Oddbean

2. Company jurisdiction: UK We disagree that there are any jurisdictions that are particularly good for privacy. Also, this might important for centralised services, like Threema, where the users can't host servers, and much less important for decentralized network, such as SimpleX, where there are hundreds (if not thousands) of servers that we don't control.

3. Cryptographic primitives. Curve25519 / XSalsa20 256 / Poly1305 (downgraded for the absence of PQ encryption). We added PQ encryption in March this year: https://simplex.chat/blog/20240314-simplex-chat-v5-6-quantum-resistance-signal-double-ratchet-algorithm.html This is done in the same way as Apple describes as PQ3 here: https://security.apple.com/blog/imessage-pq3/ it provides stronger protection than Signal design where PQ encryption only applies to the initial key exchange.

4. Directory service could be modified to enable a MITM attack? Yes This is incorrect, as there is no user directory service at all (and no knowledge of even the number of users), and MITM by servers is not possible by design, even without optional security code verification (that exists to mitigate MITM by the channel you used to pass one-time invitation link, e.g. email).

5. Does the company log timestamps/IP addresses? Yes This is incorrect, we never logged IP addresses and access timestamps of the users. Further, the private message routing that is now enabled by default for all users prevents such logging by any 3rd party servers with modified code: https://simplex.chat/blog/20240604-simplex-chat-v5.8-private-message-routing-chat-themes.html

This is a good point, however we are also aware the UK may leverage the fact you are doxxed to force you into compliance with their dissinformation legislation . youay wish, for your own safety, to leave and relocate now.

It's worth noting though, exactly the same considerations will apply to #Element and the decentralised #Matrix network seems to protect them from it. Of course Matrix has some big out of town backers like #Mozilla on their side at chat.mozilla.org but I see no reason Simplex could reach out in the same way. In fact it's a really good idea. One of the reasons organisations can't block Element is because they can't block Mozilla. That alliance has made them almost censorship proof. #chat #securechat #dex

Step 1. Jurisdiction passes law restricting encrypted secure social platforms, requiring back doors, etc. Legislation has criminal penalties for non compliance. Step 2. Jurisdiction will take 1-2 years to "police the perimeter" and identify entities within scope of the legislation. Step 3. Ban-Hammer nails down non compliant platforms, enforcement phase. Usually 3-4 years after passing of legislation. We are (in UK, Canada, aus, EU, ) currently in step 2. Mozilla and all other entities may bring enforcement matters to court however once a law is passed it's really hard to argue against it. Judges enforce the laws and interpret them. I wouldn't assume mozzila backing protects from 1984 government. Problem is most of those entities are doxxed and thus have balls to grab. Government will grab them and squeeze. solution : don't be doxxed. dont use legal entities like foundations or not for profits for your projects. Do them a-la-satoshi and give a finger to the central state

Interesting you say that. No one seems to know who wrote #retroshare which seems to worry some people, but you may be right. Some think the developer of #muwire -the #i2p based client - abandoned the project rather than kowtow to #Govt

I was not aware of either of those projects. Thank you. The way to dev is to dev without a governable structure (no company, foundation, not for profit, etc) and anonymously. Strange to think simple messenger apps may be targets for gov intervention .

It's worth noting, there are completely censorship resistant communication systems, but they're more effort. If I send you the public key by email and then send the private key as a QR code later, no one else even knows the server exists. https://image.nostr.build/51cea1ed61b5f2cbd775cc6bc4d9fb4b2fce03db8e34b9c42428027009380c2c.png

UK = https://en.wikipedia.org/wiki/Online_Safety_Act_2023 There are NO "Free Messengers" in this World! You are spreading missinformation: 1. ) Threema can be hosted on your own servers -see: https://threema.ch/en/onprem 2.) You don't know how many servers you have? Then you also don't know who is behind some servers! This provides a large attack surface for collecting metadata. The big tech companies only need the IP address and they know which user it is. How do they do that? 85% of all smartphones use Google's Android and this sends encrypted data packets to Google every day. This means that Google knows the IP address of every user. Amazon (online shopping monopolist in Western countries) knows the names & addresses of users (if an order was recently placed with the IP) Microsoft (operating system monopolist worldwide) knows the IP of the home computer and Internet router. This is the reason why it is insanely dangerous to get involved with money from big tech companies. They don't put their money into SimpleX because the logo looks so great, but because they want a “foot in the door” and data. PS: The same goes for Signal, they also run all their traffic through Google, Amazon, Microsoft & Cloudflare. What does Threema's server do? It only stores messages until they have been successfully delivered to the recipient and then deletes them again. The message is then overwritten by new messages on the server disk. This means that the deleted message cannot be recovered. This seems to me to be a much safer way than using a service like SimpleX, where the operators don't even know who is behind their server.