I am a firm believer that there are many privacy techniques you should focus on before encrypted messaging because they will offer you much more “bang for your buck,” things like good passwords, two-factor authentication, and even encrypted email. That said, I still believe that encrypted messaging is a critical part of a well-rounded privacy and security strategy. While the vast majority of our day-to-day conversations may be benign, it can still offer a lot of insight into who we are as people – our routines, likes, and personal thoughts. This information – mundane or not – is worth protecting.
You must log in or # to comment.
TLDR: Avoid Telegram and WhatsApp. Recommended messengers are Session, Signal, SimpleX and Threema. Honorable mention: Briar.
Session should probably be avoided as well, primarily because they’ve disabled things like perfect forward secrecy and a few other security measures that probably should not have been disabled.
Session is dead lmfao
OK, WhatsApp is owned by Meta and it is proprietary, but why not Telegram?
deleted by creator
Doesn’t Signal also require a phone number?
Yes, and that’s a mark against Signal.
Not anymore if I understand everything correctly
As a long time user of Session, it is hard to believe someone would describe it as “user-friendly”.
As always, the problem isnt using a new service or super secure app, the problem is making everyone else I talk to use said app, not happening anytime soon sadly.
I like Signal, but I really miss multi device support. Same issue with Threema.
deleted by creator
Another basic thing – If your messenger is throwing your messages in a notification; it’s being logged. Google was found to be logging almost all notification content. Make sure your message app isn’t putting the content of messages into notifications.
If the app implements their own notification system and doesn’t rely on GCM then Google isn’t able to log them as far as I know.
Sure – but how many of them actually do?
deleted by creator
Element X (Matrix client). Basically anything that offers F-Droid or open source release will have builds without built-in notifications. Play Store/App Store builds requires using native notification systems.
You can also just use a degoogled os which won’t be logging your notification content. But in any case you shouldn’t have notifications as notifications are exclusive with at-rest encryption (or I guess you could have at-rest encryption but just have the db constantly decrypted whenever your phone is on? Seems to defeat the point then)
Which DeGoogled OS do you know of that uses their own notification backend?
deleted by creator
What I like about Matrix so much is that it can be run fully on your own infrastructure, even the TURN server for VOIP, and you can build the clients from source yourself too.
But I agree that it’s quite difficult to use. And until now only my dad and my spouse use it with me because they love me and trust me. But they both always have problems with their clients. It randomly logs out and then they have to login with the password and with the encryption key again. For a long time calling didn’t work because I misconfigured the server. Then videos were for the longest time uploaded in full size and anything longer than a few seconds would be rejected. The whole spaces thing is implemented very weirdly so it confuses them. And then the threads are even worse so we can’t use them because nobody gets how to do it.
XMPP, for example, does not enable end-to-end encryption by default
Why always these false myths? The most popular XMPP mobile clients do enable it by default.
It was a conscious decision for them not to enforce E2EE by default. https://web.archive.org/web/20211215132539/https://infosec-handbook.eu/articles/xmpp-aitm/
XMPP clients have like 10 different implementations because of that and are not always consistent with each other or even function universally across platforms.
But I’m not an author. That would be @nateb@mastodon.thenewoil.org.
The article you linked is a highly misleading nothing burger. And enforcing e2ee at protocol level is a bad idea for many reasons.
