Freedombone
freedombone.net
external-link
Frequently asked questions

On mobile there are various options. The apps which are likely to be most secure are ones which have end-to-end encryption enabled by default and which can also be onion routed via Orbot. End-to-end encryption secures the content of the message and onion routing obscures the metadata, making it hard for a passive adversary to know who is communicating with who.

m-p{3}
link
10
edit-2
3M

Signal has end-to-end encryption, but depends on a single server and requires a phone number for the account creation. Available on iOS and Android, and has a desktop client you can tether your phone with. It can do secure text, audio and video calls, as well as multiple types of attachments.

Briar has end-to-end encryption, and will natively use Tor over the Internet to anonymize your traffic. Also has the ability to sync communication across Bluetooth and local WiFi if Internet is censored (can be useful in a public demonstration). Doesn’t depend on a phone number or any personally-identifiable info to use. Available only on Android, no desktop client and no backup features yet so your identity isn’t portable across devices. The network is entirely decentralized. It only does secure text communication and picture transfer, no video or audio.

Matrix (Element) is a federated secure communication network, and has end-to-end encryption available. You can create an account without any email address or phone number (optional to ties those for easier discovery amongst your contact through the Vector ID Network), and you can host your own federated instance if you want. Mobile, desktop and web clients available, and you can add trusted devices to your account quite easily, making the account and existing communications easy to transfer across devices. You can route the mobile app through Orbot on Android if you want to add another layer of anonymity. It can do secure text, audio and video calls, as well as including attachments.

I think that summarizes well the three I’m most familiar with.

@roastpotatothief
link
23M

If you are thinking about Signal, think Wire instead. It is similar, but does not require a phone number and is not based in a 5 eyes territory.

@TheAnonymouseJoker
link
7
edit-2
3M

Wire’s holdings are in USA, though. I quit using Wire immediately back then.

@KLISHDFSDF
link
22M

Signal is completely open source, has reproducible builds on Android, and uses “sealed sender” so they cant see who’s sending messages, just who the intended recipient is. Why would I use Wire when its hard enough to get people to switch to Signal, the most secure messenger, which also happens to be free?

@roastpotatothief
link
22M

Wire is open source too. https://github.com/wireapp/wire

IIRC both the server and client code is open source. But I don’t know if that can be easily proven.

I didn’t know about “sealed sender”. Sounds great. Though TBH it doesn’t seem to be working (yet) on my account. Have you actually tested it?

I’m not sure sealed sender is enough to compensate all signal’s other failings. Let’s wait and see.


IMO … this is all a false choice.

If there are too many choices, none will gain critical mass, and all will fail. The key is bridging. Once your messager can bridge to a few other secure messagers (and to email) then it stands a chance of taking on facebook.

stlsht
link
83M

No, no, no. Signal cannot be placed in the beginning of the MOST secure chat apps. I cannot accept it, this opinion is very dangerous - because people take it for granted. No. In many countries you cannot buy a burner SIM and make anonymous account. Also - you can be added to a group without permission and someone you don’t know can gain the possibility to dox you, stalk you or phish you. I saw it, I’ve been there. Security is not about encryption only. Visible phone number is TOO MUCH INFORMATION - and I’m really pissed off when I see that people are not taking it seriously. Maybe for you, when using disposable number and talking to few people - OK. But please, imagine that there’s a lot of people with a lot of security models and it’s not reasonable to always put Signal on the top of these MOST SECURE chat app lists. No, not for everyone.

If not for everyone - then it’s not MOST secure.

@KLISHDFSDF
link
32M

Signal gives you privacy between friends/family. It doesn’t claim to grant anonymity. Signal is secure. Just because you misunderstood it doesn’t mean it’s insecure.

@ajz
creator
link
23M

Interesting. Thanks for sharing.

stlsht
link
43M

I’m sorry if I sound rude. I just experienced an issue with what I’m talking about, and big part of it was believing that Signal is the most secure messenger, “because this is what internet says”. Just let us all be cautious about that what we believe is not exactly true for everyone.

@KLISHDFSDF
link
1
edit-2
2M

I’m sorry but this sounds like FUD from someone trying to get people to use less secure systems. For everyday messaging Signal is the best private messaging client out there (that is - you can be safe knowing nobody is intercepting your messages). If you want something decentralized that won’t share your profile with your friends/family, use Sessions or Briar. No need to dissuade people away from Signal just because you didn’t understand how it works.

stlsht
link
1
edit-2
2M

Okay, I see that you’re very unhappy because of my thoughts and you’re showing it in every response. I’m totally ok with that, but if you could tell me one thing: are you white cis hetero male from usa/europe/australia? Just need to know if it’s worth to engage.

