This is way more of a self-promo blog post than an article, but it's also along the lines of Signal or Apple announcing their own successes in cryptography.
I also appreciate their clarification that post-quantum encryption is a guess, not a sure thing. Actually, they're much more blunt than that:
post-quantum cryptography can be compared with a remedy against the illness that nobody has, without any guarantee that it will work. The closest analogy in the history of medicine is snake oil.
Good on them for saying that.
But then on expounding with minimal jargon... At least, as far as explaining cryptography can be done that way.
The guy literally printed the algorithm in a book to show that the first amendment protects encryption math. Luckily the justices at the time were definitely pro first amendment. Unlucky that they used the first amendment to justify Citizens United.
post-quantum cryptography can be compared with a remedy against the illness that nobody has, without any guarantee that it will work. The closest analogy in the history of medicine is snake oil.
Good on them for saying that.
A "remedy against the illness that nobody has" is a good analogy, but it is important to note that it's an illness which there is a consensus we are likely to eventually have and a remedy that there is good reason to believe will be effective.
It isn't a certainty that there will ever be a cryptographically relevant post-quantum computer, and it also isn't a certainty that any of the post-quantum algorithms (as with most classical cryptography) which exist today won't turn out to be breakable even by yesterday's computers. The latter point is why it's best to deploy post-quantum cryptography in a hybrid construction such that the system remains secure even if one of the primitives turns out to be breakable.
That said, I think it is totally wrong to call PQC snake oil because that term in the context of cryptography specifically means that a system is making dishonest claims: https://en.wikipedia.org/wiki/Snake_oil_(cryptography)
I didn't post the part after the "snake oil" quote because my post was getting a bit long but yeah, they basically agree with you. I also get mild ESL vibes (the phrasing on the title is a little off, and I believe a couple of the developers are Russian-born) so I don't think they were trying to be too inaccurate.
I should've made clear in my comment that, aside from a bit of imperfect English and incorrect use of the term snake oil, I think this is an excellent blog post.
I saw a user’s hash just this week — it was in a ransom note. They required their victims to sign up for the service and text a code to their userhash to kick off sending the attacker cryptocurrency so they’d send a decryption key and not make stolen data public.
Other than that use case, it hasn’t picked up many users that I’m aware of.
Because when you read their website https://simplex.chat/ and they say stuff like "Possibility of MITM > NO" and "Central component or other network-wide attack > No - resilient" they kind of lose their credibility.
Also, "Other apps have user IDs (...) SimpleX does not, not even random numbers." > there must be an ID at some point. When you invite someone with a QR code or a link that effectively becomes an ID - even if it changes for every invitation. Also servers need to coordinate message delivery, some form of ID is required for that.
The way the messaging queues work and what the servers see is interesting but I'm yet to dig into that.
But wouldn't that mean if someone writes to your desktop profile you can't respond on mobile and vice versa? And you would have to be added by everyone else twice too?
You just never use a desktop profile. You have an account on mobile, and every time you go desktop you sign in with the app and qr code so you're always using the same db on each machine.
My desktop app has zero profiles and no db; I only sign in with my mobile.
For a while, it was only CLI and not even listed on the project's main page - it was only linked on its GitHub. But now there is a GUI in several forms and it is listed on the main page, so kind of interested where it all goes.
There is a desktop app but linking is not as easy and featured as Session, which is really easy to use on multiple devices, but then you lose the superior security of SimpleX
Desktop is a first-class app (not dependent on a mobile app), no phone number required, and syncing chats between all your devices just works.
Wire hasn't been updated in 2 years on fdroid tho, so I'm eager to switch to something else. But nothing else exists that meets these basic usability reqs.
Interesting project, but last time I tried it was battery hungry, and having made quite an effort to get some of my contacts on Signal, I don't see it happen to get them all on SimpleXChat. And Signal Stickers make Signal more attractive for some.
Usernames exist for a reason, especially in chat apps. Not having usernames is only going to severely limit your target demographic. And if nobody uses your app do its benefits even matter?
If I want a simple chat protocol, I use IRC or XMPP. These are battle proven by time.
If I want a really secure protocol, I use Signal or Matrix. These are endorsed by many security experts who know their shit when they assess protocols, crypto and solutions.
SimpleX may be a good alternative for anonymous communication, but there are plenty of options out there. Considering how many startups are funded by cheap VC money, and the business model is always "provide something awesome, and once you have enough traction - enshittify it" makes me very wary of investing myself in new solutions no matter how open-source they are.
I may sound bitter and skeptical, but I've seen this pattern repeated many times over.
SimpleX Chat Ltd is a seed stage startup with a lot of user growth in 2022-2023, and a lot of exciting technical and product problems to solve to grow faster.
Run by a VC funded for-profit company. That really should tell you all you need to know. Sorry, but no thanks.
Upvoted bc VC eventually means enshittification. But with xz getting back-doored recently, what is the middle ground that keeps these things sustainable financially and operationally?
