Privacy @lemmy.ml Gordon_F @lemmy.ml 11mo ago

Privacy minded `instant messaging` quest.

Hi,

I'm looking for an instant messaging ( IM ) ~~apps~~ software/protocol that run on Android and computer

and meet the following requirements :

Open source !
E2EE
Messages are send in direct ! (not passing by a server)
handle group
Truly private ! ( That's the tricky part )

The closest that I've found is Briar

+can work without internet ! (bluetooth, local wifi, files !)
+ use TOR
- Mutual party have to exchange key (or your can introduce someone)
- sending media suck for now, poor image quality
- no call or voice messaging

I've been looking for alternatives:

~~Session~~
- Sadly it keep ALL the conversation into server !!! so it's a no go.
speek
- I didn't try it yet, any feedback ?
simplex
- it look very promising ! (didn't tried it yet)
- + seem to handle multiple profile in one !
- + do not require that both party send an invitation !
  - and have also a optional long term address
- ~~! I didn't found (yet) if the messages are send in direct or pass by a server..~~
  It's not P2P all the messages pass by servers.. too bad.

All post about alternatives or experience with the one that I cited are welcome.

21 comments

deleted
- The "truly private" req really smells with "I have no threat model and don't know what am I doing"
- If you allow for servers that can't read your messages (Tor nodes and such), "serverless" messaging is quite possible. All the layers of encryption and redirection aren't great for latency, but there's no reason two phones can't be connected over Tor/Veilid.
  
  The problem in practice, I think, is notifications. To receive notifications, you need to be online all the time. To be available on Tor all the time may help deanonimze you so you also need to shake up your connections every now and then, which requires some CPU heavy recalculations and key exchange from the network as connections are reestablished.
  
  deleted
simplex uses relays/servers, but incoming and outgoing messages are configured to pass through separate servers. you can see this in the network settings
Session doesn't store logs on a central server. They are encrypted and stored on lokinet.

Anyway other options are: Jami, Signal or Molly and maybe matrix. Keep in mind Briar will drain battery a bit and doesn't receive notifications offline unless you setup a dedicated device
- https://www.securemessagingapps.com/ if you see closely for session , it says that attachments are centralized in their servers in canada
  
  session tries to promote their oxen cryptocurrency and lokinet which imo crypto currency are used by baiters to bait people into ruining their money
  
  you dont understand what signal /molly is , do you ? they are centralized server and OP specificially asked not centralized server / server for that matter
  
  matrix is good but it still need server , plus matrix.org takes quite a bit of metadata
  
  jami's good but it uses turn server to verify your name
  
  briar's bluetooth functionality can be violated plus no good ui/ux
  
  jami’s good but it uses turn server to verify your name
  
  So is it secure ? does that mean you rely on those server to be able to created an account ?
  
  Session does not have centralized servers in Canada. There are issues with session but centralized servers aren't one of them.
speek sucks in my opinion , i tried it ,

tbh jami is the best app currently in the p2p messenging space

berty sounds good as well , its built on top of ipfs and weshgaurd

tox is good as well

(i have messaged briar and berty team regarding some questions and i havent gotten its answer , i will update you when i get the answer)
Have you looked in to Jami?
- no ! thanks ! look promising too.
  
  I'll try it and give my review... but is it require to make a "jami" account on their server !??
  
  As I understand it, the account is on your machine only. If you delete your profile, it's gone, unless you made backups. But I may be mistaken.
It's been stuck in "coming soon" hell for ages, but VeilidChat may be of interest to you.

TorChat is rather clunky, but any privacy respecting chat app without an intermediate server will be. Is a bit like Tor but with some improvements, so running a chat protocol on top of it should work better.

Note that there is an app called "veilid chat" out there that doesn't seem to have anything to do with the people writing code on the Veilid network.
A little update.

I've just tested simplex on Android.

it's very well thought out ! The features make sense. UNFORTUNATELY it's not P2P ! all the messages pass by their servers :'( with Briar it's P2P.... weirdly they claim their way is better than P2P ! any comment on that ?

In my point of view, if messages are stored somewhere it's mean the can be process[^1] !

Cheers.

edit: lemmy link to their community !simplex@lemmy.ml

[^1]: Copied, analyzed, cracked (Brut force or what ever)
- It sounds like you're assuming that everything you put out there isn't already being stored.
  
  https://www.eff.org/nsa-spying
  
  Thank you very much @jet@hackertalks.com & @Quexotic@beehaw.org
  
  The EFF article is really interesting for everyone. ( I was aware of this )
  
  Indeed no one should assume that his packets are not intercepted along the road. But conceive an software that on top of that, specifically route the traffic trough his server not make it better (on the opposite in my opinion)
  
  Even if the owner of those server do not process the data... ( This is relying on blind trust) those servers might be breached. (in addition to the systemic data recording, like in the EFF article )
  
  Let put it simple, is SimpleX offer on the actual Internet (can't wait the next gen, GNUnet or anything similar) a similar level of Trust & privacy than Briar ?

21 comments

Privacy minded instant messaging quest.

Privacy minded `instant messaging` quest.