@rysiek In my view Signal using Electron is an indicator of their level of commitment to security on the desktop.

@bob "hey we need something to base our super secure IM app on; I know, let's use this thing that tracks Chromium but is always a version or two behind, so vulnerabilities fixed in Chromium are already public even though we had no time to release a version that contains the fixes".


@rysiek @bob
What do you need?
The email protocol is not very famous for security, but "everyone" uses it.
F-Droid has two clients which organise email conversations as chats!
So an almost universal chat app!

They do provide security built in, I presume
(But I guess they cannot hide the metadata).

You might miss video/audio chat.
I haven't tried them.

@neb @bob I need a secure IM tool that is not e-mail.

I already have encrypted e-mail. This is not what I am asking for here.

@rysiek @neb

If you want the top level security then use an XMPP server running on an onion address with the Conversations app and Orbot. You can also set the app and server to only accept encrypted chat.

There are other possibilities. qTox proxied through Tor on the desktop is not quite as technically secure as the double ratchet but is still quite practical.

@bob @neb I need something that works for regular people. I tried deploying *Tox to people, it did not work very well. Signal so far is the only solution that has a sane combination of security and usability, but I'd like something less... moxified. ;)

@rysiek @neb There's also Ricochet, but I've never used it so don't know if it's suitable for regular people.
@bob @rysiek @neb

Nope, it's not. The UI has some bugs, both sides need to be online to exchange messages, there's no queueing when you close the application, etc.

The concept is cool, it needs work though.
@ckeen @rysiek @neb Another possibility is RocketChat or Wire. Both have centralized servers though and so are only really suited for small groups or business intranets.
@bob @rysiek @neb

I haven't tried Ring yet, seems like a more polished Tox...

@ckeen @bob @neb Ricochet is great for high-risk communication. It's not an option for day-to-day secure communication (no mobile client, no store-and-forward, etc).

@rysiek @neb @bob

For high risk I would use Pond instead; it distorts timing, so relating traffic is not as easy as with Ricochet.

@bob I haven't seen Matrix/Riot in the discussion. Anything wrong with them?
@neb @rysiek

@paolo @rysiek @neb If security is a significant factor I wouldn't recommend Matrix at present. It might become more viable in future, but for now Matrix is better suited for IRC style public chat.

In recent tests with Matrix there is far too much device key proliferation.

@bob @neb @paolo I remember Matrix was being retrofitted with e2e encryption. I am always a bit suspicious towards retrofitted encryption. I'd like to see some code and protocol audits. I expect downgrade attacks, at least.

@rysiek @paolo @neb The e2ee algorithms they use are probably ok, but the implementation and user experience (the parts around the encryption) are pretty bad. Only recently have they been focusing on improving the e2ee functionality.

@rysiek I set it up on matrix.opencloud.lu and tested it with a few people before opening it up. You have to pair the devices by confirming codes and it warns you if any unconfirmed device has joined the conversation. Haven't done any audit or security testing on it. By next week I should be able to open it and if you wish we can run some tests. @bob @neb

@rysiek @bob @neb Yeah, I'd like to know the answer to this too. I originally phrased the question as "what should I replace Google Hangouts with", but I think your formulation is better.

@bremner @rysiek @bob
"Something less moxified" ahaha, that one made my day
@bob @neb