As opposed to whom? Are investors in VC startups less compromised or more? What are the incentives in either case? Who do you trust to be competent and/or incompetent enough to compromise it without you noticing it? Who is likely to change a project that was well intentioned first after the fact? In what ways?
I wonder what that looks like fleshed out a little, though. Is that a mandatory or voluntary payment? And by paying for what they use is that per message or per month like a subscription?
Either way, if one needs to communicate without the use of identifiers like a phone number (afaik signal requires one) I trust Session. SimpleX features cool new tech but let’s wait until it matures
this is a wrong take for a few reasons, if we're talking about trust.
Also, Signal literally was taking money from the CIA for a decade and also is based in the US anyway, and no one hardly said a word 🤣🤣 "Privacy" activists are a joke lmao. Also signal made a crypto coin and took away features like SMS, but of course they get a free pass for that too. Makes you wonder.
SimpleX is fully open source, verifiable, and audited. If there are changes that are bad, the community will talk about them, and at worst it can be forked
SimpleX has made it clear that they don't want you to trust them. It's decentralised and anyone can run their own relay, and the servers are designed to prevent correlation. They also make it very easy to use TOR and multiple circuits. This is contrary to the inferior Signal model where you just have to trust that the centralized Signal org isn't leaking your phone and IP to the feds.
moving towards a decentralised, open, and trustless world is better for everyone. In this kind of system, I really don't give a damn where they are getting their money from, as long as they aren't putting crap in the software, and if they do, we will all know about it. But so far they have shown that they are committed to extreme security and privacy, and they obviously aren't trying to appeal to normies, so I doubt they would ever even try to put VC-pushed garbage in.
If you want a good app, you will need funding from somewhere. Look at apps like Session that aren't funded well. They suck. So I'd rather SimpleX be funded by a VC instead of by the feds like Signal, as long as everything stays open, free, trustless, and decentralised
Exactly what I thought; if the technology is so decentralized does it make sense to care so much about who finances the project?
Like if one instance of lemmy was funded by Microsoft, we could easily use another one and block it, right?
yeah it's like TOR. it's public knowledge that it was both made and is funded by the US Gov, but we all see it as the standard of anonymity online because everything is open, trustless, and decentralized.
originally it was. but it was given to the larger community as an open project, because they realized that without public use, it would be useless.
There is endless discussion on whether tor software is backdoored or not, but I severely doubt this with all the eyes on the open source code
There is also debate on how many nodes are owned by the feds, but the largest estimates at the peak were about 20%ish iirc. i doubt it's a significant number enough to worry about, from what I've seen.
tldr I'd recommend to look up all the opinions online yourself.
I've been a fan of SimpleX for a while now. Privacy comes at the cost of convenience, and SimpleX is the most private messaging platform according to this spreadsheet.
unified push works as a stand in for gms on devices without it. it runs in the background & receives the wakeup pings for the apps (in this case simplex) so you only need one websocket open instead of a different background service for each app. hugely reduces battery use.
Does that work without google services? I thought this was why signal said they wouldn't remove gapps depends, and all privacy apps do pull instead of push?
What really bothers me about Session is that you effectively cannot selfhost - hosting a node is prohibitively expensive. So seems like the only people who can realistically host a node are crypto bros, big companies and government agencies. Thanks, I would rather stick with IRC/XMPP/Matrix.
i don't know in what world you're living, but in this world where people think you're (edit: we are) a pain in the ass for refusing to install WhatsApp when everyone is expected to use it for official communication (work + organizations); Signal is great.
I've convinced a couple of dozen people to use Signal, and only one to keep Simplex as, at least, a backup.
as a caring-about-privacy minority we can invite "them" to Signal. "They" know Signal and Telegram👎. "They" understand our concerns. "They" for whatever incomprehensible reason keep using WhatsApp 🤷 We're left out of the loop because once "everyone" is on that WhatsApp group, it's tiring for them to send an email or an sms to the exceptional one or two people
requiring phone number and being centralized doesn't make Signal "not great" in a world where a great majority of people use WhatsApp + read the last comment again but more carefully ;)
signal is a great alternative to a WhatsApp world. Simplex or Session has no chance with the general public
I don't need people to be hyper-privacy minded.
But just a little bit at least. I'm not expecting everybody to self host a matrix server and use element and run self hosted services on their own RPI.
In F-Droid, after disabling all anti-features, SimpleX still is listed. Signal never will be due to connecting to GCM or Firebase. Molly is an improvement for Signal but not for untrackable privacy like SimpleX from using a different ID with each individual SimpleX contact.
Not to mention, SMS was removed because it’s inherently insecure at every level. Keeping it would mean there’d be an insecure side channel into the protocol. While it’s a useful onboarding mechanism, it can also be abused — and was. So eventually it got removed to prefer privacy and security over convenience.