Glacier uses the OMEMO (OMEMO Multi-End Message and Object Encryption) protocol, an adaptation of the Signal Protocol, for all messages (text, media, audio, video).
Glacier supports multiple devices associated with the same account. A Glacier session is set up between each pair of devices. Each message is encrypted and authenticated with a random key, and that key, itself encrypted, is sent as the content of a Glacier message.
Glacier uses the Double Ratchet algorithm to establish secure sessions between every combination of devices for you and your contact(s). The Double Ratchet algorithm uses Curve25519, AES-256, and HMAC-SHA256. These sessions are then used to communicate secure keys to all devices. Glacier generates a new key for every message, and that key is used to encrypt your message with AES-GCM.
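The per-message key scheme described above, sketched for Node.js as an added example; it is not Glacier's or OMEMO's code. Assumptions: each device session is reduced to an HMAC-SHA256 chain seeded with a shared secret, the message key is wrapped with AES-256-GCM, and the function names and envelope layout are invented for illustration.

```javascript
const { createHmac, createCipheriv, createDecipheriv, randomBytes } = require("crypto");

// One-way HMAC-SHA256 step: a later chain key does not reveal earlier message keys.
const kdf = (chainKey, label) =>
  createHmac("sha256", chainKey).update(Buffer.from([label])).digest();

// AES-256-GCM; output layout (assumed) is nonce (12) || tag (16) || ciphertext.
function seal(key, plaintext) {
  const nonce = randomBytes(12);
  const cipher = createCipheriv("aes-256-gcm", key, nonce);
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([nonce, cipher.getAuthTag(), body]);
}

function unseal(key, blob) {
  if (!blob || blob.length < 28) throw new Error("missing or truncated ciphertext");
  const decipher = createDecipheriv("aes-256-gcm", key, blob.subarray(0, 12));
  decipher.setAuthTag(blob.subarray(12, 28));
  // final() throws if the tag does not verify, i.e. on any modification.
  return Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
}

// Stand-in for one device's session (assumption: symmetric chain only, no DH ratchet).
const newSession = (sharedSecret) => ({ chainKey: Buffer.from(sharedSecret) });

// Sender: one fresh random key per message, wrapped once per device session.
function encryptMessage(text, sessions) {
  const messageKey = randomBytes(32);
  const keys = {};
  for (const [deviceId, s] of Object.entries(sessions)) {
    keys[deviceId] = seal(kdf(s.chainKey, 1), messageKey);
    s.chainKey = kdf(s.chainKey, 2);
  }
  return { payload: seal(messageKey, Buffer.from(text, "utf8")), keys };
}

// Receiver: the chain advances only after the wrapped key authenticates.
function decryptMessage(envelope, deviceId, session) {
  const messageKey = unseal(kdf(session.chainKey, 1), envelope.keys[deviceId]);
  session.chainKey = kdf(session.chainKey, 2);
  return unseal(messageKey, envelope.payload).toString("utf8");
}

// Constructed demo: the secret stands in for the output of the key agreement.
function demo() {
  const secret = randomBytes(32);
  const sender = { phone: newSession(secret) };
  return decryptMessage(encryptMessage("hello", sender), "phone", newSession(secret));
}
```

The payload is encrypted once regardless of how many devices receive it; only the 32-byte key is wrapped per device, and each side must process messages in order for the chains to stay in step.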
Glacier end-to-end encryption provides the following guarantees:
Nobody except the sender and receiver is able to read the content of a message.
Compromised key material does not compromise previous message exchanges. It has been demonstrated that OMEMO provides only weak forward secrecy (it protects the session key only once both parties complete the key exchange).
A session which has been compromised due to leakage of key material recovers from the compromise after a few communication rounds.
Every peer is able to authenticate the sender or receiver of a message, even if the details of the authentication process are out of scope for this specification.
Every peer can ensure that a message was not changed by any intermediate node.
The usability of the protocol does not depend on the online status of any participant.
Media shared in voice and video calls is encrypted end-to-end and can never be accessed by Glacier. Each participant negotiates a separate DTLS/SRTP connection to every other participant. All media published to or subscribed from the call is sent over these secure connections, and is encrypted only at the sender and decrypted only at the receiver.
Glacier does not mediate in the media exchange, which takes place through direct communication among the Glacier users. The only exception is when media exchange requires TURN. In that case, a TURN server will blindly relay the encrypted media bits to guarantee connectivity. The TURN server cannot decrypt or manipulate the media.
Calls made outside of Glacier (external calls) using Glacier Dial are encrypted with TLS/SRTP to our servers. Calls are then routed on your behalf to the Public Switched Telephone Network (PSTN). The call data from Glacier servers to the non-Glacier user is unencrypted.
Your messages are secure and private. They can only be read by you and the recipients of your messages. We cannot prevent someone from using a camera to take a picture of a message on a screen, so we recommend practicing safe message handling, using Disappearing Message Timers, and keeping your device locked with a strong passcode.
In addition, Glacier cannot read or decrypt any messages. Messages are encrypted by the sending device and go through our servers in encrypted form, and are then decrypted by the receiving device using Glacier Chat. Our servers do not have access to decrypted messages or keys, which ensures your privacy and security.
Minimal logs are kept for the purpose of continued operation and maintaining system integrity. None of our logs contain user communications, message content, or message tracking information. What little they do record contains only sender and receiver device information, and only while encrypted messages are being routed through the system.