Discussion

BeFree

thisisauserid: I heard that SimpleX-2 will go even more viral.

john_strinlai: >World's Most Secure Messagingimmediate eye roll. marketing thinks it is doing a favor here, but for anyone who really cares, this is just produces sighs.https://simplex.chat/security/ at least has Trail of Bits audits from 2022 & 2024. but then they say "We are planning implementation security assessment in early 2025." which is not linked, so it is unclear if it was never done or the security page has not been updated in a year.>"Unlike other messaging networks, SimpleX has no identifiers assigned to the users."a few sentences later>"To deliver messages SimpleX uses pairwise anonymous addresses"which links to "Pairwise Pseudonymous Identifier"... so, they use identifiers?

jayd16: Can you chat in both directions or is simplex uni-directional?

rickcarlino: I’ve been using SimpleX for a small circle of friends and it has been pretty easy to use. I am surprised it has not seen wider adoption. Writing scripts for it is also straightforward.

embedding-shape: > World's Most Secure MessagingVery strong claim, and the link takes you to https://simplex.chat/messaging/ which again has a lot of strong claims, but where is the evidence of this? Where is the evidence of this being "more secure" (for who? For what threats?) than say Signal or even Telegram or Whatsapp? Signal themselves provide evidence of their claims, where are SimpleX providing their evidence?

jryio: It's exhausting to make this comment every time... but here we go.Key revocation is table stakes for secure messaging. I need a trusted way to relay that my contact's key has been revoked and I should stop trusting it.Neither P2P, TLS, client-server, or any choice of key curve gives you this. Read the whitepaper, no mention of revocation. Correct me if I missed something.

lxgr: I tried to figure out its identity model and failed, and I consider myself somewhat familiar with encrypted IM protocols. How should non-technical users ever figure this out?And if they don't need to, and it just works as a regular encrypted messenger: Why should somebody use this over any of the many alternatives?Other than that, its "advantages" page looks highly disingenuous, e.g. by describing Signal as "Possibility of MITM: Yes", but itself as "No - Secure", with a footnote of "Verify security code to mitigate attack on out-of-band channel". How is that different from verifying a Signal verification code!?

lxgr: I feel like key revocation is usually solved via key replacement in most secure instant messengers.Every implementation that I know (which does not include SimpleX) offers some way to recover from complete key loss, at which point other parties receive a "the key for this contact has changed" notification, and that new key is then untrusted by default until verified out-of-band. (This does trust the server operators to not censor your re-registration, but that seems no different from most other centralized revocation mechanisms.)Do you have a scenario in mind where this would not be sufficient?

ranger_danger: > Why should somebody use this over any of the many alternatives?- no phone number- no account- p2p via onion routing and public relay servers- public and private file sharing systems via XFTP

ranger_danger: How does one have a unidirectional chat?

jayd16: https://en.wikipedia.org/wiki/Duplex_(telecommunications)#Si...