🆕 Software Suggestion | Threema #2162

Closed
opened 2020-12-21 12:06:46 +00:00 by bcye · 54 comments
bcye commented 2020-12-21 12:06:46 +00:00 (Migrated from github.com)

Basic Information

Name: Threema
Category: Instant Messaging
URL: https://threema.ch/

Description

Threema is an end-to-end encrypted messenger. Contrary to Signal, it supports creating an account without submitting any personal information (like your phone number).

Why I am making the suggestion

[It was just made open source.](https://threema.ch/en/blog/posts/open-source-discount) (At least the clients; though if the encryption on the clients is correct, it doesn't really matter whether the server is open source.)

My connection with the software

n/a

  • I will keep the issue up-to-date if something I have said changes or I remember a connection with the software.
ph00lt0 commented 2020-12-21 12:29:42 +00:00 (Migrated from github.com)

Please read:

- https://restoreprivacy.com/secure-encrypted-messaging-apps/threema/
- Section 6.3 shows some security problems with Threema, such as:

> We practically carried out a replay attack on Threema with a proof-of-concept implementation. The attack breaks No Duplication and Additive Closeness. We further observed that Threema does not achieve Perfect Forward Secrecy, Future Secrecy, or Traceable Delivery.

https://ieeexplore.ieee.org/abstract/document/8406614

Does somebody know whether they are resolved?
jeroenev commented 2020-12-21 12:35:30 +00:00 (Migrated from github.com)

Seems like a good addition to the list.
The official clients are still paid, but if the application is open-source I don't see why that should be a blocker for including it.

Threema still does not provide PFS, but has a more limited forward/future secrecy on the transport level.

> Due to the inherently asynchronous nature of mobile messengers, providing reliable Forward Secrecy on the end-to-end layer is difficult. Key negotiation for a new chat session would require the other party to be online before the first message can be sent... Due to these and the following considerations, Threema has implemented Forward Secrecy on the transport layer only.

So it seems like they use a more traditional encryption scheme without PFS, but I don't see that necessarily warranting exclusion from the list if the encryption scheme they do implement is solid.
ph00lt0 commented 2020-12-21 12:42:32 +00:00 (Migrated from github.com)

> So it seems like they use a more traditional encryption scheme without PFS, but I don't see that necessarily warranting exclusion from the list if the encryption scheme they do implement is solid.

I actually think that this is problematic. It of course depends on your threat model, but the Signal protocol offers a far better standard for securing your messages. If anything, they should only be listed as "worth mentioning". I think we shouldn't recommend it as long as they do not offer the same standards that can already be achieved. Signal's protocol is fully open source and proven secure. Therefore it is also implemented by many others; I really wonder why Threema has chosen not to do so.
PFS is essential to protect against modern attacks and needed to protect conversation history. I am not saying Threema is bad, but I don't see the value of recommending it.
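The two protocol properties argued about above, forward secrecy (a later key compromise must not expose earlier messages) and replay detection (the "No Duplication" property the cited paper says was broken), are easy to see in a toy model. The following is an added example written for this page; it is not code from Threema, Signal or the cited paper and does not model either messenger's real protocol. The symmetric hash ratchet, the per-message counters, the SHA-256 keystream "cipher" and the sample messages are all constructed for illustration. It deliberately sidesteps the asynchronous key-agreement problem quoted from Threema's own explanation: a symmetric ratchet only needs a shared root key and no round trip, which is exactly why it is a useful minimal model of the forward-secrecy part of the argument.

```python
"""Toy model: static long-term key vs. symmetric hash ratchet, plus replay rejection.
Added example for this thread; constructed, not any messenger's actual protocol."""
import hashlib
import hmac

# Constructed sample conversation.
MESSAGES = [b"msg 1: hello", b"msg 2: meet at noon", b"msg 3: bring the docs"]


def kdf(key: bytes, label: bytes) -> bytes:
    """One-way derivation step: HMAC-SHA256(key, label). Cannot be run backwards."""
    return hmac.new(key, label, hashlib.sha256).digest()


def xor_keystream(key: bytes, data: bytes) -> bytes:
    """Teaching stand-in for a cipher: XOR with a SHA-256 keystream (also decrypts)."""
    stream, block = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class StaticKeySender:
    """Every message key is derived from one long-term key that is never rotated."""
    def __init__(self, long_term_key: bytes):
        self.long_term_key, self.counter = long_term_key, 0

    def encrypt(self, plaintext: bytes):
        self.counter += 1
        msg_key = kdf(self.long_term_key, self.counter.to_bytes(4, "big"))
        return self.counter, xor_keystream(msg_key, plaintext)


class RatchetSender:
    """Symmetric hash ratchet: derive a message key from the chain key, then advance
    the chain one-way and discard the old chain key."""
    def __init__(self, root_key: bytes):
        self.chain_key, self.counter = root_key, 0

    def encrypt(self, plaintext: bytes):
        self.counter += 1
        msg_key = kdf(self.chain_key, b"message")
        self.chain_key = kdf(self.chain_key, b"chain")  # old chain key no longer exists
        return self.counter, xor_keystream(msg_key, plaintext)


class RatchetReceiver:
    """Mirrors the sender's ratchet in order and refuses any counter already accepted."""
    def __init__(self, root_key: bytes):
        self.chain_key, self.expected, self.accepted = root_key, 1, set()

    def receive(self, counter: int, ciphertext: bytes):
        if counter in self.accepted:
            return ("replay", None)          # same message delivered twice: reject
        if counter != self.expected:
            return ("out-of-order", None)    # gap handling is out of scope for this toy
        msg_key = kdf(self.chain_key, b"message")
        self.chain_key = kdf(self.chain_key, b"chain")
        self.expected += 1
        self.accepted.add(counter)
        return ("ok", xor_keystream(msg_key, ciphertext))


def recover_static(leaked_long_term_key: bytes, transcript):
    """Attacker holding the long-term key re-derives every message key: all history falls."""
    return [xor_keystream(kdf(leaked_long_term_key, n.to_bytes(4, "big")), ct)
            for n, ct in transcript]


def recover_ratchet(leaked_chain_key: bytes, leaked_after: int, transcript):
    """Attacker holding the chain key as it stood after message `leaked_after` can only
    step forward; keys for earlier messages came from chain keys that were deleted and,
    kdf being one-way, cannot be recomputed. Returns None for those messages."""
    recovered, chain = [], leaked_chain_key
    for n, ct in transcript:
        if n <= leaked_after:
            recovered.append(None)
            continue
        msg_key, chain = kdf(chain, b"message"), kdf(chain, b"chain")
        recovered.append(xor_keystream(msg_key, ct))
    return recovered


def demo_static_key():
    """Compromise after the whole conversation exposes every message."""
    sender = StaticKeySender(b"constructed long-term key")
    transcript = [sender.encrypt(m) for m in MESSAGES]
    return recover_static(sender.long_term_key, transcript)


def demo_ratchet():
    """Compromise after message 2 exposes only message 3; a replayed message 1 is rejected."""
    root = b"constructed root key"
    sender, receiver = RatchetSender(root), RatchetReceiver(root)
    transcript = [sender.encrypt(m) for m in MESSAGES[:2]]
    leaked_chain, leaked_after = sender.chain_key, sender.counter  # snapshot at compromise
    transcript.append(sender.encrypt(MESSAGES[2]))
    delivered = [receiver.receive(n, ct) for n, ct in transcript]
    replay = receiver.receive(*transcript[0])
    return delivered, replay, recover_ratchet(leaked_chain, leaked_after, transcript)


if __name__ == "__main__":
    print("static key, all recovered:", demo_static_key())
    print("ratchet (delivered, replay verdict, recovered):", demo_ratchet())
```

Running it shows the static-key channel giving up all three plaintexts to an attacker who obtains the key at the end, while the ratchet gives up only the message sent after the compromise and the receiver reports `replay` for the re-delivered first message. The model says nothing about whether a compromise of a transport-layer key exposes the end-to-end layer; that depends on which layer holds the long-term key, which is the distinction the Threema quote above is drawing.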
bcye commented 2020-12-21 13:02:28 +00:00 (Migrated from github.com)

Not to go into Whataboutism, but aren't there compromises to both Signal and Threema, with Signal requiring phone numbers?
gary-host-laptop commented 2020-12-21 13:35:48 +00:00 (Migrated from github.com)

In this particular case I do feel that Threema being paid kind of defeats the purpose; a messenger should be something really accessible for everyone.
ph00lt0 commented 2020-12-21 14:16:59 +00:00 (Migrated from github.com)

> Not to go into Whataboutism, but aren't there compromises to both Signal and Threema, with Signal requiring phone numbers?

Personally I don't see this as a huge problem. Exposing that you use Signal is not really a big deal to me. In addition to that, it's also possible to sign up with a VOIP or prepaid number. And above that, Signal is actually slowly migrating away from this requirement and has said it will introduce usernames in the near future (see https://community.signalusers.org/t/hide-phone-number-entirely-in-group-chats/17192/15).
bcye commented 2020-12-21 14:18:13 +00:00 (Migrated from github.com)

> And above that, Signal is actually slowly migrating away from this requirement and has said it will introduce usernames in the near future (see https://community.signalusers.org/t/hide-phone-number-entirely-in-group-chats/17192/15).

Nice, looking forward to that.
gary-host-laptop commented 2020-12-21 14:41:56 +00:00 (Migrated from github.com)

AFAIK Signal will still require phone numbers; the only change is that you will be able to hide this from others, just as Telegram does.
Mikaela commented 2020-12-22 06:14:32 +00:00 (Migrated from github.com)

- Reproducible builds on Android (iOS WIP): https://threema.ch/en/open-source
- Independent audit: https://threema.ch/en/blog/posts/audit-2020-en
ghost commented 2020-12-24 08:44:24 +00:00 (Migrated from github.com)

> Personally I don't see this as a huge problem. Exposing that you use Signal is not really a big deal to me. In addition to that, it's also possible to sign up with a VOIP or prepaid number. And above that, Signal is actually slowly migrating away from this requirement and has said it will introduce usernames in the near future (see https://community.signalusers.org/t/hide-phone-number-entirely-in-group-chats/17192/15).
>
> > Not to go into Whataboutism, but aren't there compromises to both Signal and Threema, with Signal requiring phone numbers?

In some countries, prepaid numbers are not available anonymously.
ph00lt0 commented 2020-12-24 09:09:46 +00:00 (Migrated from github.com)

@romanholiday12 then just get a VOIP number or SIM from another country. It's not that hard to get around.
GintokiHub commented 2020-12-25 07:01:52 +00:00 (Migrated from github.com)

> Not to go into Whataboutism, but aren't there compromises to both Signal and Threema, with Signal requiring phone numbers?

You can create a Threema account without filling in your cellphone number.

It will ask something like: "are you sure you want to create a totally anonymous account, the number can be used for recovery or some such".
Then just proceed.
Threema is also buyable from their own website, independent from any Play or iOS store.
Though I have no clue if they accept anonymous payments with crypto and/or a Tor connection.
bcye commented 2020-12-25 10:35:48 +00:00 (Migrated from github.com)

Yes, they allow crypto payments.
lgommans commented 2020-12-26 14:13:55 +00:00 (Migrated from github.com)

@LongJohn-Silver

> I do feel that Threema being paid kind of defeats the purpose; a messenger should be something really accessible for everyone.

While I agree that this would be best, is it a reason not to list it as an available option? The [goal of PrivacyTools](https://www.privacytools.io/about/) is to "provide services, tools, and knowledge to protect your privacy against global mass surveillance," not to protect your wallet against being used.

Currently there is only one option listed if you want a secure, general-purpose messenger like everyone else uses: Signal. It has various downsides, not least that its reliance on Amazon services doesn't support the aforementioned goal according to [PrivacyTools itself](https://www.privacytools.io/providers/#usa), and alternatives like Matrix/Element or Jami are not as mature as Threema in terms of UX and features. I'm actively looking for a Telegram replacement that comes close to the experience of Telegram (so that friends and family will not mind using it) and the only options I see are Threema, Signal, and perhaps Wire. If I didn't already know of them, PrivacyTools would have me go with Signal exclusively. If Threema is listed, people can make a more informed choice.
bcye commented 2020-12-26 15:01:34 +00:00 (Migrated from github.com)

Adding to this, it's interesting as an option as it has different features compared to Signal (for example, not requiring a phone number).
ghost commented 2020-12-28 14:23:20 +00:00 (Migrated from github.com)

Whether recommended or not, it is worth mentioning.
dngray commented 2020-12-31 12:47:54 +00:00 (Migrated from github.com)

> The official clients are still paid, but if the application is open-source I don't see why that should be a blocker for including it.

If you look at, say, Signal or Wire, although open source there isn't anyone bothering to make alternative clients for a centralized service. Also, I don't see anything about [server source code](https://threema.ch/en/open-source) there. One of the criticisms of Keybase was always the closed-source server component, and that eventually led to its removal.

I don't see the point of swapping one centralized service for another. Matrix is maturing rapidly and doesn't require me to trust one company's servers. In regard to metadata, Signal is pretty minimal there, using [sealed sender](https://signal.org/blog/sealed-sender/).
dngray commented 2020-12-31 12:50:39 +00:00 (Migrated from github.com)

The scope of that audit was only the iOS/Android apps: https://threema.ch/press-files/2_documentation/security_audit_report_threema_2020.pdf
lgommans commented 2020-12-31 13:51:13 +00:00 (Migrated from github.com)

No server source is a negative point for Threema, but similarly it's negative that Signal is a USA-based service which [PrivacyTools says is "not recommended"](https://www.privacytools.io/providers/#usa). The former needs some payment method, the latter a phone number. The former had a recent and stellar audit report, the latter never paid for or published any sort of audit -- but they have sealed senders. Up and down, back and forth, it's not at all clear to me that one is better than the other.

Regardless, I don't think anyone here proposed to "swap out" Signal for Threema. They should both be mentioned since they have different downsides that different people weigh differently.

Or just remove both; that makes sense too, given that Matrix is indeed the better choice for privacy and Matrix/Element is indeed maturing real fast -- I fully agree with you there. As it stands, though, Signal is recommended as the one and only good centralized service, above Matrix/Element even. That's not a status quo we should aim to maintain.
dngray commented 2020-12-31 14:20:56 +00:00 (Migrated from github.com)

> No server source is a negative point for Threema, but similarly it's negative that Signal is a USA-based service which [PrivacyTools says is "not recommended"](https://www.privacytools.io/providers/#usa)

There is some context to that. Firstly, the source code for Signal's server software *is available*: https://github.com/signalapp/Signal-Server. However, with any centralized service, if you deployed it, people would require a special client too that points to your server. That is one of the downsides in general of centralized services.

In regard to the USA thing, we've been thinking of removing/refining that for some time, as it is an ancient part of the site. Essentially the arguments for that are made in this part of the issue: https://github.com/privacytools/privacytools.io/issues/1437

In regard to Signal, we know exactly what metadata is available (https://signal.org/bigbrother/); it's [not much at all](https://www.aclu.org/sites/default/files/field_document/open_whisper_documents_0.pdf#page=13).

> The former needs some payment method, the latter a phone number.

Neither was intended to be anonymous. If you require that, something like Matrix/Briar over Tor fits the use case better.

> the latter never paid for or published any sort of audit

There have been a number of audits: https://community.signalusers.org/t/wiki-overview-of-third-party-security-audits/13243. Also, in general the [Signal Protocol](https://en.wikipedia.org/wiki/Signal_Protocol) is very well understood, and there are a number of implementations. It has in fact influenced OMEMO and Matrix's own Olm encryption.

> Or just remove both; that makes sense too, given that Matrix is indeed the better choice for privacy and Matrix/Element is indeed maturing real fast

That's likely where we will end up, which is why I don't want to add any centralized services which have significant downsides over the one currently listed.

In general we've done away with "worth mentioning", as something is either good or it is not. We aim now to supply a use case for option A, a use case for option B instead. This helps reduce the "what do I need?" threads.

> As it stands, though, Signal is recommended as the one and only good centralized service, above Matrix/Element even. That's not a status quo we should aim to maintain.

No, it isn't, and likely when the Matrix P2P functionality drops we will be only recommending that: https://matrix.org/blog/2020/06/02/introducing-p-2-p-matrix/
ghost commented 2021-02-11 17:47:55 +00:00 (Migrated from github.com)

Thought I'd chip in my two cents and give a simple thumbs up for Threema. I use both Signal and Threema for different reasons (and because my friends/colleagues use either one or the other, if at all).
Positive aspects of Threema for me personally were the incredibly short and easy-to-read privacy policy, not requiring a phone number, having a random seed generated by random swipes by the user (and not by a computer), and offering encrypted backups (as opposed to iCloud/Google Drive backups, which I don't have and which aren't cross-platform compatible).
Seeing that Signal is a recommended app (for good reasons; it's awesome, especially for "normies" coming from WhatsApp/Facebook), I think it is just as reasonable to also list Threema, both with the various issues they have as a warning label (Signal already has one; Threema could have one warning about it not being fully open source, using its own unpopular protocol and not being as good with metadata).
It appears that there are others here that have a similar opinion, so please reopen this issue so we can talk about it without a hurry! 👍
dngray commented 2021-02-13 08:09:52 +00:00 (Migrated from github.com)

> It appears that there are others here that have a similar opinion, so please reopen this issue so we can talk about it without a hurry! +1

Threema's server source is not available, and as such we won't be recommending it. The general consensus since the cleanup is that we don't want to be recommending a gazillion instant messengers which really offer nothing over anything else. Centralized messengers are really not that special.

> Threema could have one warning about it not being fully open source

We did this for Keybase for some time, but eventually decided against it after it was acquired by Zoom.
ghost commented 2021-02-13 17:28:10 +00:00 (Migrated from github.com)

> We did this for Keybase for some time, but eventually decided against it after it was acquired by Zoom

So you were okay with it not having an open-source server until Zoom acquired them? What's the problem with treating Threema the same then?

> Centralized messengers are really not that special

I also believe that it is important to encourage others to use decentralized messaging protocols, but atm centralized ones are being heavily preferred by most users. And at the end of the day it doesn't matter if your protocol/platform/app is great if none of your friends communicate over it. Signal, Threema and Telegram have gained a lot of popularity ever since WhatsApp announced their infamous ToS change; IRC, Matrix, XMPP/Jabber and Jami have not.

> The general consensus since the cleanup is that we don't want to be recommending a gazillion instant messengers which really offer nothing over anything else

Valid argument, but I am of the opinion that adding Threema won't hurt. It trades blows with Signal (unlike most other alternatives), and presenting a selected range of options allows users to choose their preferred messenger themselves. IMO it is better to tell visitors which messengers are okay to install and which ones to avoid (i.e. WhatsApp/Instagram/Facebook, Snapchat, Telegram, etc.) instead of just having one option there with others missing.

I feel like it doesn't help when both sides just repeat their stance. I hope the privacytools.io team can reconsider adding Threema anyway.
bcye commented 2021-02-14 19:00:45 +00:00 (Migrated from github.com)

> Centralized messengers are really not that special.

But in the case of Threema, yes:

> Positive aspects of Threema for me personally were the incredibly short and easy-to-read privacy policy, not requiring a phone number, having a random seed generated by random swipes by the user (and not by a computer), and offering encrypted backups (as opposed to iCloud/Google Drive backups, which I don't have and which aren't cross-platform compatible).

These are features that make it at least worth mentioning for those that need them.
John3 commented 2021-02-23 21:53:49 +00:00 (Migrated from github.com)

> Threema's server source is not available, and as such we won't be recommending it. The general consensus since the cleanup is that we don't want to be recommending a gazillion instant messengers which really offer nothing over anything else. Centralized messengers are really not that special.

Sure... because you can validate that the production servers are running the same code as on GitHub? If you know how, it will be interesting to hear it. That, BTW, is almost a year old: https://github.com/signalapp/Signal-Server
lynn-stephenson commented 2021-02-23 22:46:48 +00:00 (Migrated from github.com)

@John3 It's not a matter of knowing if they're actually running the software, and that's not what Gray said, nor did it imply that. We can't look into the server source code, which is a negative thing. In the grand scheme of things, it has more to do with reducing recommendations, thereby less work for us, and less "what choice is right for me".

Gray put it well that we are trying to cut down on vast amounts of recommendations in a single sector. Threema's nice in a few ways, but it doesn't have many advantages over Signal.

lgommans commented 2021-02-27 19:52:53 +00:00 (Migrated from github.com)

> it doesn't have many advantages over Signal.

...and Signal doesn't over Threema, and so we get back to the original point of why recommend one but not the other...

Another recurring theme is "we are trying to cut down on vast amounts of recommendations in a single sector", but two months into the thread that isn't happening either.

How much work is it to add Threema vs. wait some years until we deem Matrix/Element to be good enough to remove Signal *and* Threema from the recommendations? We should decide on what we want:

  • Remove Signal
  • Add Threema below Signal (or above, for that matter, I don't really care)
  • Downrank Signal (it's currently the #1 recommendation) to make Element/Matrix the main recommendation, and mention Signal/Threema as alternatives, rather than Element/Matrix as secondary to Signal
  • something else
dngray commented 2021-02-28 02:37:09 +00:00 (Migrated from github.com)

I think in regard to removing Signal, we'll be waiting for Matrix's P2P stuff to drop: [Introducing P2P Matrix](https://matrix.org/blog/2020/06/02/introducing-p-2-p-matrix/). At the moment, Matrix does have more metadata than say Signal, with [Sealed Sender](https://signal.org/blog/sealed-sender/).

> So you were okay with it not having an open source server until Zoom acquired them? What's the problem with treating Threema the same then?

In regard to Keybase, the main reason that was added is because it started out as a method to prove one's identity, rather than an instant messaging client. It was removed later when Zoom purchased it, and made some dubious claims (E2EE facilitates crime, it wouldn't be available for free users, and in fact E2EE was available in Zoom already - when in fact all they offered was transparent encryption via https). They backflipped on most of these. There was also the article about how they fed some users through Chinese datacenters, which is just bad for privacy. Some of these were mistakes, or off-key marketing. Either way the community trust in the company as a whole was pretty low.

I don't really see any compelling reason to add Threema, other than some users wanting to validate their own use cases by having it added. About the only point that gets made is that Threema doesn't require a phone number, and that's about it.

Signal was never intended to be used anonymously.
t1011 commented 2021-02-28 09:44:17 +00:00 (Migrated from github.com)

I would like to draw the attention of the community to the fact that the messenger under discussion is [actively cooperating](https://roskomsvoboda.org/26618/) with the state authorities of the Russian Federation. In particular, it was one of the first to rush to register in the register of organizers of information distribution. Inclusion in this register implies that the messenger is obliged to collect, store and provide information about the actions of users on its resource to the authorized state bodies. Including: all the contacts in the user's address book, data on the number and volume of messages, all authorizations, the exact time of visits, and other metadata. By a strange coincidence, around the same time there was a de-anonymization of the group Anonymous International, which published dirt on top government officials and slightly lesser known individuals. For unknown reasons, they used Threema as a means of communication. All of them had to go to jail.
ghost commented 2021-02-28 11:34:16 +00:00 (Migrated from github.com)

@q1011 Instead of downvoting everyone that speaks positively about Threema here, you might want to read through their privacy policy, which clearly states that they do not collect the information you're claiming they would send to the Russian government. Additionally, Threema is open source and openly auditable, and their spokesperson confirmed a while ago that this information isn't collected, making me think that the article you linked is just conspiracy fearmongering. It's funny how you're trusting Signal not to lie to its users about sending data to some government, but you believe any article you can find that puts Threema in a bad light.

@dngray

> I don't really see any compelling reason to add Threema, other than some users wanting to validate their own use cases by having it added. About the only point that gets made is that Threema doesn't require a phone number, and that's about it.

I have already stated some more reasons in my first comment here:

> the incredibly short & easy to read privacy policy, not requiring a phone number, having a random seed generated by random swipes by the user (and not by a computer) and offering [vendor independent] encrypted backups (as opposed to iCloud/Google Drive backups...)

The [Signal privacy policy](https://signal.org/legal/) is over 4.5 times as long as the [Threema privacy policy](https://threema.ch/en/privacy), and in fact Threema's is one of the only privacy policies I've ever read, because it was so easily understandable. They clearly detail how little data Threema collects in there. I'm repeating myself, but I think Threema is just as worthy to be listed as a great privacy-centric messenger for newcomers as Signal is. Any of these messengers are a great improvement on what the visitor might have previously used (WhatsApp, Facebook, Google etc.) and they trade blows, which we can't say about most other messengers (Keybase falls short for the reasons you already listed, Telegram has its own issues, Wire has problems as well...)
bcye commented 2021-02-28 11:40:21 +00:00 (Migrated from github.com)

> Signal was never intended to be used anonymously.

@dngray I get you want to cut down on recommendations, but why not put it on "worth mentioning" then, with its benefits over Signal?

> the incredibly short & easy to read privacy policy, not requiring a phone number, having a random seed generated by random swipes by the user (and not by a computer) and offering [vendor independent] encrypted backups (as opposed to iCloud/Google Drive backups...)
lgommans commented 2021-02-28 15:05:07 +00:00 (Migrated from github.com)

Just to set the record straight:

> other than some users wanting to validate their own use cases by having it added.

You got that backwards. I don't use Threema myself, I use Signal instead and even ask my friends to use that.

The reasons are that (1) Signal has a better network effect so people might actually stick around, and (2) Threema doesn't have a proper desktop or web application ([footnote](https://lgms.nl/p/cau/?Yeah+it+has+this+web+client+that+looks+slick+but%0D%0A1%29+requires+your+phone+to+be+turned+on+and+online+continuously%2C+and%0D%0A2%29+requires+you+to+navigate+two+menus+on+the+phone+every+time+your+phone+reconnects+to+another+wifi+or+anything.%0D%0A%0D%0AThen+I+might+as+well+just+use+my+phone.+Threema%27s+web+client+is+unusable+for+anything+but+one-off+use.+It+gets+slightly+better+if+you+buy+into+the+Google+backdoor+stuff+on+your+phone%2C+then+it+allegedly+reconnects+automatically%2C+but+as+I+am+not+one+of+those+people%2C+it+doesn%27t+work+for+me.)), which is an instant no-go for me. I talk a lot with people on messaging apps, especially now with covid, and I'm not about to cramp my fingers trying to write hundreds of messages per day on a touchscreen.

But those are both usability reasons.

Privacy-wise, I'd rather use and recommend Threema (from my European POV), and this is PrivacyTools we're talking about.
If more people pay for and use Threema, they're bound to improve both points.
Mainly for the former but also for the latter reason we should recommend it alongside the status quo. Everyone who cares about this already knows about Signal anyway, and it's not as if we would stop recommending Signal, so those who want the network effect would just continue to use that recommendation.

It's not like the main difference that you keep mentioning, sealed sender, is a downside of Signal's, but I also feel like it's being way overblown: traffic analysis is quite trivial if you're really worried about Signal (or someone who hacked them) knowing who's messaging whom. In the same breath you say it was never meant to be used anonymously, okay fine, but then why do you keep bringing up this "anonymous" message submission? It doesn't make sense to me, but I guess it doesn't have to: I am in a position to compare the products for myself, understand the tech, and weigh the upsides and downsides against the feature set.

We're not doing this for me, to validate my decision (since it's the opposite of my decision), but rather for those who can't or don't have the time to do this. I would expect PrivacyTools to list tools that help with privacy (with practicality kept in mind), not just the one that I chose for usability reasons. That's why I am here, not to validate my own use case.
t1011 commented 2021-02-28 17:23:17 +00:00 (Migrated from github.com)

@GitGangGuy, I am able to distinguish the lie from the truth and the article I am referring to relies on the obvious fact - the state registry of the organizers of distribution of information. I recommend that you follow [the link](https://97-fz.rkn.gov.ru/organizer-dissemination/viewregistry/) that leads to the website of the STATE ORGANIZATION and enter the word "threema" into the form. [Here](https://97-fz.rkn.gov.ru/) you can read the requirements for organizers of information dissemination. I will translate them:

  • store on the territory of the Russian Federation information on the facts of receipt, transmission, delivery and (or) processing of voice information, written text, images, sounds or other electronic messages of Internet users and information about these users for six months from the date of completion of such actions, as well as provide the specified information to the authorized state bodies carrying out operational-search activities or ensuring the security of the Russian Federation, in cases established by federal laws;

  • ensure the implementation of the requirements for equipment and software and hardware used by the said organizer in the information systems operated by the organizer, established by the federal executive body in the field of communications, in agreement with the authorized state bodies carrying out operational-search activities or ensuring the security of the Russian Federation, to be carried out by these bodies in the cases established by federal laws, measures in order to implement the tasks assigned to them, as well as take measures to prevent the disclosure of organizational and tactical methods of carrying out these measures.

Threema was the very first service to appear on this list since its inception. No official response from Threema about the reasons for this action has been received, neither by me nor by anyone else. It should be noted that no other foreign messengers deigned to register in the said registry and meet the requirements of the Russian authorities.
For this reason, among others, it cannot be recommended for use.
John3 commented 2021-02-28 18:39:57 +00:00 (Migrated from github.com)

@q1011 Dude, you need to research more; that is not accurate or fair, institutions similar to that Russian one exist in other countries. What you are linking is probably conspiracy. You are mixing conspiracy, country law, data retention and Russian politics stuff. Please don't bring that topic here.

John3 commented 2021-02-28 18:40:18 +00:00 (Migrated from github.com)

To keep it short. Threema:

  • The server is closed source. You can never know what is running on the production server even if they open source the code anyway. Look at Signal with the PIN cloud feature; the source code (1y old) is pretty surely from before that feature.
  • The company is in Switzerland.
  • All the servers are in Switzerland.
  • They own the servers, not a third party (not Amazon, for instance).
  • GDPR compliance.
  • Transparency report.
  • The company has a clear business model.
  • You can buy Threema with Bitcoin.
  • The encryption protocol is open source.
  • Cryptography whitepaper released (algorithms and design decisions behind the cryptography).
  • No phone number.
  • Threema works without the app store.
  • Threema can be used without Firebase Cloud Messaging (FCM).
  • The Threema client had security audits; the findings are already fixed.
  • The Threema client is open source.
  • Reproducible builds.
  • The Threema client doesn't have any trackers.
  • The metadata, chats, groups and some other metadata are stored locally on the device (client).
  • The metadata on the server is low: ID, public key, issue date and token. I think nothing more.
  • The backup is saved locally and encrypted locally (or use your own server or their servers).
  • The private key is on the device of the end user (client).
  • The encryption happens on the device of the user (client).
  • It is end-to-end encrypted, from device to device.
  • The server basically routes the messages.

If this does not fit to be included in a privacy conscious community I don't know what does... Matrix? Hahaha. Better go to Telegram, it has more features, hahaha. (This was sarcastic, for people that don't understand the joke.)
dngray commented 2021-02-28 23:46:32 +00:00 (Migrated from github.com)

> The metadata on the server is low: ID, public key, issue date and token. I think nothing more.

I'd be curious about that one. Does it have a robust verification system? That does seem like one method of exploitation. (No I haven't personally used Threema - really had no reason to).

Being in "Switzerland" really doesn't mean a whole lot these days. What generally happens in situations like this is users in repressive countries have to have their data stored on servers in *those countries*. China for example often does this.

> You can buy Threema with Bitcoin.

Which isn't inherently anonymous. I wonder how many people have not cleaned their bitcoins before buying. I would say at this point states would *love* people using bitcoin because of the whole public ledger thing. Not everyone uses local services or does altcoin shifting 😄 frankly I'd say for most users Threema isn't anonymous - not unless you really know what you are doing.

> The metadata on the server is low: ID, public key, issue date and token. I think nothing more.

I'd like to see more details about that.

> Matrix? Hahaha Better go to Telegram

The difference with Matrix is that the E2EE implementation was actually audited before implementation, unlike Telegram. It's also not centralized so you can pick a homeserver in a country that is unlikely to give your country information. Additionally it can be used anonymously, with or without Tor, without an email and doesn't require any form of payment (that last one inherently makes things more complex).

The P2P stuff will mean you won't even need a home server.
John3 commented 2021-03-01 03:49:03 +00:00 (Migrated from github.com)

I don't get it. Who...? Why are you talking about being anonymous? 🤔 Man, it seems to me you are mixing privacy with anonymity and you are mixing instant messenger categories and team collaboration.

> That does seem like one method of exploitation

Probably they never realized it in the years they have been on the market. Hope what happened to Matrix doesn't happen here.

> (No I haven't personally used Threema - really had no reason to).

Yet you are commenting on a product that you don't know, and yet you closed the issue without a real consideration.

> Being in "Switzerland" really doesn't mean a whole lot these days.

Good. Then the reference should be removed from the main site. USA, Switzerland, Eyes... you know, all the conspiracy. We can avoid this kind of misunderstanding in the future.

> The difference with Matrix is that the E2EE implementation

Dude, that was a joke 🤦 and I talked about features. But yeah, actually I do remember all the mess with the encryption, group encryption, the endless verification and people stopping using E2EE. Is it working now? How about all the metadata, did they fix that too? And the data that is kept forever in the DB?

> The P2P stuff will mean you won't even need a home server.

Good! Let's wait a few more years with a messy product. Hope they don't get hacked again along the way and then delete everything "just in case" (because of all the metadata). In the meantime, let's keep recommending Matrix and use Jami, if it actually sends a message.

By the way, talking about "doesn't have many advantages over Signal": why bother to change from WhatsApp to a similar product like Signal?

WhatsApp is E2EE with the Signal encryption (no man in the middle), integrated into the product by the Signal people themselves (no backdoor); the messages and the private key are kept on the devices of the end users; they have safety number verification and disappearing messages too. If moxie said the message content is private, why change to a similar product like Signal? He implemented it after all.

[Signal blog](https://signal.org/blog/there-is-no-whatsapp-backdoor/):

  • "We believe that WhatsApp remains a great choice for users concerned with the privacy of their message content."

As you see, privacytools has a nonsense recommendation for only Signal, and didn't even try to test Threema.
t1011 commented 2021-03-01 10:00:21 +00:00 (Migrated from github.com)

@John3, boy, you're too aggressive and it doesn't add to your credibility. You're just stuck with your delusional idea of Threema's security and can't seem to calm down. I gave you the links to the website of the Russian government, from which even a moron can understand that Threema stores data on the territory of Russia and provides access to it at the first request of the Russian authorities.

ghost commented 2021-03-02 14:45:10 +00:00 (Migrated from github.com)

@q1011 You're spreading an incredible amount of FUD about Threema. Please do more research before spamming an otherwise reasonable discussion about adding Threema to a newcomer-oriented privacy recommendations website. I won't quote you here in order to keep it short.

  • You suggest that Threema is voluntarily taking part in this government program, but it appears to be a public watchlist that the Russian government has decided on themselves.
  • Consequently, whether or not other messengers are on that list doesn't have anything to do with Threema, but rather with the Russian government's awareness of them. (side note: Telegram is also on the list, [yet they didn't cooperate either](https://medium.com/@vadiman/threema-and-telegram-under-control-of-russias-government-f81f8e28714b))
  • You (misleadingly) claim there would be no public statement from Threema, however a spokesperson has clearly stated [they can't provide this information to foreign authorities](https://en.wikipedia.org/wiki/Threema) (side note: see how I'm using a halfway credible source here and not just some Russian website?)
  • The Threema client is FOSS, and there haven't been any major security discoveries until now. Judging from this, the very strict privacy policy, their mature encryption protocol and their business model, they don't even possess the metadata you believe they share with Russian intelligence.

Please stop harassing others chiming into the conversation around Threema with your delusional fantasies.

ghost commented 2021-03-02 15:11:45 +00:00 (Migrated from github.com)

@John3 Great to see some more Threema support!

> The company is in Switzerland
> All the servers are in Switzerland

I agree with @dngray here, being in Switzerland (just like basically any other country) doesn't say anything. Nowadays privacy laws are mostly equally poor everywhere, so it ends up being a sales pitch.

> USA, Switzerland, Eyes... you know, all the conspiracy

The [Five Eyes](https://en.wikipedia.org/wiki/Five_Eyes) is a real thing and not something for conspiracy nuts only. Its members are listed in the [UKUSA agreement](https://en.wikipedia.org/wiki/UKUSA_Agreement) and the term has its origins as a shorthand for the "AUS/CAN/NZ/UK/US EYES ONLY" releasability caveat (citing Wikipedia). The Snowden leaks (and others) have revealed to what extent our privacy is being invaded with the help of these international treaties.

> Threema can be used without Firebase Cloud Messaging

This is the case with Signal etc. as well. (Not sure if you're mentioning it just for completeness sake or because you thought it's an advantage over other messengers?)

> If this does not fit to be included in a privacy conscious community I don't know what... Matrix? Hahaha Better go to Telegram have more features hahaha

I don't get it ಠ_ಠ

> Why are you talking about be anonymous?

Because privacy and anonymity are two closely related concepts, and I always enjoy anonymity as an additional bonus.

> ... [ E2EE ] Is it working now? How about all the metadata, they fixed that too? and the data that keeps forever on the DB? ...
> Good! lets wait few more years with a mess product
> Why bother to change from WhatsApp

This is all pretty off-topic, please don't turn this into WhatsApp vs Signal, Matrix vs Signal, or P2P vs Threema

ghost commented 2021-03-02 15:29:38 +00:00 (Migrated from github.com)

@dngray

> Does it have a robust verification system?

It shows you how trusted the person you're communicating with is (based on if they have been found via email, phone number or qr code). Not sure if that was what you were asking for.

> Which isn't inherently anonymous.

Bitcoin isn't anonymous at all, but anyone who did some research knows how to buy Monero and exchange that into Bitcoin instead. (And there are some pretty sophisticated Bitcoin anonymization solutions out there: [Wasabi Wallet](https://www.wasabiwallet.io/) implements trustless CoinJoin, [Bisq](https://bisq.network/) is a P2P exchange).

> I'd like to see more details about that.

Here's the [app privacy policy](https://threema.ch/privacy_policy/?lang=en), it contains the metadata stored by Threema servers:

- Threema ID
- Public key
- Operating system and version of the Threema app
- Date (without time) of creation of the Threema ID
- Date (without time) of the last login

With "Threema ID" referring to an 8-digit ID and a key pair created by the user himself (through random swipes during setup).
All stored data can be viewed in the app or online, mobile phone numbers and emails can be unlinked from an ID remotely (in case of a lost device), and all personal data related to the ID can be deleted at any time as well.

John3 commented 2021-03-03 03:01:50 +00:00 (Migrated from github.com)

Sorry if I seem aggressive 😄 @q1011 (and other people), it is probably because English is not my native language. Either way, what you post is FUD 😄 If you want to talk FUD, mix in Signal funds hahaha (Please don't reply to this. I'm joking)

Hey @GitGangGuy

> Being in Switzerland

Yes, I get it 👍 thanks. That was nothing special really, just a brief overview of the app; I forgot to add something else to complete that chunk.

  • The company is in Switzerland.
  • All the servers are in Switzerland.
  • They own the server, not a third-party (Not Amazon for instance)

> I agree with @dngray here, being in Switzerland... The five eyes is a real thing....

Haha, I know man. That was not the point. Anyway, forget this, I don't really care.

> (Not sure if you're mentioning it just for completeness sake or because you thought it's an advantage over other messengers?)

Yes. In that comment, what I said was to keep it short and give a quick overview of Threema, with only one comparison to make a point about the server code.

> This is all pretty off-topic, please don't turn this into WhatsApp vs Signal, Matrix vs Signal, or P2P vs Threema

Hahaha, oh man! 🤣🤣 It was an ironic example because of the Signal-only policy, and because some guys keep bringing Signal or Matrix into the Threema discussion and don't even take the time to evaluate a good alternative or even understand whether they are in a different category; they just close the issue. Forget the sentiment, did you understand the technical side of what I said about WhatsApp? haha I know... hilarious.

Anyway man, for me, to finish the discussion: it seems, from what I read, that they just closed the issue without digging too much or anything technical. That's bad and biased for this kind of informative site, which should inform people so they can make a good decision for their needs.

lynn-stephenson commented 2021-03-03 06:15:17 +00:00 (Migrated from github.com)

To clear things up, I will be producing an analysis of Threema. The project is huge, so I will be cherry picking security critical components. When I have finished my work, I will compare Threema to Signal here.

ghost commented 2021-03-03 09:14:38 +00:00 (Migrated from github.com)

@lynn-stephenson Let's hope Threema ends up well in your analysis!

ghost commented 2021-03-18 08:30:03 +00:00 (Migrated from github.com)

@dngray

> Threema's server source is not available, and such we won't be recommending it. The general consensus since the cleanup is we don't want to be recommending a gazillion instant messengers which really offer nothing over anything else. Centralized messengers are really not that special.

Signal's server source code hasn't been updated in a year now, and its API is out-of-date with the frontend, showing that Signal has silently shifted their development into private. I believe this is very bothersome, and I've lost a bit of trust in the developers.
Signal is still a great messenger and since the client is open, we can verify/audit that the encryption works, but if we'd adhere to the rules you mentioned, you'd have to remove Signal now. I'd instead vote to add Threema to the list, now that they're basically the same in terms of openness/trustworthiness (Threema doesn't need a phone number though, and its servers aren't in the US, which does give it a slight edge).

lynn-stephenson commented 2021-04-09 01:17:45 +00:00 (Migrated from github.com)

@GitGangGuy

> Signal's server source code hasn't been updated in a year now, and its api is out-of-date with the frontend, showing that Signal has silently shifted their development into the private.

It has recently been updated, but it is definitely concerning. Signal is designed for the event that the server is malicious, so it doesn't affect the security of the protocol, or the application as a whole. Jurisdiction matters far less than you think. If it matters, it means that the protocol wasn't designed to not retain information about its users.

And I don't agree with @dngray on the server source code part. While I highly prefer the server code to be open source, it's not a complete no-go. If designed properly it doesn't matter if the server is malicious, or otherwise proprietary.

Threema still collects more metadata on its users compared to Signal. Unfortunately Signal still requires a phone number. From a UX perspective Threema is more technical, and not as friendly to less technical folk. Signal takes that away and lets the user focus on messaging while also retaining security. It doesn't expose or tell the users details of the internals.

Signal's cryptographic protocol is still better than Threema's (no Sealed Sender-like functionality (this means Threema's servers know who is talking to whom), no PFS, and from what I can see, no cryptographic plausible deniability), and it is an easier to use application. For most people Signal is great, and far easier to get people switched over to.

PrivacyTools target demographic is average users. Threema requires payment while Signal doesn't. We want users to be able to go to PrivacyTools, see which messenger to use, and just install it easy-peasy. They shouldn't have to pay for privacy. So for most users, Signal is fine. And it generates less confusion.

Often there is a money trail as well, and unless users "clean", "wash", or otherwise obscure their Bitcoin (which isn't even that effective), then exchange it for Monero, then move it to a different wallet, they aren't going to be truly anonymous on Threema unless they also use Tor. If they're doing that, they might as well buy a phone number with Monero and just install Signal, and send it through Tor.

Threema is good, and makes a joke out of Telegram. But Signal is free, arguably easier to use, and generally has better privacy (though we're still waiting on usernames....).

Sources:

  1. https://threema.ch/press-files/2_documentation/cryptography_whitepaper.pdf
  2. https://threema.ch/press-files/2_documentation/security_audit_report_threema_2019.pdf
  3. https://threema.ch/press-files/2_documentation/external_audit_security_statement.pdf
  4. https://threema.ch/press-files/2_documentation/security_audit_report_threema_2020.pdf
  5. https://en.wikipedia.org/wiki/Threema
  6. https://serpentsec.1337.cx/threema
  7. https://serpentsec.1337.cx/signals-privacy-a-definitive-review
  8. https://serpentsec.1337.cx/signal-sucks-heres-why
  9. https://en.wikipedia.org/wiki/Signal_%28software%29
  10. https://signal.org/docs/
ghost commented 2021-04-09 14:50:45 +00:00 (Migrated from github.com)

@lynn-stephenson
Thanks for the extensive analysis!

  • It looks like the Signal protocol is indeed ahead of what Threema uses
  • That doesn't change that Threema doesn't require a phone number
  • I have multiple non-technical friends using Threema (over Signal, for some reason)
  • Non-technical users often tend to spend a lot of money on software (App Stores make huge profits off of them)
  • Payment is indeed a hurdle, but I believe paying for privacy-respecting FOSS software should become more normal - many users expect FOSS to be free, when in fact it doesn't have to be, and Threema is a great example of that. The team behind Threema doesn't depend on donations and might be able to move forward more quickly than Signal does because of it. I'm not criticizing either financial model, but discouraging the use of paid software on PrivacyTools does seem a bit concerning to me.
  • Signal has recently started publishing their server source code again, but who knows for how long that will last? They already stopped developing in public once, and they don't seem to be concerned about doing it again. This is subjective, but I started trusting Threema more after it.
  • Payment could de-anonymize the user, but that doesn't change privacy aspects (obviously, being anonymous is a plus, but it isn't synonymous with privacy). If PrivacyTools really targets the average user, recommending Threema shouldn't be a problem, because these people would install any recommended app with a uniquely identifiable device on a privacy-nightmare App Store anyway, not use Tor etc. You seem to be attacking Threema's payment model for not being anonymous, while also realizing that most Signal users (including myself) are not using it in an anonymous fashion either. If one would be committed enough to using either anonymously, paying with Monero->Bitcoin should be a given.
  • If server source code really doesn't matter, then why is @dngray refusing to add Threema as a recommendation?

I feel like PrivacyTools is actively favoring Signal over other messengers. You did not pull Signal from the recommendations after their server source code was obviously out-of-date, but you are proactively removing other recommendations because of missing server source code. That isn't consistent behavior.
I don't see a reason to not add Threema. It is a worthy alternative, and while lacking in some aspects, it is better than Signal in others. Omitting the recommendation, due to debatable concerns, leads people to think Signal is the only truly private messenger, which would be sad for the overall landscape of private messengers. We need more privacy tools and more options, not less.

lynn-stephenson commented 2021-04-09 20:00:33 +00:00 (Migrated from github.com)

> That doesn't change that Threema doesn't require a phone number

The target audience of Signal is people who are using phone numbers to contact people in the first place.

> Payment is indeed a hurdle, but I believe paying for privacy-respecting FOSS software should become more normal

I think it's fine too.

> Signal has recently started publishing their server source code again, but who knows for how long that will last? They already stopped developing in public once, and they don't seem to be concerned about doing it again. This is subjective, but I started trusting Threema more after it.

Absolutely understandable. Transparency is an important aspect. For one, Signal doesn't even have a GitHub issues tab on their server repository. Two, the community seems to be ignored; I've been searching their official forums, GitHub issues & pull requests. Three, kind of on point with the last one, but it's pretty important: they won't answer the community about the outdated code.

Signal has pissed me off (and that's not even getting into the new cryptocurrency bs, or other aspects).

> Payment could de-anonymize the user, but that doesn't change privacy aspects (obviously, being anonymous is a plus, but it isn't synonymous with privacy).

The only benefit of Threema in comparison is Signal's usernames (e.g: when you want to securely contact a stranger without giving out your phone number, which is valid criticism).

> If server source code really doesn't matter, then why is @dngray refusing to add Threema as a recommendation?

I don't know. But they brought me onto the team to do research on projects. I believe I explained pretty well why jurisdiction and server source code availability don't matter as much as you might think.

> I feel like PrivacyTools is actively favoring Signal over other messengers.

We are, see the reasons I mentioned in my past post.

> You did not pull Signal from the recommendations after their server source code was obviously out-of-date, but you are proactively removing other recommendations because of missing server source code. That isn't consistent behavior.

That is an inconsistency, but I already explained why it's fine to add recommendations with closed source back-ends.

> I don't see a reason to not add Threema. It is a worthy alternative, and while lacking in some aspects, it is better than Signal in others.

Threema is at the very least worth mentioning. Now that we've finally gotten to this point, right now, I don't think it's worth having a full-on card for it, since Signal beats it in almost every aspect except a single factor, an identifier.

dngray commented 2021-04-10 02:11:39 +00:00 (Migrated from github.com)

> That is an inconsistency, but I already explained why it's fine to add recommendations with closed source back-ends.

My opinion on that is that it doesn't *really* matter either...

The main reason for preferring source to the server comes down to a number of things:

#### Verifiability that there isn't metadata collection going on.

With Signal there is [Sealed Sender](https://signal.org/blog/sealed-sender/). When this is enabled in a client there's literally nothing a server can do to change this behavior in the client. Even when server source **is** available, there's no way to make sure that is what is actually running in production. Therefore server source code may actually be less important than you think.

While with Matrix it is possible for a homeserver to collect some metadata, it's also entirely possible for a user to have their own homeserver that they control. The Matrix team is also working on a [peer-to-peer solution](https://matrix.org/blog/2020/06/02/introducing-p-2-p-matrix/) that would eliminate this issue for most users. My understanding is it runs the homeserver in the browser in [WASM](https://en.wikipedia.org/wiki/WebAssembly).

So based on that there is certainly a barrier to using Threema anonymously (payment). I really don't see any motivating reason that makes it exceptional. In regard to anonymous usage, the gold standard goes to services that aren't financially linked with a user anyway, regardless of whether they've disguised their payments. This is possible with Matrix, and you can always donate if you feel the homeserver/project would benefit.

Threema is just yet another "privacy messenger" on a centralized network, something we should all be looking to avoid. I don't see any reason to recommend it over Wire or the like.

ghost commented 2021-04-10 16:28:47 +00:00 (Migrated from github.com)

@dngray Comparing Threema to Wire is a joke; Threema is trading blows with Signal.
@lynn-stephenson Threema has additional benefits apart from not requiring a phone number:

> short & easy to read privacy policy (over 4x shorter than Signal's), having a random seed generated by random swipes by the user (and not by a computer) and offering their own encrypted backups (as opposed to iCloud/Google Drive backups, which I both don't have and aren't cross-platform compatible), official efforts to release it on F-Droid (unlike Signal)

These are all things Signal doesn't have.

If you're going to close this issue, at least remove Signal as well. It's sad to see how, now that Signal has become unreliable regarding public source code development, the [server-side source code] criterion is removed from PrivacyTools. It is one thing to admit inconsistency; it is another to continue applying it in practice.
I'm basically yelling at a wall at this point. I'd just like to see PrivacyTools, a resource I have recommended to a lot of friends, be open to more good options. But I see this discussion has come to a close (quite literally) once again.

dngray commented 2021-04-11 06:31:22 +00:00 (Migrated from github.com)

> short & easy to read privacy policy (over 4x shorter than Signals),

The [privacy policy for Signal](https://signal.org/legal/) is very clear about what information you provide and what they may share. The [Threema privacy policy](https://threema.ch/en/privacy) is actually a bit sparse on details.

> having a random seed generated by random swipes through the user (and not by a computer)

That doesn't necessarily make something more secure or give stronger keys. It adds entropy, which means a random key can possibly be reached quicker, but it entirely depends on what is being generated. You can securely generate OpenPGP keys and OpenSSL keys without smashing your keyboard and moving your mouse, for example.

> the [server-side source code] criteria is removed from PrivacyTools. It is one thing to admit inconsistency; it is another to continue applying it in practice.

No, because it entirely depends on the purpose of the server, what it does, how much privilege it has, etc. In a distributed network you could argue each "node" is a server (e.g. Session), but in that case those "servers" do very little and only pass around already encrypted data. The main reason for caring about it is because of the data that can be collected. That is evaluated on a case-by-case basis depending on the protocol and what is actually happening.

> I'm basically yelling at a wall at this point. I'd just like to see PrivacyTools, a resource I have recommended to a lot of friends, to be open to more good options. But I see this discussion has come to a close (quite literally) once again.

Frankly I think you're way too invested in forcing your opinion. PrivacyTools isn't here to validate personal opinions/choices but rather to be objective about recommendations, and no, more options is not better if they complicate things and offer little advantage.

ghost commented 2021-04-12 16:32:38 +00:00 (Migrated from github.com)

@dngray

> The Threema privacy policy is actually a bit sparse on details

That's the website privacy policy (I also posted it earlier, don't worry); you can find the app policy [here](https://threema.ch/privacy_policy/?lang=en). Both are shorter, more concise and easier to understand than Signal's counterparts.

I stand by what I said. Shifting definitions of the importance of the server or the criteria for being recommended by PrivacyTools doesn't change that Threema stacks up very well compared to the overall landscape, and even outweighs Signal in some aspects.

ghost commented 2021-06-25 01:08:43 +00:00 (Migrated from github.com)

This Issue has been forcibly closed for unfair reasons.

It is not advisable to dismiss an article because it is paid.
It imposes the false notion that open source software must be free (beer).
That's not all. The server is closed source, and this is the same for both Signal and Threema. This is the same for both Signal and Threema (although Signal is "de facto").

It may not be worth creating a card and posting it.
But it is worth "Worth Mentioning".

I think what @lynn-stephenson says about this issue is right on the money.
@dngray is forcing Close.

t1011 commented 2021-08-18 15:57:28 +00:00 (Migrated from github.com)

@GitGangGuy, I won't even try to refute your "arguments", because they are so ridiculous that it's not even worth wasting time on them. What you write says only one thing: you are an interested troll, working to promote insecure software such as Threema and Telegram.

Reference: privacyguides/privacytools.io#2162