@KLISHDFSDF
link
12M

are you white cis hetero male from usa/europe/australia? Just need to know if it’s worth to engage LMAO. get out

stlsht
link
02M

That would be for “yes” I suppose? Okay, okay - sorry, I don’t actually want to attack you anyhow or LMAO around - I just want to point out that it’s nice to imagine that “to be secure/to feel secure” is really not under control of someone’s privileged point of view. All what we’re talking about - just a reminder - that the question was about the MOST secure app. You’re accusing me of “trying to get people to use less secure systems” or “dissuading people away from Signal”. What can I say about it? I feel so deconspired that getting out is really the only option for me!

But maybe you could consider to really get in, huh?

ugh... lo!
link
62M

The most secure is briar messenger without a doubt, but it’s nor usable for general public, so for myself I choose matrix.org - compromise between security and usability

@KLISHDFSDF
link
32M

This is one of the more sensible comments on here. I personally use Signal for friends/family and matrix (element.io) as an IRC replacement.

Halce
link
62M

While not the most stable yet https://jami.net is an option.

stlsht
link
63M

Okay, so I here’s what I think for the main question. (Sorry for my English, I’m not the native speaker - if something is hard to understand let me know, please)

On the internet we have a lot of discussion about this topic. And we have a lot of different views on it. And a lot of apps. We need to be sure what we’re talking about and how precise we are. These are my main thoughts, listed. There is no such thing as “most secure chat app”, especially if we’re not asking precisely what we mean by that term.

I think of three main factors of the case. And I want to put it clear: I don’t want to go on full-geeky or start a discussion about “normal user will not understand”. Every user is different. The “most secure app” should be “most secure” both for an undercover agents and our grandmothers.

  1. Software and it’s environment. So, the app - but this is just the surface. But mainly it’s something that everyone can agree - the app and it’s environment should be open-source, and actively maintained. Also there should be a quite interest around it - because there should be some people who actually can really say that they looked up to the source and “approve” it’s reliability. The communication with the company/foundation/creator should be good and smooth. The community around the app should be treated well and should feel listened. Should be well documented. Should think about “typical users”, so to obtain that - app should be easy to manage and have well designed UX (not for geeks only). The app and information in it should be encrypted out-of-the-box. The communication should be decentralised and not depending on the main server (because that’s the future of the internet, damn). E2EE have one big problem - it’s hard to have control of messages you’ve already sent. App should have some ideas inside for solve this problem. The app should have possibility to register the account without giving your credentials. No e-mail address, no phone number.
  2. User and it’s environment. Every secure app can be used in unsecure way. You cannot jump over it. If you cannot think creatively about your tools, security model, things you want to achieve - none of apps from the toplist will help you. You don’t need to be a specialist, really. It’s about few articles and some hours of research. Educate yourself, think. If you’re using secure app on unsecure system - huh, nothing will help you then. Encrypt the phone. Use password manager. Don’t give away your contact information easily. Take control of what you want to share before you will share it. Educate yourself.
  3. Geopolitics and awareness It’s easy to forget about it. When I see discussions about different apps - people are talking from their perspective - what means - perspective of the country they live in. “Most secure” app should be “most secure” in USA and in Iran. In Poland you need to register every phone number on your credentials. In Czech Republic you don’t need to. There are places where government can easily gain access to data of your internet provider without even asking the court. Think global, try to gain knowledge about specifics of your country. I can use Signal - but I need to register it on Czech SIM card with phone that I bought second hand, on which I never used my own, private SIM card. Then I can really feel safe - not only for government (that’s not the deal for many of users though) but also from stalking/doxing by private users/trolls. Remember that nobody of us is “typical user”. If your country is fucking up the abortion law and you cannot legally use the “day after” pill - which could be an issue for 50% of human beings - you need to be sure that your credentials are safe. We had these situations in Poland when - hear me out - right wing “catholic” foundation ran a fake “safe number” for woman with this problem, and afterwards they doxxed their private information. The same with human rights activists or LGBTQ+ people, especially young people. They are not special agents - they need just to feel safe. This is ALL OF US. There is NO SHUCH THING AS “TYPICAL/NORMAL USER”.

So, when it comes to this I need to say that I cannot tell which app is really “most secure”. I’m not an tech expert, so I cannot pentest the app by myself. But I can tell you which app looks the most reliable to me.

For me it’s Session app. It has some cons, like everything. But I will tell you why I believe in it. Yeah, “believe” it’s a good word for it. Because it’s always about trust. If the devs are sincere with us and everything is working as they say - that’s the way it should work for every secure app. First - let’s look at the main concerns. First one is Australia, which the app is from. It has very fucked up law - court can easily access the data of users (please correct me if I’m wrong). But the app is designed in a way that even if the government would get this access - they will find nothing or almost nothing, just scraps of metadata which would be hard to use against you.

