4mo ago

Is there any good private messenger at all?

I've been inspecting this topic quite a lot and I'm a little confused now. So, we have reasons not to use Signal, reasons not to use Matrix, there were also some claims about Session being a fraught. Briar is mostly activists related (not very suitable for daily use), XMPP lacks good clients and suffers from fragmentation of protocol standards implementation, SimpleX is too feature-incomplete (no UnifiedPush support, big battery drain on Android, very decent desktop client without any message sync). I can't say a lot about Threema or Wire, as I'm not very familiar with them.

So, my question is — is there any good private messenger at all? What do you think is the most acceptable option?

EDIT: In addition to my post:

All messengers have their flaws, I'm well aware of that. I was interested in hearing users' opinions regarding these shortcomings, not in finding the perfect messenger. I may have worded my thoughts incorrectly, sorry for that.

100 comments

That article in Signal is bogus. It is entirely based on speculation from how funding comes in, and also either ignores, or misunderstands how Signal fundamentally works.
The EFF recommends Signal, and it's one of the most secure ways to communicate.
https://ssd.eff.org/module/how-to-use-signal
You can make your own decisions, but if you just grab any random arguments, you'll find a reason to doubt everything.
- Lemmy has some sort of slander campaign going against Signal. Can't tell if it's just misinformed idiots or a paid shill smear campaign being run here (likely the former, Lemmy is too small for companies to give a shit about.) It's really annoying. Same with Mozilla and Firefox. Not sure Lemmy likes anything?
  
  Give me your phone number so I can chat with you on signal about this.
- The US-state-department funding is important sure, but you also ignored every other point in that article.
  
  Do you make the same criticism of TOR?
- You can make your own decisions, but if you just grab any random arguments, you'll find a reason to doubt everything.
  Agreed. Especially if your source is Dessalines. 🙄

Almost all those can be self-hosted, and built from source, so matrix, xmpp, simplex, are fine. Don't use anything that's uses a centralized server in a five eyes country, like signal or threema.
- How is Threema in a five eyes country?
  I mean, sure, only the clients are open source. Don't use it for that.

So, we have reasons not to use Signal, reasons not to use Matrix
yes, nearly all possible things in the world have been argued by someone somewhere already
- From what I've seen there's a lot of very bad security advice out there with even tech journalists and such just straight up repeating stuff they don't understand

Depends a lot on who you're talking to, and your, and their threat models. For many, signal provides pretty good protection, which brings us to a salient point, anything that actually provides good security will attract plenty of negativity, often from state level actors who feel (are) threatened. If you're playing at that level, adam_y is right, dead drops and one time pads. Presuming lesser threat, signal beats telegram and FB etc. Email is plaintext unless proton to proton, encrypted email is fine (look at PGP) and indeed if you encrypt at home before sending it's pretty much a dead drop anyway, as long as the other party has a key, and I'm wandering off the beaten path.
Seems you want a secure messenger that works and are scared by random crap because you don't have the relevant knowledge to decide (spoiler, very few do, and it's insider knowledge, the world is imperfect), fair enough, but don't let perfect be the enemy of good. As long as you're willing to give up your phone number, Signal is well regarded (exchange privacy for security, you decide). But yeah, no perfects, world imperfect, trust hard, deal ;)

Snikket is an attempt to solve the XMPP issues, or at least to reduce them, single all-in-one XMPP server distro and clients across platforms, and since it's self-hosted no one should get their hands on your data (in normal circumstances).
That said, the saying goes "Perfect is the enemy of Good". Just because a solution is not perfect doesn't make it unusable, any of those options you mention full of problems are a helluva better than FB Messenger or plain SMS for example. Depending on your threat model they might be more than enough.

What level of attacker do you realistically need protection from?

Dead drops and one time pads.
Set up a numbers station if you can afford it.

