SimpleX vs. Cwtch, who is right?

My list of issues with SimpleX has expanded so I’m adding one more post and trying to summarize like @TheDoc asked:

1. The IP-address leakage: SimpleX claims to be an improvement over Cwtch in that the client does not use persistent identity between two users. The CEO admits it’s impossible to deliver the message from A to B with no identifiers, and claims it’s better that the client leaks the user’s IP address to a SimpleX server, than if there was a persistent random contact ID such as 4sci35xrhp2d45gbm3qpta7ogfedonuw2mucmc36jxemucd7fmgzj3ad that hides the user’s IP-address from every contact and third party.

2. The threat-model: Tools are built for purpose, and since no tool is perfect, communicating the limits is important. The more robust security you’re trying to provide, the more important nuance in that communication becomes. Like Bruce Schneier said, “Security is a process, not a product”. Because SimpleX is trying to market itself as more private than Cwtch, it sets itself on nothing short of the ~highest pedestal in the category of metadata resistant messaging. And since that’s a more challenging category than content-private messengers dominated by Signal, that position understandably comes with burden of having to withstand very different level of scrutiny, and people who care deeply about the topic, won’t stand idle if there’s serious issues.

In this top position, having a threat model available is sort of mandatory. Having that threat model be easy to find is a big plus. It shows you care about your users. A major problem here I have, is the SimpleX threat model does not match the marketing material. It again, lies by omission. It is not the case SimpleX has “no identifiers at all”. Sure, it doesn’t add persistent identifiers on application level. But it also doesn’t prevent your router from shipping your IP address to the server inside the TCP headers.

And this is what pisses me off. Nobody who’s looking for metadata-privacy improvement over Cwtch, wants their IP-address to leak. They obviously expect a superset of metadata to be protected. Like added noise packets to hide when communication takes place, and to mask what type of data is being sent. And even if you really, really want to cater to someone who desperately needs fully automated profile-unlinkability, you’re supposed to be extremely open about the trade-off these users are making by using your product over Cwtch, since you’re the one dragging it out for comparison.

So my problem is the lying by omission to the point of active misleading, and the fact they treat the most important security documentation, that tells the users if the tool fits their needs, that they should be presenting proudly, like a cash-grab fine print, as it directly contradicts the front page marketing fluff. When you’re claiming to be on the top, you need to act like you belong there. Or you get called out as snake oil.

So to remedy:

• Have front page link to the threat model that makes a detailed case with warnings to those switching from Tor based messengers, or
• Ensure the front page matches the threat model, or
• Remove Cwtch from the front page comparison.

3. Nonexistent hosting diversity (NEW): The CEO wasn’t being open about the node pool size in this thread, so I did some digging. The documentation says

SimpleX Chat apps have preset servers (for mobile apps these are smp11, smp12 and smp14.simplex.im), but you can easily change app configuration to use other servers.

So if I’m reading this right, the Android app for average Joe who joins the app, has THREE built-in servers to choose from.

No matter if there’s more servers in reality. According to this GitHub issue from seven months ago,

SimpleX Chat currently uses one single hosting provider for all its all servers which is Linode (belongs to Akamai) in its three EMEA datacenter locations: London (15+ virtual servers), Frankfurt (5 virtual servers in the same datacenter) and Stockholm (5 virtual servers in the same datacenter).

Apparently, after that, SimpleX server status page has also listed six Flux XFTP servers, and six Flux SMP servers. Flux is a partnering company.

So unless I’m badly mistaken, there are JUST TWO ACTORS controlling ALL public SimpleX servers: Akamai, and https://runonflux.com/

Two companies that can be issued subpoenas. Two companies that, like VPN companies, will ALWAYS betray their customers rather than go to jail.

The pigeonhole principle states that when there’s three users using the public, non-onion servers, by default, one of the two companies can perform end-to-end correlation attack against two who ended up using their infrastructure.

No wonder I couldn’t get a straight answer about the pool size, and no wonder the damage control comments about pool size not mattering. Sorry guys. No. The metadata privacy of SimpleX can not rely on NSA, FancyBear etc. never gaining access to out-of-band management systems of Akamai and Flux. The SolarWinds Orion breach is a perfect example of single point of failure compromising pretty much every server under the OOB system’s control. And who knows if the data centers have their own instance of a Room 641A.

9229 Tor relays is MUCH better than two massive for-profit third-party companies with their centralized management systems.

