Cross-posted from : https://lemmy.ml/post/16566616

Hi, I wanna know what is the most secure and best messaging app/platform… Need an app that is crossplatform and has a very good numbers of features and security. (And it has to be FLOSS) I thought about XMPP clients, Signal, Session, IRC clients… Propose and explain me your choice

  • Simon Müller@sopuli.xyz
    link
    fedilink
    arrow-up
    1
    ·
    5 months ago

    SimpleX is quite a promising project, uses Double Ratchet End-to-End-Encryption (from Signal), and has a very interesting protocol and model to provide quite strong metadata protection, especially in regards to whom you talk to and groups you’re in.

    If your threat model requires exceptionally strong Metadata protection, SimpleX is probably going to be your go-to

    Though, for a more lenient threat model, where still good, but less laser-focused metadata protection is enough, Signal will probably do just fine.

    Personally I use Signal, but I also have a SimpleX Profile, an XMPP Account and Matrix. (preferred in that order)

  • rrobin@lemmy.world
    link
    fedilink
    arrow-up
    1
    ·
    5 months ago

    Depends on what you mean by “secure”, being very loose with the definitions, we have

    • end to end confidentiality (i.e. only you and the intended destination can see the message contents)
    • privacy (only the destination knows i’m sending messages to them)
    • anonymity (no one can find out who you are, where you live, i.e. metadata/identity/etc)

    My personal preference is Simplex.

    Reasoning for a few:

    • Email: even if you use PGP to encrypt messages the server(s) in the delivery path have access to all metadata (sender, receiver, etc, etc). If no encryption is in use, they see everything. Encryption protocols in e-mail only protect the communication between client and server (or hop by hop for server to server)
    • XMPP: similar reasoning to email. i.e. the server knows what you send to who. I should note that XMPP has more options for confidentiality of message content (PGP, OMEMO, others). So I find it preferable to email - but architecturally not too different.
    • IRC: Again similar reasoning to email - even if your IRC server supports TLS, there is no end to end encryption to protect message contents. There were some solutions for message encryption/signing, but I’ve never seen them in the wild.
    • Signal: Good protocol (privacy, confidentiality, etc). Dependency on phone number is a privacy concern for me. I think there are 3rd party servers/apps without the use of phone numbers.
    • Simplex: Probably the strongest privacy protection you can find, but definitely not easy in terms of usability. The assumption is that we do not trust the intermediate server at all (and expose nothing to it), we just leave our encrypted messages there for the receiver to pick up later. It also does some funny stuff like padding messages with garbage.
    • Matrix: In theory it supports end to end encryption in various scenarios, but my experience with it has been so bad (UX, broken encrypted sessions) I only use it for public groups.

    Some more food for though though; these protocols support both group communication and 1-1 messaging - privacy expectations for these two are very different. For example I don’t care too much about confidentiality in a group chat if there are 3000 people in there. It might be more concerned with concealing my phone/name/metadata.

    In general I consider large group chats “public”, I can try to be anonymous, but have no other expectations. e.g. some people use some protocols over ToR because they do not trust the service (or even the destination) but they try to protect their anonymity.

    On a technical note: I don’t think there is any protocol that supports multi-device without some kind of vulnerability in the past. So I would temper my expectations if using these protocols across devices.

    I’m not familiar with the other ones that were mentioned in comments or in the spreadsheet.

  • hperrin@lemmy.world
    link
    fedilink
    arrow-up
    0
    ·
    edit-2
    5 months ago

    Email, probably. Kind of depends on your needs, and how willing other people are to accommodate them. The most secure messaging platform is email with a third party IMAP client using OpenPGP. That way the client and the server are run by different people, and the encryption is based on a verifiable and well known standard. But will other people use that to communicate with you? Probably not. So probably something like Signal would strike a good balance between privacy and ease of use.

    • Dark Arc@social.packetloss.gg
      link
      fedilink
      English
      arrow-up
      0
      arrow-down
      1
      ·
      5 months ago

      I strongly disagree, email is a train wreck for secure communication.

      Proton has done a pretty good job of making an implementation that’s actually secure but PGP email has fundamental flaws like the subject line and recipient being clear text on the message, user error/key management complexity, and it’s also just a high-friction means of communication vs “texting” or “IRC”-like approaches.