Potential issues with Simplex Chat (German but can be translated mostly with FF translate)
(www.kuketz-blog.de)
English attempt via Google translate:
Without identifier
I tested the SimpleX messenger for a few days. I would like to give my impressions below.
SimpleX can be obtained via the App Store, Google Play, directly from the GitHub project page or its own F-Droid repository. The project only started at the beginning of the year, but is currently in version 4.2.2. SimpleX is promoted as follows:
How the messenger works without an identifier and which crypto is used is explained in the white paper.
For testing purposes, I obtained and installed SimpleX from the GitHub page. There are two ways to get in touch with someone:
I decided to distribute my SimpleX contact address (QR code) via Mastodon. Anyone who scanned this QR code could add me to SimpleX or start a chat with me. Basic functions such as writing messages and sending images/files are implemented. But audio and video calls are also possible. Notifications of new messages occur via a background service that is always active by default. You can also configure this as follows:
Most people will probably leave the default to be notified immediately when new messages arrive. However, this standard setting comes with a disadvantage: battery consumption. This may vary from device to device, but for me the battery consumption was significantly higher than that required by messengers such as Signal, Threema or Element.
Using the setting,
Network & Server
SimpleX can be configured to route all communication over the Tor network. In combination with the missing (unique) identifier and the SimpleX Messaging Protocol (SMP), in my opinion, anonymous use is possible, which makes it difficult or impossible to find out who is in contact with whom using metadata. And yet: unlike Briar, for example, a contact or device does not have to be permanently online to receive a message. These are temporarily held on the SimpleX relay servers until they can be received. By the way, these SimpleX relay servers are federated: anyone can run one.
In October, Trail of Bits conducted a security audit of SimpleX and published the report in November 2022. The focus of the audit:
The result: two moderate and two light vulnerabilities. Except for one moderate vulnerability (keys are stored in unpinned memory and not cleared after their lifetime), the exploitation of which will soon be made more difficult/prevented by using the secure memory library, all were fixed promptly. However, you should know that the audit had a limited focus and was not a full audit that checked the entire client and server code base including all protocols.
I find the lack of verification options for chat partners problematic. Sure, you can send an invitation link/QR code to someone via a secure channel. However, it is currently not possible to authenticate your communication partner in SimpleX. If you do not authenticate your counterpart, you can never really be sure whether you are actually exchanging messages with the desired communication partner or possibly with an unknown third party.
Send questions and ideas
I then contacted the main developer Evgeny Poberezkin directly using the internal SimpleX function and confronted him with the missing verification option.
Question:
Answer:
Question:
Answer:
We then exchanged ideas and chatted about SimpleX's rating in the messenger matrix. Bottom line: overall, I think the messenger is good (recommended with reservations); this is due in particular to the lack of verification options for contacts, the high battery consumption, client instabilities and a full audit that is still pending. Work is already underway on all of the points mentioned.
Overall, SimpleX focuses very much on privacy, as the list under Privacy: technical details and limitations makes clear. Ultimately, everyone has to decide for themselves whether the messenger is an option.
I used Firefox Translate and it translated most of the words.