The following is a cross-post from my mastodon thread
In the wake of Meta's enshittification I have seen people recommend Signal and Matrix as private open source alternatives to Meta products. In the following thread I will outline how, if your goal is software freedom, anti-surveillance and anti-censorship, the best option for direct and group messaging is neither Signal nor Matrix but instead the up-and-coming https://simplex.chat/
Signal is centralised, meaning it's vulnerable to censorship; it almost got backdoored by the UK's Online Safety Bill, and that bill still has a Damocles sword clause hanging over Signal. Signal is also not anonymous: your account is linked to you through your phone number, so if your contacts are compromised then your conversations can easily be linked back to you and your contacts can all be correlated. In contrast, SimpleX is like having “a burner phone for every contact”, meaning even if one contact is correlated you have no consistent identity that can be compromised by default. Also, SimpleX has a custom onion routing protocol to hide your IP from relay servers by default, and it makes it very easy to connect over Tor if SimpleX is blocked in your country; I'm pretty sure Signal doesn't do that.

Matrix has been floated as potentially being a decentralised and E2EE open source alternative to Signal, but Signal shares one massive pro with SimpleX, which is that both have post-quantum encryption. That matters because many researchers say quantum computers are a few short years away from being able to decrypt all historical data that is encrypted using classical techniques, i.e. not post-quantum encryption, such as the private messages you are sending across Matrix today. AFAIK Matrix currently has no plans to add post-quantum (PQ) encryption; previously they were relying on it being implemented in MLS, a standard that Matrix has been trying to adapt to their decentralised framework for years with stagnant progress. What's more, AFAICT the motion to add PQ to MLS quietly expired and wasn't renewed, so it's likely not coming any time soon.
SimpleX has PQ on top of their classical encryption implemented and working today, and you can download the app and have PQ right now (the additional classical encryption is insurance in case it turns out PQ has some classical attack vector; hybrid encryption is recommended by security researchers at this stage).

In conclusion, both Signal and SimpleX are PQ, unlike Matrix, but SimpleX and Matrix are decentralised and less vulnerable to censorship than Signal, while only SimpleX supports Tor connections and protects your IP with or without Tor, and has no persistent unique identifier, creating a “burner phone for every contact” scenario where compromised contacts can't necessarily be used to correlate your other contacts/groups simply by looking at your phone number/username in those groups.
Here's some evidence and argumentation to support building post-quantum encryption now: state and capital are hoovering up encrypted data right now to decrypt for profit as soon as it becomes cheap enough to do so with quantum computers. https://www.youtube.com/watch?v=-UrdExQW0cs
And here's the best explainer of SimpleX on YouTube; sorry about the racist thumbnail, the guy's a right-winger but his knowledge on OPSEC is valuable. If you don't know why the thumbnail is racist, search “Terry Davis glow in dark” (the search results for which I have to give a racist slur CW for, but there are no slurs in this video). https://www.youtube.com/watch?v=0cRu98XSap0
SimpleX has some interesting ideas, but also some shortcomings for people who want a practical messaging service. For example:
- It is funded by venture capital, which calls into question its longevity, and if it does manage to stick around, suggests that it will be leveraged to exploit people once the user base is large enough.
- Its queue servers delete messages if they are not delivered within a certain time frame (21 days by default). Good luck if you take a vacation off-grid for a few weeks.
- No multi-device support. (This means a single account accessed concurrently from multiple independent devices.) The closest it comes is tethering a mobile device to a computer.
- Establishing new contacts requires sharing a large link or QR code, which is not always convenient.
- No support for group calls.
It is definitely an interesting project, but not yet a suitable replacement for Matrix or Signal in many cases, if not most. It will be interesting to see how it develops in the coming years.
Signal is centralised meaning its vulnerable to censorship
…what? How do you figure? Signal has attempted to be censored several times but you can just switch relays.
if your contacts are compromised then your conversations can easily be linked back to you and your contacts all be correlated
…how do you suppose that works?
Because the architecture is centralized, a law can target Signal. Currently Signal is hosted in the United States; a law the United States writes could take it down.
How is simplex going to turn a profit for the people who’ve currently invested in it? This is why things get enshittified, they have vulture capitalists helping them start out and no one thinks about it till one day it comes time to pay the piper and features start getting broken, ads get shoveled in, and unless enough money is generated the app will eventually fail.
I hope simplex finds a way to go non profit, until then I can’t trust their business model to not shift in the future.
This is exactly what I was trying to figure out on the website to no avail.
I mean, you also covered the reasons someone might choose signal over simplex.
I agree SimpleX is a superior protocol. I use it to share text between my devices. But I'm a little bit hesitant to recommend it to friends and family because it is VC funded. Until SimpleX becomes non-profit or an alternative implementation of the SimpleX protocol starts showing up, I won't use it as my main IM.
I am all for using the tried and tested XMPP protocol.
Isn’t SimpleX VC funded?
Horrible name choice though: https://en.wikipedia.org/wiki/Herpes_simplex_virus
Signal’s leadership team includes former Google and Whatsapp executives. What’s your point?
There is concern about SimpleX sacrificing privacy down the road for profit, like all the other chat options that started this way.
SimpleX will have to return a profit at some point
Exactly, Signal at the very least has a non-profit foundation involved, while it's very clear SimpleX has investors it needs to please.
“It’s worth noting that some private foundations operate on the VC model in supporting nonprofits, either by requiring Board seats or requesting that their funding be used towards very specific objectives not always in alignment with the organization’s values and mission. It’s also worth noting that some nonprofits actually operate on the models of surveillance and censorship. Therefore, whether an organization or company is VC-backed or a nonprofit should not be the sole factor in deciding whether or not it is trustworthy. Actions are important, with full transparency being one of the most critical factors, and being fully open source being another to attract valid criticisms and audits to ensure any product or protocol lives up to its privacy and security promise. SimpleX Chat prides itself on being both transparent and open, on top of also being fully decentralized. If you’re new to it and eager to know more, you can start with this overview.”
https://simplex.chat/blog/20240404-why-i-joined-simplex-chat-esraa-al-shafei.html
There are more topics to cover than just encryption. Less on encryption, more on other topics.
Is it P2P or a server model? I happened to look it up and it seems to be a server as intermediary.
Is the server side open source? Who is running the servers? How does the client choose the server to connect to? If a hop server is tracking data, what will it see?
With all that end address obfuscation, how user friendly is establishing a connection with a friend?
Please use more paragraphs