SimpleX Chat – the first messaging platform that has no user identifiers of any kind (not even random numbers)

We’ve just released the version 4.1 – you can download the mobile apps via the links here: GitHub - simplex-chat/simplex-chat: SimpleX - the first messaging platform operating without user identifiers of any kind - 100% private by design! iOS and Android apps are released 📱!

We’ve also just received the draft of security audit report prepared by Trail of Bits – a US security consulting company that has many technology companies, several blockchain projects and government entities as its clients. The report is positive, there are some findings to fix/improve, but nothing critical. Most improvements will be released in 4.2 by the end of the month when we plan to publish the report as well.

See technical details and limitations here: simplex-chat/README.md at stable · simplex-chat/simplex-chat · GitHub

The most common questions

How can SimpleX deliver messages without user identifiers?

To deliver mesages, instead of user IDs used by all other platforms, SimpleX has pairwise identifiers for message queues, separate for each of your contacts. In the current version of the protocol each queue is used until the contact is deleted. Later this year we plan to add queue rotation to the client protocol, so that even conversations don’t have long term identifiers visible to the network. This design prevents leaking any users metadata on the application level.

How is it different from Matrix, Session, Ricochet, Cwtch, etc., that also don’t require user identites?

Although these platforms do not require a real identity, they do rely on anonymous user identities to deliver messages – it can be, for example, an identity key or a random number. Using a persistent user identity, even anonymous, creates a risk that users’ connection graph becomes known to the observers and/or service providers, and it can lead to de-anonymizing some users (e.g. by using ML to correlate the data from observed anonymous network with the existing public networks).

Even with the most private messengers built on top of Tor network, having a persistent identity means that if you talk to two different users via the same profile they can prove that they communicate with the same person, as they would use the same address to send messages.

With SimpleX there is no meta-data in common* between your conversations with different contacts within the same user profile - the quality that no other messaging platform has.

* on the application level, transport level metadata can be protected by using Tor – SimpleX apps support Tor via Orbot or any other SOCKS (or VPN) proxy.

I’m no expert but it seems very promising ! The challenge now is to convince my friends and family to use it, after spending months trying to make them use Signal ^^

It’s still ok to use Signal. SimpleX is great in a way that you don’t give any extra information. For me it would be awesome, as there are many times I want to speak to some people without giving them my phone number, and they won’t need to create an account or something. That said I will keep using Signal with my family/friends as they already know my phone number.

It’s not a competition to use the most insane secure app ever with your family/friends, just use what fit your needs.

Haven’t tried simpleX fully yet, but one great usability I see is for my kids. Since nobody except the ones you accept can message you, no connection to other social media and no registering; its perfect as there is no need to worry about strangers trying to contact them or that any other information about them will end up on the web. My thought is to try it out within the family and maybe some of their friends if they are interested.

Thank you! We did think about it being used to communicate with kids and other potentially vulnerable people, we probably could highlight this scenario in our comms.

We would have to add some parental features though before we do it - for example, preventing the user from making or accepting the new connections without some additional credential.

But even as is, the lack of user discovery makes it much safer.

Also, we have just received our security audit report - I will share once Trail of Bits publishes it!

This would be a great addition. Looking forward to future updates.

We have completed the security assessment, see the announcement here: SimpleX blog: Security assessment by Trail of Bits, the new website and v4.2 released