XMPP lacks good clients and suffers from fragmentation of protocol standards implementation
For Android: Conversations is excellent, also on F-Droid if you don't want to use the Google store.
For iOS/MacOS: Siskin or iOS/MacOS: Monal.
For Linux/Windows: Gajim or Linux: Dino.
"Protocol fragmentation" is not a valid complaint about XMPP -- it's like complaining that ActivityPub is fragmented; but that's not a problem: you use the services (Mastodon, Lemmy, Kbin, etc) built with it which suit your needs, mostly interacting with that sector of the federation (eg, Lemmy+Kbin), but get a little interoperability with other sectors as a bonus (eg, Lemmy+Mastodon).
- I fucking love gajim (but I call it Gaijin because it's funny to me.)
- Do those ios clients support push notifications?

I don't consider those comments regarding Matrix as problematic. Don't use someone else's server if you don't trust them - including a third party lookup server.
/selfhosting Matrix
- The article he linked specifically mentioned that the data is sent to matrix’s servers even when using a self hosted server though
  
  ... if you configure to use their lookup server.
- There’s a 90% chance the other end of your conversation will be with someone on Matrix dot org or a server they host for a organization. Like email, your other end is likely still using Google or Microsoft so the metadata & anything else unencrypted is going to be synced back to the centralized server.

People say this over and over "depends on your threat model" and yet people seem to have a hard time understanding that. Your threat model is "who is your adversary and what he is willing/able to do". Your security goal is what do you want to keep from your adversary.
As others said, if you are an activist or sth important, perhaps you might want to build a working knowledge of cryptography yourself. If you just want META not being able to see your NSFW chat with your romantic partner Signal might be more than enough. In fact, people way more relevant than me also suggest that Signal is good even for bounty hunter vulnerability reporting.
Having said that, what bugs me most is that people think the instant messaging format as suitable for everything: activism, jobs, crimes, broadcasting 1970's prog rock for extraterestrials , whatever lmao. Do you really want to use your phone for all that? Like, just carrying the phone around in the first place nullifies your other precautions, for all advanced threat models beyond privacy of non-critical social messaging.
Persistent/resourceful adversaries can eventually get to you, using a set of penetration and intelligence techniques, which means, if you are involved, the convenience of messaging your partners in crime from the phone in your pocket while waiting for a bus is a convenience you probably can't afford.
- It's impossible to escape the surveillance of those three letter agencies. We only got a brief glimpse into the other side of the curtain back in 2013, and there is no idea how advanced their surveillance technologies are, so why bother for a normie?
  It's also painstaking if not impossible to wipe all your metadata from the internet, which can later be mined to infer personal data and sold by data brokers. Not to mention that people have jobs and use their credit cards, no way even to hide the most important personal identifying information.
  So using Signal, despite being centralized, is not too bad at all. Very few people can totally sacrifice convenience for privacy.
  
  Not to mention that people have jobs and use their credit cards, no way even to hide the most important personal identifying information.
  Exactly, this is a lost cause. If you participate in society your essential data are simply out there. For most people the task is to minimize their footprint. If we are talking about evading mass surveillance, then we should take for granted that the person will be to one or another degree marginalized, or lead a fringe lifestyle.

The German technology blog Kuketz has a comprehensive overview and comparison of all major messenger services.
- Thanks for sharing. Very useful.

For me SimpleX does everything I need. Unified push would be nice, and would address battery usage. I don't need or want message sync, so that's not an issue.
They all have tradeoffs, so it's just a matter of your priorities. For instance I'm OK with the higher battery drain because it's not using Google.

Simplex.chat
No identifiers, pfp, FOSS, can route through tor.
Or host your own matrix or xmpp server.

Use Signal or Simplex.
Signal does require a phone number. However, as long as you understand what that means you are fine.
- Would recommended SimpleX over Signal if you want the "best", but for users that are pretty new to this maybe Signal

It really just depends on your threat model.
Think it in this way: What is the most secure way to walk in the city? You'll need a team of armed bodyguards and wear a full bulletproof vest. Do you REALLY need this level of security? Who are you protecting from? If the answer is a criminal organization or law enforcement, then yes, probably. But if the answer is a random thief, then you'll probably need to just carry a gun, pepper spray, knife etc.
Same goes for privacy online and messenger in this case. Are you an activist or a drug dealer? Then you'll probably need Tails + something like SimpleX via TOR. Otherwise, if you are just concerned of typical surveillance capitalism (and don't want the government to scan your chats like it probably will in the EU after Chat Control), in my opinion, Signal is the best compromise of privacy, security and convenience.
- What is the most secure way to walk in the city?
  Way ahead of you.
  Step 1: stay in the basement
  Step 2: hire a representative to wear your face and livestream IRL back at you
  
