it had been 55 days when I left the comments on HN
Probably didn’t see it - please share the link.
SimpleX is not the program you want to use. I have on several occasions tried to get epoberezkin to answer basic questions, but every time they run to the hills.
“This is not the language you want to use”. This suggests that everybody is less smart than you, and you know better what should and should not be used. Every technology has its limitation, and nobody should indiscriminately recommend any tech for all cases.
SimpleX prides itself with having no identifiers.
We never said that, and no tech can work without identifiers. What is important though, and it’s a unique quality of SimpleX network, is that SimpleX user profiles are not assigned any distinct identifiers in the network, unlike in all other networks.
SimpleX server knows your IP-address by default.
Every server you connect to knows the IP address - it includes your ISP, VPN providers, websites and services you connect to, and even Tor and i2p relays, and your peers in p2p networks.
But the CEO pretends this is not an issue. They ignore the fact that IP-addresses are constantly used to determine the identity of copyright infringers using torrents etc.
Again, you are ascribing to me words I never said. It is impossible to use the Internet without IP addresses, as you know. And it indeed may create issues if users do not manage their network transport security. But these issues are not specific to any particular system, and while there are tech solutions that reduce the impact of IP address visibility to some servers, including Tor, i2p, SimpleX network, and some other solutions, there is no technology that protects the IP address in all cases - and Tor also is not such a technology.
They either tie to the household, or to the person if they live alone.
This is sometimes correct, and sometimes it is not, depending on who can use it to tie it to that level. An ISP can always do it, but it is not always the case for third parties. Security of IP address (and security in general) can only be discussed in the context of “security from whom” - the whole concept of security requires the presence of an attacker.
SimpleX is not transparent enough about the fact the server can trivially correlate the IP addresses that converse.
First, we were transparent about it when it was the case. It is covered on the front-page of the website, and in all technical documents that cover the security limitations. It’s absolutely fine to criticise how we disclose our security limitations, but I suggest you show some other comparable service that is as explicit in disclosing it - I’ve only seen Pond doing that, where we modelled it from.
Second, with the addition of 2-hop routing (aka “private message routing”) in the messaging protocol it is no longer the case - even if both servers are operated by the same owner, it would be far from trivial, and it would require server code modifications that would be a violation of the privacy policy. Neither access to server storage nor traffic observation allows it.
Third, with the addition of the second operator to the app (coming this November), it would be impossible even if one of the operators does modify server code in violation of the privacy policy - private message routing protects not only IP addresses, but also sessions.
There is queue rotation, but since unauthorized users must not be able to change the queues between Alice and Bob, the server must authenticate Alice before this action. This means Alice is recognized by the server, regardless of which IP-address they connect from. So Alice can’t rotate their queues without the server knowing which queue pair Alice and Bob use next.
This is incorrect. Queue rotation is agreed between the clients, and the queue the clients rotate to is not known to the server as its address is agreed inside e2e encrypted messages. Clients always choose another server to rotate to (as long as the client has another configured server), and with the addition of the second operator, the clients will choose the server of another operator. So it is very non-trivial to connect which queue the connection rotated to.
Since the server knows the queue ID between two users in the long term (that is, unless they re-register for SimpleX and start fresh), the server can keep accumulating all queue IDs associated with Alice and Bob. The server can also associate every IP-address it has seen Alice connect from to that user.
It is based on an incorrect assumption, so it is incorrect. Further, because of 2-hop routing, while a modified server can indeed determine the list of queues the client connects to in the default configuration, the server still cannot determine the IP addresses that send messages to these queues, so it does not provide knowledge of the user connection graph, even if the server modifies the code.
If Alice and Bob use Tor from day one, and somehow never fail to misconfigure Tor and leak their IP, SimpleX is probably OK. If they ever fail, then the user is permanently deanonymized.
What you don’t say is that it would be the case even if clients connect via Tor, as while servers can’t see the IP address of the client (the Tor relay can see it instead), the servers can see client sessions. This is disclosed in the privacy policy. To mitigate it the clients offer an option to use separate Tor circuits for each connection, but it will create much more traffic, so it cannot be enabled by default.
But irrespective of that, this does not show how IP addresses and message queues connect to conversation graph.
This is why SimpleX sucks compared to Cwtch. Cwtch uses anonymous Tor IDs, that are trivial to spin up, and take down. You can have as many user IDs as you want, even 1:1 mapping for all contacts to micromanage your online status for every contact.
This statement ignores the limitations of Tor, that many parties operate a large number of Tor relays and therefore are able to deanonymize Tor hidden service addresses that are used for a long time. Even with the addition of guards a successful attack on hidden service anonymity is possible over several months or maybe even weeks of usage, so Cwtch should be disclaiming that users have to rotate these addresses too, as otherwise Tor relay operators that run many nodes can build the connection graph between IP addresses and hidden service addresses used for a long time.
What I believe is a very important quality of SimpleX network is the lack of operator anonymity - it allows the client to choose different operators for the message delivery route (something that will be available this month). Any network that provides onion routing and at the same time allows anonymous participation of routing nodes can be used to break the security model by any party that runs many nodes - a single operator controlling even 2-3% of nodes results in a high probability of successful deanonymization over prolonged usage.
My huge issue with SimpleX, is the CEO is vacillating between the positions of “Tor has vulnerabilities, therefore it’s not 100% solution”, and at the same time offering Tor as an opt-in solution for paranoid users (their words, not mine.)
There is no contradiction here, it is called “security in depth” or “defence in depth”. SimpleX has an alternative security model with packet routing (as opposed to Tor’s circuit routing) and with operator transparency (as opposed to Tor’s operator anonymity), so we believe that for many users SimpleX alone offers a better security/usability trade-off than using it with Tor. It doesn’t mean that Tor should not be used - it can be used in addition to SimpleX, as a transport level anonymisation network, providing better overall security to some users. Further, we use Tor’s SOCKS proxy circuit isolation property to further improve Tor anonymity by using more than one circuit - something I am aware of only Tor Browser doing.
Tor is obviously not a panacea, but the CEO conveniently forgets that there is, for now, nothing better.
I do take issue when security and technology experts take such stance. For example, the stance “there is nothing better than Signal, so we should not criticise it” led to years of complacency, ignoring security issues, misleading marketing and over-inflated budget. Read this.
Likewise, the statement “there is nothing better than Tor” is misleading, as it ignores the fact that it very much depends on who the user is, what they do, which country they are in, how they configure it, and who the user is trying to be secure against. I can’t repeat enough that “security” is always about protecting against some attackers, and there is no such thing as security in the absence of an attacker - so saying that something has the best security against all attackers is just wrong, in general. Specifically about Tor, it fails to protect the anonymity of users against attackers who run many Tor nodes, and it also does not protect against global passive adversaries, so while it provides much better anonymity for web access than alternatives, the protection of a given Tor address becomes worse the longer it is used.
SimpleX solved the non-issue of usernames and offered the same IP-address protection as every bog-standard messaging app: None.
-
For the majority of users who don’t break laws (and yes, we believe that the absolute majority of SimpleX users fall in this category) usernames are a much bigger issue than IP addresses, as they enable long term mass surveillance for commercial reasons at low cost, while using IP addresses for the same reason would be both against the privacy policy and also much more expensive. Given the economics of mass surveillance, it’s not necessary to make building the connection graph impossible - it’s enough to make it more expensive.
-
I am also of the opinion that given a high budget any security solution can be compromised. I think that compromising Tor security model for most users would require running 100-200 Tor nodes - you can estimate the budget. So we as an organisation are much more interested in raising the baseline security for ordinary users than protecting from high budget attacks.
-
See above comments on private message routing - it solves the problem of IP address protection much better than most, as it also solves the problem of session protection by using per-packet anonymity (unlike Tor, which only does it per circuit, so all activity that happens within the circuit can still be used for correlation).
First HN. Now PrivacyGuides. You’re running out of hills to run with your snake oil. Please stop running and address these issues.
I am not sure what causes your inappropriate and bitter tone, but if you want to suggest some improvements we are very open to change. But please stop selling solutions that have known limitations as perfect or as the best - it would put lives at risk.
Some of your criticism about IP addresses was correct with the old network design, and we improved the network design based on your and other users’ criticism and suggestions. But this doesn’t justify your absolutist stance about SimpleX threat model being bad for all users, which is what you say, literally, and Cwtch threat model being good for all users. Both views are incorrect, and it is not the objective fact-based stance a professional/expert should be taking.
What we do is hard work, and we are not interested in improving on what we think is a bad solution for most users. We will continue building and improving what we think is better for most users. The time and the userbase will be the ultimate judge of who is right.
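A toy model of the observation difference argued over in the reply above (direct delivery to the recipient's server versus 2-hop "private message routing"), added here as an illustration that is not part of the original post and not SimpleX's code. Server names, IPs and queue ids are constructed, and the assumption that the forwarding server sees only an opaque e2e-encrypted payload (no queue id) is the model's, not something the thread spells out.

```python
# Toy model of what a relay can record under direct delivery versus 2-hop
# "private message routing". Added illustration, not SimpleX code; all names,
# IPs and queue ids below are constructed.
from dataclasses import dataclass, field


@dataclass
class Server:
    name: str
    ip: str
    log: list = field(default_factory=list)  # (peer_ip, queue_id) it can record

    def receive(self, peer_ip, queue_id):
        self.log.append((peer_ip, queue_id))

    def ips_for_queue(self, queue_id):
        """IP addresses this server's own records tie to a queue."""
        return {ip for ip, q in self.log if q == queue_id}


def send_direct(sender_ip, dest, queue_id):
    """Old design: the sender connects straight to the recipient's server,
    which therefore records sender IP and destination queue together."""
    dest.receive(sender_ip, queue_id)


def send_2hop(sender_ip, fwd, dest, queue_id):
    """2-hop routing: the sender talks only to a forwarding server it chose;
    that server opens the connection to the destination server. Assumed in
    this model: the forwarder sees the sender IP but an opaque e2e-encrypted
    payload (no queue id), and the destination sees the forwarder's IP."""
    fwd.receive(sender_ip, None)
    dest.receive(fwd.ip, queue_id)


def naive_join(*servers):
    """What one owner of several servers learns by joining stored records on
    queue id alone (no traffic timing analysis)."""
    return {ip for s in servers for ip, q in s.log if q is not None}


def simulate(routing):
    alice_ip, queue = "203.0.113.7", "queue-ab"     # constructed values
    fwd = Server("relay chosen by Alice", "198.51.100.2")
    dest = Server("relay chosen by Bob", "198.51.100.9")
    if routing == "direct":
        send_direct(alice_ip, dest, queue)
    else:
        send_2hop(alice_ip, fwd, dest, queue)
    return dest.ips_for_queue(queue), naive_join(fwd, dest)
```

With direct delivery the destination relay ties Alice's IP to the queue on its own; with 2-hop routing neither relay's records, nor a join of both, tie her IP to it.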