▶ No.989311>>989507 >>989617 >>990201 >>990537 >>995488 >>997150 >>997151
Since there's a few threads discussing alternative chat protocols, I figured we should attempt to centralize it in order to have a decent discussion of the strengths and weaknesses in our preferred clients/servers.
As far as I know this is a fairly complete list of the currently most common chat protocols and applications used by privacy conscious users. If something was forgotten feel free to add.
>IRC
The long standing champion of ez internet based chats. Not very secure by default.
>XMPP
Currently the most well known/tested privacy conscious chat protocol. Used by many different users around the world for secure communications
>Signal
Phone based e2e encrypted messaging client and protocol. Trusted by many, has created the new and interesting encryption method known as double-ratchet.
>Telegram
Similar to Signal but owned by a Russian, one of the largest private messaging platforms in Russia
>Whatsapp
No.
>Matrix
A fairly new decentralized chat protocol that supports e2e encryption. The main matrix.org server has a CoC as well as pretty poor privacy protections from the server admins. Hosting your own matrix server appears to be safe and is indeed end to end encrypted. More testing needs to be done as the devs don't seem as paranoid about privacy as they should.
>Tox
A P2P and E2E encrypted chat network based on a DHT, pretty decent but comes with the usual problems of P2P software. Supports groups, voice, and video although the video still sucks.
>inb4 great we have another thread about chat services.
Fuck you I hope there's more threads about it, it's good to have discussions about things that you depend on and knowing their strengths/weaknesses.
▶ No.989316>>989318 >>989319
>>989313
>KCI
This is on the same level as CVEs needing local access.
>leaks your IP
Not its job to do what Tor/i2p do.
I don't even use it since I have nobody to talk to, but you sound like a shill.
▶ No.989318>>989319
>>989313
>leaks your IP
Nigger how does P2P software, designed to use your normal IP "leak" your IP?
>Vulnerable to KCI
See >>989316
▶ No.989413>>989416 >>989417
>>989313
>if A's longterm static private key is stolen, an attacker can impersonate anybody to A without A realizing
>Tox is not secure
>fundamental security flaws
▶ No.989416>>989418
>>989413
This is a fairly genuine concern but can be worked around with proper opsec in practice. That being said, it'd be nicer if things just werked with tox but it's fairly immature as a platform.
▶ No.989417>>989608
>>989413
This is required for deniable encryption. Pick one and only one.
>Hurr Durr I want every message I have ever sent to provably have come from me after a conversation is over
You are retarded
▶ No.989418
>>989416
>If your private key is stolen bad shit can happen
Wow such a horrible problem!
▶ No.989422
Since this thread went to shit already.
OP can't inb4 you fucking retard.
▶ No.989507
>>989311 (OP)
>XMPP
Come join us at publicg@conference.yourdata.forsale
▶ No.989588>>989608
>>989319
Wow rather than declaring samefag you went for a LARP? Haven't seen this defence before I'll need to review my deck to counter this.
▶ No.989608>>990161
>>989417
>This is required for deniable encryption
Proof? Protip: You are just a LARPer. Of course you don't have any proof.
>>989588
stfu LARPer
▶ No.989617
>>989311 (OP)
DISGUSTING FAGGOT. THROW YOU FROM A ROOF.
▶ No.989919>>990088 >>990135 >>991376
I fucking hate that all chat programs need to have a centralized server of some sort to be usable. There’s literally no way around it to get the modern features people expect from messaging clients.
▶ No.990088
>>989919
Glowers don't like decentralized services. Harder to track. They like complicated and feature bloat. Enjoy your voice chat.
▶ No.990135>>990163
>>989919
Well, Tox doesn't and neither does Ring, but I wish they did have a "tracker" option for phonefags who can have trouble participating in a DHT among all the other troubles with phones like idle with cloud botnet for notifications.
▶ No.990161>>990166 >>990297
>>989608
>Proof? Protip: You are just a LARPer. Of course you don't have any proof.
Just google it faggot. Name EVEN JUST ONE protocol that has deniability without this. But you can't because you are an NSA shill.
▶ No.990163>>990519
>>990135
Yeah, mobile push notifications really kill it. You can’t do it without a centralized hub that, if it exists, would completely defeat the point of a decentralized messaging platform. These days if you want users, having a good mobile experience is a must. This is why Tox and Bitmessage will remain unused.
▶ No.990166>>990173 >>990297
>>990161
>just google it faggot
ok
>name even just one
altright, how about these faggots:
https://eprint.iacr.org/2007/191.pdf
>Forward and concurrent (non-malleable) deniability against adversaries with arbitrary auxiliary inputs, and better privacy protection of players’ roles
>Resistance against key-compromise impersonation (KCI) attack
LARPer confirmed.
▶ No.990173
>>990166
>No perfect forward secrecy
Ah so they traded KCI for BEING ABLE TO READ EVERY PAST CONVERSATION. Fuck off NSA shill.
▶ No.990201>>990209
>>989311 (OP)
Isn't Telegram owned by Twitter?
▶ No.990209>>990289
>>990201
Not OP but no, it comes from VK, a kind of Russian Facebook. Should be wary of that crap.
▶ No.990288>>990334
No love for webrtc?
https://codelabs.developers.google.com/codelabs/webrtc-web/#0
I have no idea about this, just wanted to know about the general opinion on this
▶ No.990289>>990301
>>990209
>implying Telegram is owned by the Russian government
>implying VK and Telegram are under one holding company
Its founder is currently literally in exile.
▶ No.990297
>>990161
burden of proof. just google it faggot.
>>990166
not me btw
▶ No.990301
>>990289
Sure thing, FSB-kun.
#FreeDurov
▶ No.990322>>990326 >>990334 >>990509 >>991374
>muhhhh privaceeeeee
>security based from entropy-radiation
>gets hack't by radio users aka lancernopt glowers
>using unshielded wires
>on their keyboard and monitor
>thinks that flimsy rubber will do anything other than act as an unintentional antenna transmitting every key stroke or display signal
>cpu has its own network and os stack that can read cache and other crap 'feature' even have nsa/aes instructions for better 'performance'
>gets hack't
>closed source router
>router is just a bridge connection from the main multicast which broadcasts all your transmitted and received data into three letters
>'aes over wire is secure'
>uses hard drives with built-in microphone 'it's for bakground vibration compensation'
>motherboard contains backdoor to forward the recorded audio directly into the backdoored network card/stack
>'no evidence'
>doesn't even know speakers can become sound recorders
>doesn't even know about the modern mind control device called 'wide screen'
bonus:
I bet you guys believe on clowns like Snowden.
Lol angry NPC detected. Fodder.
▶ No.990326
>>990322
based and blackpilled
▶ No.990334
>>990288
>No love for webrtc?
Webrtc can cause issues with leaking your private IP and creates another web tracking method
>>990322
Jokes on you nigger I built my own PC from scratch on a ton of breadboards, all of my devices are shielded by tinfoil, plus I live in a faraday cage and I directly interface with my network telling the packets where to go with my thoughts.
▶ No.990509>>997277
>>990322
>he doesn't have a POWER9 workstation
>he doesn't use an ancient librebooted thinkpad running OpenBSD with a replacement wireless card as his router
>he still uses spinning platters
▶ No.990519
>>990163
The real problem with push notifications is not really a problem of Tox (or other P2P), because it is instant messaging. You get the message in realtime, but Google decided that you need to use their botnet as an app developer if you want to allow your app to wake up from idle and notify the user. You can probably get around it with some battery draining setting like disabling idle or allowing an app to have an open connection in idle mode or something like that (hence the need for tracker and not DHT), but as far as I can tell it is something the user must actively do. The app can't ask for permission to do it.
▶ No.990537>>990563
▶ No.990549>>990590
IRC is plenty secure if you don't allow random niggers without SSL to connect
▶ No.990563
>>990537
I haven't heard much about briar, is anyone a daily user? Sounds pretty interesting but I don't want just another private mobile only messaging app. I already have one for that and getting people to use signal was hard enough.
▶ No.990590
>>990549
>server operator can read every message
>secure
▶ No.990837>>991487
>>989319
>u larp
You either don't know what larping is, or you're just a monkey flinging shit around. Previous anons identified problems with protocol technicalities, not claiming to be Cisco engineers or some such shit. Crawl back inside your mother's womb because you clearly aren't ready for the real world yet.
Sage for fagposting.
▶ No.991374
>>990322
>modern mind control device called 'wide screen'
Would love some more info on that if you have any?
▶ No.991376>>991774
>>989919
>>>>>>""""""modern"""""" features
like what? i can't even send plain text over a chat protocol without getting pozzed
▶ No.991487>>991774
▶ No.991774
>>991376
Modern features like image sharing, embedded images, video, voice chat, multiple channels, etc.
For a pure text-based chat it's relatively easy to not have a centralized server but for anything beyond that it's pretty much necessary
>>991487
No u
▶ No.991777>>991781
How can I get normalfag coworkers to communicate with me securely?
It looks like my best chance is to host a Matrix server with e2e and tell them to use Riot.im. Maybe Signal?
What about convincing boss/IT that it's in our best interest as a business to switch from email/Slack to an e2e matrix server?
▶ No.991781>>996771
>>991777
Depending on your business/industry you may be able to get them to consider matrix and have people utilize its bridging feature.
Make the argument that slack is a central point of failure and can go down, also that it's not encrypted/owned by your company.
Switching to matrix would allow your company to host and federate multiple e2e encrypted servers providing redundancy with local and global chat rooms for any and all branches. On top of all that, setting up bridges allows users to choose to use a matrix client or continue using slack or whatever it is you guys use.
▶ No.995477>>996708 >>996732
>check matrix clients
>so many are immature and/or unmaintained
>only two or three support E2EE so far
>riot.im seems to be the clear leader in matrix features
What does /tech/ think of Riot.im?
What does /tech/ think of self-hosting an E2EE Matrix server and using Riot's desktop client? (I believe it is the web client + electron. I don't know shit about that)
▶ No.995488>>996706
>>989311 (OP)
Telegram is currently the best compromise between security and features, use a burner phone to make an account and use tor which you probably should do on every IM client anyway and it's perfect
▶ No.996706>>996770
>>995488
No it isn't. Riot.im > Wire > Signal >>> Telegram. Telegram is fucking garbage.
▶ No.996708>>996771
>>995477
What 2 or 3 support e2e? I know only about the electron one, nheko has a warning about it and it's unmaintained
▶ No.996732>>996771 >>997240
>>995477
Riot has decent clients but the built-in opt-out analingus is annoying, riot collects the names of private matrix servers because you need to log in before you can opt out.
▶ No.996770>>996790
>>996706
It's funny because in terms of not being buggy shit your comparison order there is exactly the opposite of reality.
▶ No.996771>>996796
>>996732
>>996708
>>991781
Matrix leaks your IP to any server you use and they can record exactly when you talked to someone and who they are forever. As the old fed said "we kill people based on meta data".
▶ No.996790>>996795
▶ No.996795>>996798
>>996790
Look faggot it is simply a matter of fact that every open source messenger is in particular buggy shit. That being said, you should use them because the alternative is botnet bullshit.
▶ No.996796>>996797 >>996799
>>996771
You have no idea what you're talking about but it's okay, it's not your fault you're retarded.
>it leeks ur IP to teh survur
How else do you connect to the fucking server you gigantic fucking moron
>teh survur knows all teh metadatazzzz
First off, matrix is a fucking protocol. Secondly you can host servers that use matrix yourself and secure them yourself. Are you concerned about you having your own fucking metadata?
Jesus fucking Christ go back to school
▶ No.996797
>>996796
>How else do you connect to the fucking server you gigantic fucking moron
p2p does not leak your meta data to a server that records everything you do
>First off, matrix is a fucking protocol.
A bad one that leaks your meta data to one party
>Secondly you can host servers that use matrix yourself and secure them yourself.
Ah yes like hosting your own email server that always works so well.
> Are you concerned about you having your own fucking metadata?
Not really, but the cloud provider I host it on (UK internet is bad) will have it 2.
>Jesus fucking Christ go back to school
Find a better protocol faggot
▶ No.996798>>996801
▶ No.996799
>>996796
>How else do you connect to the fucking server you gigantic fucking moron
p2p does not leak your meta data to a server that records everything you do, only the friend you are talking to knows who / when / ip.
>First off, matrix is a fucking protocol.
A bad one that leaks your meta data to one party
>Secondly you can host servers that use matrix yourself and secure them yourself.
Ah yes like hosting your own email server that always works so well.
> Are you concerned about you having your own fucking metadata?
Not really, but the cloud provider I host it on (UK internet is bad) will have it 2.
>Jesus fucking Christ go back to school
Find a better protocol faggot
▶ No.996801>>996997
>>996798
>someone who has not used every listed messenger
ok larper whatever
▶ No.996997>>997057
>>996801
Come on, autist. Tell me which bugs wire and riot have?
▶ No.997057>>997117
▶ No.997077>>997124
>>989313
P2p programs "leak" your IP so others may connect to you. Why do retards keep spouting this as a security concern? Did we get invaded by redditors who don't understand basic networking?
Doesn't it also support Tor so you don't even need to worry about that?
▶ No.997117>>997126 >>997127
>>997057
>most are feature requests
>didn't even mention Wire or Signal
>too stupid to realize that telegram doesn't have this type of error reporting because it's not open source
Wow, kys
▶ No.997124
>>997077
Trolls, idiots, and government agents keep repeating these shit arguments. Tox is a chat network that doesn't rely on people maintaining a server, a central location to host a chat forum. The way to make this work without a server is through P2P networking techniques. You can tunnel your Tox connection through Tor if that's what you really want.
▶ No.997126>>997127
>>997117
Oh god you dumb retard let me filter for bug tags for you: https://github.com/vector-im/riot-android/labels/bug
>>didn't even mention Wire or Signal
Yes anon I can look up 2 more git repos for you. I guess that would be above your ability.
▶ No.997127>>997147
▶ No.997147
▶ No.997150
>>989311 (OP)
> XMPP
> Federated
< Most of the servers don't require STARTTLS for S2S, and when they do, they don't check the certificate validity.
▶ No.997151>>997172
>>989311 (OP)
> Telegram
< Requires a phone number
< You only need an SMS confirmation to log in from a new device (by default)
< Therefore server has the encryption key for most of the chats
▶ No.997172
>>997151
>< Therefore server has the encryption key for most of the chats
Not how any of those systems work. They use something similar to the signal protocol. A new device generates a new key. A new device cannot decrypt old messages (unless your old device sends the key to the new device). Users then get your new key sent to them (you can validate that it is actually yours manually) and they begin to encrypt all messages to you with the extra device key.
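The per-device key handling described in the post above, as an added example (not part of the thread and not any messenger's actual code): a stdlib-only Python model in which each device generates its own key pair and a sender encrypts one copy per device key it knows. The 127-bit toy Diffie-Hellman group, the SHAKE keystream and every name here are assumptions for illustration and are not secure.

```python
import hashlib, hmac, secrets

# Toy Diffie-Hellman group (127-bit Mersenne prime): illustration only, NOT secure.
P, G = 2**127 - 1, 3

def _kdf(shared):
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def _xor(key, data):
    # Stand-in stream cipher: XOR with a SHAKE-256 keystream derived from the key.
    stream = hashlib.shake_256(b"enc" + key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def _tag(key, ct):
    return hmac.new(key, ct, hashlib.sha256).digest()

class Device:
    """One device; its private key is generated locally and never leaves it."""
    def __init__(self):
        self._priv = secrets.randbelow(P - 3) + 2
        self.pub = pow(G, self._priv, P)

    def open(self, envelopes):
        env = envelopes.get(self.pub)
        if env is None:
            return None  # nothing was ever encrypted to this device's key
        eph_pub, ct, tag = env
        key = _kdf(pow(eph_pub, self._priv, P))
        if not hmac.compare_digest(tag, _tag(key, ct)):
            return None  # tampered or addressed to a different key
        return _xor(key, ct)

def send(plaintext, device_pubs):
    """Sender: one envelope per device key currently known for the recipient."""
    envelopes = {}
    for pub in device_pubs:
        eph = secrets.randbelow(P - 3) + 2  # fresh ephemeral key per envelope
        key = _kdf(pow(pub, eph, P))
        ct = _xor(key, plaintext)
        envelopes[pub] = (pow(G, eph, P), ct, _tag(key, ct))
    return envelopes  # the relaying server stores only these opaque envelopes

def demo():
    phone = Device()
    known = [phone.pub]            # device keys the sender holds for this user
    old = send(b"sent before the laptop existed", known)
    laptop = Device()              # new device generates a new key
    known.append(laptop.pub)       # sender receives the new key (verify it manually)
    new = send(b"sent after the laptop was added", known)
    return phone.open(old), laptop.open(old), phone.open(new), laptop.open(new)
```

In this model the new device gets `None` for the older message because no envelope was ever made for its key, which is the "cannot decrypt old messages" behaviour the post describes.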
▶ No.997212>>997222
What about Ricochet/TorChat ?
▶ No.997222>>997234
>>997212
TorChat was abandoned over half a decade ago. It's 100% unsafe.
Looks like ricochet isn't maintained anymore either. The last commit and update were over a year ago.
▶ No.997234
>>997222
Shit, I thought they were forked. I used to talk to some BOs via Ricochet. I guess I should use Tox or XMPP, now.
▶ No.997240>>998005
>>996732
Analytics are opt-in, not opt-out.
▶ No.998005
>>997240
I highly suggest you do a packet capture on a fresh install of riot before you connect to a new server. It's definitely opt-out.