Do you use Signal for chatting securely with friends and loved ones? Us too! We endorse it wholeheartedly, and rely on it for nearly all our communication.
But the vibes are deteriorating here in the US, and we should have a communications contingency plan for if Signal goes down.
OpenPGP for encryption through autocrypt is a BIG NO for me. OpenPGP is inherently flawed, read any reasonable cryptographer’s opinions on it. DeltaChat is a significant security downgrade from Signal. I would much rather use SimpleX or Briar.
Strikeout might have to not have the spaces between the tilde and the words?
test test test
Edit: yeah just remove those spaces between the tildes and the contents
Didn’t Threema just get bought up by VC?
How well does Matrix hold up in comparison to Session or SimpleX? Maybe I have been living under a rock, but I did not hear much about them.
I moved away from it because:
- Too hard for normals (I know, but they won’t use it and what good is a chat app without contacts)
- Pisses metadata to any server you federate with
- Including matrix [.] org which as the “main instance” you almost have to federate with, which is owned by The Matrix Foundation, which started as a project at Amdocs before breaking off, which is a Mossad affiliated company that infiltrated American telecom networks long ago, which I don’t find particularly trustworthy to have had any involvement with a secure messaging app that pisses metadata that Mossad “totally isn’t” spying on (I have no proof but you don’t either). They may not be, but it’s too close for comfort.
- In the public rooms there’s a CP problem. Can’t recommend that shit to friends/family I’ll look like a goddamn pedo if they see someone post that before it gets removed/banned. Not fair but it is what it is.
It’s a fine alternative. While not super secure it is decentralized which is nice.
The biggest problem I think is that it isn’t very easy to use, I think it’s a better replacement for discord rather than instant messages.
No spaces, see
deltachat will leak metadata everywhere
Got a citation for that? Genuinely curious
I thought Delta Chat encrypts all messages. Don’t even know how to send unencrypted ones.
https://delta.chat/en/2024-03-25-crypto-analysis-securejoin
I can’t say about the header stuff, but please check your statements. As far as usability (for regular people) goes, Delta Chat beats the other options by far.
If you’re in a country that is shutting down servers, then your contingency plan should involve serverless p2p apps like Quiet or Keet.
This is the second time I stumble across Keet this week. It sounds interesting, and yet it appears not to be open source. All I could find is a GitHub page where they publish their APKs, but no source whatsoever. Is it really closed source? Because I don’t do “trust me, bruh” crypto.
Worse, it fails to include a libre software license text file. We do not control it, anti-libre software.
Well, there’s no license because there is no code on their Github. They claim their P2P framework is open source. Yet, that is just the part that allows clients to connect. But I also need to check that what is transferred through that connection is truly encrypted. And if there’s no code, there’s no basis to even develop trust.
‘Open source’ misses the point of libre software.
The reticulum project with the Sideband client is probably a lot more censorship resistant than DeltaChat or Meshtastic.
If the vibes keep on deteriorating and there would be a crackdown on messengers and signaling infrastructure a messenger is the last of your worries.
And if Signal gets specifically targeted, there will be warning signs and time to shift away.
Nope. That’s not how Signal and E2E encrypted messaging works.
If a government asks Signal for user data they get an almost empty sheet of paper. Search for "what data does signal collect" to confirm that.
If - on the other side - your smartphone is compromised or unlocked there is almost nothing Signal can do to prevent governments from looking into your data. Also it reads like some agents simply joined a group chat. Again: nothing Signal could prevent.
I was not suggesting that the encryption was compromised. I was suggesting that signal is being targeted.
Likely, they are infiltrating Signal groups specifically. Not through breaking encryption, but still joining these groups BECAUSE of the encryption.
The fact that these groups are using private encrypted messages is what piques the interest of the FBI in the first place. Signal is just the most popular and thus the most likely target.
Still, adding feds to a group chat is a management issue, same as inviting people to your home
Any software used by enough people will be targeted.
https://eylenburg.github.io/im_comparison.htm
Falling back to email isn’t a most preferred backup, I’d rather do simplex
If Signal gets blocked, why not use a Signal Proxy?
You can use all the proxies you want, it won’t matter if the servers are shut down.
matrix.org is my new favorite
You can move to any other service, but once it becomes popular enough to draw attention they might also get blocked as well. If it’s centralized, then the central servers can be blocked and it’s no longer working. If it’s decentralized and peer to peer, then the bootstrap nodes can be blocked and it’s no longer working.
Even if it’s self hosted and not advertised, the adversary can run active probes to detect banned services and block it if it detects any.
The only thing that can work reliably is something that can be concealed and can’t easily be detected.
A simple HTTPS website that runs a small blog, forum or an image board, can have a lot of bot traffic, and human traffic that makes the traffic analysis hard, it also provides plausible deniability if someone asks why you visit that site often, you can say that you are playing games or browse images there. Such a website can have a secret interface that can be used as an interaction point for secure chatting (in a store and forward manner), which responds only if the requests are cryptographically signed by the participants, otherwise the server can play dumb and show a 404 error. Therefore an active prober can’t easily detect that the website hosts that interface in the first place, because they cannot produce a signed request unless they manage to compromise one of the participants.
Threat analysis:
- Obviously if the endpoints are compromised, all bets are off.
- The certificate authority (CA) that issued the certificate for the website can be compelled to issue certificates for man-in-the-middle (MITM) observation and then the MITM-er can detect the secret interface. But nowadays this is difficult to pull off due to certificate transparency (CT), TLS clients can be configured to not accept the cert if it’s not logged by a CT provider, and domain owners can get an immediate alert if someone else issues a fraudulent and logged cert for their domains.
Someone should make an app that works this way. Only one tech savvy person of the given group needs to set this up (preferably someone who already has a website), then others in the group can be invited into it and can use it without much friction.
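The server-side check described in the comment above, as an added example that is not part of the original thread or any existing app: a request handler that stores a message only when the request is authenticated and fresh, and otherwise returns exactly the 404 an unknown page would get. The path, header names and keys are assumptions, and HMAC with per-participant secrets stands in for real public-key signatures.

```python
import hashlib
import hmac
import time

# Constructed demo secrets, one per participant. HMAC stands in here for a
# public-key signature (e.g. Ed25519), which the standard library lacks.
PARTICIPANT_KEYS = {"alice": b"constructed-key-alice", "bob": b"constructed-key-bob"}
SECRET_PATH = "/static/img/upload"  # hypothetical location of the hidden interface
MAX_SKEW = 120                      # seconds a signed request stays acceptable
NOT_FOUND = (404, b"<h1>404 Not Found</h1>")
SEEN_TAGS = {}                      # tag -> expiry time, used to reject replays
MAILBOX = []                        # store-and-forward queue of (sender, blob)


def sign(key, method, path, ts, body):
    """Tag covering every field an observer could otherwise alter or replay."""
    msg = b"\n".join([method.encode(), path.encode(), str(ts).encode(),
                      hashlib.sha256(body).digest()])
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def handle(method, path, headers, body, now=None):
    """Return (status, body); every failure is the same 404 as an unknown path."""
    now = time.time() if now is None else now
    if method != "POST" or path != SECRET_PATH:
        return NOT_FOUND
    user = headers.get("X-User", "")
    ts = headers.get("X-Ts", "")
    tag = headers.get("X-Tag", "")
    ts_ok = (len(ts) <= 12 and ts.isascii() and ts.isdigit()
             and abs(now - int(ts)) <= MAX_SKEW)
    # Unknown users get a dummy key so the tag is computed and compared anyway.
    key = PARTICIPANT_KEYS.get(user, b"\x00" * 32)
    expected = sign(key, method, path, ts, body)
    tag_ok = hmac.compare_digest(expected.encode(), tag.encode())
    for old in [t for t, exp in SEEN_TAGS.items() if exp < now]:
        del SEEN_TAGS[old]          # expired tags already fail the skew check
    if user not in PARTICIPANT_KEYS or not (ts_ok and tag_ok) or tag in SEEN_TAGS:
        return NOT_FOUND
    SEEN_TAGS[tag] = now + 2 * MAX_SKEW
    MAILBOX.append((user, body))    # body is assumed to be end-to-end ciphertext
    return (200, b"stored")
```

The timestamp window and the replay cache matter as much as the tag itself: without them, anyone who records one valid request can resend it later and confirm that the interface exists.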
Does Signal host its user’s data?
Not sure why privacy-conscious people would be recommending it over something like Matrix. Unless they’re paid off or stupid.
it does not. and the reason is, matrix clients and servers are fucking unstable, and spam is still an unsolved thing.
I’ve never experienced either of these issues.
I’m still a user, I experience it frequently with element x, but old element was no different in regards to that.
I like matrix as well.
take a look at Jami.