  See, this is the benefit of stem cells. I was able to cut off my face a few years back and now I have several copies of it that I grew and surgically attached to my doubles.
- I have family in China and I need to communicate with them. Seems like a pretty common threat model. Signal works only with a foreign SIM and that's only tolerated with tourists. XMPP servers get blocked almost immediately.
  
  does signal's censorship circumvention work for them? It is also possible to use Molly (signal fork) which supports TOR via orbot. If they cannot sign up in the first place, you could use SimpleX chat with TOR also via orbot, but you should figure out a way to send them your link or QR code without the government knowing, or they might get in trouble.
  Molly (signal fork): https://molly.im/
  Use TOR in China: https://support.torproject.org/censorship/connecting-from-china/
- @84skynet Exactly
  And even carrying a weapon to fend off a random thief might be too much in most of contexts.

You will always find problems associated with every thing but here's some recommandations :
For a good start, Signal and his forks (molly...)
For daily basis and better than Signal, choose SimpleX (SimpleX is only feature incomplete for the mainstream app, but in it you can send texts, voices, photos, videos, live messages, have a PP, a alias for your contacts...)
Important stuff and activism, use Briar
- Briar is really interesting but it doesn't work as well for a casual messager. It is a bit complex to setup and very hard to understand unless you have strong knowledge on the subject. I think it is very powerful but breaks the standard convention most messaging applications follow.

jami has so much potential. just wish it ran a bit more reliable

Conversations for android is an example of a good XMPP client.
- Any iOS equivalent?
  
  Monal comes close.

There are a few that do a good job of protecting our messages with end-to-end encryption, but no single one fits all use cases beyond that, so we have to prioritize our needs.
Signal is pretty okayish at meta-data protection (at the application level), but has a single point of failure/monitoring, requires linking a phone number to your account, can't be self-hosted in any useful way, and is (practically speaking) bound to services run by privacy invaders like Google.
Matrix is decentralized, self-hostable, anonymous, and has good multi-device support, but hasn't yet moved certain meta-data into the encrypted channel.
SimpleX makes it relatively easy to avoid revealing a single user ID to multiple contacts (queue IDs are user IDs despite the misleading marketing) and plans to implement multi-hop routing to protect meta-data better than Signal can (is this implemented yet?), but lacks multi-device support, lacks group calls, drops messages if they're not retrieved within 3 weeks, and has an unclear future because it depends on venture capital to operate and to continue development.
I use Matrix because it has the features that I and my contacts expect, and can route around system failures, attacks, and government interference. This means it will still operate even if political and financial landscapes change, so I can count on at least some of my social network remaining intact for a long time to come, rather than having to ask everyone to adopt a new messenger again at some point. For my use case, these things are more important than hiding which accounts are talking to each other, so it's a tradeoff that makes sense for me. (Also, Matrix has acknowledged the meta-data problem and indicated that they want to fix it eventually.)
Some people have different use cases, though. Notably, whistleblowers and journalists whose safety depends on hiding who they're talking to should prioritize meta-data protection over things like multi-device support and long-term network resilience, and should avoid linking identifying info like a phone number to their account.
- Matrix is decentralized, self-hostable, anonymous, and has good multi-device support, but hasn't yet moved certain meta-data into the encrypted channel.
  yet? do they have plans? I'm (relatively) a fan of their platform because of federation, but I thought that it's not really possible, or at least a very much lot of hard work and even more to change that
  
  I think the hardest part is the DNS and federation
  
  I don't remember the statement in the bug report verbatim, but it indicated that they intend to fix it, which is about what I had previously seen on other issues that they did subsequently fix. I expect it's mainly a matter of prioritizing a long to-do list.
  I can't think of a reason why it wouldn't be possible. The protocol is continually evolving, after all, and they already moved message content to an encrypted channel that didn't originally exist. Moving other events into it seems like a perfectly sensible next step in that direction.

