Interesting project, but last time I tried it was battery hungry, and having made quite an effort to get some of my contacts on Signal, I don't see it happen to get them all on SimpleXChat. And Signal Stickers make Signal more attractive for some.
But wouldn't that mean if someone writes to your desktop profile you can't respond on mobile and vice versa? And you would have to be added by everyone else twice too?
You just never use a desktop profile. You have an account on mobile, and every time you go desktop you sign in with the app and qr code so you're always using the same db on each machine.
My desktop app has zero profiles and no db; I only sign in with my mobile.
For a while, it was only CLI and not even listen on the project's main page - it was only linked on its Github. But now there is a GUI in several forms and it is listed on the main page, so kind of interested where it all goes.
There is a desktop app but linking is not as easy and featured as Session, which is really easy to use on multiple devices, but then you lose the superior security of SimpleX
Desktop is a first-class app (not dependent on a mobile app), no phone number required, and syncing chats between all your devices just works.
Wire hasn't been updated in 2 years on fdroid tho, so I'm eager to switch to something else. But nothing else exists that meets these basic usability reqs.
Because when you read their website https://simplex.chat/ and they say stuff like "Possibility of MITM > NO" and "Central component or other network-wide attack > No - resilient" they kind lose their credibility.
Also, "Other apps have user IDs (...) SimpleX does not, not even random numbers." > there must be an ID at some point. When you invite someone with a QR code or a link that effectively becomes an ID - even if it changes for every invitation. Also servers need to coordinate message delivery, some form of ID is required for that.
The way the messaging queues work and what the servers see is interesting but I'm yet to dig into that.
I saw a user’s hash just this week — it was in a ransom note. They required their victims to sign up for the service and text a code to their userhash to kick off sending the attacker cryptocurrency so they’d send a decryption key and not make stolen data public.
Other than that use case, it hasn’t picked up many users that I’m aware of.
This is way more of a self-promo blog post than an article, but it's also along the lines of Signal or Apple announcing their own successes in cryptography.
I also appreciate their clarification that post-quantum encryption is a guess, not a sure thing. Actually, they're much more blunt than that:
post-quantum cryptography can be compared with a remedy against the illness that nobody has, without any guarantee that it will work. The closest analogy in the history of medicine is snake oil.
Good on them for saying that.
But then on expounding with minimal jargon... At least, as far as explaining cryptography can be done that way.
The guy literally printed the algorithm in a book to show that the first amendment protects encryption math. Luckily the justices at the time were definitely pro first amendment. Unlucky that they used first amendment to justify citizens United
post-quantum cryptography can be compared with a remedy against the illness that nobody has, without any guarantee that it will work. The closest analogy in the history of medicine is snake oil.
Good on them for saying that.
A "remedy against the illness that nobody has" is a good analogy, but it is important to note that it's an illness which there is a consensus we are likely to eventually have and a remedy that there is good reason to believe will be effective.
It isn't a certainty that there will ever be a cryptographically relevant post-quantum computer, and it also isn't a certainty that any of the post-quantum algorithms (as with most classical cryptography) which exist today won't turn out to be breakable even by yesterday's computers. The latter point is why it's best to deploy post-quantum cryptography in a hybrid construction such that the system remains secure even if one of the primitives turns out to be breakable.
That said, I think it is totally wrong to call PQC snake oil because that term in the context of cryptography specifically means that a system is making dishonest claims: https://en.wikipedia.org/wiki/Snake_oil_(cryptography)
I didn't post the part after the "snake oil" quote because my post was getting a bit long but yeah, they basically agree with you. I also get mild ESL vibes (the phrasing on the title is a little off, and I believe a couple of the developers are Russian-born) so I don't think they were trying to be too inaccurate.
I should've made clear in my comment that, aside from a bit of imperfect English and incorrect use of the term snake oil, I think this is an excellent blog post.
simplex.chat
Newest