Very strong claim, and the link takes you to https://simplex.chat/messaging/ which again has a lot of strong claims, but where is the evidence of this? Where is the evidence of this being "more secure" (for who? For what threats?) than say Signal or even Telegram or Whatsapp? Signal themselves provide evidence of their claims, where are SimpleX providing their evidence?
And if they don't need to, and it just works as a regular encrypted messenger: Why should somebody use this over any of the many alternatives?
Other than that, its "advantages" page looks highly disingenuous, e.g. by describing Signal as "Possibility of MITM: Yes", but itself as "No - Secure", with a footnote of "Verify security code to mitigate attack on out-of-band channel". How is that different from verifying a Signal verification code!?
- no phone number
- no account
- p2p via onion routing and public relay servers
- public and private file sharing systems via XFTP
Key revocation is table stakes for secure messaging. I need a trusted way to relay that my contact's key has been revoked and I should stop trusting it.
Neither P2P, TLS, client-server, or any choice of key curve gives you this. Read the whitepaper, no mention of revocation. Correct me if I missed something.
Every implementation that I know (which does not include SimpleX) offers some way to recover from complete key loss, at which point other parties receive a "the key for this contact has changed" notification, and that new key is then untrusted by default until verified out-of-band. (This does trust the server operators to not censor your re-registration, but that seems no different from most other centralized revocation mechanisms.)
Do you have a scenario in mind where this would not be sufficient?
john_strinlai•1h ago
immediate eye roll. marketing thinks it is doing a favor here, but for anyone who really cares, this is just produces sighs.
https://simplex.chat/security/ at least has Trail of Bits audits from 2022 & 2024. but then they say "We are planning implementation security assessment in early 2025." which is not linked, so it is unclear if it was never done or the security page has not been updated in a year.
either case is bad.
>To hide your IP address from the servers, you can connect to SimpleX servers via Tor.
thats one hell of a caveat to sneak into the last sentence of a "learn more" popup
>"SimpleX has no identifiers assigned to the users -- not even random numbers"
which is later revealed to be pairwise pseudonymous identifiers. oh, and apparently your ip address, unless you use tor.