by tptacek 4188 days ago
Truecrypt isn't a messaging system, is barely open source, and is barely trusted (though I think that's unfair). Compare, on the other hand, to "real" open-source disk encryption projects like EncFS/Ecryptfs.

OpenVPN is built on OpenSSL and was Heartbleedable.

Until a few years ago, SSH was a fiasco. Cryptographically, it has approximately the same security track record as SSL. It's also not a messaging system.

I didn't say I had a closed-source alternative for you. There aren't good answers here. I like TextSecure. I also like GPG, a lot. And I have a 4-figure bet with Matthew Green that OTR is more resilient than the other messaging systems. But OTR is mostly only OK if you don't use it with an actual chat client; once libpurple is in the picture, nothing is OK anymore.

2 comments

How is SSH a fiasco? I'd love to read more about that.

"Approximately the same security track record as SSL"? I'd say Heartbleedable (OpenSSL SSL) vs. not Heartbleedable (OpenSSH) would be a rather incorrect approximation.

Also, a messaging system could be tunneled through SSH.

How about investing money and/or developer hours into securing libpurple then? :)