I am a firm believer that there are many privacy techniques you should focus on before encrypted messaging because they will offer you much more “bang for your buck,” things like good passwords, two-factor authentication, and even encrypted email. That said, I still believe that encrypted messaging is a critical part of a well-rounded privacy and security strategy. While the vast majority of our day-to-day conversations may be benign, it can still offer a lot of insight into who we are as people – our routines, likes, and personal thoughts. This information – mundane or not – is worth protecting.
TLDR: Avoid Telegram and WhatsApp. Recommended messengers are Session, Signal, SimpleX and Threema. Honorable mention: Briar.
Session should probably be avoided as well, primarily because they’ve disabled things like perfect forward secrecy and a few other security measures that probably should not have been disabled.
OK, WhatsApp is owned by Meta and it is proprietary, but why not Telegram?
Effectively does not have end-to-end, phone number required and overall hard to use anonymously, etc.
Another basic thing – If your messenger is throwing your messages in a notification; it’s being logged. Google was found to be logging almost all notification content. Make sure your message app isn’t putting the content of messages into notifications.
If the app implements their own notification system and doesn’t rely on GCM then Google isn’t able to log them as far as I know.
I can throw a few examples:
- SimpleX
- Threema Libre
- Briar (afaik)
- Conversations (XMPP client)
- FluffyChat (matrix client), probably some others too
- Telegram FOSS (Telegram fork), Mercurygram (Telegram FOSS fork)
- Molly (Signal fork)
- Session F-Droid (Session fork)
So, the answer is — almost every of them.
Unless you don’t have Google or Apple services.
Also I don’t think they log the normal Android notification mechanism. (Not push)
You can also just use a degoogled os which won’t be logging your notification content. But in any case you shouldn’t have notifications as notifications are exclusive with at-rest encryption (or I guess you could have at-rest encryption but just have the db constantly decrypted whenever your phone is on? Seems to defeat the point then)
Which DeGoogled OS do you know of that uses their own notification backend?
Presumably any degoogled OS would remove that kind of telemetry—it seems like quite an obvious oversight if they continue to send notification contents to Google’s servers? If the suggestion is that it’s through a backdoor, then that’s the responsibility of the open source community to spot the backdoor in the AOSP.
Do they also log everything that comes through a private ntfy server? Or just what goes through their notifications?
NTFY uses the same mechanic that they do for push notifications; it keeps an open socket and then just communicates across the socket. So they shouldn’t be keeping track of that, so far as I understand the AOSP codebase.
If you put the notification in unencrypted form, across google’s push notification system, it is logged in puretext. I, and everyone else knows, that messages can be encrypted. This was a warning about a very specific thing.
Law enforcement has been doing this to signal users for a while now. The default is to not show the message in a notification, but users keep turning it on, and it uses Google’s notification servers. So law enforcement, got access to people’s signal messages, by going through Google to get the notification history/logs.
What I like about Matrix so much is that it can be run fully on your own infrastructure, even the TURN server for VOIP, and you can build the clients from source yourself too.
But I agree that it’s quite difficult to use. And until now only my dad and my spouse use it with me because they love me and trust me. But they both always have problems with their clients. It randomly logs out and then they have to login with the password and with the encryption key again. For a long time calling didn’t work because I misconfigured the server. Then videos were for the longest time uploaded in full size and anything longer than a few seconds would be rejected. The whole spaces thing is implemented very weirdly so it confuses them. And then the threads are even worse so we can’t use them because nobody gets how to do it.
Signal ux is much better fyi, though I accept it’s hard to roll your own. Trade offs are generally worth
As far as I know you can’t host your own signal server which connects to their servers.
I’m using Signal with the rest of the family and most friends.
XMPP, for example, does not enable end-to-end encryption by default
Why always these false myths? The most popular XMPP mobile clients do enable it by default.
It was a conscious decision for them not to enforce E2EE by default. https://web.archive.org/web/20211215132539/https://infosec-handbook.eu/articles/xmpp-aitm/
XMPP clients have like 10 different implementations because of that and are not always consistent with each other or even function universally across platforms.
But I’m not an author. That would be @nateb@mastodon.thenewoil.org.
The article you linked is a highly misleading nothing burger. And enforcing e2ee at protocol level is a bad idea for many reasons.
Why are we still pushing XMPP? It isn’t the 90s and I don’t feel like learning IRC 2.0.
Maybe because it works, is easy to set up, light on resources and still is evolving?
It isn’t easy to setup and the core protocol is dated. You can add all sorts of extensions but at the end of the day the core system is old. It feels weird to push it over Matrix. If you want something simple use IRC as you can setup encryption.
Matrix doesn’t offer disappearing messages (which I consider important for digital minimalism and cybersecurity.
I noticed this in the article and figured I’d throw my 2 cents in. This might be a spicy take, but I actually can’t stand apps that do this.
When I was in school I had someone harass me online with threats of violence (they spent a couple of hours insulting and threatening me) then lie to the staff that I was harassing them with even more extreme shit. The staff and other students all took their side until I logged in and showed the conversation. If the messages had disappeared I wouldn’t have been able to prove my innocence.
I very firmly want encrypted communications for privacy (I use Signal and Matrix), but I am quite wary of purging communications automatically. That said, it’s anyone’s right to use services that auto delete and my right not to.
I’m curious what other people’s take on this would be.
For disappearing messages to work, your conversation partner has to promise they won’t take photos of their screen, and they have to promise to use an app that actually implements the feature instead of just pretending to, and the app developers have to promise to have implemented the code to delete a message when the service says it should
Is there actually a cryptographically-sound and physically-complete method for ensuring that a message is only legible for a temporary duration once it leaves your own device and is delivered to someone elses?
I fail to see how that would’ve helped in that situation, it had extended to real life.
This was almost a decade ago but it was a real life issue extending online, blocking might have made the in person stuff worse. Hard to say, teenagers are awful.
These days I simply don’t keep company I don’t enjoy so it doesn’t become an issue. I also stepped away from posting on social media at all until I recently joined Lemmy and Mastodon.