Next thing is reliability. There should be more third-audits done for the app, that’s true. But the foundation behind the app is showing very good attitude for it. They are communicating, they are active and I think it’s just a matter of time that it will be full-acceptable on the paper.

Design - it’s up to date. It has something that Signal doesn’t have if we’re talking about that E2EE problem - the capability of your chat inbox. You can make your inbox delete the messages after specific number (not only after specific time - but that is possible too). You cannot force the person which you are talking to do the same, but app is anonymous so It would be really hard to connect these messages to you. On Signal in other hand - all messages are linked to you because of phone number and you need to depend on security of other people - not cool. The next good thing - it’s using a decentralised network based on nodes (onion routing). That should be a standard, I will not comment on that.

But the biggest thing is that I can see on my own eyes that the developers running this project has really A LOT TO LOSE. Yeah, that’s a thing for me. I can see how they’re communicating, how they’re developing as a foundation/company. They are really into the privacy stuff. If they would make a mistake… oh, shit, that would be a total disaster for them. They just cannot screw it up - they have own coin, they have own node-network, they have the bright future in front of them. When you have a lot to lose - you are more reliable. But that’s my private opinion which cannot be measured scientificaly. I’m just watching closely and I can see that they are growing. If they are capable of doing what they annouced this year - encrypted voip call by the onion network - it would be a really huge step forward. Crossing fingers.

Wickr has that great system for ephemeral messages - ‘burn after read’ option. I really liked it. But Wickr is now part of Amazon. So using it is like you would give your money to ISIS - you’re just funding terrorism. Briar is great, of course. It’s the top for sure. But there is a problem with Briar. It will never be a standard - because is not “cool”. Why that matters? If the app is not used by a lot of people and is not popular - there is a possibility that it will die soon. That’s how it works for now, too bad - but true.

I would say that XMPP is also a good direction to look, I’m not sure about Matrix on not-self-hosted servers. Yup, that’s all I think. If someone will disagree - I’m cool with that and please don’t take my words as something what I will fight for. I’m not here for force-changing someones point of view. Thanks.

stlsht
link
53M

To fill the list it’s good to notice the Berty project, but it’s still in development though: https://berty.tech/

@Echedenyan
link
12M

join us on Discord

Wtf. For something like it, Briar forever.

stlsht
link
2
edit-2
3M

And here you have some words from one of Berlin’s collective on why they stopped using Signal. Take a note that it’s from 2017. https://resist.berlin/goodbye_signal.txt

@ajz
creator
link
6
edit-2
2M

deleted by creator

@TheAnonymouseJoker
link
6
edit-2
3M

Secure and private? Signal. It is not anonymous, though. And it can be a potential metadata honeypot later, even if it is not one right now. See recent Anom scam.

Secure, private and anonymous? XMPP. Matrix. Briar. Retroshare.

stlsht
link
03M

There are parts of the world, like 80% of it I guess, where secure=anonymous.

@TheAnonymouseJoker
link
42M

Encryption does not hide your identity, necessarily, as far as instant messaging goes. Different aspects.

@KLISHDFSDF
link
02M

far as instant messaging goes. Different aspects.

80%?! What magical planet are you from? This is complete nonsense, put some sources because this is a complete lie. Nobody will believe you without proof.

Graveyard Leprechaun
link
43M

There have been a lot that have come and gone over the last few years. Signal is probably the most popular and has stood the test of time. Whichever app you choose, make sure to read their privacy policy and make double sure that they’ve passed an independent security audit by security professionals. If they haven’t, don’t trust them.

@pinknoise
link
63M

make double sure that they’ve passed an independent security audit by security professionals

Thats not easily done without good funding. Also make sure the security professionals are actually any good. It’s pretty easy to be a “security professional” in countrys where it is common for companys to not care about security except for compliance reasons.

Also the most secure app isn’t worth a penny if your phones os and other apps are easy targets.

RandomSomeone
link
32M

This is the same as asking “what’s the safest way to go out on the street?”. Who? Where? When? For how long?

@0x90
link
33M

I’d say all XMPP clients

stlsht
link
12M

Does someone can say something about Status App?

@rando
link
1
edit-2
3M

deleted by creator

Confidentiality Integrity Availability

  • 0 users online
  • 2 users / day
  • 5 users / week
  • 16 users / month
  • 99 users / 6 months
  • 1771 subscribers
  • 466 Posts
  • 397 Comments
  • Modlog