How does SimpleX compare to Signal?

[deleted]

For my use case, it's either SimpleX or Signal. I'm curious, in terms of privacy/security, how good is SimpleX? Signal is recommended everywhere and seems like the gold standard, how does SimpleX stack up. Can it be trusted?

N1b

[deleted] there is a good and up to date messenger comparison table by German pen tester Mike Kuketz. The table is available in English and he has a German blog about it that goes into more details, see here.

Once you selected whatever messengers fit your threat model, the tricky part is to find the one which all your peers are using or willing to use. That's where most people recommend Signal, since it's an easy and convenient user experience and among the secure and private messengers it has the largest adoption (partly because of the number requirement). Choice is up to you and your peers of course, a messenger is only valuable if you agree to use it.

Blastoidea

Why not just use Signal, since it “seems like the gold standard”?

I’ve been using it for years, with no complaints.

boldsuck

Blastoidea Why not just use Signal, since it “seems like the gold standard”?

Because there are a lot of SimpleX groups concerning Monero-, Bitcoin-trading, Haveno-reto, privacy & security.
A messenger without user IDs and you can have multiple user profiles in one app. You can host your own Server.
Simplex has many interesting features and will be a very useful tool for the next few years. I fear that, like Keybase, SimpleX will be sold in a few years.
I use Molly for family and friends. Simplex for groups.

beammer335d

At least when using SimpleX ,there's NO phone number required which I use for most people when I don't want to give out my number to them . Others that already have my number and are close friends we use Molly/Signal

spiral

beammer335d

Signal recently added usernames as a method of contact. Phone number is still required for registration but it's no longer required as a contact address.

DjogaRo

spiral Is this feature fully released already or still only available in Beta?

rmc

spiral Phone number is still required for registration

This is precisely the problem. It shouldn't require a phone number. It should have never required a phone number in the first place.

[deleted]

N1b Nice, I'll check it out. I tried posting a link to an article that gives me pause about Signal but it got taken down. As long at SimpleX is as secure as Signal, I will probably use that. Adoption, in my case, isn't an issue

*Too bad I can't read German

[deleted]

N1b It's like 2 years old, has there been any updates? Has any of the issues been addressed?

longshots Never heard of DeepL before, cool stuff

longshots

[deleted] That's why we have DeepL
https://www.deepl.com/en/translator

Eagle_Owl

[deleted]
SimpleX is the best combination of all the good features of the best messengers of the world.
But without the disadvantages of them.
Example: Double Ratchet and Perfect Forward Secrecy like Signal.
Platform-independent backup (including design settings) since day 1.

But: not NSA-friendly weakened post-quantum secure encryption, but serious security.
Reference:
https://simplex.chat/blog/20240314-simplex-chat-v5-6-quantum-resistance-signal-double-ratchet-algorithm.html#how-secure-is-end-to-end-encryption-in-different-messengers

Dan-cer

longshots Not only best online translate website, but also a DeepL plugin is recommended, especially to have a one-click-button in forum editors.
The plugin is available for chromium-based browsers (I'm using Vivaldi!) and Firefox.

N1b

[deleted] the messenger comparison was updated last month (see top left cell). His blog is stretched over some years but I assume the facts are kept up to date, although you might want to cross check with other sources. Simplex is out of my use case (all my friends and family finally have been convinced to use Signal, they'd kill me if I started suggesting alternatives :D). So I can't help you here...

Eagle_Owl

[deleted]
The best AI-powered translator ever, but as all electronic translators – not perfect.
Much better than Google's solution. ;-)

Blastoidea

Anyone is pretty much free to post almost anything on the internet, whether or not they know what they are talking about.

There will always be articles which will “give pause” about just about everything. Most of the people who read those articles seem to find their way here.

I will say again that I, my family and (some of) my friends have used Signal for many years, with full confidence that what we say will remain between us.

Note: We also use Session.

[deleted]

Blastoidea I agree however I don't think the issue raised by said article is insignificant

DeletedUser29

DjogaRo It's been available for several months, see here for how to enable it.

[deleted]

Eagle_Owl The one knock according to that chart is that "Notification if contact's fingerprint changes" which Signal has. Plus, apparently, SimpleX hasn't had a complete code audit.

Nuttso

Eagle_Owl just FYI. This image in this post is inaccurate. Signal has fixed massage padding for years. Also attachment are padded.

Eagle_Owl

[deleted]
You are right.
A full audit is planned for this year and I am very excited to see what it will look like.

I could use my test account on an older iPhone to simulate the case that a contact changes the device (which leads to a notification from Signal due to a change of fingerprint, just like a MITM attack).
But it could be that the fingerprint doesn't change at all with SimpleX if a contact makes a backup due to a device change and then restores it on the other device?
I'm curious and have several devices to test, so I'll simulate this.
I have already checked/validated my main ID and the test ID on the second device.

[deleted]

Eagle_Owl You seem like you know what you're talking about lol. I don't 100% understand the fingerprint thing, whether is means the specific device or that specific connection? As far as the audit, glad to hear they are doing one. Do you have a source where they say it so I can check it out? Hopefully everything checks out and we hear back soon.

Eagle_Owl

[deleted]
:-)
Here is the reference, you asked for:
https://simplex.chat/blog/20240426-simplex-legally-binding-transparency-v5-7-better-user-experience.html

I recommend that anyone interested in SimpleX, or indeed anyone interested in any messenger, read their blogs regularly.
Especially in times like these, when governments in the US and Europe want to abolish end-to-end encryption. You should inform yourself more often than usual about what's going on. ;-)

Now I am ready with my “test-drive”: have migrated my test ID from an old iPhone Xs to my Pixel 7 Pro.
To be on the safe side, I backed up the database as a file on the iPhone beforehand and could have transferred it to the Pixel via Tuta.com. But as always, the migration via the Internet was completely hassle-free.

Then I have continued the chats from my test ID with the IDs/profiles on my main driver Pixel 8 Pro to see, if SimpleX warns my “contacts”/IDs by any info, that the fingerprint has changed, like every user of Signal messenger know it.

Conclusion: no warning (necessary), because the verification (QR code/fingerprint) is still the same.
Notice: Signal users are tied to their device with their account. It is only possible to switch devices on the same platform without losing data (just like with Threema, by the way).
Users of SimpleX are completely independent of the device with their database (and all profiles created in it!), provided they take the precaution of making regular backups and also securing them outside the device, which may suddenly have to be changed at some point (due to a defect, theft etc.).