Kullo, meaning “secret” in the Mandinka language, is a new secure messaging program for Windows, Mac OS X and Linux (a mobile phone app is planned). It is still in early beta, and I recently got an invite to try it out after I joined their mailing list. Bear in mind that, being an early release, the software is in active development and does not have many features yet, but it is usable.
Creating an account in Kullo is very easy: there is no need to enter any name or email address, and choosing a username and password is all that is required. This creates a #kullo.net address for you that can be distributed to friends, but they must be using the same program to be able to communicate with you securely.
The messenger is not compatible with other networks like Yahoo or Jabber; Kullo has its own open source protocol. It is end-to-end encrypted: the master keys are created on your computer during account setup, and encryption and decryption take place locally.
I had no friends on Kullo, so I added the Kullo CEO’s address as my contact, without asking, to see how it works. No friendship or contact relationship is needed to send and receive messages: whenever you get someone’s Kullo address, you are free to write to them, just like with email. Senders can’t be blocked, but according to the CEO all necessary filters to stop harassment will come as the number of users increases; spam filtering is not needed at the moment. Kullo’s digital signature ensures that a message really comes from the sender, and the return address cannot be faked, which makes blacklisting possible.
I liked the easy layout, the quick reply button and the easy switching between contacts. Attachments can be sent too, with a maximum size of up to 100MB. There is a central server for Kullo located in Germany, which is used to sync messages if you go offline. Since everything is encrypted before uploading, you are safe from governments trying to get access to the server: data cannot be decrypted without the private encryption key held on your computer. The company is upfront about the customer details they keep: this is limited to the number of messages and their size. The IP addresses of the devices used to connect to the server can also be seen, but they are not stored.
Encryption-wise, I don’t know how safe Kullo is, as I am not an expert cryptographer, but I liked that their protocol is open and third-party developers can deploy it freely to build their own messaging engine. Assuming security has been properly implemented, I think that this is a safe way to communicate. You can’t make voice or video calls, but it is simple. The major risk is that the person you are chatting with could be impersonated if he has his laptop stolen while still logged in to Kullo.
I liked that Kullo’s employees are not able to read the data travelling through the server; this is the best insurance you can have against a government abusing data privacy laws. No matter how secure and honest a company tells you they are, if they have a way to read your data it can be exploited by anybody, hackers and spy agencies alike. Giving the user power over the decryption keys solves this problem. Let’s hope that more companies follow suit.