Instant Messaging page updates #951

Closed
Perelandra0x309 wants to merge 0 commits from master into master
Perelandra0x309 commented 2019-05-27 10:44:52 +00:00 (Migrated from github.com)

Description

Resolves: #948

Here is my proposal for changes as discussed in #948

Overview of changes:

Add criteria to cards with details. This would be nice to show an overview of how an app adheres to each category, and give a chance to briefly explain any concerns.

  • Open Source
  • Cross Platform
  • Ease of Use
  • Privacy Respecting
  • Prevents Mass Surveillance

Add Threema, Wire and WickrMe as cards

Make securechatguide.org link into two links to the EFF and Features Matrix pages

Combine all XMPP clients into one list under the "Worth Mentioning" section

Add Briar, Keybase and TwinMe to the "Worth Mentioning" section

Create a separate "Experimental and Beta" section

privacytoolsIO (Migrated from github.com) reviewed 2019-05-27 10:44:52 +00:00
Vincevrp (Migrated from github.com) reviewed 2019-05-27 10:44:52 +00:00
blacklight447 (Migrated from github.com) reviewed 2019-05-27 10:44:52 +00:00
jonah reviewed 2019-05-27 10:44:52 +00:00
netlify[bot] commented 2019-05-27 10:45:34 +00:00 (Migrated from github.com)

Deploy preview for privacytools-io ready!

Built with commit 6163730d06

https://deploy-preview-951--privacytools-io.netlify.com

blacklight447 commented 2019-05-27 12:31:59 +00:00 (Migrated from github.com)

Would add another field for anonymity and one registration information.

Mikaela (Migrated from github.com) requested changes 2019-05-30 17:33:24 +00:00
Mikaela (Migrated from github.com) commented 2019-05-30 17:19:38 +00:00

I disagree with removing Threema from this list. Also could this have alphabetical order or are they in some obscure order of which is the least worst? Personally I have also started calling WhatsApp as `Facebook WhatsApp` (note the nonbreakable white space).

Mikaela (Migrated from github.com) commented 2019-05-30 17:20:12 +00:00

Why remove Mobile?

Mikaela (Migrated from github.com) commented 2019-05-30 17:22:24 +00:00

Isn't it still Android & iOS? I last used Signal desktop today and it wanted linking to my phone by scanning a QR code, so I wouldn't call it as cross-platform, maybe `Android & iOS + X remote clients`.

@ -118,0 +24,4 @@
{% include cardv2.html
title="Riot.im"
image="/assets/img/tools/riot.png"
description="Riot.im is a decentralized free-software chatting application based on the <a href\"https://matrix.org/\">Matrix</a> protocol, a recent open protocol for real-time communication offering E2E encryption. It can bridge other communications via others protocols such as IRC too. <span class=\"badge badge-warning\" data-toggle=\"tooltip\" title=\"The software is currently in beta and the mobile client states 'End-to-end encryption is in beta and may not be reliable. You should not yet trust it to secure data.'\">beta <i class=\"far fa-question-circle\"></i></span>"
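Review bot: the Matrix link in the `description` value is missing the `=` between `href` and the URL: `<a href\"https://matrix.org/\">` produces an anchor with no href, so the link is dead; it should read `<a href=\"https://matrix.org/\">`. Two smaller points in the same string: `via others protocols` should be `via other protocols`, and the badge tooltip still labels Riot.im as beta, which the review comments on this thread dispute, so the tooltip text should be re-checked against the current release before this is merged.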
Mikaela (Migrated from github.com) commented 2019-05-30 17:22:52 +00:00

👎 for not being open source.

Mikaela (Migrated from github.com) commented 2019-05-30 17:23:15 +00:00

I think you forgot to change these two lines while copy-pasting?

Mikaela (Migrated from github.com) commented 2019-05-30 17:24:09 +00:00

Riot 1.0 has been released some time ago, so it's not in beta anymore.

Mikaela (Migrated from github.com) commented 2019-05-30 17:25:24 +00:00
(See also https://github.com/privacytoolsIO/privacytools.io/issues/840)
@ -119,0 +66,4 @@
<li><a href="https://get.wire.com/">Wire</a> <span class="badge badge-warning" data-toggle="tooltip" title="Wire stores metadata such as list of your connections/conversations in plaintext (= not encrypted).">experimental <i class="far fa-question-circle"></i> (<a href="https://www.vice.com/en_us/article/gvzw5x/secure-messaging-app-wire-stores-everyone-youve-ever-contacted-in-plain-text">more info</a>)</span> - A free software End-to-End Encrypted chatting application that supports instant messaging, voice, and video calls.</li>
<li><a href="https://status.im/">Status</a> - <span class="badge badge-warning">Experimental</span> A free and open-source, peer-to-peer, encrypted instant messanger with support for DAPPs. </li>
<li><a href="https://en.wikipedia.org/wiki/Off-the-Record_Messaging#Client_support">List of OTR Clients - Wikipedia</a></li>
</ul>
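Review bot: `messanger` in the Status entry should be `messenger`. The two badges are also inconsistent: Wire uses a lowercase `experimental` badge with a `data-toggle="tooltip"` title and a `(more info)` link inside the span, placed before the dash, while Status uses a capitalised `Experimental` badge with no tooltip, placed after the dash. Pick one pattern (badge with a tooltip explaining why the entry is experimental) and apply it to both so the list reads consistently; the Status entry also has a stray space before `</li>`.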
Mikaela (Migrated from github.com) commented 2019-05-30 17:25:59 +00:00

It's doing some weird things though like the key verification is a bit hidden.

Mikaela (Migrated from github.com) commented 2019-05-30 17:26:18 +00:00

Where are you taking the number of supported platforms by the way?

Mikaela (Migrated from github.com) commented 2019-05-30 17:26:51 +00:00

👎 for not being open source.

Mikaela (Migrated from github.com) commented 2019-05-30 17:28:00 +00:00

I need to read this at a better time to comment.

Mikaela (Migrated from github.com) commented 2019-05-30 17:28:52 +00:00

I hear from iOS users that ChatSecure has issues with notifications and [Monal](https://monal.im/) is more often recommended.

Mikaela (Migrated from github.com) commented 2019-05-30 17:29:53 +00:00

I would prefer linking to https://conversations.im/ instead of Google and mentioning https://f-droid.org/packages/eu.siacs.conversations/ for users who cannot get over the price.

Mikaela (Migrated from github.com) commented 2019-05-30 17:30:14 +00:00

Oh and I think it's OpenPGP with a capital O, but I need to check.

Mikaela (Migrated from github.com) commented 2019-05-30 17:30:33 +00:00

I don't think OTR should be recommended anymore as there are platforms with better E2EE by default.

Mikaela (Migrated from github.com) commented 2019-05-30 17:32:51 +00:00

I wonder if https://github.com/privacytoolsIO/privacytools.io/issues/740 should reach consensus first?

Perelandra0x309 (Migrated from github.com) reviewed 2019-05-30 22:48:32 +00:00
Perelandra0x309 (Migrated from github.com) commented 2019-05-30 22:48:32 +00:00

Even if Threema doesn't get added as a recommendation, I don't think it deserves to be grouped together with the likes of Viber and Messenger. Threema is always encrypted using elliptical curve and XSalsa20 protocols.

five-c-d (Migrated from github.com) reviewed 2019-05-31 22:58:53 +00:00
five-c-d (Migrated from github.com) commented 2019-05-31 22:58:53 +00:00

You have to have (exactly) one master-device, which is always going to be either signal4android or signal4ios, in order to install signal4desktop, but not to actually use signal4desktop (i.e. once it is installed).

gory details

The reason is because some functionality is only available within the smartphone-apps, in particular, registration requires the ability to receive inbound SMS or inbound robocall which signal4desktop doesn't do -- because laptops tend not to be able to get inbound SMS/PSTN. You also need signal4smartphone if you want to make and receive cryptocalls, signal4desktop does not have that yet -- because again, laptops tend to be a much worse UX versus desktops.

If you are like me though, you install signal4android, then link signal4desktop running on your choice of Linux distro ... after which you can pop the battery out of your smartphone and signal4desktop will work just fine. You cannot do this permanently but signal4desktop is definitely not some kind of "remote control of the phone" type implementation, which is how whatsapp functions for example.

People that are serious about not having a smartphone as their upstream-device, can use the unofficial github.com/AsamK/signal-cli as a workaround: register that as your master-device, and then link the (official) signal4desktop client to your (unofficial) sig4cli master, and you need never leave your laptop. If you want cryptocalling from your laptop, you can also install android into a VM, and then install signal4android into the VM. It is a bit tricksy to link signal4android-in-a-VM on your laptop, with signal4desktop running on the SAME laptop, because it is tough to QR-scan your own screen, but there are ways to skin that cat.

Signal4desktop has some downsides, the main ones being A) it uses a few hundred megs of RAM because it is an electron-based app for ease of portability, B) you have to switch gears and use signal4smartphone if you want to cryptocall or perform groupchat-management or a few other such platform-parity things, C) there are not yet any real keyboard-shortcuts available. But it works fine with texting, file-transfer, voiceNotes aka audio-recordings as a kinda-sorta-substitute for cryptocalls, and most other messenger-type-things.

Whether the signal4desktop quasi-standalone slave-device "really counts" as cross platform or not, depends on your definition. To me, signalapp is linux-compatible (works on LineageOS+GrapheneOS and works on Debian+Ubuntu officially as well as Fedora+Arch+etc "unofficially"), and that is what really matters, but YMMV. Wireapp has "officially unofficial" Linux support, but some people prefer that.

five-c-d (Migrated from github.com) reviewed 2019-05-31 23:02:04 +00:00
@ -118,0 +24,4 @@
{% include cardv2.html
title="Riot.im"
image="/assets/img/tools/riot.png"
description="Riot.im is a decentralized free-software chatting application based on the <a href\"https://matrix.org/\">Matrix</a> protocol, a recent open protocol for real-time communication offering E2E encryption. It can bridge other communications via others protocols such as IRC too. <span class=\"badge badge-warning\" data-toggle=\"tooltip\" title=\"The software is currently in beta and the mobile client states 'End-to-end encryption is in beta and may not be reliable. You should not yet trust it to secure data.'\">beta <i class=\"far fa-question-circle\"></i></span>"
five-c-d (Migrated from github.com) commented 2019-05-31 23:02:04 +00:00

RiotIM folks are still cautious about their crypto, and MegOlm is still "officially" in beta. But I agree, in practice they are quite mature, self-imposed overly-strict we-still-call-ourselves-beta kind of thing should not be held against them. https://matrix.org/docs/guides/faq#what-is-the-status-of-e2e%3F "End-to-End Encryption is currently in late beta. Rooms can have encryption enabled, but it is not by default." Hosting your own Synapse server tends to mean you CAN have e2e by default, however, is my understanding

five-c-d (Migrated from github.com) reviewed 2019-05-31 23:03:56 +00:00
five-c-d (Migrated from github.com) commented 2019-05-31 23:03:56 +00:00

I have heard the same (from the interwebz rather than from actual XMPP-on-iOS endusers however). But there are sometimes compatibility issues when you want Monal + OMEMO + ability to talk with people on non-Monal platforms, rumor has it?

five-c-d (Migrated from github.com) reviewed 2019-05-31 23:15:27 +00:00
@ -118,0 +24,4 @@
{% include cardv2.html
title="Riot.im"
image="/assets/img/tools/riot.png"
description="Riot.im is a decentralized free-software chatting application based on the <a href\"https://matrix.org/\">Matrix</a> protocol, a recent open protocol for real-time communication offering E2E encryption. It can bridge other communications via others protocols such as IRC too. <span class=\"badge badge-warning\" data-toggle=\"tooltip\" title=\"The software is currently in beta and the mobile client states 'End-to-end encryption is in beta and may not be reliable. You should not yet trust it to secure data.'\">beta <i class=\"far fa-question-circle\"></i></span>"
five-c-d (Migrated from github.com) commented 2019-05-31 23:15:27 +00:00

Portions of it are open-source, but yeah, most of it is not, and because charging endusers to join is the business-model, pretty much never has a hope of that either.

To me though, the detail of "does not require any personal information to sign up" seems wrong... don't you have to enter a credit card number, or something, to sign up? You are issued a threema hash-num, so you don't have to give out personally identifiable details to USE threema, but you do have to pay, right? I assume they accept Monero or zCash or whatever, but 99% of everyday endusers are not going to do that, instead they will just use Visa or Amex, doxxing themselves in the process.

To be clear, I'm not saying that Threema folks retain such details, just, that the majority of everyday endusers will give out the sensitive details during the payment process. To me this is a downside, over and above the difficulty of convincing folks to pay for something the marketplace has convinced them ought to be free-as-in-beer

Mikaela (Migrated from github.com) reviewed 2019-06-02 09:00:54 +00:00
Mikaela (Migrated from github.com) commented 2019-06-02 09:00:53 +00:00

> Threema is always encrypted using elliptical curve and XSalsa20 protocols.

How can this be confirmed if it's not open source?

Mikaela (Migrated from github.com) reviewed 2019-06-02 09:03:36 +00:00
Mikaela (Migrated from github.com) commented 2019-06-02 09:03:36 +00:00

> If you are like me though, you install signal4android, then link signal4desktop running on your choice of Linux distro ... after which you can pop the battery out of your smartphone and signal4desktop will work just fine.

Do you have a link to documentation or something about this? Regardless I would still find calling it as cross-platform misleading as the user still needs Android/iOS for similar setup and if Signal Desktop would work after death of my smartphone, it would still seem like a temporary measure until I got a new one.

Mikaela (Migrated from github.com) reviewed 2019-06-02 09:04:31 +00:00
Mikaela (Migrated from github.com) commented 2019-06-02 09:04:31 +00:00

(sorry, the better time is not now)

Mikaela (Migrated from github.com) reviewed 2019-06-02 09:05:41 +00:00
Mikaela (Migrated from github.com) commented 2019-06-02 09:05:41 +00:00

I am having no issues OMEMOing from Gajim and Conversations to Monal user (or vice versa), but I will ask my contact to comment here.

Mikaela (Migrated from github.com) reviewed 2019-06-02 09:07:23 +00:00
Mikaela (Migrated from github.com) commented 2019-06-02 09:07:23 +00:00

Correct, OpenPGP is written with capital O judging by https://www.openpgp.org/

Spydar007 (Migrated from github.com) reviewed 2019-06-02 10:19:08 +00:00
Spydar007 (Migrated from github.com) commented 2019-06-02 10:19:08 +00:00

Hello. ChatSecure does indeed have issues with notifications: they are not reliable and seem to only come through sporadically or when the app is opened. However, I have also had issues with Monal being able to upload images (and I believe this is a bug in the way it requests access to Photos on iOS), and ChatSecure is also unable to deal with images correctly.

I should mention that I run the betas of both these apps but I don't think these particular issues are specific to the betas, and these issues could also be an issue with my own server installation.

I'm not aware of any "compatibility issues when you want Monal + OMEMO + ability to talk with people on non-Monal platforms".

I think you are probably best to link both ChatSecure and Monal because they are both viable options for iOS users and are both actively developed.

five-c-d (Migrated from github.com) reviewed 2019-06-02 13:46:27 +00:00
five-c-d (Migrated from github.com) commented 2019-06-02 13:46:27 +00:00

Ah, sorry I was misremembering. Monal is the one which has full OMEMO support, there are still some things missing in ChatSecure (and Zom-derived-from-ChatSecure-as-opposed-to-NewZom-derived-from-MatrixOrg). http://omemo.top/ lists Monal at 100% OMEMO support, but ChatSecure is stuck at ~75% support. (Zom is listed as "100%" but I suspect that refers only to zom4android which formerly was a soft-fork of ConversationsIM, if I understand things correctly.)

So my question is, should privacyToolsIO list Monal, instead of zom4ios and chatSecure? I don't think we want to list every XMPP client, we just want to list the ones that everyday people might actually need/want as their "best overall option" for the platform in question:

  • ConversationsIM from FDroid,
  • Monal for iOS,
  • Gajim for desktop, and maybe also
  • Converse.JS for webapp

would be my "only from reading the interwebz not from actual experience" recommendations. Dropping chatSecure because it has less-than-full-OMEMO (plus notifications-problems apparently), dropping Zom because they are switching to Matrix-architecture, dropping ConversationsLegacy because (why is it on there still? honest question), dropping ConversationsPlayStore because why encourage paying when we can encourage FDroid, and only mentioning four XMPP apps because four is a lot of things to need to mention! :-)

Mikaela (Migrated from github.com) reviewed 2019-06-02 13:50:35 +00:00
Mikaela (Migrated from github.com) commented 2019-06-02 13:50:35 +00:00

My list of mostly personal experience is from https://github.com/privacytoolsIO/privacytools.io/issues/60#issuecomment-471736220 and I hear Dino recommended for beginners more often than Gajim even if Gajim is my personal choice.

Worth mentioning: Disroot has usage instructions for multiple XMPP clients mostly including screenshots.

  • https://howto.disroot.org/en/communication/chat

five-c-d (Migrated from github.com) reviewed 2019-06-02 14:25:53 +00:00
five-c-d (Migrated from github.com) commented 2019-06-02 14:25:18 +00:00

Dino is Linux-only, and not 100% OMEMO though, right? Whereas Gajim is cross-platform and 100% OMEMO, so to me the only one WorthMentioning here on privacyToolsIO is Gajim, because it is the more privacy-respecting and more cross-platform choice.

The disroot helpdoc is about chatting and not about privacy: "SASL and TLS has been built into the XMPP core and E2E encryption can be implemented". I think that privacyToolsIO should only recommend IM clients that actually implement end2end crypto, preferably on-by-default. People that are the readership of privacyToolsIO will want

  1. chat-clients that give them solid privacy and

  2. something that runs on their existing platform AND the existing platforms of all their contacts.

With care, XMPP gives a reasonable amount of privacy, if you run your own ejabberd/prosody to shield metadata, and if you pick clients with full OMEMO support, and if you configure everything such that OMEMO is always used correctly (with somewhat-well-vetted crypto implementations).

The vast majority of XMPP clients are legacy options which don't fully support end2end crypto, or unfinished projects that have yet to fully implement OMEMO, and those are ones we should not be listing at all. That's my strong opinion anyways :-)

privacytoolsIO commented 2019-06-02 23:24:45 +00:00 (Migrated from github.com)

Thanks for your work on this. I'm willing to add the suggested new messengers and adapt to the new sections, but this code can't be published currently. Our descriptions aim to be brief, and we use icons to show if it's open source or what platforms are supported. Your long descriptions don't match with the rest of the website.

Mikaela (Migrated from github.com) reviewed 2019-06-03 09:01:33 +00:00
Mikaela (Migrated from github.com) commented 2019-06-03 09:01:33 +00:00

> Dino is Linux-only, and not 100% OMEMO though, right?

https://omemo.top/ links to https://github.com/dino/dino/issues/36 which is closed and I don't know what they would be missing. They are Linux-only though.

five-c-d (Migrated from github.com) reviewed 2019-06-03 16:36:27 +00:00
five-c-d (Migrated from github.com) commented 2019-06-03 16:36:26 +00:00

Replied over at #967 with links/etc, but can report from personal anecdata, it works just fine :-) Definitely does require *some* kind of master-device-running-android though, or an unofficial workaround like github.com/AsamK/signal-cli or android-in-a-VM if you want to PURELY operate from a laptop, not just 99% from the laptop
Perelandra0x309 (Migrated from github.com) reviewed 2019-06-05 23:39:53 +00:00
Perelandra0x309 (Migrated from github.com) left a comment

@BurungHantu1605 this reply didn't show up below your post:

> Thanks for your work on this. I'm willing to add the suggested new messengers and adapt to the new sections, but this code can't be published currently. Our descriptions aim to be brief, and we use icons to show if it's open source or what platforms are supported. Your long descriptions don't match with the rest of the website.

Do you mean this part?
`Open Source: Yes Cross Platform: 5 Platforms Ease of Use: Easy Privacy Respecting: Yes (but does require a phone number) Prevents Mass Surveillance: Yes for Signal messages, No for regular SMS messages`

Since it seems Open source is pretty much across the board, and the platforms are shown by icons, what if we just use the last 3?
Perelandra0x309 (Migrated from github.com) commented 2019-05-30 22:52:22 +00:00

Cards have been grouped into sections: "Mobile Devices", "Mobile and Desktop" and "Desktop". Some people just need messenger apps to be on their phones, others need them on both a mobile device and their desktop, so I think it is good to make some distinction between those that have the capability to be on both. Signal is under the "Mobile Devices" section so having the "Mobile:" in front of the name is redundant.

Perelandra0x309 (Migrated from github.com) commented 2019-05-30 22:57:39 +00:00

Yes, it does only link to your Android/iOS mobile device from the desktop clients (Mac, Windows and Linux). Those 5 platforms were already listed on the original version of the page so I just followed what was already there. So the desktops are a bit of a grey area: not full clients, but they do allow the use of Signal on a desktop. So do clients that require or link to another platform count as a platform?
Perelandra0x309 (Migrated from github.com) commented 2019-06-01 03:28:17 +00:00

Since you can't have an official standalone desktop install I would not count that as a platform. I don't use Signal much even though I have it installed since I don't like giving out my number and I haven't used the desktop client.

Perelandra0x309 (Migrated from github.com) commented 2019-06-05 21:36:41 +00:00

Please see https://threema.ch/en/blog/posts/audit19en for audit information.

There is also https://threema.ch/validation/ which provides instructions on how to compile a suite of applications that will let you decrypt a Threema data backup (using the password that you encrypted the backup with when creating it) to extract the encrypted messages and your private Threema key. Then with the NaCl library installed on your system (which is what Threema uses) you can use your private key to decrypt ciphertext from your backup.
I have not seen any other non-open source application provide this amount of resources to examine what the application is doing and how it encrypts messages.

Another meaning of "always encrypted" that I mean is that there is no option in the application to choose to send an unencrypted message, so there is no chance of sending a message in clear text by accident. That is not the case with the other apps.
Perelandra0x309 (Migrated from github.com) commented 2019-06-05 21:39:48 +00:00

If we only have 3 apps as we are seeming to be leaning towards then these categories probably aren't necessary.

@ -118,0 +24,4 @@
{% include cardv2.html
title="Riot.im"
image="/assets/img/tools/riot.png"
description="Riot.im is a decentralized free-software chatting application based on the <a href\"https://matrix.org/\">Matrix</a> protocol, a recent open protocol for real-time communication offering E2E encryption. It can bridge other communications via others protocols such as IRC too. <span class=\"badge badge-warning\" data-toggle=\"tooltip\" title=\"The software is currently in beta and the mobile client states 'End-to-end encryption is in beta and may not be reliable. You should not yet trust it to secure data.'\">beta <i class=\"far fa-question-circle\"></i></span>"
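Review bot: the anchor in the description is missing the `=` between `href` and its value (`<a href\"https://matrix.org/\">`), so the rendered "Matrix" link has no href attribute and is not clickable; it should read `<a href=\"https://matrix.org/\">`. On the same line, "via others protocols" should be "via other protocols". The beta badge's tooltip quotes the mobile client's own warning, which is a good way to justify the badge, but that quote will go stale silently once the client text changes, so it would help to reference where it comes from.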
Perelandra0x309 (Migrated from github.com) commented 2019-05-30 23:02:42 +00:00

On the contribution guidelines "Ease of Use" is listed as being most important, and Open Source is # 4 on the list and is "preferred but not required". Threema is partially open source.

Perelandra0x309 (Migrated from github.com) commented 2019-05-30 23:04:22 +00:00

Oh, yup.

Perelandra0x309 (Migrated from github.com) commented 2019-05-30 23:08:11 +00:00

The encryption libraries are still considered to be in beta:
https://matrix.org/blog/index

> Matrix provides state of the art end-to-end encryption in beta using the Olm and Megolm cryptographic ratchets, and ensuring that only explicitly authorized devices can participate in a conversation.
Perelandra0x309 (Migrated from github.com) commented 2019-06-01 03:35:24 +00:00

If you get the app through the Play or Apple Store then those companies process your payment, not Threema. Threema just knows that you paid somehow and you have a valid registration from Google/Apple. You can also purchase it direct on their website with Bitcoin or PayPal. You can also get a registration code as a gift, you don't have to prove you paid for the license you have by verifying an email or anything.

Perelandra0x309 (Migrated from github.com) commented 2019-06-01 03:38:31 +00:00

They are also still working on the whole device verification system, which is a mess in groups, so it is still a work in progress. I would say Riot is only for advanced users, those willing to do strict key management, or lower their security by just blindly verifying every device.

@ -119,0 +66,4 @@
<li><a href="https://get.wire.com/">Wire</a> <span class="badge badge-warning" data-toggle="tooltip" title="Wire stores metadata such as list of your connections/conversations in plaintext (= not encrypted).">experimental <i class="far fa-question-circle"></i> (<a href="https://www.vice.com/en_us/article/gvzw5x/secure-messaging-app-wire-stores-everyone-youve-ever-contacted-in-plain-text">more info</a>)</span> - A free software End-to-End Encrypted chatting application that supports instant messaging, voice, and video calls.</li>
<li><a href="https://status.im/">Status</a> - <span class="badge badge-warning">Experimental</span> A free and open-source, peer-to-peer, encrypted instant messanger with support for DAPPs. </li>
<li><a href="https://en.wikipedia.org/wiki/Off-the-Record_Messaging#Client_support">List of OTR Clients - Wikipedia</a></li>
</ul>
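Review bot: the Status entry has a spelling error ("messanger" should be "messenger") and, unlike the Wire entry directly above it, its `badge-warning` span carries no `data-toggle="tooltip"` and no `title` saying why the client is marked experimental, so the reader sees a warning badge with no stated reason; either add a title with the concern, as the Wire entry does, or drop the badge. The two badges also differ in capitalisation ("experimental" vs "Experimental"), and there is a stray space before `</li>` in the Status line.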
Perelandra0x309 (Migrated from github.com) commented 2019-05-30 23:14:09 +00:00

What do you mean by hidden key verification?

Usually I get the number of platforms from the available downloads and 1 more if they have a web interface.
https://wire.com/en/download/

Perelandra0x309 (Migrated from github.com) commented 2019-05-30 23:56:42 +00:00
Partial open source - https://github.com/WickrInc/wickr-crypto-c
Perelandra0x309 (Migrated from github.com) commented 2019-05-31 00:05:38 +00:00

It could be, iOS isn't my primary system. I installed Monal on a test device and logged into one xmpp account, then sent a message to that account from another account but I didn't receive it in Monal but did get it in Conversations on a 3rd device.

Perelandra0x309 (Migrated from github.com) commented 2019-05-31 00:07:03 +00:00

OK, that link was on the original page.

Perelandra0x309 (Migrated from github.com) commented 2019-06-05 21:52:00 +00:00

I tried Monal again and got it working to message my other accounts on Conversations.

Mikaela (Migrated from github.com) reviewed 2019-06-06 11:55:36 +00:00
@ -118,0 +24,4 @@
{% include cardv2.html
title="Riot.im"
image="/assets/img/tools/riot.png"
description="Riot.im is a decentralized free-software chatting application based on the <a href\"https://matrix.org/\">Matrix</a> protocol, a recent open protocol for real-time communication offering E2E encryption. It can bridge other communications via others protocols such as IRC too. <span class=\"badge badge-warning\" data-toggle=\"tooltip\" title=\"The software is currently in beta and the mobile client states 'End-to-end encryption is in beta and may not be reliable. You should not yet trust it to secure data.'\">beta <i class=\"far fa-question-circle\"></i></span>"
Mikaela (Migrated from github.com) commented 2019-06-06 11:51:52 +00:00

https://github.com/vector-im/riot-web/issues/6779 could be a better link for it.

@ -119,0 +66,4 @@
<li><a href="https://get.wire.com/">Wire</a> <span class="badge badge-warning" data-toggle="tooltip" title="Wire stores metadata such as list of your connections/conversations in plaintext (= not encrypted).">experimental <i class="far fa-question-circle"></i> (<a href="https://www.vice.com/en_us/article/gvzw5x/secure-messaging-app-wire-stores-everyone-youve-ever-contacted-in-plain-text">more info</a>)</span> - A free software End-to-End Encrypted chatting application that supports instant messaging, voice, and video calls.</li>
<li><a href="https://status.im/">Status</a> - <span class="badge badge-warning">Experimental</span> A free and open-source, peer-to-peer, encrypted instant messanger with support for DAPPs. </li>
<li><a href="https://en.wikipedia.org/wiki/Off-the-Record_Messaging#Client_support">List of OTR Clients - Wikipedia</a></li>
</ul>
Mikaela (Migrated from github.com) commented 2019-06-06 11:53:40 +00:00

I have a contact who found it difficult to find where to verify devices of a contact, but now that I am looking at it, there is an arrow next to the contact name on the menu where it works, so I am not sure it applies.

Mikaela (Migrated from github.com) commented 2019-06-06 11:55:01 +00:00

Ok, this is probably the third time I read my previous two comments so now it's on my actual todo list, I probably won't remember it otherwise.

ghbjklhv (Migrated from github.com) requested changes 2019-06-08 04:17:51 +00:00
ghbjklhv (Migrated from github.com) left a comment

I am personally against recommending any proprietary software.

Services should be transparent and proprietary services are inherently a [black box](https://www.wikipedia.org/wiki/Black_box).
Promoting decentralized and transparent services over non-free ones can be vital.

**More info:**
https://www.fsf.org/campaigns/priority-projects/voicevideochat
https://www.fsf.org/campaigns/priority-projects/decentralization-federation
ghbjklhv (Migrated from github.com) reviewed 2019-06-08 04:22:51 +00:00
@ -118,0 +24,4 @@
{% include cardv2.html
title="Riot.im"
image="/assets/img/tools/riot.png"
description="Riot.im is a decentralized free-software chatting application based on the <a href\"https://matrix.org/\">Matrix</a> protocol, a recent open protocol for real-time communication offering E2E encryption. It can bridge other communications via others protocols such as IRC too. <span class=\"badge badge-warning\" data-toggle=\"tooltip\" title=\"The software is currently in beta and the mobile client states 'End-to-end encryption is in beta and may not be reliable. You should not yet trust it to secure data.'\">beta <i class=\"far fa-question-circle\"></i></span>"
ghbjklhv (Migrated from github.com) commented 2019-06-08 04:22:51 +00:00

@Perelandra0x309 Privacytools.io is tasked with listing the best in privacy, not all.
[Software freedom](https://www.wikipedia.org/wiki/Free_software_movement) can be just as important as ease of use.
ghbjklhv (Migrated from github.com) reviewed 2019-06-08 04:27:58 +00:00
@ -118,0 +24,4 @@
{% include cardv2.html
title="Riot.im"
image="/assets/img/tools/riot.png"
description="Riot.im is a decentralized free-software chatting application based on the <a href\"https://matrix.org/\">Matrix</a> protocol, a recent open protocol for real-time communication offering E2E encryption. It can bridge other communications via others protocols such as IRC too. <span class=\"badge badge-warning\" data-toggle=\"tooltip\" title=\"The software is currently in beta and the mobile client states 'End-to-end encryption is in beta and may not be reliable. You should not yet trust it to secure data.'\">beta <i class=\"far fa-question-circle\"></i></span>"
ghbjklhv (Migrated from github.com) commented 2019-06-08 04:27:58 +00:00

> If you get the app through the Play or Apple Store then those companies process your payment, not Threema. Threema just knows that you paid somehow and you have a valid registration from Google/Apple. You can also purchase it direct on their website with Bitcoin or PayPal. You can also get a registration code as a gift, you don't have to prove you paid for the license you have by verifying an email or anything.

Unless they have solved the decades-long issue of taking payments and staying private, then it is still a privacy violation.

IMHO, Apple and Google Play violate privacy and freedom, therefore paying through them may be worse.

Donation-only services respect privacy and in many cases allow you to create burner accounts, which can protect your privacy further. :)

Other services implement pay-what-you-want and just use the [honor system](https://www.wikipedia.org/wiki/Honor_system) for verifying you actually paid when connecting. Payment is not linked to account in any way.
Perelandra0x309 (Migrated from github.com) reviewed 2019-06-08 14:13:33 +00:00
@ -118,0 +24,4 @@
{% include cardv2.html
title="Riot.im"
image="/assets/img/tools/riot.png"
description="Riot.im is a decentralized free-software chatting application based on the <a href\"https://matrix.org/\">Matrix</a> protocol, a recent open protocol for real-time communication offering E2E encryption. It can bridge other communications via others protocols such as IRC too. <span class=\"badge badge-warning\" data-toggle=\"tooltip\" title=\"The software is currently in beta and the mobile client states 'End-to-end encryption is in beta and may not be reliable. You should not yet trust it to secure data.'\">beta <i class=\"far fa-question-circle\"></i></span>"
Perelandra0x309 (Migrated from github.com) commented 2019-06-08 14:13:32 +00:00

> Software freedom can be just as important as ease of use.

Yes it can be, but that is not the philosophy of this website. https://github.com/privacytoolsIO/privacytools.io/blob/master/.github/CONTRIBUTING.md states:

> Software Criteria
> Easy to use. Could your mother use that tool or service? Usability is most important.

I'm just asking if being not open source is a disqualification, which it does not seem to be. Again quoting:

> Open Source / free software is preferred but not required.

> Donation-only services respect privacy and in many cases allow you to create burner accounts. Which can protect your privacy further. :)
> Other services implement pay-what-you-want and just use the honor system for verifying you actually paid when connecting. Payment is not linked to account in any way.

What you are talking about is being anonymous. That is different than privacy. This site is focused on protecting what you do or say (privacy), not who you are (anonymity). So discussions about whether a certain service knows that you specifically paid for their product aren't really relevant to the philosophy of this site as I understand it. If that is not the case then the criteria as stated need updating.

However this thread is getting away from the original comment about Threema not being open source. I can understand not wanting to include it as a card; as I have written before, it is not something others want, so I am willing to remove Threema as a card.
Reference: privacyguides/privacytools.io#951