Closed Perelandra0x309 closed 5 years ago
I would prefer seeing a draft pull request so the changes would be more obvious and easier to comment upon than a screenshot.
TP | SMA | SCG
What are these abbreviations?
Based on this I think we should add Wire, WickrMe and Threema as recommended apps for instant messengers.
I am moving my family to Wire before removing my WhatsApp account and I agree on it, but I am under impression that Wickr and Threema aren't open source and wouldn't recommend them.
There are some other apps I think worth mentioning, such as Briar, Keybase and TwinMe. We should also create a separate section for Experimental/Beta apps since these may be risky to use.
We have an issue about Keybase at https://github.com/privacytoolsIO/privacytools.io/issues/740, Briar has been discussed in multiple issues, but I didn't find a separate issue for it (maybe it's by a :ghost: or no one ever thought about it other than doing side-mentioning) and I don't remember hearing about TwinMe before.
> I would prefer seeing a draft pull request so the changes would be more obvious and easier to comment upon than a screenshot.
Certainly
> What are these abbreviations?
TP = thinkprivacy.io, SMA = securemessagingapps.com, SCG = securechatguide.org
> I am moving my family to Wire before removing my WhatsApp account and I agree on it, but I am under impression that Wickr and Threema aren't open source and wouldn't recommend them.
They are partially open source: the encryption/messaging protocols are open. Audits have been done.
> We have an issue about Keybase at #740
Sounds like libBletchley doesn't recommend any app which isn't perfect.
> Briar has been discussed in multiple issues, but I didn't find a separate issue for it (maybe it's by a 👻 or no one ever thought about it other than doing side-mentioning)
Briar is Android only, perhaps that disqualifies it. But it is secure in that, if used as intended, you must physically meet with a person to make them a contact, which is also something that hinders its use with other people you can't physically meet. However it is possible to just send the QR code through another channel... but then you are willfully breaking the security model.
> and I don't remember hearing about TwinMe before.
Give it a try: peer to peer (no messaging server) and no personal info required.
About Briar, remote contacts is a feature that should be done in a few months. Also I think a desktop app is already in the works. The lack of an iOS app is because of a limitation of iOS as an operating system that Briar requires.
Lots of good improvements here. I disagree with some of the suggestions:
just because a project-team SAYS they are 'beta' does not actually mean they really are. Riot is far more mature of a codebase than most of the other items listed. They should not be dropped to the bottom of the section, on the basis of the beta-label, it should be on the basis of whether privacyToolsIO folks believe the software is "not ready for regular endusers" yet and thus the section should be called not 'beta' but something more like "for advanced users" type of thing. Riot is fine for many everyday endusers, though as with XMPP, you have to host your own synapse server if you want to avoid the metadata-risks.
signalapp and threema are not "mobile only" ... signalapp has a desktop version (which you can use even if your phone has the battery popped out of it), and threema has a webapp version (not sure if it requires reverse-tethering like whatsapp does?).
ricochet just needs to be removed methinks, but the process of making that decision got stalled #476 and #530 for instance. If the section gets revamped, to me it would make sense to drop ricochet out of the top3 and into WorthMentioning... or maybe into the "for advanced users" section because you have to hand-update the Tor binary to use ricochet properly, right?
While I applaud the idea of listing trackers, privacyToolsIO should NOT say "zero trackers" because we cannot know that for sure. Places like exodus-privacy which analyze APKs for tracking-codebases are careful to say "zero detected trackers" and explain that there are false positives (trackers that are actually disabled) as well as false negatives (seems clean but really was not). IzzySoft similarly uses the phrase "zero known trackers" rather than a flat-out-assertion. Recommended that privacyToolsIO should also be more cautious and say something like "zero trackers we think" rather than over-promising please :-) As certain as possible, but no certainer
never heard of TwinMe, and some of the other items on the suggested changes to WorthMentioning do not seem to be adding much value. In particular, there is a section right above the WorthMentioning one, where people can read more details -- at your own SCG website for example, and thank you kindly for making that. I don't agree with all your recommendations but I like your work ethic, a helpful and thought-provoking guide. Point being, we don't want to list every messenger on privacyToolsIO methinks, we want to be selective and conservative in what is recommended.
SCG has eleven highly-recommended messengers (in alphabetical order: bbmEnterprise briar keybase riotIM safeSwiss signalapp silenceIM threema twinMe wickrMe wireapp) and fourteen more less-highly-recommended ones. TP has 3 recommendations for beginners and 2 for intermediate folks (signalapp wireapp jami + riotIM keybase). SMA has 3 tldr-recommendations (in alphabetical ordering: signalapp threema wireapp) as well as 2 tldr-surprisingly-not-good-enough anti-recommendations (riotIM and wickr) which in the aboutpage explains wickr was eliminated for being closed-source + FiveEyes based while riotIM was eliminated for being still in beta + FiveEyes based but that it "looks promising".
In the listings as of today, privacyToolsIO under voip has signalapp wireapp linphone in the top3, with jitsi tox jami WorthMentioning, aka 3+3. Over in the IM section we have signalapp riotIM(beta) ricochet(danger&experimental) in the top3, with retroshare chatsecure&conversationsIM kontalk wireapp(metadataRisks) and statusIM(experimental) which is 3+5or6 depending on whether the XMPP clients are considered one or two.
In your screenshot you are wanting to expand from a top3 layout to top5 layout, which I think is a mistake, and also expand from 5or6 additional tools all the way to 9or11 of them. This is a big jump, from ~8or9 tools in IM right now to ~14or16... not quite double the size. And by comparison to most of the other listing sections, the IM section is already oversized even with just the top3 and 5WM listings :-)
area | listings now | listings w/948 |
---|---|---|
top | signal | wire( |
top | riot(b!) | wickr |
top | ricochet(d&e!) | signal |
top | _ | threema |
top | _ | ricochet(d&e!) |
WM | retroshare | retroshare |
WM | chatsecure & conversations | chatsecure & conversations & zom |
WM | kontalk | kontalk |
WM | wire(e!) | briar |
WM | status(e!) | keybase |
WM | _ | twinMe |
risky | (no such section) | riot(b!) |
risky | (no such section) | status(e!) |
risky | (no such section) | tungsten(e!) |
The biggest changes are that you want to
These I would prefer be discussed individually ;-) Or at least, not made without discussing each of the changes specifically! Always harder to revert fait accompli, if there was an unseen problem along the way
You are also making "less drastic" suggestions as well:
Usually these I would also consider something that ought to get their own github issue, rather than happen as part of a large number of other changes... but as a whole, the other problem is just the sheer size-expansion, that all these insertions lead unto.
Some of your ideas are obviously improvements, such as grouping the XMPP messengers together... though I will note that last I checked, Zom has decided to stop being a fork of conversations+chatSecure and start being a fork of riotIM so it is unclear whether it still really "belongs" with the XMPP messengers anymore. And such as mentioning the trackers in the descriptions, if any... though typically, trackers would tend to eliminate the software from the list, right? So my suggestion would be to just drop Kontalk if they really have a tracker... but as noted up above, this is a tricksy area. Up until about a month ago, the wireapp APK was detected as containing a tracker... they had not yet managed to remove the tracker-libraries fully, but my understanding is they HAD fully disabled the tracking functionality (and wireapp is GPL so you can verify if my memory is faulty). Crashlytics is not as tracker-y as some of the worst options... but it is not great for sure, and there ARE plenty of other tools.
five-c-d, Thanks for your thorough and thoughtful reply. I would like to comment on your points, but perhaps before getting too far into details of specific apps, it is a good idea to discuss how many apps in each section to limit selections to, and what sections there should be. Then with a finite number of slots available we can fit in the best options.
I think part of the difficulty is the different ways IM is used. Some people just use a cell phone for everything. Others like me move from phone to desktop to tablet throughout the day, so I prefer messengers that sync across multiple devices. So that is what I was trying to differentiate with separating out mobile only use from desktop use. Some messengers are mobile only, some desktop only, and some both. Then there are some like Signal and Threema which have desktop clients but are ultimately dependent on a mobile "parent" device, whether it is always actively connected or not.
As you mention PTIO tends to stick to 3 main options per category. So how about if we have 3 options for those who use mobile devices and 3 options for those who use desktop/laptops? That does not necessarily mean we will have 6 total options however, since a single app could cover both categories. If there were 1 mobile only app, 2 mobile and desktop apps and 1 desktop only app that would only be a total of 4 top choices. Then there could also be some other "Worth mentioning" options.
I will make some more comments in a bit, but I need to go just chill for a bit, I've been working up to 16 hour days this week.
1- The key management in group chats isn't finished yet, and I wouldn't say it's ready for normal users. It is quite a process to verify every device, practically impossible I would say in large groups. You also need to be aware that bridges to other messaging systems like IRC are not encrypted at all. For a normal user it is too easy to make a mistake and not realize which rooms are or are not encrypted. I like your idea of a section for advanced users.
2- Yes the Threema desktop client links directly to the Threema app, and sometimes remains connected but can lose the connection if moving between networks. Then you have to dig out your phone and connect again. I would define desktop as meaning you can set it up on a desktop without requiring a phone.
3- I definitely agree on making it an advanced users option, not a regular users option.
4- OK you make good points, it may be best to just drop the trackers. I too have seen where for example Conversations gets flagged as having a google tracker even though it is disabled but the setting in code triggers a false positive.
5- Yes having too many options is overwhelming and not helpful, especially if we direct people to other websites with more detailed information they can choose to use for more research.
In thinking about it some more tonight (while watching Rogue One) I think moving Ricochet to an advanced users section and replacing it with one easy to use app would make this list more helpful for normal people. Keep Riot as a recommendation card for advanced users. So have something like this:
Recommendation cards:
Signal
Another one that is not complicated and available for both mobile and desktop (Wire, Keybase, something like that)
Riot (mark as for advanced users)
Worth Mentioning:
Briar (Android only but did I hear about a desktop client?)
XMPP: ChatSecure, Conversations (though this might be advanced), Quicksy
WickrMe
For Advanced users:
Retroshare
Ricochet
I think the above is a less drastic set of changes. I would add Threema too somewhere but I get the feeling there are too many objections to it being not open source, and a very small one time fee. I would still recommend removing it from being associated with the likes of Facebook Messenger.
That doesn't really make any sense, that Zom could have changed from XMPP to Matrix federation.
Could we focus the discussion on #951 for simplicity unless it gets closed?
And now I am commenting here regardless of my previous wish.
A feature I am often missing from instant messaging comparisons is: how big can groups be (is the limit high enough to matter?), what information do others get of me and how are they managed?
To answer this on Signal and Wire:
> regardless of my previous wish
Okay then I'll keep commenting here as well ;-)
* if I recall correctly
Yes, correct. Over on the voip section, signalapp cryptocalls are max 2 people, whatsapp is max 4, and wireapp is max 10. I don't think RiotIM/Jitsi has a max, but I would hesitate to list it as "supports infinite cryptocall sizes"
In actual practice, once your signalapp groupchat gets larger than 50 people you will start to have "social difficulties" with the lack of groupchat-admins and once your signalapp groupchat gets into the triple-digits you will probably have performance problems (pairwise client-side fanout). So yeah, the groupchat size is not limited by the software, but there ARE limits all the same, it is not possible to have a 99999 member signalapp groupchat, except in theory -- in practice it doesn't work.
Signalapp does show the signal-num to every other member of the groupchat, but you can control (on a per-conversation per-groupchat basis) whether your signal-profile info is revealed or not. Thus, if you have Alice from Australia get invited into a groupchat by Bob, then Bob will have revealed to the groupchat "there is a signal-num +1-111-111-1111 and they know Bob +2-222-222-2222 somehow" but Alice's signal-nickname and Alice's signal-avatar-picture will NOT be revealed (until and unless Alice taps "reveal profile").
My usual recommendation for people that want a bit more privacy, or are worried about getting added into random groupchats by their signal contacts, is that instead of registering for signalapp with their cellnum, they use a secondary num.
But signalapp cannot protect you if you befriend people like that :-) It is just software.
> with a finite number of slots available we can fit in the best options
Yes agree 100% -- we are on the same page :-)
> messengers that sync across multiple devices
Right, I understood you were separating on that basis. I just think that Threema (with threema4web) and also signalapp (with signal4desktop) actually satisfy that use-case. They sync across multiple devices. They let the enduser move from device to device during the day. What they do NOT support is endusers that ONLY own a laptop. See #967
> define desktop as meaning you can set it up on a desktop without requiring a phone
Not me :-) I define desktop as meaning, you can move from device to device during the day. Signalapp has a non-reverse-tethered architecture, whereas Threema is like whatsapp, reverse-tethered.
> tends to stick to 3 main options per category
Apparently I'm behind the times... this is now changing, before my eyes, with the new site-layout! :-) Which I think is a bad trend. I want privacyToolsIO to recommend the top 3 tools in each category, not the top9, and if there ARE lots of great tools, I want either a link to an offsite comparison like SCG, or I want a table with details like the VPN section, or ideally both. To me though, there are a clear top3 in the IM realm: signalapp, riotIM-with-your-own-synapse-homeserver, wireapp-with-a-warning-about-metadata-leakage, in that order. Everyday endusers will generally get a lot of privacy from those setups. Under the worthMentioning realm, I would list XMPP==ejabberd+conversationsFdroid+monal+gajim+converseJS with a warning about metadata-leakage. I would not list threema nor wickr, because they have the wrong business-model compared to the top3 options, but I would be "capable of being convinced" that they were worthMentioning, IFF they serve some specific need the top3 do not? (XMPP does: easy-peasy federation whereas Synapse is more aimed at Big Rooms.)
> 1 mobile only app, 2 mobile and desktop apps and 1 desktop only app that would only be a total of 4 top choices
I'm hoping we can eliminate that last one entirely. Ricochet is a dormant project that is hard to use securely. It is probably still WorthMentioning because of the strong security-guarantees and high degree of built-in-anonymity it offers, but I don't consider it top3 because everyday endusers ARE NOT gonna be able to use it properly, the hashnames are too difficult and the setup/install is too difficult and there is no place to ask questions (and get good answers). What other "desktop only" thing can compete with signal/riot/wire? All of them support desktop, in some way.
So my advice is that we have one "mobile-but-with-desktop-extensions" app in the top3 which is signalapp, and two mobile-n-desktop-apps which are riot-with-own-homeserver and wireapp. Signalapp is the best-vetted crypto and easiest to use of the three, so it should be listed first (if the goal of privacyToolsIO is to help everyday endusers ... e.g. we now list firefox first and TorBrowser second, so that seems to be the case). I would list wireapp in third place in the IM section, because there is no way to NOT store metadata serverside, and RiotIM would remain in second-place because there IS a way to avoid that (run your own Synapse homeserver). I would also be comfy with listing signalapp+wireapp as the top2, and then listing RiotIM+XMPP in the "for self-hosting endusers" section aka Advanced?
However, over in the voip section, I would list signalapp first, and wireapp second, and Linphone as third (with RiotIM only as "worth mentioning" or maybe just Jitsi as it is now because of the severe beta-stage-codebase-blues for Riot cryptocalling nowadays).
> it may be best to just drop the trackers
I'd rather just drop anything with a tracker, and highlight (in bright yellow) anything that HAS a tracker. The assumption should be, zero trackers, right? Can we drop Kontalk from WorthMentioning (per Crashlytics), and replace it with something else perhaps... Briar maybe? I think Briar supports too few platforms though.
> still recommend removing [threema] from being associated with the likes of Facebook Messenger
I don't know why threema was added to that list. They are closed-source, and they charge money, and I would argue that signalapp-with-a-burner-num is a better option. Wireapp is arguably NOT a better option than Threema though, because of the server-side metadata... if you pay with cryptocurrency for your Threema identifier, anyways, so that your payment-details are not linked to your hashnum. See also https://community.signalusers.org/t/threema-messenger/7789/6 discussion about whether privacyToolsIO is correct to list Threema that way.
I think we should make a separate sentence, and say "if you are using X Y Z then switch to these actually-privacy-respecting options PERIOD if you are using threema or WickrMe we recommend you switch to these libre-licensed projects with better business-models." Or something along those lines. The admixture of threema with fbMsgr is a wee bit jarring.
> that Zom could changed from XMPP to Matrix
They are though... "new Zom 2 app built on Matrix protocol..."
p.s. Related, is the idea of a Pros And Cons list being added to each of the recommendation-cards. I made some samples up for signalapp and wireapp == https://github.com/privacytoolsIO/privacytools.io/issues/882#issuecomment-487787033
> I would not list threema nor wickr, because they have the wrong business-model compared to the top3 options, but I would be "capable of being convinced" that they were worthMentioning
The main advantage of these is no need to provide any personal information like phone or email to signup. Also Threema does not store messages permanently on a server.
> So my advice is that we have one "mobile-but-with-desktop-extensions" app in the top3 which is signalapp, and two mobile-n-desktop-apps which are riot-with-own-homeserver and wireapp. Signalapp is the best-vetted crypto and easiest to use of the three, so it should be listed first (if the goal of privacyToolsIO is to help everyday endusers
Yes I think this is a good set of recommendations. I also recommend Signal as a first step for anyone, it is a familiar concept like SMS and doesn't cut you off from existing contacts.
> They are though... "new Zom 2 app built on Matrix protocol..."
So what happens to all your xmpp contacts, they just disappear one day when you update the app? I am not really seeing anything about this on their website. Seems very strange. Or will they have concurrent versions for xmpp and Matrix??
Trying to discuss this in the pull request is getting very confusing 😄 Replies aren't showing up in order.
@five-c-d Thanks for linking #534. Interesting discussion. It seems that there are reasons to have both Riot/Matrix and Wire listed as recommendations based on their different use cases. Instead of debating whether Riot or Wire be listed, I think a better option would be to list both and drop Ricochet, which is no longer maintained and requires more advanced knowledge to use. Also Riot and Synapse are now out of beta status.
Keybase might be another contender for a recommendation instead of Wire, however I think it would be a little more confusing for normal users than Wire is.
I'm on vacation now but I can do another pull request soon with modifications. Other areas that could be changed based on our discussions here:
Combine XMPP clients into one list. Remove OTR link.
If Ricochet is demoted to worth mentioning, perhaps it is worth replacing it with Cwtch which is the follow-up project by the developer. Ricochet is no longer maintained.
Remove all mention of Threema.
@Perelandra0x309 I wouldn't list Cwtch yet, it's alpha quality software and rather unstable; Briar would be more suiting for now.
> Riot and Synapse are now out of beta status
This is true, but the crypto therein (Olm+Megolm) is still "officially late beta" per the devs. It is also not on-by-default, though if you run your own homeserver I believe(?) you can configure it to force that.
> I can do another pull request soon with modifications
I think you should start as simply as possible, but no simpler
1. PR#A: swap places with wireapp and ricochet per 530 and 476 (plus adjust their verbiage to change wireapp from "experimental" to instead "metadata" -- plus decide whether to parenthetically note cwtch within the ricochet-blurb somehow). Split the how-to-upgrade-tor-so-ricochet-is-safe prose off into another page, and link to it from the IM page. No other changes, just yet: in particular, leave the question of whether wireapp should be 2nd and riotIM 3rd for another day. Once that is approved... or if you like, in parallel....
2. PR#B: cleanup xmpp area, combine it into "one" entry of WorthMentioning, and consider which are best tools to mention and which to *not* mention. Link to omemo.top so people can see which things don't have OMEMO fully baked yet. Remove OTR.
3. PR#C: decide whether Threema is still "anti-recommended" explicitly, and if not drop it, and if so reword the prose (splitting into two sentences perhaps). Related: whether iMessages and WickrMe are discussed in the yellow-zone, as they have similar properties?
4. PR#D: decide **how many** tools we want in the WorthMentioning area, I'm hoping three to six, and then (counting xmpp as "one tool") have a debate about which of the following to add/retain/drop as the case might be:
   * xmpp (retain),
   * retroshare (retain?),
   * ricochet (assuming PR#A happened -- could retain as WM or drop all the way off),
   * kontalk (remove per crashlytics?),
   * statusIM (remove per experimental-and-lots-of-equivalent-options?),
   * jami (add? ...already on voip listing but does IM stuff as well and not yet listed),
   * keybase (add iff 740),
   * briar (add? but android-only),
   * threema (maybe iff PR#C),
   * wickrme (add?),
   * twinme (add??),
   * tungsten (add???),
   * etc

Once we have those changes in place, we can do a final mop-up of whatever was missed.
My personal opinion, would be signal + riot + wire + xmpp + ricochet + keybase + retroshare + briar as top3&wm5, total of 8 listings. With more WM listings, I'd include rough-around-the-edges jami + partially-closed threema maybe, total of 9or10. Left out: partially-closed wickrMe + not-well-known twinMe + experimental tungsten. Dropped from WM listings: crashlytics kontalk + experimental statusIM.
As of a couple weeks ago, https://github.com/privacytoolsIO/privacytools.io/issues/948#issuecomment-497912251 , @Perelandra0x309 was thinking signal + wire + riot + keybase + briar + xmpp + wickrMe, which is seven, then separately ricochet + retroshare + maybeThreema is 9or10. Therefore we agree roughly on the total size of 7-to-9-ish, and on what the top3 ought to be (i.e. PR#A). We also roughly agree on what pair of tools to drop from extant listings: kontalk and statusIM.
Can other people please list their own ~Top10 tool-listings opinions, in ranked order for the target-audience readership, as well as how MANY total tools they think should be listed (and how many of those with recommendation-cards rather than just WorthMentioning).
That looks like a good way to split up the pull requests.
There hasn't been much discussion on Kontalk but I agree it is a candidate for removal. My primary reason would be that it depends on an SMS capable phone number to register and to look up other users. It requests access to your contacts for lookup. Your actual ID is a hash of your phone number, which seems somewhat pointless since someone needs to know your phone number to look you up, so they get your ID back as a hash but they know your phone number anyway. We already have Signal which requires a phone number so having another app with that potential anonymity issue isn't ideal. Also it does have a Google tracker (optional crash reporting), photos from messages are saved in publicly accessible storage and although Kontalk does use XMPP it is not OMEMO yet and cannot communicate with other XMPP users outside of the Kontalk system. I don't really see what this offers over the better option of Signal.
Briar is looking promising, their new Briar Debug release allows adding of contacts remotely via Tor addresses. Sending of images in messages is also starting to be worked on according to their bug tracker.
If Ricochet is kept as worth mentioning then it might be good to note that it is no longer actively maintained and that the Cwtch project in alpha is expected to replace it in the future.
Interesting analysis here, I haven't been able to thoroughly read it all but I think it backs up my opinion that Riot can only be private for advanced users. https://forum.privacytools.io/t/notes-on-privacy-and-data-collection-of-matrix-org/904
Riot using its default settings is not private:
- Not encrypted by default
- Rooms are synced to the home servers of all the participants
- Bridges to IRC and other platforms are not encrypted
- Use of an identity server
- Cannot delete files, no ephemeral messages

Riot should be considered private only for advanced users when:
- All participants use self-hosted servers
- Encryption enforced by default
- Don't use an identity server (I have to read up more about this)
- Don't use bridges
- Setup some type of message cleanup to remove messages after a set time period
So right now the PTIO IM page has one easy to use recommendation (Signal) and two that are only private for advanced users (Riot and Ricochet).
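The "advanced users" checklist above maps onto concrete server-side settings for a self-hosted Synapse homeserver. The following homeserver.yaml fragment is an added example, not code from this thread or from the Synapse project; the option names are real Synapse configuration keys, while the domains `chat.example.org` / `ally.example.net` and the retention lifetimes are assumed placeholder values:

```yaml
# Added example, not from the thread or the Synapse project: a homeserver.yaml
# fragment for a self-hosted Synapse that enforces the checklist points.
# Key names are real Synapse options; the domains and lifetimes are assumed
# placeholder values.

# "Encryption enforced by default": every newly created room starts end-to-end
# encrypted (Megolm). Accepted values: "all", "invite", "off" (the default).
encryption_enabled_by_default_for_room_type: all

# "All participants use self-hosted servers": only federate with the listed
# homeservers, so rooms are not synced to arbitrary third-party servers.
federation_domain_whitelist:
  - chat.example.org
  - ally.example.net

# "Don't use bridges": register no application services. IRC/Telegram-style
# bridges are appservices, and their side of the conversation is unencrypted.
app_service_config_files: []

# "Setup some type of message cleanup": server-side room retention. Events
# older than max_lifetime are purged by the background job; min_lifetime is
# the floor a room's own retention policy may set. This removes events from
# this server only; clients keep their local copies until they delete them.
retention:
  enabled: true
  default_policy:
    min_lifetime: 1d
    max_lifetime: 30d
  purge_jobs:
    - interval: 12h

# Closed signup: the admin creates accounts, nobody self-registers.
enable_registration: false
```

Two caveats a reviewer would raise: the identity-server point in the checklist is a client-side choice (which server, if any, the client queries for email/phone lookups), so it is not covered by this server config; and `federation_domain_whitelist` only restricts which remote servers this homeserver will talk to, so the other homeservers in the whitelist need the matching setting for the "all participants self-hosted" property to hold on both sides.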
New pull requests: #992 #993 #997
Can we add GNU Jami please?
It seems to work now!
Hello all, I would recommend the IM page be updated with information and recommendations of some apps and I wanted to open a discussion about it before posting a pull request. There are some great security focused messengers that deserve some mention.
In looking at the 3 websites referenced (full disclosure- I run the securechatguide.org website) There are some apps that all websites agree provide good alternatives. I will attempt to make a table- 1 or .5 points is for a recommendation from the website, 0 for not recommended and blank is not reviewed.
Based on this I think we should add Wire, WickrMe and Threema as recommended apps for instant messengers.
There are some other apps I think worth mentioning, such as Briar, Keybase and TwinMe. We should also create a separate section for Experimental/Beta apps since these may be risky to use.
I have made a mockup locally of what I think are reasonable changes. Please make suggestions, and I can submit a pull request when ready.
Thanks for your time and effort on this site, it is a great resource!