Which private messaging / communication app is best?

Signal being based on a phone number (a clear identifier) is a non-starter. Signal is also a centralized model, using Big Tech servers (https://www.messenger-matrix.de/messenger-matrix-en.html), with a clearly identifiable contacts graph (https://youtu.be/LrLsS7-woN0?t=3600), and Signal’s multi-device cloning capability bypasses the protections of the Signal protocol (https://youtu.be/PIi9jkWdJL0?t=1624). If the software only hides the content and not your contact network, it is not private, PERIOD. Moving on…

Cyph and Threema cost money to use and people expect messenger apps to be free so those apps will probably never get much traction.

I understand that XMPP and Matrix store lots of user metadata on the servers: contacts, IP addresses, accounts directory, time of sent messages, etc. I also understand that Matrix is fairly centralized. So the federation models are not currently interesting options.

Synchronous apps that require both users to be online simultaneously are also a non-starter. So Cwtch, Ricochet Refresh, Briar and Quiet are for very limited use cases and will likely never have much of a user base. Plus, in a crisis with these apps, where you need to get a message out in an emergency and the other party is not available, you may be out of luck. (No, the Briar and Quiet mailbox ideas are not very practical for most people.)

I consider Tox, Status, Retroshare, Berty and many others to be too complicated (Retroshare), too buggy, not mature enough (Status/Berty), not well maintained (Tox), or lacking basic functionality (group chats, audio/video calls, file share–all e2e encrypted).

Jami has been inconsistent in my experience.

Then there’s Telegram and Wire that often end up on privacy app lists but have little to do with privacy.

I looked for easy to use apps for I2P, Freenet, Hyphanet and GNUnet with the idea that Darknet hidden networks might offer greater privacy. I found no app that was ready for prime time. Nothing even close.

Without getting into too much detail about the design flaws of these aforementioned apps (many with poor metadata protection, email requirements when signing up, etc.) the reasons stated are enough to disqualify them from my list.

Up until Simple X Chat (https://simplex.chat/) came to my attention, I considered Session (https://getsession.org/) the obvious choice. These two apps are the only ones that are worth considering in my opinion.

Some Comparisons: Session vs. Simple X Chat

Though Simple X has made some important design improvements over Session, I still feel that the user interface is much cleaner and easier with Session. If Session adopted the Simple X method of creating social links via “temporary anonymous pairwise identifiers of message queues, separate for each of your connections” and abandoned the persistent Session ID, I would say that Session could still stay in the race. Otherwise I expect that Simple X will overtake Session. The absence of a user ID in Simple X is the primary reason why I am interested in Simple X.

Session uses the onion routing network Lokinet (being re-branded as the Session Network) to hide metadata. Simple X uses a proxied P2P architecture. Session’s solution to the latency and reliability issues of the Tor network was to build a faster onion routing network. [I have heard Rob Braxman state that the Session Network is faster (less latency than Tor) but does anyone have any data on this?]. Simple X’s solution to the latency issue with the Tor network was to use a 2-relay system (as opposed to 3), to cut out a node and improve the speed of data transfer by reducing the number of hops. I prefer the onion routing (Session Network) approach as I prioritize the stronger anonymity and I don’t care about latency for chat messages as long as the transfer time is within 10 seconds or so. Simple X allows me to select my servers but I do not know who these server operators are and there is no tangible difference to me between Simple X/Flux servers, Session Network servers, or Tor network servers–except that I suspect that there are more malicious nodes in the Tor network.

I don’t use voice messages so this feature is of no real importance to me. Voice messages do work on Session. Voice messages are still in the works for Simple X.

File sharing works well in Session. In Simple X they use a less intuitive file management tool.

Both Session and Simple X use the same calling design as far as I can tell. P2P e2e encrypted WebRTC.
1-on-1 calls in both apps work fine. I prefer that the call in Session takes place within the app as opposed to pulling up my default browser unexpectedly (without my permission), as occurs with Simple X. Session claims to have onion routed calls soon on the way. If they can pull this off without much latency I will be impressed. This would make the calling feature significantly more secure in Session compared to the Simple X model.

Simple X does a much better job than Session with the communities part. Session does not encrypt its community channels and requires self hosting (https://getsession.org/faq). It has a directory online: https://sessioncommunities.online/ but this directory is not accessible within the app. There are 3 official channels available within the app and these are just one-way Session announcement channels (for Session, Oxen crypto, and Lokinet). Due to not providing any e2e encryption privacy in Session communities and a higher barrier for setting up and finding communities, it’s not a surprise that Session groups have lower participation. This failure of Session might be fine for someone who is just using Session as a private messenger for known contacts but not for someone who wishes to connect to a larger population. Session’s communities part is not worth using until they overhaul their system.

I should say that if there is going to be any chance that I will be able to convince some of my friends to ditch Telegram (etc.) for a private messenger app, the app will need to have a good community directory for news, etc.

Simple X communities are easy to find in the app and I understand that all communications are e2e encrypted. (Awesome!) Though there are stricter limitations on content for those who want to be listed in the directory compared to Session. Overall though they have done a good job with the communities part.

Session abandoned Australia for Switzerland because of draconian laws in Australia and increased oppression by the Australian government. Simple X is based in the UK, which is a lousy privacy jurisdiction. As Simple X grows in popularity, their strategy is to comply with the legal due process but design a system that limits network liability and offers no meaningful data to be available to the police. In the short run this strategy may be fine. I have my doubts that Simple X’s legal strategy will be effective long term because I expect that any truly effective tools that thwart the Technocrat’s agenda will be targeted if these tools gain sufficient popularity. I wonder if the Simple X team are willing to relocate, if necessary, in order to protect the privacy of their users? Session has shown their commitment to privacy already. Both projects should prepare for their respective projects to continue to function in a decentralized manner even if the founders are no longer able to continue participating.

For me, in addition to e2e encrypted 1-to-1 chats, group chats, file sharing, and 1-to-1 calling, I am REALLY looking for a secure group video conference call option for up to 15-20 people.

I have been looking hard for the most private group video calling solution and the options are not great. With more than 4 people it seems an SFU server is generally required for reliable calling and the P2P options start losing performance/reliability. The best I have found is using a VPN with the Brave browser on a public Jitsi instance with e2e encryption enabled in the Jitsi settings. I am not sure what device/browser metadata is available to a malicious Jitsi server that keeps logs.

Group video calling options are typically either: proprietary, don’t work well consistently, don’t scale well beyond a few people, few offer e2e encryption by default, most are not clear about what privacy protections they provide by design (privacy policies do not carry much weight), very few have a 3rd party security audit, most are not clear about what metadata they collect, most are not clear about which servers are hosting the calls, very few are responsive to questions (if there even is a way to contact the service).

So for me if either Session or Simple X is able to offer group calling for 15 or so people while maintaining the highest standards for privacy available and create a consistent/reliable calling experience, that would be a major win. A highly private open source group calling app would be reason enough to use the app, even if there were no other functions.

I know that Evgeny of Simple X visits the forums of Privacy Guides and has a more extensive critique of Session including:

- security problems with unlimited cloning of Session accounts for device portability
- the crypto business model for the Session Network
- how Session abandoned parts of the Signal protocol, sacrificing the double ratchet algorithm (including break-in recovery, perfect forward secrecy and non-repudiation). Maybe he can unpack all of that and explain what it means in terms of privacy compromises?
- not post-quantum resistant
- the persistent Session ID making it possible to identify users

Perhaps Evgeny would be willing to write up a comprehensive comparison, critique and analysis of how Simple X and Session stack up to each other from his perspective?

That might help me better understand which app to go with.

1 Like

Use a text verification service (e.g. textverified) where you receive a text with the code in it. Or use jmp.chat to get a voip number and you continue to use the number.

I use Element (Matrix).

Pros:

  1. It’s able to log in simultaneously on many of my devices.
  2. Does not require a phone number or an email address for registration.
  3. The account verification and recovery process is the easiest to use among E2EE services. This is very important for my mom, grandmom, etc. who are not so good with technical stuff.
  4. The closest to Discord in terms of features.
  5. Works great on all platforms, including Linux.
  6. Not perfect, but still a very secure option.

Cons:

  1. Very slow mobile app. Element X is planned to replace the current app. It’s up to 6000x faster than any other Matrix client. But the features it provides are not comparable to the current app yet.
  2. I wouldn’t consider voice and video calling usable. Hopefully, this will be improved with native calling.

I don’t consider Signal at all. While Matrix is not so decentralized in reality (since most people and spaces are on the matrix.org server), Signal is fully centralized. The Signal app is also only officially available on Debian-based Linux. I believe the app would work inside a container, but it shows that they don’t take Linux seriously. And most important of all, it requires the users’ phone number. Sure, all of those issues have workarounds. But I’m not a fan of workarounds, especially when a similar service doesn’t require one.

For normal folks, just use signal.

10 Likes

I know right? When someone makes such a long post debating with themselves about which encrypted messenger to use with such detail while discounting Signal up front, I just turn away from it. If their threat model is really this high, I don’t think posting about it here is going to get them an answer that would satisfy them.

7 Likes

Yeah, they hate that we are special snowflakes that need our own app just to talk with. If we make them use a, god forbid, complex app, we’ll cause them to burst a vessel in their head and completely nope out of our “nonsense”.

Sadly this is the state of the world.

3 Likes

Yeah, Signal just works like the ones people expect. I’ve had no problem getting people on Signal (aside from them not wanting to install another messaging app, but ehhh, not really a thing you can fix).

1 Like

Insanely insecure and arguably insecure.

Absurdly insecure and insecure by design.

All copycat programs no one would download and use. Also ricochet refresh isn’t open source (see their license).

Unbelievably unstable development, no audit, and they themselves don’t recommend it. Here is a quote:

Neither the Tox protocol nor the implementation have undergone peer review, and its exact security properties and network behaviour are not well-understood, yet. We are actively working on improving that situation. Until said peer review, Tox is not recommended for use cases that require proven, high-assurance security. If you find any potential security issues, don’t hesitate to report them on the bug tracker.

Worse stability than any other major tool mentioned.

Yes, darknets/deepnets with interesting users provide more privacy than hiding in the crowd of typical users. Totally not full of honeypot services that get revealed every month.

Finally a sane choice. Use this or Signal, and listen less to Braxman and more to actual experts if you value getting actual knowledge and/or recommendations.

5 Likes

Which private messaging / communication app is best?

Best in terms of privacy and security:

Simple X is based in the UK which is a lousy privacy jurisdiction.

Unlike any other messenger, SimpleX Chat is truly decentralized; anyone can host servers and you can choose what servers you want to connect to in the settings.

If you want their opinion about their company jurisdiction see this.

3 Likes

I’m sorry can we have a TL;DR
It sounds like you’re hating on signal for almost no reason.
This thread is a mess my goodness.
Look, being centralized doesn’t always mean bad; it always depends on how someone like Signal operates it, which they do just fine (however, the disadvantage of centralized is that if they shut down, it’s gone basically, unless the Signal proxy could allow it to stay alive, but not that we know of), and while the phone number is an understandable frustration, there are already ways you can work around it, like using a non-KYC SIM/eSIM/VoIP. That’s what I’m doing for my Signal personally.

Also, if we do keep calling out Signal to make changes, especially for the desktop app, this is how they can listen, which isn’t good, but if we can hold them accountable then we surely can do it. Which has happened and led to the decision to encrypt the keys on your PC now, so it is secure from there.

It feels like a rant to just, god forbid, say people shouldn’t use something that’s more private than, say, WhatsApp and easy to use.
I know this is the internet but the level of hypocrisy here is crazy.

However, it is understandable, which is why I have both SimpleX and Signal. But still.

1 Like

The comment about Cyph is from 2014; there have been some changes done and they got an audit (a lot of security vulnerabilities were found, critical and high). But still not far from great compared to today’s options. Also it is still web based, even if they got “Websign”, which is interesting tbh, and they offer it as a service? But I didn’t check it out yet. You can’t pay with Monero.

Their code is non-free, Source Code Licenses — Cyph “this means that third parties can’t fork and modify our code or deploy their own instances of Cyph without our permission.”.

Tox

You forgot Tox Handshake Vulnerable to KCI · Issue #426 · TokTok/c-toxcore · GitHub. There have been efforts into fixing this issue, but it isn’t implemented yet.

Idk about Hyphanet (previously Freenet), but there’s a separate project based on its design also called Freenet, they are getting consistent updates and funded by FUTO.

1 Like

Lol, how does this even happen? This is such a foundational crypto error. Thanks for sharing.

Makes sense, the service never made sense to me. JS based crypto in critical apps? Lmao.

1 Like
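Since the question above is how a key-compromise impersonation (KCI) weakness even happens, here is an added illustration; it is not code from this thread, from Tox, or from any project named here, and it does not claim to reproduce Tox’s actual handshake. It models the general class: a handshake whose session key is derived only from the two parties’ static DH keys. Whoever learns Alice’s static private key can then impersonate *anyone* to Alice, because the key Alice expects from Bob is computable from her own secret plus Bob’s public key. The second handshake mixes in ephemeral keys, so an attacker who knows Alice’s static key still cannot finish a session as Bob without Bob’s static key. The DH group (a 127-bit Mersenne prime, generator 3) is a constructed toy for an offline demonstration, not a real parameter set.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group: constructed for this demonstration only, far too
# small for real use. Any group element works for the algebra shown here.
P = 2**127 - 1
G = 3


def keygen():
    """Return (private, public) for a DH keypair in the toy group."""
    x = secrets.randbelow(P - 2) + 1          # private exponent in [1, P-2]
    return x, pow(G, x, P)


def dh(priv, peer_pub):
    return pow(peer_pub, priv, P)


def kdf(*shared_secrets):
    """Derive a session key from one or more DH outputs (order matters)."""
    h = hashlib.sha256()
    for s in shared_secrets:
        h.update(s.to_bytes(16, "big"))       # P < 2**128, so 16 bytes suffice
    return h.hexdigest()


# --- Handshake 1: static-static DH only (KCI-vulnerable) -----------------
def static_only_key(my_static_priv, peer_static_pub):
    return kdf(dh(my_static_priv, peer_static_pub))


def kci_demo_static_only():
    """Returns (honest parties agree, attacker impersonating Bob matches Alice)."""
    a, A = keygen()                           # Alice's static keypair
    b, B = keygen()                           # Bob's static keypair
    alice_key = static_only_key(a, B)
    bob_key = static_only_key(b, A)
    # Mallory has stolen Alice's static private key `a` and knows Bob's public B.
    # She never learns `b`, yet derives exactly the key Alice expects from "Bob".
    mallory_as_bob = static_only_key(a, B)
    return alice_key == bob_key, alice_key == mallory_as_bob


# --- Handshake 2: static + ephemeral contributions (KCI-resistant) --------
def initiator_key(a, ea, B, EB):
    # Alice: static a, ephemeral ea; peer's static B, ephemeral EB.
    return kdf(dh(a, EB), dh(ea, B), dh(ea, EB))


def responder_key(b, eb, A, EA):
    # Bob: static b, ephemeral eb; peer's static A, ephemeral EA.
    # Term order mirrors initiator_key so both sides hash the same values.
    return kdf(dh(eb, A), dh(b, EA), dh(eb, EA))


def kci_demo_with_ephemerals():
    """Returns (honest parties agree, attacker impersonating Bob matches Alice)."""
    a, A = keygen()
    b, B = keygen()
    ea, EA = keygen()                         # Alice's ephemeral
    eb, EB = keygen()                         # Bob's ephemeral
    alice_key = initiator_key(a, ea, B, EB)
    bob_key = responder_key(b, eb, A, EA)

    # Mallory again knows `a`, picks her own ephemeral em, and answers Alice
    # claiming to be Bob. She can compute g^(a*em) and g^(ea*em), but the
    # middle term g^(ea*b) needs either Bob's static `b` or Alice's ephemeral
    # `ea`, neither of which she has. The best she can do is substitute a
    # value she *can* compute, which does not match what Alice derives.
    em, EM = keygen()
    alice_key_with_mallory = initiator_key(a, ea, B, EM)
    mallory_attempt = kdf(dh(em, A), dh(em, EA), dh(em, EA))
    return alice_key == bob_key, alice_key_with_mallory == mallory_attempt


if __name__ == "__main__":
    print("static-only handshake  (agree, KCI succeeds):", kci_demo_static_only())
    print("with ephemerals        (agree, KCI succeeds):", kci_demo_with_ephemerals())
```

The first demo returns `(True, True)`: the honest parties agree, and the impersonation also succeeds. The second returns `(True, False)`: compromise of Alice’s static key still lets Mallory impersonate Alice to others (that is plain key theft), but it no longer lets her be accepted as Bob by Alice, which is the property KCI resistance is about. Real protocols (X3DH-style handshakes, Noise patterns with an `e`/`s` mix) achieve this with the same idea: at least one DH term in the key derivation must involve the peer’s static key and your own fresh ephemeral.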

  1. All the vulnerabilities in this link require a malicious home server to perform the attacks. But most people are using the matrix.org server anyway. Nonetheless, with these vulnerabilities, it means that the users need to trust the server that’s supposed to be trustless, which is crucial in a decentralized environment.
  2. Many of the vulnerabilities had been fixed since 2022.
  3. Element X is using a new matrix-rust-sdk that’s not the same SDKs that are reported to be vulnerable in the link. Hopefully, it will be ready for my needs soon.

Basically, the proof-of-concept insecurities that derived from the insecure-by-design parts have been fixed, and have never affected people who are on the matrix.org server. Sure, the overwhelming usage of the matrix.org server is contrary to the supposedly decentralized intent. But that’s still better than using a centralized service where hosting your own server is not possible.

I thought the whole point of choosing Matrix over something like Signal is to be federated, and run your own third-party clients?

If we’re going to insist that everyone should be using Element if they want to be secure, that defeats the entire marketing point about third-party clients that Matrix evangelists cite when they decry Signal’s centralization

If everyone needs to be on matrix(.)org and use element to be secure (ignoring matrix e2ee is still buggy ux), how is it different from centralized signal?

It’s not like everyone has to be on matrix.org, it just happens to be the most developed, so people use it the most. The same goes with Element vs the rest of other Matrix clients.

Even then, there are other reasons for me using Element over Signal. The main one is the web client that works great on every desktop OS. Otherwise, I wouldn’t bother moving away from LINE, WhatsApp, Facebook Messenger, etc. that every one of my friends is using.

I just don’t see the point of moving away from the likes of LINE or WhatsApp to Signal. They’re centralized services where, regardless of their source availability, no one is able to prove what’s actually running on their servers at the moment. At least, with Matrix, there’s an option to host my own server, and those vulnerabilities would never affect me. The moment I host my own server, it has become trustless in a way that none of the centralized options could’ve been.

Lets be clear, matrix is insecure compared to Signal. With that out of the way, do you host your own server right now? I already know the answer :slight_smile:

Anyway, idk why these threads pop up. PG has its recommendations page, use that. Unless anyone has a technical reason on why the recommendations are bad outside of “my YouTuber said so”, we don’t need these threads which inevitably become a flame war between projects that are not even in the same level. PG has cited the resources in its recommendations page, use that for doubt clarification.

IMO the options are limited to SimpleX, Cwtch, Matrix, and XMPP, if anonymity is desired. Session probably shouldn’t be considered as a long-term solution because Lokinet is built around a lie.

SimpleX and Cwtch are probably too new to be seriously considered as of now, which leaves XMPP and Matrix. Personally I believe XMPP to be the better option as it has less issues than matrix.

A lot of what is stated there is merely opinion based on what the author considers to be good practice, rather than fact. Point 1 is a non-issue, point 2 is subjective and may or may not be a problem, and point 3 is really a non-issue. The OMEMO author has responded to this blogpost.

Also relevant: moparisthebest.com - Against Silos+Signal

EDIT to avoid doublepost:

When I last checked the official Signal app also doesn’t even work natively under Wayland, only Signal Beta does.

1 Like

Also, do you compile every app you’re using on your desktop and mobile providing if it’s open source/source available? I already know the answer :grin:

Does that mean opening the source has no merit as an option or transparency of the app? Nope. Same goes for the decentralized nature of Matrix.

Not necessarily, if you host your own server and use it only among your family members. So, it depends.

That doesn’t solve the metadata or perfect forward secrecy issues with Matrix/Element. Securing the server is also very important given the trust Matrix places in the server.

Metadata is not an issue if you’re running it in your server.