ᗪᗩᗰᑎ

Last I checked Threema was at least just as good as Signal. Unfortunately Threema is a paid app, which makes it really difficult to for me to recommend as there are many opposed to paying for apps for various reasons. I stick with Signal and even being free (I do donate monthly) I’ve struggled to get people to switch. I find Signals approach of being donation funded to be more equitable and accessible.

loops is still very early in development. people need to tamper their expectations.

deals with Microsoft or any other competitor who may want to silence alternatives.

XMPP only does message encryption. Signal has spent tons of engineering time and effort to minimize the collection of metadata, not just encryption of message content.

Privacy and security is all about threat modeling. Signal meets 100% of the security needs of everyone I communicate with in my region of the world. There’s no need (especially now that you can hide phone numbers) for the added security benefits of SimpleX.

Additionally, my experience in using SimpleX over the last year+ is that message delivery is not reliable yet. This has forced me and the few people I’ve been testing it with to fall back to Signal multiple times. Because of these reliability issues and lacking UX, I don’t feel comfortable pushing it on others, knowing the tolerance level is low for message delivery failures and UX that isn’t yet up to par with other messaging apps.

You’re right! not sure why I thought SimpleX was a fork, it’s definitely just using the Signal protocol. Thanks for the clarification. That said, I would objectively state the UX needs some work to get to where Signal is at. SimpleX is oddly both easy to use but confusing and unreliable. I’ve been using it for a little over a year now and very often messages just stop getting delivered or received, forcing a fall back to Signal.

SimpleX is still very promising and more secure than Signal if your threat model necessitates it, but I continue to champion Signal for its ease of use, reliability, and security compared to more mainstream messengers.

keep spreading FUD, my guy 😎

The day security researchers say Signal is bad is the day I’ll stop using it. Until then, it’s the best option we have that both provides both great privacy and UX. The only thing that comes close - and it still has a ways to go - is SimpleX, but it’s basically a signal fork and it’s devs still support Signal.

With your first sentence, I can say you’re wrong.

except i’m not wrong. the model they ran is 4 orders of magnitude smaller than even the smallest “mini” models that are generally available, see TinyLlama1.1B [1] or Phi-3 3.8B mini [2] to compare against. Most “mini” models range from 1 to about 10 Billion parameters, which makes running them incredibly inefficient on older devices.

That doesn’t mean it can’t run it. It just means you can’t imagine that.

but I can imagine it. in fact, I could have told you it would have needed a significantly smaller model in order to run at an adequate pace on older hardware. it’s not at all a mystery, its a known factor. i think it’s absolutely cool that they did it, but lets not pretend its more than what it is - a modern version of running Doom on non-standard hardware.

[1] https://huggingface.co/TinyLlama/TinyLlama-1.1B-step-50K-105b

[2] https://ollama.com/library/phi3:3.8b-mini-128k-instruct-q5_0

[3] https://www.thirtythreeforty.net/posts/2019/12/my-business-card-runs-linux/

but the hardware is not capable. it’s running a miniscule custom 260k LLM and the “claim to fame” is that it wasn’t slow. great? we already know tiny models are fast, they’re just not as accurate and perform worse than larger models, all they did was make an even smaller than normal model. this is akin to getting Doom to run on anything with a CPU, while cool and impressive, it doesn’t do much for anyone other than being an exercise in doing something because you can.

Checkout Notesnook. I’ve tried most of the ones you’ve listed and have been really enjoying how well it works compared to the competition considering its end-to-end encrypted.

A few features:

• Clients and server are open source.
• End-to-end encrypted note syncing.
• You can publish public notes.
• You can publish privates notes that require a password to view.
• You can self-host the sync server.
• You can self-host the publishing server.
• Full offline mode.
• At rest encryption.
• Multi-platform clients with feature parity (Android, iOS, Linux, Windows, MacOS, Web).
• Most if not all of the general features you’d expect from a notes taking application.

