1. 49

by https://hashbang.sh Security Team


  2. 23

    I’d like a column in here that notes whether there are desktop apps that don’t involve Electron.

    I see Tox in this list. Last time I looked at their crypto, it was pretty horrible – see https://github.com/TokTok/c-toxcore/issues/426 for example – with a core developer eventually admitting there, “We haven’t got to the point where we can enumerate [Tox’s security guarantees] properly, given the general lack of understanding of the code and specification.” No clue how far they got since that thread – if they moved forward at all – but, well, it’s certainly not a messaging system designed by cryptographers. Careful!

    So maybe the list would also benefit from a column called “crypto is good” or something sufficiently vague that you can include Signal and exclude Tox, for example.

    1. 1

      Sorry for the delay. I’ve noted this under the E2E Audit column with a link to the github issue.

    2. 9

      Sadly this does not compare the quality of the different clients which definitely plays a big role for me. Also, an in-depth feature analysis would have been nice. I’m missing criteria such as API access, bot scriptability, stickers, gifs, platform integration.

      1. 2

        Sadly this does not compare the quality of the different clients which definitely plays a big role for me.

        Perhaps the most important feature, but, unfortunately, also not as objective as the fields listed here.

      2. 7

        I am not surprised at all that XMPP has way more true checks than the other options.

        1. 1

          Except the most important thing “E2E by default”.

          1. 3

            Conversations.im, arguably the most popular XMPP client, has E2E by default.

            1. 1

              True. Probably the best mobile XMPP client. But not all clients have gotten on board the OMEMO ship yet.

              1. 1

                Yes, you probably know it but for a wider audience one can track OMEMO deployment progress on https://omemo.top

                On desktop I’d recommend Gajim, it still looks a little bit dated but it supports all modern XEPs and is actively maintained.

        2. 6

          As someone who created a p2p messaging system Fire★, I’m sad that P2P isn’t called out as a separate feature. And no, decentralized != P2P. It’s almost like people found P2P too hard and gave up.

          1. 3

            P2P is ‘distributed’, right?

            I’m glad I bookmarked this depiction of Centralized vs Decentralized vs Distributed.

            1. 1

              P2P means that peers which are communicating with each other are doing so directly, not through any intermediaries. So yes, you can say it’s distributed. And because Fire★ can do more than just messaging, you can do distributed computing on it too.

            2. 1

              EDIT: I meant to say decentralized != P2P. The double negative in my previous post could be confusing.

            3. 7

              Any link to a Google Docs with the tag privacy feels kind of completely wrong. I for a fact can’t see it, because that whole domain is sink-holed. (so I don’t know if @benharri authored it himself)

              Feature suggestion for Lobsters:

              I would prefer if submissions involving proprietary and privacy unfriendly services like Google Docs, Microsoft Cloud etc would be prompted with a:

              ‘You’ve submitted a link to an online service that some of our readers have significant privacy issues with. Could you instead provide HTML, a wiki page or a downloadable PDF from a privacy friendly domain?’

              1. 2

                I co-authored. I’ll check with the doc owner and discuss an alternate format. (I somehow lost permissions when it was set to comments only)

              2. 3

                I hadn’t heard of https://delta.chat before, but that seems clever! It works on email. I would guess that the UX must be a bit clunky because of some impedance mismatch, but it’s always interesting when somebody builds something new on old, proven protocols.

                The other day, I was thinking that perhaps NNTP should be extended to support a modern forum like this.

                1. 3

                  Telegram Desktop does work on FreeBSD.

                  1. 1

                    This is updated.

                  2. 2

                    Nice survey. Am I missing Off the Record Messaging on this list? It had quite a bit of use.

                    1. 3

                      It probably could, but it’s not an independent messaging system. Rather, it’s a way of using other messaging systems as transport for encrypted content. Adding it would render the E2E Private and E2E Audit fields true, and arguably the TLS field based on OTR’s message structure (it wouldn’t be true TLS, but signed encryption of OTR messages would likely be sufficient to mitigate the absence of TLS). The rest of the fields would be unchanged, by my quick assessment.

                      1. 2

                        I think of it as its own messenger in a way. It’s basically like a FOSS version of a commercial bundle or value-added reseller. IIRC, E2E Default might be true, too, since my setup automatically attempted OTR with friends.

