https://www.securemessagingapps.com is the great comparison of messaging apps, but there are several incorrect statements about SimpleX Chat.
Commenting in the thread below!
1. Main reasons why the app isn't recommended: Provide a transparency report
It is available online and updated at least quarterly, or if anything changes: https://simplex.chat/transparency/
2. Company jurisdiction: UK
We disagree that there are any jurisdictions that are particularly good for privacy. Also, this might be important for centralised services, like Threema, where the users can't host servers, and much less important for decentralized network, such as SimpleX, where there are hundreds (if not thousands) of servers that we don't control.
3. Cryptographic primitives: Curve25519 / XSalsa20 256 / Poly1305 (downgraded for the absence of PQ encryption).
We added PQ encryption in March this year: https://simplex.chat/blog/20240314-simplex-chat-v5-6-quantum-resistance-signal-double-ratchet-algorithm.html
This is done in the same way as Apple describes as PQ3 here: https://security.apple.com/blog/imessage-pq3/
4. Directory service could be modified to enable a MITM attack? Yes
This is incorrect, as there is no user directory service, and MITM by relays is not possible by design, even without optional security code verification (that exists to mitigate MITM by the channel you used to pass one-time invitation link, e.g. email).
5. Does the company log timestamps/IP addresses? Yes
This is incorrect, we never logged IP addresses and access timestamps of the users.
Further, the private message routing that is now enabled by default for all users prevents such logging by any 3rd party servers with modified code:
https://simplex.chat/blog/20240604-simplex-chat-v5.8-private-message-routing-chat-themes.html
6. Is the design well documented? Somewhat
The design documentation was reviewed in preparation for design security audit - report is about to be published.
Thanks to our users who highlighted these inaccuracies to us!
@simplex but there are quite a few UI bugs in the dark mode iOS app
@simplex Does it make sense to enable private message routing for all servers, including simplex servers, in the settings?
@sk8er @simplex I have the Private Routing option set to "Always use private routing", and the Allow Downgrade option set to "When IP Hidden". This keeps Private Routing active by default, but will send messages directly when the destination server doesn't support private routing as long as your IP is hidden (by tor). I think this is the best configuration for maximizing privacy as it minimizes required trust, and errs on the side of caution.