One thing I really like about the project is how open they are about what they’re doing, why they’re doing it and what the future holds. It’s been great seeing their roadmap (https://notesnook.com/roadmap/) and seeing promised features land with new ones being added, and I’ve only been using it for less than a year now!

did they comment (maybe I missed it) on why they’re ending development?

they think because he inherited a recovering economy, that he himself had some major part in it.

nor any evidence of them selling or allowing anyone access to their servers and recent headline news backs this up

The entire point is that you shouldn’t have to put your trust that a third party (Telegram or whoever takes over in the future) will not sell/allow access to your already accessible data.

There’s no evidence that MTProto has ever been cracked, nor any evidence of them selling or allowing anyone access to their servers and recent headline news backs this up

Just because it’s not happening now does not mean it cannot happen in the future. If/when they do get compromised/sold, they will already have your data; it’s completely out of your control.

Google, on the other hand, routinely allow “agencies” access to their servers, often without a warrant

Exactly my point. Google are using the exact same “security” as Telegram. Your data is already compromised. Side note - supposedly RCS chats between Android is E2EE although I wouldn’t trust it as, like Telegram, you’re mixing high/low security context, which is bad OPSEC.

WhatsApp - who you cite as a good example of E2E encryption - stores chat backups on GDrive unencrypted by default

1. Security is about layers. E2EE is better than not having E2EE. Same as transport layer encryption is better than none. Would you prefer anyone on the wire can read your messages just because it’s not perfect in every single use case? No, and for that same reason, E2EE is better.
2. Backups can be made E2EE [1]. Is this perfect? No. But its significantly better than Telegram.
3. I’m only pointing out that Whatsapp is better for privacy than Telegram - I still don’t personally use or recommend it.

… can you be sure the same is true for the people on the other end of your chats?

Valid concern, but this threat exists on almost every single platform. Who’s to stop anyone from taking screenshots of all your messages and not storing them securely?

[1] https://www.tomsguide.com/news/whatsapp-encrypted-backups

Signal is completely open source and auditable by anyone: https://github.com/signalapp

if you were to create your own clone, it would not interoperate with the real one.

The FBI can’t just force them to add malicious code. A bad actor could try to contribute bad code, but Signal’s devs would likely catch it.

Lacking end-to-end encryption does not mean it lacks any encryption at all, and that point seems to escape most people.

Not using end-to-end encryption is the equivalent of using best practice developed nearly 30 years ago [1] and saying “this is good enough”. E2EE as a default has been taking off for about 10 years now [2], that Telegram is going into 2025 and still doesn’t have this basic feature tells me they’re not serious about security.

To take it to its logical conclusion you can argue that Signal is also “unencrypted” because it needs to be eventually in order for you to read a message. Ridiculous? Absolutely, but so is the oft-made opine that Telegram is unencrypted.

Ridiculous? Yes, you’re missing the entire point of end-to-end encryption, which you immediately discredit any security Telegram wants to claim:

The difference is that Telegram stores a copy of your chats that they themselves can decrypt for operational reasons.

Telegram (and anyone who may have access to their infrastructure, via hack or purchase) has complete access to view your messages. This is what E2EE prevents. With Telegram, someone could have access to all your private messages and you would never know. With E2EE someone would need to compromise your personal device(s). One gives you zero options to protect yourself against the invasion of your privacy, the other lets you take steps to protect yourself.

the other hand, if you fill your Telegram hosted chats with a whole load of benign crap that nobody could possibly care about and actually use the “secret chat bullshit” for your spicier chats then you have plausible deniability baked right in.

The problem here is that you should not be mixing secure contexts with insecure ones, basic OPSEC. Signal completely mitigates this by making everything private by default. The end user does not need to “switch context” to be secure.

[1] Developed by Netscape, SSL was released in 1995 - https://en.wikipedia.org/wiki/Transport_Layer_Security#SSL_1.0,_2.0,_and_3.0

[2] Whatsapp gets E2EE in 2014, Signal (then known as TextSecure, was already using E2EE) - https://www.wired.com/2014/11/whatsapp-encrypted-messaging/

Telegram, for all their security claims, is basically not actually encrypted at all.

anything specific you can call out for those of us who have zero interest in moving to another centralized platform?