The following is a cross-post from my mastodon thread
In the wake of metas enshitiffication I have seen people recommend Signal and Matrix as private open source alternatives to meta products. In the following thread I will outline how if your goal is software freedom anti surveillance and anti censorship the best option for direct and group messaging is neither Signal nor Matrix but instead the up and coming https://simplex.chat/
Signal is centralised meaning its vulnerable to censorship it almost got backdoored by uks online safety bill and that bill still has a damocles sword clause hanging over signal. Signal is also not anonymous, your account is linked to you through your phone number, if your contacts are compromised then your conversations can easily be linked back to you and your contacts all be correlated. In contrast simplex is like having “a burner phone for every contact” meaning even if one contact is correlated you have no consistent identity that can be compromised by default. Also simplex has a custom onion routing protocol to hide your ip from relay servers by default and it makes it very easy to connect over tor if simplex is blocked in your country im pretty sure signal doesnt do that. Matrix has been floated as potentially being a decentralised and e2ee open source alternative to Signal, but Signal shares one massive pro with SimpleX which is that both have post quantum encryption meaning that quantum computers that many researchers say are a few short years away from being able to decrypt all historical data that is encrypted using classical techniques ie not post-quantum encryption - such as the private messages you are sending across matrix today Afaik Matrix currently has no plans to add post quantum (PQ) encryption today and previously they were relying on it being implemented in MLS a standard that Matrix has been trying to adapt to their decentralised framework for years with stagnant process. Whats more afaict the motion to add PQ to MLS quietly expired and wasn’t renewed so it’s likely not coming any time soon. SimpleX has PQ on top of their classical encryption implemented and working today and you can download the app and have PQ rn (the additional classical encryption is insurance in case it turns out PQ has some classical attack vector, hybrid encryption is recommended by sec researchers at this stage) In conclusion both Signal and SimpleX are PQ unlike matrix but SimpleX and Matrix are decentralised and less vulnerable to censorship than Signal, while only SimpleX supports Tor connections and protects ur IP with or without Tor, and has no persistent unique identifier creating a “burner phone for every contact” scenario where compromised contacts cant necessarily be used to correlate ur other contacts/groups simply by looking at ur phone number/username in those groups
Heres some evidence and argumentation to support building post quantum encryption now, state and capital are hoovering up encrypted data rn to decrypt for profit as soon as it becomes cheap enough to do so with quantum computers https://www.youtube.com/watch?v=-UrdExQW0cs
And here’s the best explainer of SimpleX on youtube, sorry about the racist thumbnail the guys a right winger but his knowledge on OPSEC is valuable. If you don’t know why the thumbnail is racist search “Terry Davis glow in dark” (the search results for which I have to give a racist slur cw for but theres no slurs in this video) https://www.youtube.com/watch?v=0cRu98XSap0
edit: see whitepaper for technical privacy details https://github.com/simplex-chat/simplexmq/blob/stable/protocol/overview-tjr.md
I mean, you also covered the reasons someone might choose signal over simplex.
Signal is centralised meaning its vulnerable to censorship
…what? How do you figure? Signal has attempted to be censored several times but you can just switch relays.
if your contacts are compromised then your conversations can easily be linked back to you and your contacts all be correlated
…how do you suppose that works?
Because the architecture is centralized, a law can target signal. Currently signal is hosted in the United States, a law United States writes could take it down
I doubt this cloud infrastructure would be able to disobey the main organization’s orders or go on without it if said organization is told to shit down.
There is a signal legal entity that can fail and take out all of signal which is less true with matrix since there are multiple client and server implementations the only thing a government can achieve by breaking a single entity is disrupt governance
Blocking the server is not even the most effective way it can be restricted. If a country wants to gimp Signal, it can ban their cell carriers from delivering the confirmation codes. Or, on the contrary, if US wanted to restrict sanctioned countries, they could prohibit Signal from interacting with the country’s range of phone numbers.
Yes, you could rent numbers of another country to avoid that. But while pretty much everyone can figure out how to bypass website censorship, phone rentals are much more of a roadblock, especially if your payment method is sanctioned and thus you have to use crypto or workarounds. Not to mention that the number being temporary introduces a permanent security hole, and if it is not temporary - it’s an extra expense, which may be noticeable for poor people.
On a similar note - the issue I take with Signal in this regard is the fact that the stock app only allows their own censorship bypass proxy. Why not just arbitrary Socks?? Sure, you can use a whole-device VPN, but for a lot of people this is inconvenient (like if the free VPN is very slow), so a proxy for a background connection is much better. Thankfully, Molly addresses this.
How is simplex going to turn a profit for the people who’ve currently invested in it? This is why things get enshittified, they have vulture capitalists helping them start out and no one thinks about it till one day it comes time to pay the piper and features start getting broken, ads get shoveled in, and unless enough money is generated the app will eventually fail.
I hope simplex finds a way to go non profit, until then I can’t trust their business model to not shift in the future.
This is exactly what I was trying to figure out on the website to no avail.
As an anarchocommmunist I hope they go non profit too, but the protocol is robust and decentralised enough that I’m not worried whatevever the company does it can just be forked. Look at Simple Mobile Tools for andoird, an open source project that sold out to a data harvesting company, within a few months it was forked and now you can get the exact same apps under the name Fossify. And then theres the example of Redhat a forprofit company that “sells linux” by providing techniocal consultation to large businesses. Idk anyone who would say that redhat linux is enshittified bc redhat is forprofit. Evgeny the lead dev has said several times this is the kind of model they want to pursue and they recognise privacy and anonymity is their only selling point, they are into right wing conspiracy theories too so they have an ideological reason not to sell out like that they actually believe in the right to privacy and anonymity. You may be interested in evgenys blog posts about this contention https://simplex.chat/blog/20240516-simplex-redefining-privacy-hard-choices.html
Please use more paragraphs
There are more topics to cover than just encryption. Less on encryption, more on other topics.
Is it p2p or server model? I happen to lookup and it seems to be server as intermediary.
Is server side open sourced? Who is running servers? How does client choose the server to connect to? if hop server is tracking data, what will it see?
With all that end address obfuscation, how user friendly is establishing a connection with a friend?
I think you will be interested in the whitepaper, I will append it to the OP https://github.com/simplex-chat/simplexmq/blob/stable/protocol/overview-tjr.md I’ve read it and it satisfied me.