But wait, perhaps the community can come to the rescue here? Probably not. The documentation states

not having a single register of such relays is important for true decentralization

So if I’m reading the documentation correctly, the “over 1000 self-hosted messaging relays” are not even listed. They form their own private ciphertext routing networks without contributing to the collective security. Thus, I’m left with three options if I don’t trust Flux or Akamai. I can

A) Install Tor, and use a public SimpleX Onion Server,

B) Self-host my server at home, still leak my IP which my ISP ties to my credit card, or, configure it to be a Tor-only server, or,

C) I can rent a server and yield control to some corporation like Hetzner, that I again, pay with my credit card information, and unless everyone connects to me via Tor, the payment information between personal relays can be cross-correlated by state actors. Again, Tor is needed to hide the metadata of to whom I’m talking to.

So, the solution was, Tor. Which is what Cwtch defaults to.

When I started poking around, I expected to find between 20 and 50 independent volunteers, excitedly hosting their own servers and that SimpleX has a directory from which it picks the server at random from. I sure as hell wasn’t expecting to find “two VPS companies hosting the entire public server infrastructure” lol.

So it’s either A, B, or C. B/C don’t really add anything to the mix unless you just want control over ciphertext caching server.

A is the logical choice, that most users will choose, so I’ll focus on that below.

4. SimpleX could make using Tor trivial if it wanted

The desktop application already seems to have a decent Tor proxy support.

1. From the looks of it, it doesn’t phone home before the user can change proxy settings.
2. It automatically swaps the connections to Akamai’s servers via Onion URLs when Tor is used. This shows steps have been taken to make Onion Servers a breeze to use. But no steps have been taken to make Tor proxy trivial to setup.

@epoberezkin

Why not just have a “Use Tor to hide your IP-address from the server” toggle button in the screen where you opt-in into SimpleX or Flux servers?

You could list the pros and cons for each option, “faster, reveals your IP to us”, “slower, hides your IP from us”

If Tor proxy is not detected, (check with something like $ systemctl is-active --quiet tor && echo 0 || echo 1, or, see if you can ping an onion server server through localhost:9050) you can grey it out and show something like
“Tor is not detected. Is it installed and running?”

Desktop client has to just pick the distro and give a copy-pasteable string like “$ sudo apt install tor -y && sudo service tor start” Android client can just link to Orbot in F-droid and Play-store, and to a simple instructions page.

If and when the user manages to get Tor running and they flip the toggle, it’s safe to store the mere two settings it requires

1. Use SOCKS5 proxy “yes”
2. Use .onion hosts “required”

It really puzzles me you’ve made switching to Onion Servers this easy, then you trip on the finish line.

Hell, you could even just list Tor as a dependency in the .deb file and bundle its installation with SimpleX. Then switching to Tor on desktop would be just that one toggle button away.

The other problem is the client swaps the server so seamlessly it doesn’t even notify you about onion server usage. From what I looked, there’s no way to check if Tor is being used without correlating IPs captured with WireShark. That’s a serious issue when the client doesn’t by design force connections through Tor, like Cwtch does.

It’s nice to get feedback about unidirectional servers with the “Receiving via”, and “Sending via”. But that section should also have something that says

“Connection: No Proxy detected” (red) with info-button stating the IP-address is leaking to the server, and telling to setup Tor or VPN to remedy it.

“Connection: VPN/Proxy” (yellow) when other than localhost:9050 is used.

“Connection: Tor” (green) when localhost:9050 is used.

Also, that segment should show the active Tor proxy setting values:

• Use onion hosts: No/When available/Required (again, red, yellow, green)
• Use random credentials: Yes/No (green, red)

Also, in settings, ensure the user knows proxy settings are an integral part of the security and privacy settings.

If you’d make Tor a first class citizen in the application, it would make writing a threat model that caters to more needs, and that doesn’t have awkward caveats.

But unless you make that “Use Onion Servers” toggle button enabled by default in the Akamai/Flux server selection setup screen, you’re still going to have to fix the front page claim about having no persistent identifiers.

“SimpleX adapts to multiple threat models” is a better selling point than the current caveat ridden hyperbole.

Just to echo @maqp’s point about metadata-resistant systems being a realm where strong claims are scrutinised, I wanted to highlight what SJL said in the Mastodon thread since it doesn’t seem like it was reiterated:

• Advertise Real time Audio / Video.
• Have Offline messaging on mobile / without self hosting some kind of server
• Have “No Identities”
• Rolled their own onion-routing
• Rolled their own mixnet
• Implement offline storage with 3rd party servers that is somehow efficient.

Sarah’s main point was always that a lot of these are hard or unsolved problems for metadata-resistant systems. Video and Audio at the very least to my understanding are very difficult to handle. If the project is going to call itself radically private or protective of metadata then it needs to be held accountable for making sure every single aspect of the service or system can stand up to scrutiny. There is no shame in not targeting that level of privacy, Signal does not.

