this post was submitted on 23 Sep 2023
74 points (91.1% liked)


The table is quite big (190+ lines of hand-written HTML) and it doesn't fit on mobile phone screens unless you zoom out. It should be fine on desktop. It also specifies the criteria followed and has analysis of some of the IMs in the table (not close to all of them, I hope to add more analysis in the future).

Counter-arguments are always welcome. Sources and additional information too. Note that the typical privacy recommendation (Signal) is not recommended here. It does not meet our criteria, being centralized and requiring a phone number. I don't want to hate on Signal since it's doing a decent job spreading the importance of E2EE; however, we cannot recommend it for the given reasons.

top 21 comments
[–] [email protected] 18 points 1 year ago* (last edited 1 year ago) (1 children)

Didn't expect an actual valid comparison, good work!

SimpleX rules!

[–] [email protected] 12 points 1 year ago

yeah, I agree. I hope the project lasts, because it's by far the best option. I hope they manage to implement having the same "account" in both desktop and mobile, it's the only feature I miss.

[–] [email protected] 11 points 1 year ago (1 children)

There's a million of these lists, all with criteria chosen carefully or outright false to fit their bias. Like why the hell is Electron mentioned in a privacy comparison? XMPP is a protocol too, not a client, which makes comparison to Element make no sense, why would they not compare it to Matrix and ignore all of their other features? This list is complete shit.

[–] [email protected] 4 points 1 year ago* (last edited 1 year ago) (1 children)

Electron is mentioned in the OS supported section as a platform. Not taken into account for the privacy part, as you can see it is neither red nor green. Also, there's not a single mention of Element, because it's just one client, yes.

I encourage you to read our criteria, I think you'll find it quite reasonable.

[–] [email protected] 1 points 1 year ago (2 children)

You literally put Electron under the Matrix protocol. If you're going to judge it by its official client, you should do so with XMPP, which doesn't even have an official client.

[–] [email protected] 3 points 1 year ago

I just did a text search on the page and there's no mention of Electron outside the Operating System support in the table, which is not taken into account for the rating.

And yes, I like that there's no official client for XMPP which helps its independence from any entity or corporation, potential bad actors trying to push malicious features. But that's beyond my point.

I don't judge Element instead of Matrix. I just mention the OS support which is not rated and I make clear that there are other clients.

[–] [email protected] 1 points 1 year ago

can you even read? It's under supported OSs, and it says that it also has other clients in the same box.

[–] [email protected] 8 points 1 year ago* (last edited 1 year ago) (1 children)
[–] [email protected] 4 points 1 year ago

thanks, I didn't know this one

[–] [email protected] 6 points 1 year ago (1 children)

SimpleX being a hybrid p2p model means that it leaks more metadata to 3rd parties than XMPP for example.

They explicitly recommend using Tor with Simplex for that reason.

I would suggest you change the "meta data" field for it to "probably ok", but the design of the system makes it a risk factor, so without Tor it is probably more of a "barely ok".

[–] [email protected] 4 points 1 year ago (1 children)

What metadata is leaked? AFAIK, the relays you connect to don't even know who you are because there's no single identifier tied to you.

[–] [email protected] 2 points 1 year ago (1 children)

IP addresses mainly, which is the worst kind of meta-data as it can be linked to your real location and name relatively easily.

[–] [email protected] 6 points 1 year ago (1 children)

I mean, XMPP also leaks your IP to the server if you don't use Tor or a VPN. If you don't trust the server, it's a must to hide your IP.

I don't think that changes anything in the comparison. Except Briar, which uses Tor by default, I think that every other messenger reveals your IP to the server if you aren't actively hiding it. That's just how it works. At least SimpleX and XMPP can be used through onion services, something that others don't offer.

[–] [email protected] 2 points 1 year ago (1 children)

The vital difference is that with XMPP you consciously choose a server host (or self-host) that is acting like a proxy for you and thus protects your privacy, even if you don't use Tor.

With SimpleX there is basically a random list of relays that you know next to nothing about, and which could in fact be mostly honey-pots, and you are connecting directly to them, which makes Tor almost mandatory.

For me it boils down to the fact that there is no such thing as trust-less communication, so you should choose carefully whom to trust and minimize the number of people you need to trust. XMPP is IMHO the clear winner on that, because it's basically only your home-server you need to trust.

[–] [email protected] 4 points 1 year ago

yeah I agree that XMPP is currently the best option.

But SimpleX is also self-hostable, you can configure it to only connect to your own relay server. Or just use .onion servers. So SimpleX is a close second IMO.

[–] [email protected] 5 points 1 year ago* (last edited 1 year ago) (1 children)

The latest specifications for OMEMO (XMPP) do some meta-data protection similar to Signal, but admittedly few clients (Moxxy & Kaidan) support it so far and roll-out has been very slow.

I would suggest to change it to "bad" and write "work in progress" or so.

[–] [email protected] 3 points 1 year ago

oh I didn't know what changes OMEMO 2 introduced. Thanks, I'll add a note.

[–] [email protected] 3 points 1 year ago* (last edited 1 year ago) (1 children)

I want to like SimpleX, but (a) notifications on Android are iffy, and (b) there's no multi-device support. (A) I could live with, but (b) makes it a non-starter. I did try "make a group and add every device as a different user," but it's hard, confusing, and I simply cannot ask my friends and family to go through that shit just to IM. There's a ticket for multi-device sync and a comment that it's on the roadmap, but low priority. If that gets implemented, I'm on board. Until then, it isn't feasible to ask a bunch of non-tech people to switch.

As a side note, who only ever uses one device? How can multiple device sync not be a core feature of every chat design? I find this baffling.

[–] [email protected] 2 points 1 year ago* (last edited 1 year ago) (1 children)

That's why I recommend XMPP.

As for why multi-device sync isn't a core feature: it's due to the inherent nature of the SimpleX protocol that everything is stored locally; servers are only relays and do not store anything more than heavily encrypted packages that only contain messages, and once they are delivered, they are immediately removed. Servers do not store any information, they don't have your contacts, nor any form of unique identification for your account. You might even change the relay you're using every 5 minutes, because you aren't tied to them.

Compare that with XMPP where you're hosted in one server and all your messages and conversations go to that single server. Your server also stores your contact list for multi-device sync and because you're always using the same server for that account, it will work seamlessly. In SimpleX, your account information never leaves your device.

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago)

Syncing between clients is still possible, although it may not be implemented. There's no reason why a P2P client that's part of a conversation can't request past messages from any other client that's part of that conversation. All P2P does is move the data handling to the edge.

This is what I was implying: if a chat design doesn't account for this, it's IMHO not a good useful design - especially in the case that the design also leaks some metadata, and so isn't 100% targeted at dissidents.

P.s. I'm going to write my own chat application, with blackjack, and hookers.

[–] [email protected] 2 points 1 year ago