After looking at the article about why not to use Signal it sounds like you're looking for any excuse no matter how small to not use something. If that's the case you might as well not communicate with anyone at all.

I'm using simplex without problems. I get all notifications and didn't notice an increased battery drain.

Conversations?
- Not as great of choice from a security perspective

The SimpleX battery drain issue does not affect everyone. At least for me, it has been perfectly fine.
- It is fine on the balenced setting. It is less fine when you run it with constant checking.
  
  I don't even know what mine is set to. I guess whatever the default is, because I don't remember changing it.

You could try Molly if you don't like Signal
- I will as soon as its added to the main fdroid repo

Wire is the best for security (it literally won't let you send messages unencrypted), cost (its free), privacy (no phone number required), and usability for the masses (Foss client on all the platforms, messages sync between each client like you'd expect)
I haven't found anything that checks all those boxes other than Wire (though I do wish we had other options that came close)
https://Wire.com
- Simplex Chat is better in many ways. The biggest reason is that you can self host the server.
  
  And it is worse in many ways

Personally using Threema and happy with it.

good messenger for what?
if you want a solution for you and a bunch of your henchmen to coordinate and discuss totally-not-crimes with ephemeral comms, practically any E2EE solution will work; once the not-crimen is done, burn your accounts and toss the devices for good measure and you're scot free.
if you want a secure messenger that's part of a widely used communication platform where you can also do normal people shit and also convert normal people to actually use it (think getting contact deets from cute boy/girl at a bar or giving yours to a business correspondent without an elaborate powerpoint presentation on how to use it) and you want to enjoy the fruits of 20+ years of continuous IM development, like having top-notch UX, battery efficiency, network resiliency, quality voice/video calls, etc., without being spied on then such a thing doesn't exist.
how come? meredith baxter recently stated that it costs signal $50MM/yr to run their infra. that money has to come from somewhere. if there are no advertising dolts dumping cash on spying on your social graph and convos, the remaining avenues for financing are few and far between.
in closing, there aren't any super awesome messengers you weren't aware of, everything is shit.

XMPP clients are fine albeit it all, as many as they are, slightly different as is the nature of the protocol. This just means there is value in contributing to existing clients, creating new clients, or embracing progressive enhancement (which most do for example with emoji reactions just being a quoted text reply & so on) & complete feature parity is a fool’s errand if you want an exensible protocol with diversity & experimentation in the community. With the broad exception of the Conversations Compliance, there isn’t a flagship client & instead the best ideas come to the most used or most innovative clients. I use Cheogram, Profanity, Gajim, Dino, Movim at different times (& would love to create my own). The protocol is stable, healthy, & ready for proposals for improvement.
If I compare this to the more-expensive-by-all-metrics-to-run Matrix, if it ain’t Element, you gotta problem since a vast majority of users are on it & using all of its features & no other client has anything near parity but are expected to have parity instead of allowing things to sometimes be gracefully missed or shown in a less than ideal manner as acceptable. This hurts experimentation. Good luck trying anything similar to GDPR when all nodes are design & required to duplicate all messages & attachments for all users to every server anyone in it comes from.
The only real gotcha is the same gotcha as Matrix when using multiple clients with double-ratchet encryption (ala Signal) is that clients will expire keys that haven’t been seen in a while & is hard to get both devices retrusting one another. Turning it off & on again rarely works & requires fiddling on both ends sometimes. I really should just use PGP for encryption more often…
- The problem is that iPhone has some weird shit about push notifications and none of the high security XMPP clients I have tried seem to support them.
  
  XMPP doesn’t need notifications per se since it already has a connection to the client. Since it works for all other OSs to hook into this & display a notification, I don’t even want to know what restrictions Apple has on iOS that prevent such basic behavior. Apple digs its own grave here. What’s worse is I want to say “go get a Android phone, dummy” to a ‘normie’ but the stock OS on any Android phone is going to be on aggregate a worse privacy situation unless you would have to be ready to teach how to unGoogle it to the extent they would tolerate.
  Linux phone when?