This thread should not have been about SimpleX specifically. Session more than qualifies as a topic of discussion due to their implementation of video and voice calling, messaging and file sharing over Lokinet etc. The point is that the privacy community should be more resistant to projects marketing themselves or making grand/misleading claims on the basis of privacy and metadata-privacy without putting appropriate care to be worthy of those claims. In these situations it is the most dangerous threat actors being considered.

Oh
TFC has alot of bells and whistles but looks alot like distractions to the fact that they havent tackled the hard problems such as key management. there’s 2 computers that handle private keys, nothing in this system is protecting them
" The symmetric keys are either pre-shared, or exchanged using X448, the base-10 fingerprints of which are verified via an out-of-band channel. T"
so to use this i also need to be able to meet in person with the people i talk to
Great.
also the data diode non-sense is very hot in some scenes but i always discount it as military hokum
Have you heard about side channels? Are these people in a SCIF?

Wait what : D The literal point of the Source/Destination computer together with the data diode is to protect them from remote exfiltration. Also, all persistent data, including the keys is protected with pwd+salt and argon2id. Like, how are you expecting the keys to be further protected?

X448 is a public key exchange you can do over the network. Verifying keys can be done over an authenticated channel, i.e. a phone call if you recognize your contact’s voice. But yeah, the verification prompt is part of every key exchange, but that step can be skipped if you can’t verify it, or if you just need TOFU security. The application will remember the verification level for you and you can handle it later.

The data diode is just indeed something used in high assurance systems. It hits the mid point of strong endpoint security, but without the need to spend four to five digit sum per EAL7+ diode.

Yeah, did I miss any in the list? : )

The hope is the Onion Service manages to hide your geolocation so you don’t have to deal with close access operations. But that’s where I like to draw the line between mass surveillance and targeted surveillance.

Remote exploitation can be cheap enough to constitute as mass surveillance, and as Soghoian said in 2016 CCC, hacking endpoints to exfiltrate comms can become a tool of first resort for the LEA. That’s the threat TFC was created to handle.

So if you’ve reached the point where there’s a flower van across the street catching your keyboard cable’s RF emissions, TFC isn’t going to stop that targeted surveillance. All I can do, is hope there’s a legitimate reason and a court approval for that surveillance.

But yeah this thread is probably no the ideal place for deeper discussion into TFC. The topic is Cwtch vs SimpleX. If you want to talk about TFC and its design, feel free to DM me or open a separate thread.

Looks like PG should add caveat to this sentence Additionally, SimpleX Chat provides metadata protection by using unidirectional "simplex queues" to deliver messages.

Let’s ping the authors of the page (@jonah, @dngray … unsure who redoomed1 is), to see what they think.

@redoomed1

Hey @maqp I’d like to let you know that I think this post has been articulated very well. I’ve read this topic from time to time, and it wasn’t always like this. This is precise, facts are reliable (from my knowledge of the tool from extensible reading), and your opinions and questions are interesting and of great value. Indeed, perhaps the tool is not metadata level resistant. For me it still relevant as a privacy tool, and user friendly option for common folks.

Why did you pick Hetzner over all other options available where you can even pay anonymously with Monero?

Idk why you keep shilling Cwtch? does it even support bridges so people in actually censored countries can use it? Have it received any security audits? Also, looking at their git repos, there is barely any development, how can users be sure of long term maintainability of an app that they may or may not have their lives depend on?

Thanks for your input, appreciate giving your opinion here.

Good luck obtaining Monero from an exchange that doesn’t abide by KYC.

It’s the most usable Onion Service based messenger, plain and simple.

It apparently doesn’t support bridges at the moment. Shame. But that doesn’t mean it won’t in the future. I’m mostly concerned about the app’s security to those its available. Some countries will of course block Tor and there’s not much one can do about that. Bridges will help but just because they’re not there now, doesn’t make Cwtch useless. (You could make the same argument about iPhones not supporting process forking for apps, so Cwtch will never be available for people who only own an iPhone. That also doesn’t make the app useless. iPhone only users looking for metadata privacy are left with less safe onion routing messengers like Session.)

Well SimpleX is audited and here we are, pointing out issues in the design which the audit did not mention. It’s not the place of Trail of Bits to point out poor marketing material. They do what they’re told. But every time an audit finds something to fix, having it was needed. And they did find plenty with SimpleX. So I’m not saying they’re useless.

Open source projects can only do what it can afford to do, so if you want to see Cwtch audited, throw them some dough.

Again, more funding, more developers, more features. Open source is not free to develop. It dies without people who pay for it voluntarily because people need money to buy pizza so they won’t starve to death.

