like, if I send the QR code to someone I want to talk to via email, anyone intercepting this message will at the very least know my SimpleX address; same thing if I send it via messenger.

edit: let’s assume we don’t have an established and trusted channel. furthermore, they’re not expecting this info.

  • Eggroley@lemmy.world
    link
    fedilink
    English
    arrow-up
    4
    ·
    1 year ago

    Send the address and delete it after you’ve verified that the recipient is in your simplex contacts. You can verify via security code. You’ll know when they use the link. Delete the address afterwards.

  • ksynwa
    link
    fedilink
    English
    arrow-up
    2
    ·
    1 year ago

    You can encrypt your message using something like gpg or age

  • HandwovenConsensus@lemm.ee
    link
    fedilink
    English
    arrow-up
    2
    ·
    1 year ago

    Well, there’s not much they can do with the QR code. You can deactivate it as soon as you’ve made contact and established proof of identity with the recipient.

    But, if it was really important, there are cryptographic key-exchange protocols you can do even over an insecure connection. The Diffie-Hellman key exchange is one of them. Using something like that, you can derive a shared secret key even if someone’s listening.

    But personally, I would just break it into two parts, and send one by email and one with pastebin’s “burn-after-read” option.

  • jet@hackertalks.com
    link
    fedilink
    English
    arrow-up
    1
    ·
    6 months ago

    Without face-to-face communication, you cannot guarantee you haven’t been man in the middle MITM.

    One of the benefits of public key cryptography, is everybody can publish their public key, and then you can have a reasonable assurance that you’re talking to the appropriate person, cuz you can see the key, they can see the key, so in theory you have verified the key.

    With simple x, if one of you publishes a known non-incognito, static receive address. IE on your public website, or in your letterhead, or something, then the other side knows they’re talking directly to you. You don’t know you’re talking directly to them. Or at least to the published address

    If you want to talk to somebody, in a deniable way, then you probably should not be sending them direct mail. Meet them in person, exchange addresses that way, use briar, something.

  • Evgeny PoberezkinM
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    You don’t have to encrypt the message, simply observing it won’t compromise security. You only need to ensure that the channel is 1) authenticated (that is, you know who you send to) 2) cannot MITM you (that is, replace the link). MITM can be mitigated with security code verification via yet another channel, but SimpleX relays cannot MITM key exchange (unlike any centralised service).

    • dingdongitsabearOP
      link
      fedilink
      English
      arrow-up
      0
      ·
      1 year ago

      valid, but observing it will reveal that this SX address is linked to this email address and there won’t be any return information that it was read and thus compromised, if I understood everything correctly?

      I’m looking for a way to send my address to someone with whom I haven’t established a secure channel and this party doesn’t expect my contact info.

      what I came up with is hosting a web server with said info and making sure it will serve this url only once and then delete it. I can then send this url and be sure that either the intended party received it or that it was intercepted.