Lissy93 / awesome-privacy

🦄 A curated list of privacy & security-focused software and services
https://awesome-privacy.xyz
Creative Commons Zero v1.0 Universal

[AMENDMENT] Encrypted Messaging #133

Open magical-heyrovsky opened 1 year ago

magical-heyrovsky commented 1 year ago

Title

Threema

Amendments

In the Encrypted Messaging section it says

Many messaging apps claim to be secure, but if they are not open source, then this cannot be verified - and they should not be trusted. This applies to Telegram, Threema, ...

But Threema is FOSS (https://github.com/threema-ch) and has been for quite some time now. For Android there is even an additional Threema Libre version (without proprietary libraries) that can be installed via the F-Droid store.

Association Disclosure

No response

Would you like to submit a PR?

No.



ltguillaume commented 1 year ago
  1. Not the server part
  2. A recent blog/press release stated they had only recently introduced (optional) perfect forward secrecy, which seemed rather odd to me at least.

magical-heyrovsky commented 1 year ago
  1. Not the server part

Doesn't matter. E2EE can still be verified. As with all client-server messaging apps, one should always assume that the server and network are compromised. Even if the server part is Open Source, that doesn't mean that's the code that actually runs on the servers. There was a time when Signal stopped updating their server code repo for an entire year.

introduced (optional) perfect forward secrecy

Good to hear. Another reason to remove it from that list of insecure messaging apps. Threema has very little in common with Telegram, Cypher, Wickr, Silent Phone and Viber, etc.

I am not saying it should be added to the list with XMPP, etc. I am saying it should be removed from that Word of Warning part because it's just not true.

ltguillaume commented 1 year ago
  1. Yes, that's sound reasoning, thx for elaborating.
  2. Yeah, while the issue was that people already assumed that Threema had PFE implemented (which basically shows how complicated/diverse e2ee implementations are), I guess adding it now at least is a positive. I don't use it, but I do wonder why they made it optional (I have only read a press release so far).