DeltaChat. I don't use it myself because it's built on electron (which basically excludes 99% of modern chat clients); but as it's technically an email client turned into a chat client, we can assume you're protected by PGP when writing to most users, and with the added effect of not needing to convince anyone to install anything since from their end it's just an email.
- protected by PGP
  Someone here recently linked to this gem https://www.latacora.com/blog/2019/07/16/the-pgp-problem/
  The article warns PGP over Email is a safety concern. They suggest Signal instead. (And several other tools to replace PGP)
  
  PGP is unfortunately one of the only reliable ways to get encrypted messages into and out of China. Most of that article is kind of nitpicking IMO. The only major cryptographic issue is lack of forward security. The rest can be dealt with if you have a bit of know how.
- E-mail is horrible for privacy, spam, instant messaging, etc. PGP "works" in very limited scenarios, and e-mail is not really one of them.
  Plus these two statements seem unplausible for me:
  we can assume you're protected by PGP when writing to most users,
  and
  and with the added effect of not needing to convince anyone to install anything since from their end it's just an email.
  I disagree with the first statement, most users don't know what PGP is and therefore don't have keys, so you can't encrypt anything to them. The only way most users would use PGP is if something sets it up for them, alá protonmail or my using some special client. Since you've said that from their end it is just an e-mail, how does Deltachat add any meaningful encryption?

Kind of limited due to there not being an iOS version, but Briar is pretty decent. It was made to be usable in repressive areas by press and other groups, as well as in areas where bad weather has taken out cell and regular wifi. Can be used with phone data, but also offline via ad-hoc wifi and bluetooth. But stuff like Signal and SimpleX are more overall useful to more people (and I think SimpleX also supports offline local immediate area of each other like wifi and bluetooth but I don't remember atm).
- I don't think Briar could be on iOS due to Apple TOS.

reasons not to use signal
Has this been updated in awhile?

If you really need it to be secure and private, and are communicating mostly with known acquaintances within a reasonable radius, with low bandwidth requirements, LoRA with encryption is the best bet.
It is a higher bar of entry but at least you can be confident your messages won't be intercepted in any useful form.
- Meshtastic can do this, and leverage other nodes as relays.
  
  Have you used it before? I'm curious about how it works. I don't personally have a use case but it seems very cool.
- I have been interested in trying out LoRA and just need to get some devices built. Though I am not as concerned about the super privacy part (thought that is nice). I am thinking that it would be good for emergency situations like shit that has happened with the south-east. Even if the communications would be limited to text, shit is good as long as I can use simple solar panels and battery banks.

I guess we could make one using newer FHE-RAM techniques and some edge case handling.

Signal, Threema, SimpleX.
Your source is ridiculous. Please educate yourself about more how Signal works.

This comment is a great start for what you're looking for.
https://feddit.org/comment/2362732

There’s no such thing as private on the internet. Sometime after the nineties everyone forgot that.
- Cynicism is a self-fulfilling prophesy.
  
  Do you need links to police cracking people crypto wallets. That’s about as secure as you’re going to get now and it’s still not enough. So what else have you got.
- There is no such thing as a binary choice between "absolutely private" and "absolutely non-private".
  
  This is not binary like this either. There are a TON of variables.
  You can have the IPs you communicate with visible to your ISP directly, or hidden from an ISP but visible to a VPN, or hidden from ISP but visible to the Tor network, the safety of which depends on "against whom".
  You can have your messages encrypted in transit but visible to the messaging server, or encrypted end-to-end and thus useless to the messaging server too.
  You can have the identity you post under bound to an identity outright, or you could obfuscate that.
  You can use a centralized messenger that has your whole communication graph and all metadata, or you can use a federated one with multiple identities and thus metadata scattered across multiple places. Or Briar that doesn't have servers at all.
  All depends on whom you want to be private against, as well as how much effort they want to put into getting your information. There is no "absolute privacy"... But there is "requiring more effort from the chosen adversary than you're worth".
  
  You’re either connected or disconnected. There is no in between. All you can do is toggle between them and hope no one is paying attention.

100 comments