Hi, I want to know what is the most secure and best messaging app/platform… I need an app that is cross-platform and has a very good number of features and security. (And it has to be FLOSS.) I thought about XMPP clients, Signal, Session, IRC clients… Propose and explain your choice to me.

  • Lung@lemmy.world · 15 upvotes · 5 months ago

    It’s basically just Signal if you want ease of use + good security. Not totally 100%, since it is funded almost exclusively by the US govt, and I can’t be sure the encryption is not backdoored, but it’s the best bet we’ve got. IRC: not secure. XMPP / Matrix: maybe ok but hard to use for most. Telegram I wouldn’t really trust, though in theory it has E2E. WhatsApp and the Google world stuff: even less faith. Honestly none of it is super great, but Signal has the best balance imo. There’s also some crypto based messaging stuff that’s used on darknets, but that’s the clunkiest.

    I think the only fully guaranteed method is having a pre-shared one-time pad encryption key between two parties and then sending the encrypted text however you want (e.g. post it on a far corner of a mostly dead online forum or Reddit). That doesn’t have any fancy algos that may be bugged, or private/public key stuff.
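The one-time pad scheme described in the post above, as an added Python example that is not part of the thread: it shows the XOR encrypt/decrypt round trip with a pre-shared pad, and the caveat that follows from the "one time" part of the name: reusing a pad lets anyone holding both ciphertexts cancel the key and recover the XOR of the two messages, and knowing one message then exposes the other. Function names and the sample messages are constructed for this example.

```python
import secrets


def generate_pad(length: int) -> bytes:
    """Fresh random pad from the OS CSPRNG; this is the 'pre-shared key' the
    two parties must exchange out of band and use for exactly one message."""
    return secrets.token_bytes(length)


def otp_encrypt(message: bytes, pad: bytes) -> bytes:
    """XOR each message byte with the matching pad byte.
    The pad must be at least as long as the message; a shorter pad would
    have to be cycled, which is no longer a one-time pad."""
    if len(pad) < len(message):
        raise ValueError("pad must be at least as long as the message")
    return bytes(m ^ k for m, k in zip(message, pad))


def otp_decrypt(ciphertext: bytes, pad: bytes) -> bytes:
    """XOR is its own inverse, so decryption is the same operation."""
    return otp_encrypt(ciphertext, pad)


def xor_of_plaintexts(ct1: bytes, ct2: bytes) -> bytes:
    """What an observer learns when the same pad is reused for two messages:
    (m1 ^ k) ^ (m2 ^ k) == m1 ^ m2; the pad cancels out entirely."""
    return bytes(a ^ b for a, b in zip(ct1, ct2))


def recover_second_message(ct1: bytes, ct2: bytes, known_m1: bytes) -> bytes:
    """With pad reuse, knowing (or guessing) one message exposes the other:
    m2 == (m1 ^ m2) ^ m1. No knowledge of the pad is needed."""
    return bytes(a ^ b for a, b in zip(xor_of_plaintexts(ct1, ct2), known_m1))


if __name__ == "__main__":
    # Constructed sample: the pad is shared once, then used for one message.
    m1 = b"meet at noon"
    pad = generate_pad(len(m1))
    ct1 = otp_encrypt(m1, pad)
    assert otp_decrypt(ct1, pad) == m1

    # Misuse: the same pad encrypts a second message of the same length.
    m2 = b"flee at dawn"
    ct2 = otp_encrypt(m2, pad)
    print("pad reuse leaks m1 ^ m2:", xor_of_plaintexts(ct1, ct2).hex())
    print("and m2 given m1:", recover_second_message(ct1, ct2, m1))
```

The guarantee the post relies on holds only while every pad byte is truly random, kept secret, and used once; the last two functions exist to make that last condition concrete rather than to describe anything Signal or the other apps in the thread do.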

    • RayJW@sh.itjust.works · 17 upvotes · 5 months ago

      I think we can be pretty damn sure that the encryption is not backdoored, since the Signal Protocol is the gold standard in encryption nowadays and thousands if not more highly skilled cryptographers not tied to the US govt have looked at it thoroughly. Also Snowden calls Signal the best messenger on the grounds of him using it daily and still being alive, so that’s also a pretty good sign.

      Also, do you have a source about them being mainly funded by the US govt? In their blog they talked about mainly being funded by small donors and a few initial loans from people who care about privacy.

      • Broken@lemmy.ml · 5 upvotes · 5 months ago

        Also Snowden calls Signal the best messenger on the grounds of him using it daily and still being alive, so that’s also a pretty good sign.

        The real litmus test right here.

        • foremanguy@lemmy.ml (OP) · 2 upvotes · 5 months ago

          I don’t think so. Do you think it is better to arrest 1 person and make all the other users flee than to let this guy live in peace and spy on millions of others?

      • Lung@lemmy.world · 4 upvotes · 5 months ago

        Ok, my bad, it’s not mostly funded now (though funding isn’t totally clear for all of its history), but we do know it was handed 3m near the start by the Open Technology Fund, which is an arm of the US Agency for Global Media, which is the US govt, and at best has the mission of pushing US news ideology globally. E.g. they did Radio Free Asia after Tiananmen Square, and guess what, that was conceptualized by none other than Senator Joe Biden.

        Yeah the encryption is probably okay, and I use it daily, but these backdoors are often hella sneaky and we know that the US govt loves doing shit like that if they can

      • foremanguy@lemmy.ml (OP) · 1 upvote · 5 months ago

        I think that Signal messages are mostly not backdoored, but maybe the profile picture, the name and the description are surely leaked to the US gov if they found most of the servers.

        • bigmclargehuge@lemmy.world · 4 upvotes · 5 months ago

          Signal has been subpoenaed multiple times by the US government to hand over all user data. Signal complied. The only data that Signal gave, because it’s the only data they themselves have access to, is the username, the unix timestamp of when the account was created, and the unix timestamp of when they last signed on.

        • RayJW@sh.itjust.works · 3 upvotes · 5 months ago

          That’s not how it works. All metadata is also E2EE with the same protocol. Even if they control all servers it wouldn’t change much.

    • foremanguy@lemmy.ml (OP) · 2 upvotes · 5 months ago

      Okay thanks, and when you speak about “crypto based messaging”, what does it mean?

      • Lung@lemmy.world · 2 upvotes · 5 months ago

        Various schemes to use the cryptography of blockchains to send messages in a decentralized and theoretically secure way. The classic version of this used by early darknets was Bitmessage. There’s some more recent takes via Ethereum too

          • LWD@lemm.ee · 3 upvotes · 5 months ago

            If you see something that says it uses blockchain to store your data, run away from it. Blockchain is used to make records permanent, not private. The only way to delete data from a blockchain is to erase the blockchain from existence, which cryptocurrency bros will never want to do (because that’s where all their money is).

            I miss the good old days when crypto meant cryptography and not cryptocurrency.

              • Lung@lemmy.world · 3 upvotes · 5 months ago

              Absolutely false, you can store data encrypted on the blockchain, such that it can be read only by a recipient. In this way it functions no differently than sending an encrypted email. But Bitmessage isn’t even a cryptocurrency, it just uses the ideas from them.

                • LWD@lemm.ee · 1 upvote · 5 months ago

                Why would you want to store messages, even encrypted ones, on a publicly accessible distributed database with no delete function?

                Bitmessage was created well before the concept of post quantum encryption was widely discussed, so it is not safe for that use case.

  • yogsototh@programming.dev · 7 upvotes · 5 months ago

    Matrix with Element as client.

    If you really care about privacy you can host a Matrix server without needing many resources.

  • aa1@lemm.ee · 4 upvotes · 5 months ago

    I think this question has some sort of relativity. What is your threat model? Are you trying to protect your data from the service itself, from your mom, from the police? You want anonymity? And so on.

    There is no ultimate answer to this question. For example, I’m using WhatsApp because it fits my threat model (messages are encrypted, metadata is not, but for me that is fine). Then, I use Signal with people that use Signal (where I live, 99% of people use WhatsApp).

    I would never use Telegram since it is not encrypted by default.

  • Eyedust@lemmy.world · 3 upvotes · 5 months ago

    I ran into one called SimpleX recently. No accounts or anything and you can host your own chat instance. Downside: The app either needs a constant spot in your notifications or will otherwise only check for messages every ten minutes.

    The desktop app is pretty rough to use, as well.

  • TechNerdWizard42@lemmy.world · 2 upvotes · 4 months ago

    I’m intrigued by Threema.

    But I have enough trouble getting people to use Telegram and Signal.

    In the end, don’t let perfection be the enemy of better than what you have.

    For example I use WhatsApp for like 80% of my communication because 80% of them are non-nerds that are barely moving from rawdogging SMS to an encrypted platform. I’d rather use WhatsApp than SMS.

    I don’t have any meta accounts and my WhatsApp number is different than my cell number and is registered internationally in a privacy focused country. So to Meta, I’m protected by those rules and any invasion of my data by government forces would need an excuse big enough for international cooperation. Not just the local PD of a podunk town.

    • foremanguy@lemmy.ml (OP) · 2 upvotes · 4 months ago

      I’ve found that SimpleX is one of the best options: it uses the Signal protocol + more and has really robust anonymity (in fact it’s Signal but without the inconveniences). Threema is a company, you shouldn’t use it.

      • TechNerdWizard42@lemmy.world · 2 upvotes · 4 months ago

        It’s a company whose model is one I support. If you’re not paying for the service, you are the product. Eventually the free-ness of other solutions will run out. There’s only so much VC money and grant money that doesn’t have ulterior motives.

        Paying a company to provide a service, which does cost real money to operate, makes me more happy if they abide by their rules.

        But it’s a snowball type issue. I’m not going to use Threema if nobody else I need to talk to uses it. And they aren’t going to use it if nobody else does. WhatsApp has critical mass across the world except the USA because iDiots don’t understand. Signal and Telegram have mostly negative awareness due to copaganda telling the general populace that encryption is bad and only shady people use encryption to hide criminal activity. Everything else (excluding China and their whole different ecosystem) is really just nerd talk between nerds.

        • foremanguy@lemmy.ml (OP) · 1 upvote · 4 months ago

          You’re right, but I would prefer to use something that isn’t relying on any type of company. My go-to is SimpleX: fully decentralized and you can run your own server. Just great I think.