cwtch vs simpleX-chat ? #520

Closed
opened 2022-08-10 15:00:51 +00:00 by icwtch · 2 comments

Hi, just stumbled upon "the first messaging platform that has no user identifiers (not even random numbers)". The latest version allows bootstrapping to Tor in order to connect to their server.
https://www.reddit.com/r/selfhosted/comments/wjcyt8/simplex_chat_the_first_messaging_platform_that/
https://github.com/simplex-chat/simplex-chat#readme
On the first link (Reddit) the dev compares it to cwtch.
What would you guys' take be on his comparison to cwtch and on the app itself?

Owner

In an earlier thread they made some claims about cwtch and v3 onion services that were simply wrong: https://www.reddit.com/r/selfhosted/comments/s2hil6/comment/hsp09it/?utm_source=reddit&utm_medium=web2x&context=3

I'm glad to see that they have corrected some of their misunderstandings, but they appear to have many more.

The quote "The fundamental difference of SimpleX design is that we are always trying to avoid having meta-data instead of figuring out how to protect it" is one of those "not even wrong" kind of statements.

There is always metadata in a system, because communication requires information transfer. There are only 3 known ways to make a protocol surveillance resistant:

  • Onion Routing (somewhat expensive to global passive adversaries, fairly cheap to operate)
  • Mixnet (very expensive for global passive adversaries, expensive to set up and operate)
  • Homomorphic Encryption / PIR (requires an active adversary to exploit, so expensive to run and operate that it practically doesn't exist yet)

SimpleX appears to be planning "none of the above" (they readily admit in your linked thread that their system isn't secure right now, but they plan to make it stronger in the future - "dual server address", "message mixing" and "using separate tcp addresses per queue to prevent any server-level correlation of the traffic", none of which are effective mitigations against metadata attacks on their own or combined).

The literature is long and full of bad protocols.

Author

Thx for the feedback.
For some reason I missed the earlier Reddit thread you linked me to. I see that the dev left you a reply and an invite to discuss it further. Maybe their latest update with their new claims might be an occasion to do just that for the benefit of the general public? The dev is willing to do so, he just stated on the Reddit thread, and he also addressed your observations at the same time.

sarah added the question label 2022-08-26 17:13:53 +00:00
sarah closed this issue 2022-09-06 17:04:18 +00:00
Reference: cwtch.im/cwtch-ui#520