                    2. 2

                      The most important feature, regarding security, is “E2E by default”. Encryption exists either by default, or it doesn’t exist at all. And this is currently the biggest failure of XMPP.

                      1. 2

                        What messengers does everyone else use? I’ve got actually a good amount of my contacts using Signal, and I hesitate to make the attempt at migrating yet again, but if the benefits are significant enough I might be able to be convinced.

                        1. 10

                          You should consider submitting that as an Ask Lobsters. It probably deserves its own thread. Asks on Lobsters are usually pretty interesting with lots of good ideas and setups.

                          1. 2

                            Fully agree (unless we can politely ask moderators to split this into its own thread, if that’s actually a thing)

                            1. 8

                              IRC is still one of my main messengers. weechat makes it so nice.

                              Other than that, I have quite a few friends and family using telegram, which is a great client with questionable crypto.

                              1. 1

                                weechat is a bit annoying to use on mobile. I got a proper weechat relay setup and use the official weechat Android app. However, it really likes using a ton of battery. Do you experience the same problem?

                                1. 2

                                  Are you referring to weechat-android? If so, I use the same setup.

                                  I leave it on all the time and haven’t noticed any significant battery drain. According to the battery stats, it’s about 1% of today’s usage. Compare that to syncthing, which counts for 9%.

                                  1. 1

                                    Ironically, I found XMPP to be the best way (for me) to use mobile IRC, thanks to biboumi, a very reasonable bridge. And you can also connect biboumi to your Irssi or WeeChat IRC relay.

                                2. 5

                                  We shouldn’t dismiss XMPP yet. It comes off pretty well in that matrix above, and with Conversations and ChatSecure it has good mobile support. Some criticise its distributed nature, which I believe to be a strength. And the chaos in the implemented features often cited from the Matrix side can be seen in another matrix w.r.t. the publicly operated servers, thanks to the “XMPP Compliance Tester”.

                                  • Another plus is that you do not need to share your phone number or upload your phone book.

                                  1. 3

                                    I’ve been looking into XMPP in response to both this post and Librem’s desire to support it in their phone. I was quite disappointed that XEP-0313 isn’t supported well on Desktop.

                                    Mobile is doing fantastic, but it’s hard for me to get excited when I don’t feel like there’s a large range of clients. Even for Windows to chat with my SO.

                                    1. 2

                                      You may be interested in movim.eu https://github.com/movim/moxl#xmpp-support

                                      or Dino https://dino.im/

                                      Gajim is also ok.

                                      Edit: may also be interesting: https://conversejs.org/#features

                                      Personally, I have not enabled MAM on my server at all; carbon copies seem enough (I rarely need a coherent history on all devices). Another thing you can do is open a “group chat”, which has its own way to record the most recent history.

                                      If you are using terminal-based clients, you may find they are running on a server 24/7 anyway and thus do not need explicit MAM either.

                                      1. 1

                                        movim is interesting, but it looked like a social network rather than IM software? Maybe I’ve misunderstood, though. Dino looks great, except that it hasn’t had a release yet. Gajim doesn’t have a UI that I think my partner would like. That said, I don’t want it to change, because I quite like it.

                                        Converse.js is rather neat, especially inverse. That would probably provide a good experience for desktop use for my partner.

                                        I personally could get by with the carbon copy stuff, but my partner could not. I have to convince her that XMPP is superior to other things. Being able to randomly open/close the desktop application is part of her workflow, even where it may not be part of mine.

                                    2. 1

                                      Check out the note on XMPP towards the end of this post https://blog.torproject.org/sunsetting-tor-messenger

                                    3. 3

                                      I went from irc in the old days (never a heavy user) to msn (around 2006), Skype (from 2004 until they were bought by Microsoft), Hangouts (my mind is a bit fuzzy), WhatsApp (early adopter and huge fan until Facebook bought it and made it “free”), Telegram (again, huge fan until I realized there are actual problems with the crypto, still use it).

                                      Considering transitioning to Signal or Matrix but I’ll think twice about it before I migrate my family to a new messenger service. They are really stubborn, like more stubborn than I am :-P

                                    4. 2

                                      Hey @benharri, good work. We just keep bumping into each other. We’re internet friends! Or perhaps neighbors. :)

                                      Add ssb please.
