Whisperbot is a new free service that claims it delivers confidential messages to your friends without e-mail.
Their own site puts it this way: "Stop using e-mail for your confidential messages!"
While this is a nice slogan to have on a site, we say: stick to e-mail and add encryption.
Here is why Whisperbot should be avoided for any confidential messages:
- Message transport in cleartext - the submitter and the reader both access the 'confidential' message over plain HTTP by default, so anything typed or read is open to sniffing and to archiving by intermediate proxies.
- Message is stored on Whisperbot servers with unspecified and not very reliable security measures - Whisperbot supposedly stores the messages in encrypted form. This cannot be confirmed, but even if it is true, the message is presented to the recipient in its original form, so the encryption must be reversible with a key the server itself holds. The security of the message is therefore that of a safe full of money with the key left in the lock.
- Security is based on obscurity - the main security measure of Whisperbot is that the path to the message is unique and known to nobody but the recipient. But that path is sent to the recipient in a cleartext e-mail, which can be captured and read at any number of points along the e-mail's route.
- Message retention cannot be controlled - the message is kept on the Whisperbot servers for an undisclosed amount of time, which exposes it to later access by someone else.
Instead, for confidential messages you should rely on e-mail, with the added security of GNU Privacy Guard (GPG).
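The difference between the two approaches is where the key lives. With GPG the message is encrypted to the recipient's public key before it leaves the sender, so every relay, mailbox or storage server in between holds only ciphertext it cannot reverse. The script below is an added example, not something from the original post or from Whisperbot; it assumes GnuPG 2.x is installed, and the recipient identity and the message are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): end-to-end encryption of a
# message with GnuPG. The recipient's key pair is generated into a throwaway
# keyring; the name, address and message text are constructed for the demo.
set -eu

# Isolated keyring so the demo never touches the user's real keys.
GNUPGHOME=$(mktemp -d)
export GNUPGHOME
chmod 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$GNUPGHOME"' EXIT

RECIPIENT='recipient@example.invalid'   # constructed, not a real address

# Recipient side: generate a key pair. No passphrase here purely so the demo
# runs unattended; a real key should be protected by one.
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-gen-key "Test Recipient <$RECIPIENT>" default default never 2>/dev/null

# Sender side: encrypt to the recipient's public key. The output is ASCII
# armored so it can travel in an ordinary e-mail body. Anyone who captures
# it in transit or on a server sees only this ciphertext.
encrypt_message() {
    printf '%s' "$1" | gpg --batch --quiet --trust-model always \
        --armor --encrypt --recipient "$RECIPIENT"
}

# Recipient side: only the holder of the matching private key can do this.
decrypt_message() {
    gpg --batch --quiet --decrypt 2>/dev/null
}

# Stand-alone run: encrypt a constructed message and show that it round-trips.
if [ "${1:-}" = "--demo" ]; then
    CIPHERTEXT=$(encrypt_message 'meeting moved to 10:00')
    printf '%s\n' "$CIPHERTEXT"
    printf '%s\n' "$CIPHERTEXT" | decrypt_message
fi
```

Run it with `sh example.sh --demo` to see the armored block that a relay would capture, followed by the recovered plaintext. The property that matters is that the decryption step needs the private key in the recipient's own keyring; a server storing the armored block, however long it retains it, cannot perform that step.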
Talkback and comments are most welcome