130_-_why_is_gpg_damn_near_unusable_-_arne_padmos.html#video

David Meyer

Thanks David – great comment. I think Nadim deserves a second chance, and it was good to see that there’s already been an update to fix the spamming-contacts issue. Regarding what Open Whisper Systems come up with, I’m also looking forward to see that develop. The more the merrier really – I reckon competition will benefit everyone, particularly in the open source context.