Even if the project isn’t receiving full time attention right now, if someone would point out a vulnerability in the code, I’m pretty sure Sarah wouldn’t even hit the bunk before the patch would be deployed. Just like I wouldn’t with TFC. So just because it’s not in active development eight hours a day, doesn’t mean someone isn’t ready to patch vulnerabilities. Also, majority of Cwtch’s security comes from Tor, and Tor Project handles that part.

Breaks in development do not make apps insecure. Vulnerabilities aren’t weeds that grow into the code unless you prune it constantly by developing and eye-balling the code. Sure, if you stop doing that all together, no vulnerability that remains gets spotted and fixed. But that’s also called ending the software support lifecycle. Open Privacy would obviously announce if Cwtch’s support would end.

Whether that happens depends on people like you. So donate.

https://haveno.exchange/ There’s even more guides here

So you agree that Cwtch is not ready for general use and needs a lot of donation and development to be usable. While we have a working messenger that received multiple audits and will continue on doing so hopefully (SimpleX Chat). I believe SimpleX Chat team is capable of resolving all issues you shared, even though there are few nitpicks like threat modeling and removing Cwtch from comparison chart, however I’m not sure about first point raised.

No I absolutely think it’s ready for anyone whose threat model it fits. General use does not mean Iranians or iPhone users. It means its safe to use by anyone who can use it and who won’t get into trouble for using Tor.

Everything runs on money. Just because it’s not feature complete doesn’t mean what’s there isn’t good enough.

Let’s not get ahead of ourselves. SimpleX still by default leaks the IP-address to the server. Cwtch doesn’t. The audits didn’t help fix this main issue.

I agree. The changes I proposed are not hard to implement at all. But that doesn’t make the issues any less serious until they’re addressed.

Way to frame me pointing out SimpleX is misleading their customers with the marketing material lol.

Telegram said “Server-side keys are distributed so we can not access user data”, when the reality was “we can access user data.” But hey, it’s just nitpicking to point out they should not have included that tiny three letter word “not” in their sentence? It’s just four backspaces and it’s fixed! No big deal they lied to their customers for a ~decade.

Too real.

I think the misconception that “if audited (regularly), everything must be golden” stems from folks reading too much in to PG’s requirement/reliance(?) for/on security audits? Sharp orgs paying attention then know how to exploit Goodhart’s to market their software.

Some friends and I use SimplexChat on the Windows 10 platform and we are faced with the situation where the application doesn’t notify us when an update is released, even if we select an update channel after installing it. This has been happening for several months, with several updates, and we are forced to go to the website to be informed of a new release.

If anyone can confirm this problem, please mention it on the Real-Time Communication recommendation page, until it is resolved, for the benefit of those who came to the app via this site.

If this is not confirmed, please remove my post.
Thanks!

@an9 weird. When new versions are released, I receive a message in my chat session with SimpleX chat team. I not sure if its added by default if it was added when I wanted to suggest improvement.

I agree that turning on preset servers hosted by Flux doesn’t add any privacy, as both companies are publicly partnered with each other. It is like using iCloud Private Relay. But is is not all SimpleX servers, see https://simplex-directory.asriyan.me. They don’t warn about the possibility of both companies colluding sharing IP addresses and metadata of users connecting to their servers, they even say that it improves metadata privacy. PG warn about it here How Do VPNs Protect Your Privacy? Our VPN Overview - Privacy Guides at the end.

Private Relay uses multiple companies and randomly switches between them, giving you a different route for each connection. These companies offer the same relay service to other companies that pay for it to implement OHTTP, so it’s more of a customer/service provider relationship.

Private message routing is, effectively, a 2-hop onion routing protocol inspired by Tor design, but with one important difference - the first (forwarding) relay is always chosen by message sender and the second (destination) - by the message recipient. In this way, neither side of the conversation can observe IP address or transport session of another.

There are only two providers built into the app as presets for now, SimpleX and Flux, but servers can be self-hosted by the user if desired. Hopefully we’ll see some more providers added as presets so we can have the same sort of random switching between providers that you get with Private Relay (I believe it already does this I just don’t trust most of the community servers to be reliable).

What’s the level of partnership and do you happen to have a source?

Yeah I saw that. It’s sort of what I was expercting to find, that SimpleX would be hosting such a listing of federated servers but nope But I’m hopeful that SimpleX devs will see the reason and make the last tweaks to make connections to servers Tor trivial, and communicate the threat model to users from inside the app.

Check their X tweets. They do everything in parallel.

https://xcancel.com/SimpleXChat/status/1912229316282245354#m

https://xcancel.com/SimpleXChat/search?f=tweets&q=Flux&since=&until=&near=

Oh ok, so this wasn’t about Akamai and Flux being under same administration? Looks like I got the wrong impression.

I was talking about Flux, their infrastructure is provided free of cost by Akamai/Linode tho.