 The problem is not the content of the message that is effectively encrypted, the problem is the metadata that is generated or that can be ascertained through the communication network.

For example, imagine that you live in a totalitarian regime: you are A, and if you talk to person B you are dead.

In Signal we cannot see the content of what A says to B, but if we know that A has talked with B, the server knows them, you are dead.

In P2P networks, if they do not use some kind of Tor-type routing as Session does, we can find out whether A talks to B, as would be the case with Keet. Although you cannot know the content of the messages because they are encrypted, if you can know that they have spoken to each other, you're dead.

With SimpleX you cannot know that A has spoken to B, simply because there is no such persistent identity, and also the sending of messages rotates between different servers. Add also that there is now routing of messages, so it is impossible to know where the message comes from. Therefore you can neither know the content of messages nor know that A has spoken to B.
 Thanks for the explanation. 
 SimpleX Chat don't know how many servers they have!

Then they also don't know who is behind some servers!

This provides a large attack surface for collecting metadata. The big tech companies only need the IP address and they know which user it is.

How do they do that?
85% of all smartphones use Google's Android and this sends encrypted data packets to Google every day. This means that Google knows the IP address of every user.

Amazon (online shopping monopolist in Western countries) knows the names & addresses of users (if an order was recently placed with the IP).

Microsoft (operating system monopolist worldwide) knows the IP of the home computer and Internet router.

This is the reason why it is insanely dangerous to get involved with money from big tech companies.

They don't put their money into SimpleX because the logo looks so great, but because they want a “foot in the door” and data.

PS: The same goes for Signal, they also run all their traffic through Google, Amazon, Microsoft & Cloudflare.

What does Threema's server do?

It only stores messages until they have been successfully delivered to the recipient and then deletes them again. The message is then overwritten by new messages on the server disk. This means that the deleted message cannot be recovered.

This seems to me to be a much safer way than using a service like SimpleX, where the operators don't even know who is behind their server.