Encrypting Messaging

Some personal thoughts on a choice of reasonably secure and private enough messaging apps.

Most of us now “talk” more through apps than in person, which means enormous pieces of our lives—relationships, health admin, work crises, family logistics—flow through systems we don’t run and can’t easily inspect. Those systems can be logged, mined, breached, subpoenaed, or slowly repurposed into surveillance infrastructure, usually without you ever being directly asked.[1][2]

Using properly encrypted calling and messaging apps is not about being secretive; it is about not giving away more than you need to, by default, every time you send a message or make a call.[2:1][1:1]

What “secure messaging” actually means

When an app claims to be “secure”, you can usually break that down into a few concrete questions:

  • Does it use end‑to‑end encryption (E2EE) for messages and calls, so only you and the other person can read/listen, not the provider’s servers?[3][1:2]
  • Are those protections on by default, or hidden behind some obscure “secret mode” you have to remember to enable?[4][5]
  • How much data does the service log about who talks to whom, from where, and when?[6][2:2]
  • Is the protocol documented and open to inspection, with independent audits and cryptographic analysis?[7][8][9]
  • Are there usable safety features—disappearing messages, verification of contacts, sane group behaviour—rather than just a marketing page?[10][11]

End‑to‑end encryption is the big one. In a proper E2EE system, messages are encrypted on your device and only decrypted on the recipient’s device, using keys that never leave those endpoints. The server can shuttle ciphertext around, but it cannot simply look at the content “by policy” or “for quality and training”.[1:3][3:1]

Even then, metadata—who you talk to, when, and from roughly where—can still exist, and it is often just as valuable commercially and politically as message content. The best apps work hard to minimise and obfuscate this, not simply to encrypt the text of your chats.[2:3]

Why privacy and security matter (even if you’re “boring”)

The standard line of defence is “I’ve got nothing to hide”. The problem is that privacy is not about hiding wrongdoing; it is about limiting exposure and maintaining boundaries that make abuse and exploitation harder.

A few very down‑to‑earth reasons to care:

  • Bulk collection and “store now, analyse later”: once messages are logged in readable or weakly protected form, they can be mined indefinitely for profiling, political inference, and commercial targeting.[1:4][2:4]
  • Breaches are routine: when a provider stores content or rich metadata, attackers only need to get lucky once for large datasets to spill.[6:1]
  • Safety from harassment and stalking: abusers thrive on exposed message histories, location inferences, and account takeovers.[2:5]
  • Future risk: what feels like a harmless rant or personal detail now can look very different in a new job, country, or relationship.[2:6]

Moving to properly encrypted calling and messaging does not make you a “high‑risk” person; it simply stops you volunteering to be low‑hanging fruit.

How end‑to‑end encryption works (briefly)

End‑to‑end encryption sounds mystical, but at a high level it is straightforward. Each device generates cryptographic keys; when you start a conversation, your app fetches the other person’s public keys, does a handshake, and derives shared secrets that are then used to encrypt each message and call.[3:2][1:5]

The Signal Protocol—used in Signal itself, WhatsApp, and several other systems—combines a one‑time X3DH key agreement with the Double Ratchet algorithm to give you forward secrecy and post‑compromise safety. In practice, this means that even if someone gets access to a long‑term key later, they cannot decrypt everything you ever sent; keys keep changing as you chat.[7:1][10:1][3:3]
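To make "keys keep changing as you chat" concrete, here is an added Python sketch (not Signal's code and not from the original post) of the two key-derivation chains the Double Ratchet is built from, showing what a copied device state can and cannot decrypt. Assumptions: `os.urandom` stands in for fresh X25519 outputs, the `INFO` label and the handshake value are constructed, and encryption itself is left out so only key evolution is shown.

```python
import hashlib
import hmac
import os

INFO = b"example-ratchet"  # constructed HKDF info label, not Signal's

def _mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def kdf_ck(chain_key):
    """Symmetric ratchet step: returns (next chain key, message key)."""
    return _mac(chain_key, b"\x02"), _mac(chain_key, b"\x01")

def kdf_rk(root_key, dh_out):
    """Root ratchet step (HKDF-SHA256, 64 bytes): (new root key, new chain key)."""
    prk = _mac(root_key, dh_out)             # HKDF-Extract, root key as salt
    t1 = _mac(prk, INFO + b"\x01")           # HKDF-Expand block 1
    t2 = _mac(prk, t1 + INFO + b"\x02")      # HKDF-Expand block 2
    return t1, t2

def message_keys(chain_key, count):
    """Advance a chain `count` times; return (final chain key, message keys)."""
    keys = []
    for _ in range(count):
        chain_key, mk = kdf_ck(chain_key)
        keys.append(mk)
    return chain_key, keys

def simulate():
    # Stand-in for the handshake result both devices share (constructed).
    root = hashlib.sha256(b"constructed handshake output").digest()
    root, chain = kdf_rk(root, os.urandom(32))
    chain, past = message_keys(chain, 3)       # three messages delivered
    stolen_root, stolen_chain = root, chain    # device state copied here

    # Forward secrecy: stepping the stolen chain forward never yields an old key.
    _, reachable = message_keys(stolen_chain, 1000)
    past_exposed = any(k in reachable for k in past)

    # Same chain, no new DH output: the next messages are exposed.
    chain, later = message_keys(chain, 2)
    later_exposed = later == reachable[:2]

    # DH ratchet: a fresh secret the attacker never saw re-keys the chain.
    root, chain = kdf_rk(root, os.urandom(32))
    _, healed = message_keys(chain, 2)
    _, guess = message_keys(kdf_rk(stolen_root, os.urandom(32))[1], 2)
    healed_exposed = healed == guess
    return past_exposed, later_exposed, healed_exposed
```

`simulate()` returns `(False, True, False)`: earlier messages stay protected, messages on the same chain do not, and protection returns once a new Diffie-Hellman output is mixed in.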

If you want to dig into the details, Signal’s own documentation and academic reviews are a good starting point:

What encryption does not do is fix a compromised phone or a bad backup configuration. If somebody has physical access to your unlocked device, or if you upload unencrypted chat histories to a random cloud, you have effectively opted out of most of the benefits.

Convenience vs control

Many of the worst privacy decisions in mainstream apps are not accidents; they are side‑effects of business models. If your revenue comes from targeted advertising and behavioural profiling, you want rich data: who talks to whom, when, for how long, about what, and how those interactions respond to nudges.[6:2][2:7]

Strong, properly done end‑to‑end encryption makes some of that much harder, because content is not available for large‑scale analysis. So “free” apps with tight ad‑tech integration often stop short of doing everything they could for security, or they provide a secure mode that is off by default and awkward to use.[5:1][4:1][1:6]

Seen through that lens, moving to a secure messenger is not an aesthetic choice; it is a decision about whose incentives you are willing to live under.

Signal: the current gold standard

If you want one app that lines up with what modern cryptography can sensibly deliver for everyday people, that app is Signal.[12][13][2:8]

Signal combines a few key properties:

  • End‑to‑end encryption by default for one‑to‑one chats, groups, and voice/video calls, using the Signal Protocol.[14][10:3][3:5]
  • Open‑source clients and protocol specs, allowing independent researchers and auditors to tear into the design.[8:2][14:1][7:3]
  • A non‑profit foundation and donations model, not an advertising or data‑brokerage business.[2:9]
  • Very limited server‑side data: Signal is engineered to retain as little information as possible about your contacts and communication patterns.[2:10]
  • Additional protections such as “Sealed Sender”, which hides who initiated a message from Signal’s own servers in many cases.[2:11]
  • Practical privacy features like disappearing messages, registration lock, safety‑number verification, and (on some platforms) encrypted backups.[10:4][2:12]

The core cryptography has been analysed favourably in academic work and independent audits, and the protocol has become widely influential. WhatsApp’s end‑to‑end encryption, for example, rides on the Signal Protocol under the hood.[9:2][15][16][7:4][8:3][3:6]

Useful links to point readers at:

For most people, installing Signal and nudging key contacts over is the single highest‑impact privacy upgrade available.

WhatsApp: a pragmatic bridge, not a destination

WhatsApp quietly gives a lot of people decent crypto they never asked for. Since 2016, it has used the Signal Protocol to provide end‑to‑end encryption for individual and group chats, calls, photos, and videos, with encryption enabled by default when both sides are on a current version.[15:1][16:1][17][18]

WhatsApp’s own documentation is worth linking from your post:

The catches:

  • Metadata and ecosystem: WhatsApp sits inside Meta’s stack, which means your contact graph, usage patterns, and device information can be combined with Facebook and Instagram data even if message content is encrypted.[2:13]
  • Backups: cloud backups require extra configuration to be end‑to‑end encrypted, and if you leave them off or misconfigure them, your chat history may be stored in a way that is accessible to the cloud provider.[17:2][19:1]

If your entire family or social group lives on WhatsApp, using it is still meaningfully better than falling back to SMS, but the longer‑term goal should be to shift important conversations to Signal.

iMessage and FaceTime: strong, but locked in

On Apple‑to‑Apple connections, iMessage and FaceTime provide strong, well‑engineered end‑to‑end encryption as part of a tightly controlled platform. Apple’s security docs go into detail on the key handling and device security model, and there is no advertising business riding directly on your message content in the same way as some competitors.[20]

The downsides are all about reach and fallbacks:

  • The moment a conversation involves non‑Apple devices, you are at the mercy of SMS/RCS and other weaker channels.[20:1]
  • People often do not notice when a thread silently drops down to SMS/MMS, which is not end‑to‑end encrypted and is vulnerable to interception.[20:2][1:7]

If your world is pure Apple, iMessage/FaceTime are fine. If you live in the real world of mixed devices, Signal is a better universal standard.

Telegram: polished, but not secure by default

Telegram has managed to brand itself as a “secure” app, but its actual security story is much messier than people assume.

By default, Telegram’s regular chats use client‑to‑server encryption, which means Telegram’s servers can access your messages in principle. Its end‑to‑end encryption exists only in a separate “Secret Chat” mode, which:[21][22]

  • Must be explicitly enabled per chat.[4:2][5:2]
  • Only works for one‑to‑one conversations, not standard group chats.[5:3][21:1][4:3]

Useful references to link directly:

Telegram is fine for public channels and low‑stakes chat where you care more about features than serious privacy guarantees. For genuinely secure messaging and calling, it should not be your primary tool.

Threema: privacy‑first and paid

Threema is a Swiss messenger that has built itself around privacy rather than scale. It offers end‑to‑end encryption for messages, calls, group chats, and file transfers, and it does not require you to link a phone number or email to your account.[23][6:3]

Key pages worth linking:

It is a strong option if you and your contacts are willing to pay a small one‑time fee. In practice, Signal usually wins on adoption and transparency, but Threema is a respectable alternative if you value not tying an account to your real‑world phone number.

Session, Matrix/Element, and other advanced options

There are a few other projects worth at least knowing about:

Both give you more control over infrastructure and, in Session’s case, stronger anonymity properties, at the cost of complexity and, often, performance. For most people, they are second‑order choices after “get off SMS and onto Signal”.

SMS, normal calls, and RCS

For completeness:

  • SMS and plain old telephone calls are not end‑to‑end encrypted; carriers can access them and they are vulnerable to interception and SIM‑swap style attacks.[17:3][1:8]
  • RCS, the successor to SMS, has an end‑to‑end encrypted mode in some implementations, but it is not consistently deployed across all carriers and devices yet.[17:4]

For readers who want a neutral explainer, you can link the general overview at https://en.wikipedia.org/wiki/End-to-end_encryption.[1:9]

Treat SMS like a postcard and unencrypted calls like a loud conversation in a crowded café. Use them when necessary, but do not confuse them with private channels.

Using secure apps securely

Installing Signal (or Threema, or Session, or an Element client) gets you most of the way; a few habits get you the rest:

  • Enable disappearing messages for chats that do not need a permanent archive, especially in Signal and WhatsApp.[17:5][2:14]
  • Learn how to verify safety numbers / security codes with key contacts; Signal, WhatsApp, and Matrix/Element all provide some form of this.[11:3][10:6][17:6]
  • Use a strong device passcode and keep your OS and apps updated.[2:15]
  • Understand backup behaviour: read Signal’s docs, WhatsApp’s encrypted backup FAQ, and any equivalent for your chosen app before you start exporting chat histories to the cloud.[19:2][10:7]

Security is always a chain. A good app with good defaults makes it harder to mess that up, but it cannot save you from every possible mistake.

The simple recommendation

If you want the short, actionable version for a personal blog:

  • Use Signal as your primary app for messaging and calls; point curious readers at the docs and protocol pages if they want the gory details.[12:2][3:7][10:8]
  • Keep WhatsApp as a pragmatic bridge where you must, but link people to WhatsApp’s own E2EE FAQ and encrypted backup docs so they understand the trade‑offs.[15:2][19:3][17:7]
  • Treat Telegram as a feature‑rich chat client, not as a security tool, unless you are explicitly using Secret Chats and understand the limitations.[22:2][21:3][4:5]

Most people do not object to privacy; they object to hassle. Signal’s great achievement is that it raises the security baseline without turning normal conversations into an operational security exercise. The more of us who treat that as the default, the harder it becomes for “read everything, retain everything” to remain the norm.[7:5][8:4][2:16]
[27][28][29][30][31][32][33][34][35][36][37][38][39][40][41][42][43][44][45][46]


  1. https://en.wikipedia.org/wiki/End-to-end_encryption
  2. https://proton.me/blog/is-signal-safe
  3. https://en.wikipedia.org/wiki/Signal_Protocol
  4. https://privacyinternational.org/guide-step/5540/telegram-secret-chats-end-end-encrypted
  5. https://www.howtogeek.com/709484/how-to-start-an-encrypted-secret-chat-in-telegram/
  6. https://threema.com/en
  7. https://www.pindrop.com/article/audit-signal-protocol-finds-secure-trustworthy/
  8. https://cyberscoop.com/signal-security-audit-encryption-facebook-messenger-whatsapp/
  9. https://positive-intentions.com/docs/research/signal-protocol-security-audit/
  10. https://signal.org/docs/
  11. https://element.io/en/features/end-to-end-encryption
  12. https://signal.org
  13. https://www.bbc.com/news/articles/c1kjd091019o
  14. https://en.wikipedia.org/wiki/Signal_(software)
  15. https://signal.org/blog/whatsapp-complete/
  16. https://www.praetorian.com/blog/whatsapp-end-to-end-encryption-why-signal-protocol-is-well-designed/
  17. https://faq.whatsapp.com/820124435853543
  18. https://sheetwa.com/blogs/whatsapp-end-to-end-encryption-guide/
  19. https://faq.whatsapp.com/490592613091019
  20. https://its.h-da.io/element-docs/en/first-steps/
  21. https://core.telegram.org/api/end-to-end
  22. https://blog.cryptographyengineering.com/2024/08/25/telegram-is-not-really-an-encrypted-messaging-app/
  23. https://threema.com/en/why-threema/privacy
  24. https://cyberinsider.com/secure-encrypted-messaging-apps/threema/
  25. https://docs.getsession.org/session-network/session-protocol/onion-requests-and-message-routing
  26. https://getsession.org/faq
  27. https://ghost.org/help/using-markdown/
  28. https://www.markdownguide.org/tools/ghost/
  29. https://forum.ghost.org/t/pasting-markdown/41192
  30. https://easycloudsolutions.com/2015/07/13/markdown-guide/
  31. https://www.qoncious.com/questions/using-ghosts-markdown-editor-effectively
  32. https://en.markdown.net.br/tools/ghost/
  33. https://www.reddit.com/r/Ghost/comments/gd6xpl/how_do_i_view_the_raw_markdown_content_of_a_post/
  34. https://www.thememyblog.com/blog/ghost-cms-koenig-markdown-editor/
  35. https://www.fastcomet.com/tutorials/ghost/how-to-use-markdown-editor
  36. https://coursework.vschool.io/the-editor/
  37. https://www.boardx.us/effortlessly-generate-perfect-markdown-formatted-ghost-articles/
  38. https://ghost.org/changelog/markdown/
  39. https://polymath.net/2020/12/ghost-markdown-backend/
  40. https://github.com/KDE/ghostwriter
  41. https://news.ycombinator.com/item?id=37420664
  42. https://www.youtube.com/watch?v=_G19opiXqBU
  43. https://www.youtube.com/watch?v=O_yIPQOPQxA
  44. https://ghostwriter.kde.org
  45. https://jekyllt.github.io/jasper2/the-editor
  46. https://www.reddit.com/r/linux/comments/lkcvuk/ghostwriter_distractionfree_markdown_editor/