psynusoidal
soatok crushed that blog. That was a great read, thanks for posting.
Signal vs Threema as a Secure Messaging App
[deleted] You can buy the Threema app from their own store and bypass Google completely. Threema also offers its own push service, so you don't need Google services.
For me, Threema is the only messenger with a transparent financing model. One-time payment from private customers and corporate subscriptions.
App developers also have to earn their bread and butter, and the server infrastructure also costs money. If you don't pay with money, you usually pay with something else (e.g., data).
Blastoidea Yeah, I went through this as well. My rule was that I was not giving any personal information (ie phone number) to the app. I narrowed it down to Session and Matrix.
It seems there is no perfect app but Session seems to work the best for me and my family. There were some issues with prior versions where notifications weren't sent, etc but that seems to be fixed.
And yes, convincing people to switch is hard. So I took the stubborn approach: use Session or don't bother messaging me. I had one hold out friend who tried to convince me to use WhatsApp, she just calls me now. :)
I think if you consider all the trade-offs between security, privacy and usability (which goes hand in hand with a decent number of users), these two messengers are the only choice. For Signal I have got a significantly larger user base which is probably due to the fact that it is for free and people get more pleasant features they like from WA (e.g. stories). Threema is a bit more sober. However, I like the polls there a lot. BTW: With Threema you can decide for every single contact if this contact recieves a "read receipt" or "typing indicator". And you still can see those receipts yourself if your contact allows you to see them. Even if you don't allow that contact to see receipts for the messages he sent to you. You can also tell Threema to search your own contact list for contacts who have Threema without the necessity to share your own phone number. So you can find Threema users from your contacts without telling them that you use Threema (unless you text them via Threema of course).
My family and I switched to Session on the first of the year.
It works fine for us.
i never see element mentioned in these discussions. is it not up to par with the rest? always seemed like a good option.
- Edited
Matrix is more like federated IRC with optional end-to-end encryption. It doesn't have the same privacy/security focus as Signal, but it does allow you to host your own server on your own hardware/infrastructure which you could run behind a private VPN if you wanted. IMO the reference Matrix server implementation, Synapse, seems pretty janky but it fills the niche for people who are into the whole "fediverse" thing and want an IRC/Discord alternative.
[deleted]
The best option is not to rely on centralized solutions. Keep in mind that Signal has not update server code for months without explanation. BTW, you have no idea what it is implemented on server side.
You can consider using your own XMPP server in i2p or Tor network. It's easy and cheap. If someone has money for Pixel they should have 'pennies' for Pine board or RPI or something similar.
https://discuss.grapheneos.org/d/2216-grapheneos-without-sim-signal-alternative/25
[deleted]
treequell
From the operational point of view metadata is more important than content of your messages. The social graph has a big value.
If you know social graph you can use other operational tools to obtain information you want to get.
Former head of the National Security Agency Gen. Michael Hayden: "We Kill People Based on Metadata"
- Edited
Use Session for a TOR type network.
My current path is Origin>VPN (Netherlands)>Germany>Greece>UnitedStates>Destination.
Path changes as nodes drop out and are replaced.
[deleted]
[deleted] Every year you can win free Threema shop licenses by solving their easter egg challenge. You get three free licenses which are then delivered via a Threema private message, but you can use those free licenses to create a new profile that is not affiliated to your payment info.
[deleted]
Threema has a lot of issues, you should give this article a read.
Session shouldn't be used nor recommended. It is a very broken and poorly maintained app an thus it's insecure. You'll accomplish the opposite of what you want by using session. They're also misguiding users into a false sense of security and privacy.
While Threema and Signal have their issues, they're still the best secure messaging options out there. Especially with the upcoming Signal feature to remove the tel nr requirement.
[deleted]
- Edited
herbaert While Threema and Signal have their issues, they're still the best secure messaging options out there.
I don't think Threema can be recommended when it intentionally doesn't have Forward secrecy (unless manually enabled for an contact) and has many amateur cryptographic mistakes.
[deleted] This is no longer true: https://threema.ch/en/blog/posts/ibex
PintOfGuinness As far as messaging is concerned, Olvid is the best in security. Then signal. Its two messaging systems feature post-quantum encryption, have been audited and are widely validated.
A special mention goes to olvid, which contains fewer attack surfaces, as there is no telephone number library.
https://github.com/signalapp/Signal-Android
https://github.com/olvid-io/olvid-android
[deleted]
Themble The other issues mentioned in the article (Weak KDF, Unauthenticated CBC mode, Cache-timing attacks, etc.) still apply.