Comment by yamrzou

4 months ago

How does it compare to SimpleX Chat?

SimpleX relies on out-of-band key material transfer between clients, in addition to the honesty of routing server to protect privacy and metadata.

Cwtch uses the existing infrastructure of Tor and v3 onion services to establish p2p chat sessions, thus relying on the underlying security of the Tor network. There are some nuances regarding how different kinds of groups work; we have a security handbook that goes into it deeper: https://docs.cwtch.im/security/intro

I found this[1]:

  Use end-to-end encrypted messaging applications for all your digital communications:
  - Ideally, use peer-to-peer and metadata-resistant applications such as Cwtch or Briar. Otherwise, use metadata-resistant applications such as SimpleX or Signal.
  - Email is not metadata-resistant and should be avoided if possible. If you must use email, use PGP encryption and register an address with a trusted service provider.
  Do not use:
  - Delta Chat or Matrix, as they are not sufficiently metadata-resistant.
  - Telegram, as not all messages are end-to-end-encrypted.

And this[2]:

  Since SimpleX requires that users place some trust in the SimpleX servers, we recommend prioritizing Cwtch over SimpleX Chat for text communication with other anarchists, and using SimpleX Chat or Signal for voice and video calls. Unlike Signal, SimpleX Chat doesn't require a phone number or smartphone.

As well as this comparison chart: Interactive secure messenger feature comparison - https://bkil.gitlab.io/secuchart/

[1] https://www.notrace.how/threat-library/mitigations/digital-b...

[2] https://www.anarsec.guide/posts/e2ee/

  • > Since SimpleX requires that users place some trust in the SimpleX servers

    Do you know what they mean by this? I could not understand from the explanation given. My understanding is that the message contents are still not known in any case, so I'm curious what it is they are worried about.

    • Because a malicious SimpleX server could run a modified version of the code that allows them to collect metadata, even if they can't see message contents. So, indeed, it assumes trust in the server[1]:

        Our open-source code that we are legally bound to use doesn't provide any metadata that could be used to learn who connects to whom. But the privacy of users' connections still depends on us honouring our promises and privacy policy.

      But they offer a way out using Flux, as they explain it here[1].

      [1] https://simplex.chat/blog/20241125-servers-operated-by-flux-...