• whale@lemm.ee
    ↑19 · 1 year ago

    It’s worth noting that the use of relays instead of a centralized server actually mimics the cryptocurrency obsessed Nostr platform, which might explain why the original post is from montero.town. Of course, there’s nothing inherently evil or even Crypto Bro about that architecture, and I think it would work better for E2EE messaging than a public-facing concept (because Nostr servers should, in theory, just retain everything that gets vomited onto it forever, while E2EE messaging can simply self-destruct if messages aren’t sent within a period of time).

    This architecture shares several things in common with Session, but with several notable improvements:

    • Forward secrecy exists, so an attacker can’t grab one key of yours and decrypt two weeks’ worth of messages
    • Backup and restore exists, so you can actually migrate your content database from one device to another
    • Your messages are not all tied to a single identity, especially if you decide to use different identities in different groups

    And of course, compared to something like Signal:

    • You don’t need to identify yourself with a phone number, or anything really

    Of course, there are still some downsides:

    • Despite being decentralized, all relays are currently run by the same group, so if you’re worried about them grabbing your IP address it could still happen
    • Identity management is still really confusing and convoluted, it seems trivially easy to impersonate someone. (Please correct me if I’m wrong here, but I don’t think you can tell if a person in your DMs is the same as a person in a group, even if they are trying to use the same profile)
    • In theory, lack of identity could also open pathways for excessive abuse… This is something that developers will probably have to figure out, to prevent things as harmless as annoying spammers
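
The forward-secrecy point in the comment above, as an added illustration that is not part of the thread and not SimpleX's or Session's code: a generic symmetric hash ratchet, with a constructed shared secret and a toy cipher, showing that a chain key stolen just before message 4 opens messages 4 and 5 but none of the earlier ones.

```python
import hashlib
import hmac

def kdf(key: bytes, label: bytes) -> bytes:
    """One-way derivation step: HMAC-SHA256 keyed with the current key."""
    return hmac.new(key, label, hashlib.sha256).digest()

class Ratchet:
    """Hash ratchet: every message key is derived from a chain key,
    and the chain key is overwritten as soon as it has been used."""
    def __init__(self, root: bytes):
        self.chain_key = root

    def next_message_key(self) -> bytes:
        message_key = kdf(self.chain_key, b"message")
        self.chain_key = kdf(self.chain_key, b"chain")  # previous chain key is discarded
        return message_key

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher for this demo only (HMAC in counter mode)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = kdf(key, offset.to_bytes(8, "big"))
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)

def keys_reachable_from(chain_key: bytes, count: int) -> list:
    """Message keys an attacker can derive after stealing one chain key."""
    stolen = Ratchet(chain_key)
    return [stolen.next_message_key() for _ in range(count)]

def demo() -> list:
    """Return the indexes of the messages the attacker can read."""
    sender = Ratchet(hashlib.sha256(b"constructed shared secret").digest())
    traffic, stolen = [], None
    for i in range(6):
        if i == 4:
            stolen = sender.chain_key  # device compromised before message 4
        plaintext = b"message number %d" % i
        traffic.append((plaintext, keystream_xor(sender.next_message_key(), plaintext)))
    attacker_keys = keys_reachable_from(stolen, 6)
    return [i for i, (plaintext, ciphertext) in enumerate(traffic)
            if any(keystream_xor(k, ciphertext) == plaintext for k in attacker_keys)]

if __name__ == "__main__":
    print("messages readable after the compromise:", demo())
```

A pure hash ratchet protects only past messages; protocols such as the Double Ratchet also mix in fresh Diffie-Hellman output so that later messages become unreadable again after a compromise.
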
    • BearOfaTime@lemm.ee
      ↑4 ↓1 · 1 year ago

      If I recall correctly, SimpleX came out of the development of a file-transfer protocol, similar to torrenting.

      It’s been probably a year since I read up on what they were doing, and I’ve been running it on a couple devices.

      I keep it around as a backup chat tool. Sadly I can’t get people away from SMS, but I also use Signal and Telegram. Each has its pros and cons.

      • whale@lemm.ee
        ↑1 · 1 year ago

        Interesting. They appear to be developing chat and file transfer functionality simultaneously, but separately… I think you can use one without the other. If you like command line tools, they have you covered… Outside of the surprisingly polished (if incomplete) mobile and desktop apps, it sure does look fun to play with.

      • whale@lemm.ee
        ↑2 · 1 year ago

        People can still join public groups with new, regularly created profiles and spam them from there. I’m not sure how to prevent that, because AFAIK a group join message is indistinguishable from pretty much all other traffic on the network.

        Spamming you directly, that’s not really much of a concern.

        And yeah, Telegram has been a joke in terms of both privacy and security since its inception

  • fmstrat@lemmy.nowsci.com
    ↑10 · 1 year ago

    Oof, bad timing for that name selection. Especially with payment processing.

    The invitation method is interesting, but will likely be its limiting factor vs its draw. Regular Jane/Joe wants to share their username, just not their number or email. Not being able to share verbally is tough.

    • BearOfaTime@lemm.ee
      ↑4 ↓1 · edited · 1 year ago

      Simplex has been out for a year or so.

      It’s tough getting people used to systems that respect privacy, since Out-of-band ID sharing is part of that.

  • einfach_orangensaft@feddit.de
    ↑5 ↓1 · 1 year ago

    I like the whole concept but it seemed too good to be true and not some type of backdoored honeypot, I guess I’ll check it out when enough people reviewed the source code

    • Cheradenine@sh.itjust.works
      ↑6 · 1 year ago

      Well, since it was audited quite a while ago you could probably check it out now.

      simplex.chat/blog/20221108-simplex-chat-v4.2-security-audit-new-website.html

    • noodlejetski@lemm.ee
      ↑4 · 1 year ago

      back when I was using reddit, whenever it would be posted in /r/privacy or /r/privacyguides it would get like 30 or 40 upvotes in a matter of minutes. for a service that came seemingly out of nowhere, it really felt suspicious to me.

      • whale@lemm.ee
        ↑6 · edited · 1 year ago

        But then, the biggest criticisms for it would come from a dude or two who insists it has been corrupted by the Russian developers, whose bloodline runs as red as communism itself… Just the dumbest criticism imaginable.

        I’m open to criticism, and I posted a couple here. Heck, here’s one more:

        Because a single entity runs all the relays, it could in theory hold on to all the messages based on sender IP address, while appearing to not be a honeypot.

        (This could also hold true for Signal, BTW.)

        • BearOfaTime@lemm.ee
          ↑3 ↓1 · 1 year ago

          I thought you could run your own relay?

          It’s been probably a year since I chatted with the devs (did some testing with a few devices I have sitting around). Biggest issue I had was it required a current version of Android, as I thought it would be great to be able to run it on older devices.

          • whale@lemm.ee
            ↑2 · 1 year ago

            You can, but I’m not aware of any official implementation of third party relays, or any third-party relays in general.

            I’d be happy to get proven wrong, though… and considering what they have implemented: decent encryption, anonymity, etc, they’re doing pretty well regardless.

      • moreeni@lemm.ee
        ↑3 · 1 year ago

        I think that’s because it’s the content for privacy subs. Now that it has been audited and privacyguides recommends it I put my trust into SimpleX

  • jet@hackertalks.com
    ↑6 ↓3 · edited · 1 year ago

    TLDR via notegpt

    • 🚀 Simplex Chat: A private and secure messaging platform without user identifiers.
    • 💡 Founder’s story: The startup was founded in 2021, with ideas dating back to late 2019.
    • 🌐 Join the group: Interested viewers can join the conference group to ask questions and try out the platform.
    • 💰 Privacy and cost: Lack of privacy in messaging platforms can cost users real money.
    • 🔒 Designing for privacy: Simplex Chat’s design removes the need for user identities, providing a high level of application-level anonymity.
    • ⚙️ Usability and future plans: Simplex Chat aims to be as usable as popular messengers while addressing the challenges of establishing connections and transfer anonymity.
    • 🌐 Future evolution: The network is evolving into a two-hop mix network to further protect IP addresses and enhance session isolation.
  • Gargari@lemmy.ml
    ↑2 · 1 year ago

    Is it a simple chat app or something like Telegram with channels and groups support?

    • moreeni@lemm.ee
      ↑6 ↓1 · 1 year ago

      It doesn’t have channels, only groups. It’s more like Signal with no phone number req but with worse UX as a trade off

      • blkpws@lemmy.ml
        ↑4 ↓1 · edited · 1 year ago

        But https://briarproject.org can be used in Gaza right now, works without internet.

        EDIT: And has forum posts for important notices around you, which is super useful in war/censorship times.

        • BearOfaTime@lemm.ee
          ↑3 · 1 year ago

          I think they serve different (though related or overlapping) purposes.

          Briar started (IIRC) as a Bluetooth-only comm tool, and they’ve done a great job expanding what it can do (think it does Tor now?). Briar is not battery friendly, and the devs will tell you so. I don’t consider it a daily driver, but rather for specific circumstances. I keep it around just-in-case.

          SimpleX is more of a daily driver since it’s a more conventional IP networking app, though it’s a little battery hungry too.

          • EngineerGaming@feddit.nl
            ↑1 · 1 year ago

            My main concern with Briar is that it would be of not much use without a smartphone (I meant the internet-less features in particular). I would not trust sensitive things to a smartphone. I wonder if something like that could be doable with an Android VM or Waydroid with a laptop’s bluetooth…

            • BearOfaTime@lemm.ee
              ↑1 · 1 year ago

              Maybe. Check out Android Subsystem for Windows. It’s essentially an Android VM though you don’t have a launcher/home screen. You just see the apps in your task bar like any windows app. I run it on an older laptop, it’s a touch slow but works well enough.

              https://github.com/MustardChef/WSABuilds

              • EngineerGaming@feddit.nl
                ↑1 · edited · 1 year ago

                Windows is as much of a spyware as an average smartphone though, so not much of a point.

                Edit: I should try it in Waydroid then.

                • BearOfaTime@lemm.ee
                  ↑1 · 1 year ago

                  Lol, true. I just assume most people are using it.

                  I’m working on getting away from it, been stuck on finding a OneNote replacement.

          • blkpws@lemmy.ml
            ↑1 · 1 year ago

            Yeah, you are right, I just think SimpleX is not for me as I already use many Matrix chats even for work stuff and collaborations (group chats), and I’m not sure if I can do the same or chat daily with my team as I do on Matrix. And I just hope and have faith that they will fix those metadata issues:

            https://github.com/matrix-org/matrix-spec/issues/660
            https://github.com/matrix-org/matrix-spec/issues/549

            But it can take long, for now I am not worried at all.

            • BearOfaTime@lemm.ee
              ↑3 · 1 year ago

              Yea, it’s a different tool. And it’s still early days.

              I don’t use SimpleX as a daily driver, yet. But it has a lot of potential. Just glad to see another tool out there, and the devs seem really earnest (I worked with them a year ago while testing the app).

              • blkpws@lemmy.ml
                ↑1 · 1 year ago

                I should give it a try, but not sure if I will be able to talk with anyone… I don’t really have friends that care about privacy… 😢

                • BearOfaTime@lemm.ee
                  ↑2 · 1 year ago

                  Lol, welcome to the club!

                  God how I despise SMS, and I can’t get anyone off it, even if other options are easier to use than SMS, much more robust, faster, more flexible, etc.

                  There are a couple messaging apps that are self-hostable (like I believe SimpleX is). Litewire is one. At some point I plan on hosting one myself, and preconfigure accounts for friends/family to make it even easier for them. Maybe that will get them on board.

      • auth@lemmy.ml
        ↑1 ↓1 · 1 year ago

        Signal only asks for a phone number to verify your identity… it’s far from private

    • jelloeater - Ops Mgr@lemmy.world
      ↑2 ↓1 · 1 year ago

      It’s more or less truly anonymous chat. Like you meet someone on the street and need to chat with them, but don’t want to give them any personally identifiable info. It’s really cool in concert, but good luck getting anyone to use it. Signal is good enough if you’re paranoid. TBH Telegram secret chats are just as good for sensitive stuff and way easier to get folks to use.

    • whale@lemm.ee
      ↑2 · 1 year ago

      Briar had a lot of extra features where it could connect without an internet connection, but it also had a lot of downsides… For example, if you use their “forums” feature, it becomes harder to navigate the more people use it (every reply makes it harder to scroll to where the reply is from, and there is no way to easily navigate top level things).

      • onlinepersona@programming.dev
        ↑1 · 1 year ago

        Thanks.

        So it has a new ID for each tunnel/channel/whatever. As usual, that comes with the downside of discoverability: how do you find all your contacts when installing the app? You always need an out of band transfer of the user ID - be it email, username, or a transient one like this.

        I’m not sure how much better that is than existing chat apps that don’t have discoverability.

        • whale@lemm.ee
          ↑2 · 1 year ago

          It doesn’t have any discoverability, but it does have backup and restore, something that other apps without discoverability tend to not have.

          Unless you have other apps in mind that I’m not aware of.

            • whale@lemm.ee
              ↑2 · 1 year ago

              But Signal already has discoverability via phone number ID.

              (I was thinking of Session, which ripped off Signal and lost basically everything good about it in the process)

          • onlinepersona@programming.dev
            ↑1 ↓1 · 1 year ago

            How?

            If the OOB is not encrypted --> hello MITM attack or impersonation (unless of course you’re physically in the same place, which is quite limiting)

            If it’s encrypted, why not just keep using encrypted channel? I have to find an encrypted channel to initiate an encrypted chat?

            I’m not seeing the benefit