SimpleX vs. Cwtch, who is right?

Huh :slight_smile:

Which is why I opened a bug to cover IPA in the “overview” if not in the “threat model” section of the overview (but it was closed without much fanfare, except here on PG, I suppose). As @anon6884803 explained above, the “overview” doc on SimpleX’s GitHub already talks about adversaries in a broad sense; except for this one adversary that may own most if not all of SimpleX’s guarantees.

As a user, I just don’t know how or why that might come about. Given that you already have a legal counsel on retainer, you may as well write about IPA like Mullvad does for Swedish laws, for example (1, 2). It isn’t part of the “threat model” as you see it, but it is part of overall OpSec for your users (in this case: me). On the face of it, the “overview” doc seems to make wide ranging claims about “trust”, and so talking about IPA as publicly doesn’t seem out of place, tbh.

I see, but since the entire point of SimpleX is its superior protocol+cryptography, which if it can be backdoored (or whatever IPA allows for, I don’t know), makes it useless to at least a section of your userbase, if not for everyone.

Sounds like an excuse, imo. For example, I’d not use WireGuard clients if it could be backdoored by the French govt (its author, Jason Donenfeld, is based in France), but since Jason has put in the time and effort for reproducible builds of the official clients, I feel confident using those (regardless of how remote the threat may be). Same goes for what Google is doing with tamper-proof hardware in vendor-agnostic Open Titan, just so trusted/secure/verified boot guarantees remain anchored in user’s trusts solely on silicon manufacturer and the silicon owner (the equivalent for SimpleX would be to provide remote attestation for its servers and reproducible builds for its clients, I think?). All that to say, folks in the security/privacy industry are already putting in the work.

Unsure if it means what I think it means (you mean like Linux and Tor?), but it can’t be the only answer? Maybe you’ve thought about this more deeply than I have.

1 Like

Reasonable. But we have 5% of Mullvad budget I think, and no - it’s not a counsel on retainer - we pay for the advice as and when needed.

Thanks for the links. I will think about some opsec advice page on the site.

On the face of it, the “overview” doc seems to make wide ranging claims about “trust”, and so talking about IPA as publicly doesn’t seem out of place, tbh.

This doc should remain purely technical, what you want belongs elsewhere - probably linked to Transparency page.

Since point of SimpleX is its superior protocol+cryptography, which if it can be backdoored (or whatever IPA allows for, I don’t know), makes it useless to at least a section of your userbase, if not for everyone.

That’s not correct, as compromised servers do not allow establishing who talks to whom, unless it’s coordinated compromise across multiple operators.

The primary focus is on minimizing trust to servers. Making them trustworthy is a secondary focus.

Unsure if it means what I think it means (you mean like Linux and Tor?), but it can’t be the only answer? Maybe you’ve thought about this more deeply than I have.

By jurisdictional decentralization I mean two things:

  • having different parts of SimpleX organization established as legal entities in different jurisdictions - it is an ongoing effort.
  • having different operators preconfigured in the app also in different jurisdictions - also an ongoing effort.
2 Likes

Reproducible builds are not yet there - but my IP ops unexpectedly tells me that server builds might already be reproducible, which is surprising, but will soon know more.

What I am interested in doing irrespective of reproducibility is “community server audits”. The way it would work with some selected members of community we can trust (can’t be fully anonymous, would require signing some agreement under some known and reputable online identity - we won’t need to know name and address, a recognisable alias is sufficient):

  • for all planned (non-urgent) server updates we could livestream terminal session to these community members that would allow you to see how long the server was running, that it has the same digest as when it was started, and the digest of the new version matching digest of GitHub distribution.
  • you would then sign (anonymously for others) a statement confirming that we indeed run the code that we publish based on the presented facts (time the server was live based on systemd data, digest of binaries, etc.).

It does seem like a bit of an effort and time commitment from both sides, but we can try to make it manageable.

Would there be an interest to participate?

2 Likes

If the server code is indeed reproducible, and people can verify the initial and changed server hashes, I do think it is the closest to server transparency without costly HSMs.

But you will need folks who already have excellent reputation. I am sure you can find some prominent names as I know a lot of smart folks are following SimpleX closely. If you can get someone like Nadim Kobeissi, Akc3n (GOS mod), etc. (these are the ones who have explicitly been interested in SimpleX off the top of my head) it will make it very easy to gain trust. A mix of technical experts and privacy advocates should be considered. This is not an operation that will risk their reputation (since they are just verifying hashes match), so I don’t think that will be the issue. But convincing them to do so might be tough. Care should also be taken to take less volatile personalities, so that a bad Server signer does not malign SimpleX reputation. Some server signers can ask to see who else is doing this to understand if they wish to participate or not. Will be a delicate operation :no_mouth:

Immediate benefit of course is having to spend less technical resources on hacking together server transparency cheaply, while also having active and continuous endorsement. A side benefit is reducing trust in the other parties that host servers, since the first hop can always be SimpleX servers that are verified. Sounds like a good start to me.

2 Likes

Yes, confirmed, it is reproducible when we build in docker. We already have a GitHub action that builds in docker, so GitHub hashes will be the same as with builds by any users, so we will be able to additionally sign these hashes locally and have independent verifiers to do the same for stable server releases.

We will aim to do it for 6.3 release of the servers this Saturday.

4 Likes
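Added example, not part of the original thread and not SimpleX's own tooling: one way an independent verifier could cross-check a locally reproduced server build against the digests published by the project and by other verifiers, as the posts above describe. The `sha256sum`-style manifest format, the artifact name, the signer names and the quorum rule are assumptions, and each manifest's signature is assumed to have been verified already.

```python
"""Cross-check a local reproducible build against published digest manifests."""
import hashlib
import hmac
import tempfile
from pathlib import Path

HEX = set("0123456789abcdef")


def sha256_file(path, chunk_size=65536):
    """Stream the file so large binaries are not loaded into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_manifest(text):
    """Parse sha256sum-style lines ('<64 hex>  <name>') into {name: digest}."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected '<digest>  <name>'")
        digest, name = parts[0].lower(), parts[1]
        if name.startswith("*"):          # sha256sum binary-mode marker
            name = name[1:]
        if len(digest) != 64 or not set(digest) <= HEX:
            raise ValueError(f"line {lineno}: not a SHA-256 hex digest")
        if entries.get(name, digest) != digest:
            raise ValueError(f"line {lineno}: conflicting digests for {name}")
        entries[name] = digest
    return entries


def audit_artifact(name, local_path, manifests, quorum):
    """Compare the local build digest with every signer's published digest.

    A single disagreeing signer fails the audit: with reproducible builds a
    mismatch means someone built or published something different.
    """
    local = sha256_file(local_path)
    agree, disagree, silent = [], [], []
    for signer, entries in manifests.items():
        published = entries.get(name)
        if published is None:
            silent.append(signer)         # signer made no statement on this file
        elif hmac.compare_digest(published, local):
            agree.append(signer)
        else:
            disagree.append(signer)
    return {
        "artifact": name,
        "local_digest": local,
        "agree": sorted(agree),
        "disagree": sorted(disagree),
        "silent": sorted(silent),
        "verified": not disagree and len(agree) >= quorum,
    }


def run_constructed_demo():
    """Constructed data only: no real release, digest or signer is used."""
    name = "example-server"               # hypothetical artifact name
    good = b"constructed stand-in for a reproducible server binary\n"
    good_hex = hashlib.sha256(good).hexdigest()
    bad_hex = hashlib.sha256(good + b"extra bytes\n").hexdigest()
    manifests = {
        "project-release": parse_manifest(f"{good_hex}  {name}\n"),
        "verifier-a": parse_manifest(f"{good_hex} *{name}\n"),
        "verifier-b": parse_manifest(f"# audit notes\n{bad_hex}  {name}\n"),
        "verifier-c": parse_manifest(f"{good_hex}  other-tool\n"),
    }
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / name
        path.write_bytes(good)            # stands in for the local docker build
        matching = {k: manifests[k] for k in ("project-release", "verifier-a")}
        clean = audit_artifact(name, path, matching, quorum=2)
        mixed = audit_artifact(name, path, manifests, quorum=2)
    return clean, mixed


if __name__ == "__main__":
    for result in run_constructed_demo():
        print(result)
```
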

The point was to choose beforehand which you wish to provide:

Privacy by policy means the client does not actively protect the user from all third parties, especially the service provider.

Privacy by design means that it does.

It’s ok to provide different types of protection for metadata and content. E.g. Signal is content-private by design, metadata-private only by policy. Signal chooses not to collect that data, and it has put some mechanisms like remote attestation that allows the client to verify that is the case. And we even have court docs to show this is the case. But still, it’s not impossible to make server collect all metadata if a) there is a secret interpretation of a secret national security law and b) Intel’s SGX is not trustworthy.

Cwtch is metadata-private by design as the service provider isn’t able to collect anything without the client’s code enabling that.

The legal system is important, from the PoV of not having draconian laws, but if the Snowden docs showed something, it was that the public might not have access to the content of law. Who’s to say if FISA court might under some fascist regime one day rubber-stamp actions similar to COINTELPRO?

It’s also the case Snooper’s Charter gives UK LEA permission to hack computer systems, and IIRC, we learned from Snowden papers, that foreign targets do not enjoy constitutional protections, so, nation states can compromise foreign systems, and exchange the information, bypassing said constitutional protections.

With a threat landscape this complex, I would argue the legal system is at its most useful state, when it allows privacy-by-design systems to exist. If not, your options are limited: relocate or fight the system.

As I have said multiple times: the key thing SimpleX is missing, is transparent threat modeling. Basically, tell users what types of adversaries can breach each layer of security, and what types can’t.

Which is why I implored you above to be open about this. “We can’t verify independent parties are running the nodes”. This means you acknowledge node pool sizes play a role in providing resistance against the end-to-end correlation. The only thing the legal entity protects against is domestic for-profit data mining companies, and maybe rogue LEA employees. Criminals and foreign agencies, like Batman, have no jurisdiction.

As would I. But that’s not what you brought to the table. I asked you to default to Tor, and you wanted to make it an optional step with complex setup instructions of several pages. You deployed an inferior system compared to Tor, and you marketed it on the front page as an improvement over Cwtch that defaulted to Tor.

And this is also OK. When someone starts writing a brand new messenger directly into GitHub, by the time the application has an MVP that allows communication over the network, the standard disclaimer of “No encryption whatsoever has yet been implemented, do not use this application in production” should be in the project README (read: on the front page with big letters).

If the client-server encryption is implemented first, then updating the threat-model to reflect it: “The system uses basic TLS, but not end-to-end encryption. This means our server gets access to your messages, know this before using it.”

Transparency shows you’re making progress, and that you’re taking security seriously. It’s your job to know your job. If this costs a few early adopters who misunderstand this to mean the application is insecure or struggling, let me be clear: FUCK. THEM.

Your duty is to your users. SimpleX doesn’t look like it’s the next Telegram, it actually seems to try instead of just appearing to try. Everything is E2EE and I respect that. A lot. That’s why I want to believe I’m not wasting my breath writing this. A lot of the security of the product comes from the privacy by design. But like you said, it’s also the matter of policy. And that policy must include the transparency of threat model to users, if for no other reason, because no security architecture will stop all adversaries, and the only way you protect the users, is by letting them make informed decisions. Some things are best said face-to-face. It doesn’t have to be illegal stuff. Some users would probably not use SimpleX to exchange nudes, if they knew state mass surveillance employees automating endpoint hacking might use them like trading cards.

4 Likes

No technical or design solution can solve for social problems. In the end every technology depends on some privacy policy, some social contract being adhered to.

Cwtch is also not usable. Trust me I tried.

Their published threat model seems fine, is there anything specific they seem to be missing?

Nobody can. Not even Tor. I agree I would like to see something like Tor threat model in SimpleX threat model document.

I don’t understand this. Isn’t Tor massively compromised due to the network having large number of nodes controlled by nation states, concentration of servers in specific countries, etc.? Isn’t SimpleX network a chance for a clean slate with public providers who have their reputation tied to not being malicious (Cloudflare and the like)? Isn’t a corporate run network more sybil resistant than anonymous volunteer network?

But SimpleX is not in that state. It is perfectly usable except in very specific sophisticated attacks, which I agree they should add to their threat model. I do not think it is fair to ask a new project to plaster their deficiencies on the front page, especially when more established and more critical projects also start with their sales pitch and more details in threat models.

They were talking about legacy systems like SMS. Any E2EE app worth the name stops this kind of attack. Could have chosen a better example, since this example subtly paints it in a particularly bad light.

Are you attached to Cwtch perchance?

1 Like

Like I said, it needs a law that allows privacy-by-design systems to exist. The rest of the social contract is between the people doing the communication, and that’s outside the domain of what an app can do.

No I do not trust you and no-one should either take your word for it. The way I see it, tools are made to serve a purpose. Technology has no perfect solution for every task. You want end-to-end encryption? Now you lose centralized monitoring in say a company wide chat. Slack is for that purpose. You need strong metadata-privacy? Signal no longer does it for you, but with Cwtch you lose offline-messaging. You want security against state actors hacking your endpoint, you use TFC, but you lose message forwarding.

In Saudi Arabia you get 5 years of prison time and 500 lashes, for homosexuality. In Iran you’re executed. Thus, some people will place metadata security and/or endpoint security, and the risks if their security fails, on the scale. To them any inconvenience in more secure tools is a matter of life and death.

So you saying “it’s not usable” comes from very privileged position, and failure to see beyond it. You’re of course welcome to develop a more usable system with equal level of security. E.g. Briar has been working on some sort of proxied cache to allow offline-messages in Onion routed p2p messengers.

Searching “Threat model” on front page returns 0 results.

The Threat model article needs to be linked on the front page, like this

^ Doing this will shut me up for good @epoberezkin. If you think it’s not very presentable as a front-page item as a GitHub markdown document, maybe it’s time to polish it into a nice article.

Tor doesn’t make it a selling point either. There’s only so much tech can do, and Tor is doing all of it, without misrepresenting it. Tor is also considered by the NSA to be the king of anonymity systems with no contenders waiting.

This. I would also like Tor Project to link to that document on the front page. In fact, I’m curious how to even navigate to that article without googling.

The nodes are picked at random. The entities that can control massive portions of the nodes are basically FVEY. And they don’t need to compromise Tor, they have access to more or less the entire backbone and they can do end-to-end correlation anyway. Russia, China, and smaller authoritarian nations can’t do any of that, except very rarely.

The Snowden documents said even the NSA will “never be able to deanonymize all Tor users”, it basically said they sometimes get lucky, but that they can’t deanonymize users on demand.

Isn’t SimpleX network a chance for a clean slate with public providers who have their reputation tied to not being malicious

Public providers don’t mean shit, governments have forged ID cards as long as there have been ID cards. With anonymity networks, it boils down to node pool size and chances.

And remember, SimpleX’s solution has nothing to do with onion routing, it’s just a decentralized server network, just like email. You send messages to one server, your peer sends it to another. Your IP address leaks to your server. On a fundamental level, it’s not that different from you using Gmail and peer Office 365, with content encrypted with PGP. Content is not readable, but now there’s two parties that could collect metadata, and if it’s collected, it can be requested with subpoenas.

Isn’t a corporate run network more sybil resistant than anonymous volunteer network.

We don’t even have current or planned SimpleX server pool size available to make that assessment. Let’s talk more when SimpleX server pool exceeds 7,500.

The point was, an application must ALWAYS explain its limitations, even when it’s 100% production ready.

My point exactly. I want the limitations communicated. As long as SimpleX does not default to Tor, it’s inferior in security compared to apps that default to Tor.

They deserve flak, they get flak, and my critique is just one of the instances of said flak. E.g. Telegram could not give a shit about users’ actual security. In fact, they have weaponized their cult following to do damage control. There’s very little point in criticizing them. But the nice part is, they’re not a recommendation on PG anyway.

Signal and Tor are harder to persuade, I’ll give you that. But the way I see it, the smaller projects must be the first ones to compete by setting the example. This creates pressure to bigger players to participate.

It stops collecting said content sent over MMS which is more or less dead these days. But endpoint exploitation is something people seem to have entirely forgotten. Here’s Snowden 10 years ago: https://www.youtube.com/watch?v=743u0pdikbM

The issue was swept under the rug because the industry did not have a solution for it.

Nope. I’ve done free UX testing for them in the past because I like the project. I got two sheets of Cwtch stickers as a thank you. That’s it. I’ve also made small contributions / bug reports to other projects like Tor/stem, OnionShare, Tails, and possibly Signal. TFC is my body of work in secure messaging space, and I try to practice what I preach there.

3 Likes

But you are moving goalposts now. You said SimpleX has to choose, that it is an either or question. Now you say it is not as black and white as you painted it. I find that very irritating, since both cannot be true. The social contract required is not just allowing existence of privacy by design systems, it is also not having conventions that force you to disclose private info to family/friends/strangers, not having laws that force you to be truthful irrespective of the cost, etc. I find your definition to be self contradicting.

Please do not present the “think of the children” argument here. That was not at all my point. It was simply cwtch is not usable for the public that needs secure communication (journalists, activists, etc.). They acknowledge it themselves that unusable tech makes useless tech:

This made adoption of Ricochet a difficult proposition; with even those in environments that would be served best by metadata resistance unaware that it exists [ermoshina2017can] [renaud2014doesn].

I would also request you to not descend into personal attacks like “privileged position” when you know nothing about me. Me criticizing your pet project does not mean you can turn into a name calling white knight for the project. (Notice the ad hominem, others can do it too).

How do you know I am not? Your response reeks of privilege and maybe a personal vendetta against the SimpleX chat project. I advise you to maybe reflect a bit before interacting on the online space.

I agree, I would also like to see it on their website landing page.

Tor is less confident about their abilities than you are. I would also like to have the source for the quote, or are you an NSA insider?

You keep making claims, sources please.

So government can forge identity but not devote resources for forging anonymous networks? Show me one instance of malicious Cloudflare with sources. I can share malicious Tor nodes for days. Again, lots of bluster not enough sources.

Do you really think network size is the only metric? You must be more knowledgeable than most of my professors, they seem to think sybil resistance is not just a direct property of network size. For example, a network that can only be run by national governments and has the ability to exclude anyone else (like the SWIFT system) with only 2 nodes even has more sybil resistance than Tor. I recommend reading on lots of extensive literature written on sybil resistance, rather than just pointing at random numbers.

I agree.

No. Smaller projects that are not able to generate enough marketing or self sabotage themselves for getting a higher moral ground die in oblivion.

Nobody except you has forgotten it. Or do you not keep up with the endpoint hardening happening across entire internet with Android, iOS becoming more hardened, Linux, Windows, macOS trying to create secure systems, etc.? I would recommend again reading up on the cutting edge rather than using grandmother tales from 20 years ago as proof.

Thanks for clarifying.

More proofs, less hostility is a better approach when you respond again. Thanks for taking the time.

1 Like

Metadata and content are protected either by the company policy, or by technology itself. Yes you’re right, privacy by design exists at the grace of policy and politics. SimpleX doesn’t get to dictate the UK law, but it can make the decision whether user data is a subpoena, or national security request to add a backdoor, away.

I’m not moving goal posts. I’m fine with either. Like I said above, I’m fine with app having no security, if it’s communicated clearly.

My point about tech having no perfect solution for every task was about fundamental limitations of the architecture. SimpleX gets to choose that one too. And its limitations have to be communicated clearly too.

I’m sorry if you come from toxic environment that lacks boundaries wrt individual privacy. I feel those are very much out of domain of secure messengers. Of course, a screen lock would be a welcome addition. You’ll be pleased to know Cwtch has decent plausible deniability of separately unlocked accounts when correct password is entered.

I’m not sure if I believe my eyes. Think of the children is basically pro-backdoor argument for CSAM scanning etc. Having a secure messaging app actually walk the talk, is hardly the same thing.

The ermoshina2017can link is broken, and the latter is more general, and doesn’t even mention Cwtch, Ricochet, or even Tor. Hardly an argument against UX of Cwtch.

Well the alternative is you fail to see things from the point of view of people in authoritarian countries. Not sure if that’s any less personal. If your life doesn’t depend on the choice of your messaging app, you’re in a privileged position. As am I, Finland tends to be on top of lists wrt human rights. I don’t have to worry about my privacy too much, but I wouldn’t dream of thinking that applies to others.

Again, TFC is my pet project. Cwtch is the best UX of all the onion routed systems (Briar, Ricochet, OnionShare chats, TFC), so I recommend it when protecting metadata is part of someone’s threat model.

Oh I didn’t know you had an affiliation with a messaging app, by all means do share, I like to see others’ work.

I live in a rechtsstaat, but I’ve also spent more than a decade with TFC to empower people who have to deal with state hackers. I haven’t taken a dime for it. Sorry if that’s not enough.

I’ve criticized more projects than I can remember. Cryptviser, iMessage, Telegram, FooCrypt, TIME AI (lol), SimpleX, DataGateKeeper come to mind. It’s funny you try to label it as a crusade.

My mistake for assuming you had actually read the thread you’re replying to. From above:

Yeah I can’t prove a negative. Of course, if you have a document available China has the geolocation advantage and infrastructure for their own instance of Upstream program

I will happily update my knowledge. As the image shows, US sits in the middle of international fibers. Not all data flows through the US of course, but a lot does. But data doesn’t really flow through Russia or China like it does through FVEY, especially US.

Like I said, FVEY doesn’t need to. They can do end-to-end correlation from net backbone. If you have source stating China or Russia runs a sybil attack against Tor, I’m all ears.

Yeah that’s not the same thing as compromising an anonymity network. I don’t know why you’d even make this argument unless you wanted to just spread FUD. Also, people running malicious nodes are scanning traffic by running exit nodes. Three guesses if Onion service based messengers use exit nodes.

No, but it’s the biggest.

I do not pretend to be an expert on financial systems. I’m concerned with other attacks with SimpleX. There seems to be 85 servers (Unofficial SimpleX Directory - Discover Community-Run Servers), of which 38 are onion routed. So that leaves us with 47 non-torified servers that have access to users’ IP-address. Just over 2% probability that me and my contact use the same server, which means that server can perform a timing attack to determine which two contacts communicate. Or, if there’s no traffic masking (which I HIGHLY doubt), the chances of multiple users sending an attachment the size of which is 42069 bytes at the same time is quite unlikely. So yeah, I do not like the odds. With Cwtch, there’s no decentralized servers that can do this type of scanning.

Are you seriously suggesting SimpleX would be self-sabotaging themselves for disclosing their true level of security? :smiley: Sounds like the project would be getting what’s coming for it, if its current limitations can’t stand the light of day.

The thing is, communicating your threat model openly is a massive boost for one’s image. You’re open that your system may not be for everyone. And you help everyone to know if the project is for you. SimpleX is a mass-market tool, and the userbase to whom it’s enough, accounts for a larger portion than its current servers could probably even handle.

My problem is the misleading threat model that lies by omission.

In this post Poberezkin said

We never said [SimpleX has no identifiers], no tech can work without identifiers. What is important though, and it’s a unique quality of SimpleX network, is that SimpleX user profiles are not assigned any distinct identifiers in the network, unlike all other networks do.

So they’re not assigning additional identifiers. They don’t care that your router glues the source IP address field to the TCP header, which is WAY worse than Cwtch’s Onion Address that allows removing the source IP.

Yes that’s why TFC was only entirely designed around the problem.

I fully agree endpoint security is not in the domain of mass market messengers. I also think threat model should communicate the limitation with something like “To journalists, activists, dissidents and whistleblowers: Some nation state hackers can compromise your device, and bypass the end-to-end encryption. Unfortunately, there’s not much we can do about that. If this is a concern, strongly consider using hardened endpoint, setting the self-destruct timer, or leaving the most sensitive discussions to face-to-face meetings if possible.”

3 Likes

It is from the Cwtch website, I thought you had read it.

I have no affiliation with any messenger app. I work on less flashy, run of the mill stuff.

You said:

I asked if you had proof. You responded by citing something which says “Tor is difficult”. You are claiming Tor as best among alternative solutions, your source says it is among the best. Are you seeing the difference?

So your threat analysis is based on hunches?

It is the same for the adversary threat you cite.

No. Maybe you have unfamiliarity with English? I apologize in that case. I was suggesting you keep asking of SimpleX which no other project does. It is self sabotaging to frighten the user away with impossible attacks on the front page. Come back when Signal and Tor do it.

I agree. Did Signal not catch flak for not being clear on that before on social media? Again, you keep holding SimpleX marketing and website to higher standards than the ones you cite.

I already agree that they should be more clear with the threat model document.

But Tor project itself says this:

Tor can’t protect against traffic confirmation (also known as end-to-end correlation), where an attacker tries to confirm a hypothesis by monitoring the right locations in the network and then doing the math.

So if they know you are sending something right now (which they can since Cwtch requires both ends to be online last I checked), does it just not make it easier? I am not very clear on what the issue is?

1 Like

Again, you’re the one who didn’t read the thread.

In the absence of hard data what we have is educated guesses. https://www.submarinecablemap.com/ shows China isn’t in a place to run Upstream-like drag-collection. Largest part of cables terminate at Hong Kong.

SimpleX is the one lying by omission in their front page. They don’t consider IP-addresses a unique identifier. You seem to ignore that part of my critique consistently. Why?

Risk Model | Cwtch doesn’t have inaccuracies, and the front page isn’t misleading about what the threat model (or risk model in their lingo) states.

Putting the threat model on front page is good practice, and SimpleX won’t be the only one I will ask. Why I’m asking SimpleX to do that, is the threat model clearly states

[The server can] perform the correlation of the queue used to receive messages (matching multiple queues to a single user) via either a re-used transport connection, user’s IP Address, or connection timing regularities.

Which is quite different from what the front page says

SimpleX protects the privacy of your profile, contacts and metadata, hiding it from SimpleX platform servers and any observers. Unlike any other existing messaging platform, SimpleX has no identifiers assigned to the users — not even random numbers.

It’s also not better than what Cwtch offers. Surely you agree SimpleX client isn’t improving over Cwtch’s elimination of user deanonymizing identifiers?

Non-onion SimpleX server serving two conversing users will also always know the queue IDs, it doesn’t actually even need to know scan packet sizes. And queue IDs can’t be changed without you remaining authenticated to the server, so the IP address can be determined even later if the user forgets Tor/VPN.

Doing that for Tor connections requires a government doing end-to-end correlation on all Tor traffic inside the country. It’s the limit of what proxy chains alone can offer. Protection from it requires traffic flow confidentiality, which very few messaging apps provide. Corporate VPN with IPSEC is the most common place you might see it. TFC has it as optional mechanism. It’s not impossible to deliver files as smaller chunks that fit the Tor cell size, whenever client polls the server of peer for new messages, but AFAIK Cwtch doesn’t do that.

SimpleX needs to communicate clearly its threat model, and not make claims it’s eliminating user identifiers better than Cwtch on its front page. Hiding the fact the server has access to users’ IP address on separate domain, behind four clicks is too much, when the front page implies there’s “no* identifiers”, where the asterisk is doing ALL of the lifting by meaning “no added identifiers”. Yeah sure you’re technically correct, the best kind of correct. IP address isn’t being added by SimpleX, it’s added by your router but ask anyone who thought it had no identifiers, if they care about that nuance.

2 Likes

The server builds are now reproducible, so server releases are signed:

The key to verify: keys.openpgp.org

6 Likes

No, this is not correct:

  • SimpleX automatically creates a unique anonymous connection with unique identifiers and set of keys for each contact or group connection, while organising all these connections under the same profile. While you can use individual profiles for each contact in Cwtch, it requires user action and this is not something that most users do. And if most users don’t do it, it undermines efforts of those who do it.
  • SimpleX allows rotating these connections (and all identifiers) by moving the connection to another server, without losing continuity of the conversation. Currently it is manual, and will be automated in the near future. Cwtch does not allow moving a conversation to another Tor address without losing its continuity, and it requires more user actions.
  • Further, Tor’s threat model on which Cwtch depends is compromised by the fact that the underlying assumption of Tor’s model (that independent parties run nodes) is neither correct anymore, nor can be verified. SimpleX clients automatically choose different operators in message delivery path - not just different servers. We did have a debate about it with Sarah on Mastodon quite recently, and I think she ran out of arguments defending Tor’s failure to act to provide this guarantee. I think you would create more value to privacy and anonymity by challenging Tor than by challenging SimpleX (I am not saying that you should stop challenging SimpleX, as a major protocol improvement - 2-hop onion routing - was made partially because of your criticism - I am just saying that a real impact of your criticism will be bigger when you make Tor also its target)
  • Further, while addition of guards increased the time required to attack the anonymity of hidden services from minutes to months, it’s generally a bad idea to use long-term Tor addresses as user identifiers - they must be rotated monthly. Cwtch neither automates nor discloses this problem: Announcing the Vanguards Add-On for Onion Services | The Tor Project:

In particular, the addition of second layer guard nodes means that the adversary goes from being able to discover your guard in minutes by running just one middle node, to requiring them to sustain the attack for weeks or even months, even if they run 5% of the network.

While this is ok for most users, it is not ok for some users.

Non-onion SimpleX server serving two conversing users will also always know the queue IDs

While the server can indeed record all queue IDs used to receive messages from a given IP address, and the only way to mitigate it now is an additional overlay layer and per-queue transport isolation (which is supported in the client), it does not allow servers to establish which IP address connects with which IP address, provided two independent operators are used.

We are considering adding a third layer in message routing, proxying the recipient connections too, so that it will make not only IP correlation impossible but also session correlation (so again, closer to mixnets than to Tor’s circuit routing).

SimpleX needs to communicate clearly its threat model, and not make claims it’s eliminating user identifiers better than Cwtch on its front page.

But it 1) does eliminate protocol level user identities, in a way that no other app does 2) it indeed does it better than Cwtch given the above - per connection, and not per profile.

So I am not sure why we should not claim what is factually correct.

IP address isn’t being added by SimpleX, it’s added by your router but ask anyone who thought it had no identifiers, if they care about that nuance.

I think that everybody who cares about the level of anonymity we discuss, does understand that nuance very well. I find it strange that privacy experts think that people are idiots. We don’t think so.

Tor, in comparison, should certainly be avoided by users who don’t understand intricacies of its configuration, which nodes and countries to avoid, etc., and none of that is advertised on Tor website. So their position and comms are much more risky and potentially damaging, given a much wider range of users, and that the main assumption of Tor’s threat model - node independence - simply doesn’t hold any more.

1 Like

Get maqp post back please, it can’t be TOO bad :slight_smile:

Mind explaining why it appears twelve of Simplex’s 83 community servers seem to be under single host URI?

There is no server register, and this is not our site. This has been an ongoing experiment with voluntary server listing somebody did, but it wasn’t too popular. The servers you can see there now are servers run by Flux that are preconfigured in the app.

Which if you bothered to read the thread, isn’t that unlikely. There’s apparently 47 non-torified servers meaning 2% of my contacts will use same server on average at any given moment.

It is unlikely because the client takes the information about the operator into account.

Yep. And it is a bit convenient to remove the ultimate adversary, government letters (laws/regulations), from the threat model, too. Xie, a devops/sec blogger I follow, makes the same point you do, but from an end-user pov:

Now let’s take a look at the things Sleve can’t control. Generally, Sleve can control the things he does, but he can’t control what other people do in response to them. He can’t control what other people do, and he has even less control over what the government does. Sure, he votes, but I vote too.

(source / mirror)

3 Likes

Would anyone have a link to the Mastodon thread? There must’ve been a formatting issue here as it doesn’t include a link.

I know your back and forth with Evgeny is over but would you mind summarizing the disagreement from your perspective for others (like myself) who either don’t quite understand the issue at hand or don’t have time to read the full thread? I’d really appreciate it so I could better decide between SimpleX and alternatives like Cwtch. :slightly_smiling_face:

2 Likes