  • Signal vs Threema as a Secure Messaging App

[deleted] You can buy the Threema app from their own store and bypass Google completely. Threema also offers its own push service, so you don't need Google services.

For me, Threema is the only messenger with a transparent financing model. One-time payment from private customers and corporate subscriptions.

App developers also have to earn their bread and butter, and the server infrastructure also costs money. If you don't pay with money, you usually pay with something else (e.g., data).

Blastoidea Yeah, I went through this as well. My rule was that I was not giving any personal information (i.e. phone number) to the app. I narrowed it down to Session and Matrix.

It seems there is no perfect app, but Session seems to work the best for me and my family. There were some issues with prior versions where notifications weren't sent, etc., but that seems to be fixed.

And yes, convincing people to switch is hard. So I took the stubborn approach: use Session or don't bother messaging me. I had one holdout friend who tried to convince me to use WhatsApp; she just calls me now. :)

I think if you consider all the trade-offs between security, privacy and usability (which goes hand in hand with a decent number of users), these two messengers are the only choice. For Signal I have got a significantly larger user base which is probably due to the fact that it is for free and people get more pleasant features they like from WA (e.g. stories). Threema is a bit more sober. However, I like the polls there a lot. BTW: With Threema you can decide for every single contact if this contact receives a "read receipt" or "typing indicator". And you still can see those receipts yourself if your contact allows you to see them. Even if you don't allow that contact to see receipts for the messages he sent to you. You can also tell Threema to search your own contact list for contacts who have Threema without the necessity to share your own phone number. So you can find Threema users from your contacts without telling them that you use Threema (unless you text them via Threema of course).

My family and I switched to Session on the first of the year.

It works fine for us.

I never see Element mentioned in these discussions. Is it not up to par with the rest? Always seemed like a good option.

    itsjpb From what I've heard, the issue with Matrix (the protocol Element uses) is metadata.

    Matrix is more like federated IRC with optional end-to-end encryption. It doesn't have the same privacy/security focus as Signal, but it does allow you to host your own server on your own hardware/infrastructure which you could run behind a private VPN if you wanted. IMO the reference Matrix server implementation, Synapse, seems pretty janky but it fills the niche for people who are into the whole "fediverse" thing and want an IRC/Discord alternative.

    Max-Zorin To me it comes down to how many of your contacts are actually willing to use the messaging app. The unwillingness of many people to "install another messenger" on their phones seems to be one of the strongest forces in nature.

    This.

    • [deleted]

    The best option is not to rely on centralized solutions. Keep in mind that Signal has not updated server code for months without explanation. BTW, you have no idea what is implemented on the server side.

    You can consider using your own XMPP server in the I2P or Tor network. It's easy and cheap. If someone has money for a Pixel they should have 'pennies' for a Pine board or RPi or something similar.

    https://discuss.grapheneos.org/d/2216-grapheneos-without-sim-signal-alternative/25

      [deleted] Excuse me for my ignorance, but isn't that part of the point of end-to-end encryption? That trust in the server is not required. And from what I understand Signal implements E2EE better than most. Or am I missing something?

        • [deleted]

        treequell
        From the operational point of view, metadata is more important than the content of your messages. The social graph has a big value.
        If you know the social graph you can use other operational tools to obtain the information you want to get.

        Former head of the National Security Agency Gen. Michael Hayden: "We Kill People Based on Metadata"

        Use Session for a TOR type network.

        My current path is Origin>VPN (Netherlands)>Germany>Greece>UnitedStates>Destination.

        Path changes as nodes drop out and are replaced.

        • [deleted]

        [deleted] Every year you can win free Threema shop licenses by solving their easter egg challenge. You get three free licenses which are then delivered via a Threema private message, but you can use those free licenses to create a new profile that is not affiliated to your payment info.

        10 months later
        • [deleted]

        Threema has a lot of issues, you should give this article a read.

        Session shouldn't be used nor recommended. It is a very broken and poorly maintained app and thus it's insecure. You'll accomplish the opposite of what you want by using Session. They're also misguiding users into a false sense of security and privacy.

        While Threema and Signal have their issues, they're still the best secure messaging options out there. Especially with the upcoming Signal feature to remove the tel nr requirement.

          • [deleted]

          herbaert While Threema and Signal have their issues, they're still the best secure messaging options out there.

          I don't think Threema can be recommended when it intentionally doesn't have forward secrecy (unless manually enabled for a contact) and has many amateur cryptographic mistakes.

            • [deleted]

            Themble The other issues mentioned in the article (Weak KDF, Unauthenticated CBC mode, Cache-timing attacks, etc.) still apply.