100 comments

[ 3.0 ms ] story [ 147 ms ] thread
Element is FOSS and runs on Matrix. E2EE with stern verifications. Nice GUI. I think it's better than Jami and a good Discord alternative.

https://element.io/

I just set up my own homeserver, it's a breeze. I wonder how matrix would hold up in the linked comparison.
Yeah Matrix is great (I don't like the Vector/Riot/Element client much though, I wish the other clients were a bit comparable in terms of their development as Element seems to take up most of the attention). It's not very efficient with screen space, if you have a LOT of chats open (many bridges!) it's hard to find what's what.

But the E2E verifications I do find troublesome. I constantly have to re-verify contacts, it's way too much in the way of smooth communication. I wish there was a way to auto-enable (but warn of a key change) them like Whatsapp does. It's not as secure, but you really have to be a crypto geek to constantly compare fingerprints whenever they change or get added. I often log in to different devices (different browsers on machines at home, work, test phones etc). And everything has to be validated. Whatsapp and Signal handle this way way better. This way it just won't make it to the mainstream. I can't expect my contacts to click buttons every time I log into a new browser or clear my cookies.

In the end I just got sick of all these crypto warnings and I ended up switching to something else again. I re-try Matrix every once in a while but it's still not there. Also, for me E2E crypto is not a major thing as I run my own server anyway (which I trust). But some of my friends want it switched on as they also use it on other chat apps.

PS: Not trying to blast Matrix here, but I do find this a problem for adoption. Otherwise I think it's way better than any other chat app.

In the latest versions you can now have one key backup and use that on a new machine to auto verify all.
Ah see, that's a good start! That's why I keep trying Matrix periodically ;) But it's been 6 months ago again.

But the problem was not really for myself.. I know where to click, even though it annoys me. The problem was with the other family members that have to verify every time when I add a new browser to the mix.

And if they don't I don't see all the chats which makes it unreliable.

Also, I don't like the way it exposes that complexity: Why do the other channel users need to know exactly which devices I log into :) They should just know it's me. This is what most other apps do right but Matrix doesn't.

'More' independent overview:

https://www.securemessagingapps.com/

i recommend Wickr Me. Its free, Privacy friendly and (almost) stable.

Why isn't Keybase included in most of these matrices? Is it related to some kind of "messaging" definition?
While I put high hopes in Keybase and the chat was solid, it's a zombie app at this point. The project came to a halt when they got acquired by Zoom, as evidenced by [1].

[1] https://github.com/keybase/client/graphs/contributors

The writing was on the wall the moment the acquisition was announced, and we all grieved about it, but it still makes me very sad to see such a graph. I miss Keybase.
What's with Wickr? I never heard of it until yesterday, when a message out of the blue on Reddit asked me why am I not using it (with the excuse that I said I didn't like it, which is false), and now this poster with no comment history.

Probably confirmation bias so I'll bite. It's not open source, collects some data, it's a for-profit company. Why would I use it?

The only time I've seen it used has been by people looking to buy drugs. It's so closely related that a single "wickr?" post on social media is basically synonymous with drug deals.
This post is actually the first time I've heard about wickr online. I have seen it spray painted everywhere in my city tho, something like: "wickr: randomusername HQ 420"
well, there are some reasons for [1][2], it also was on HN before too [3]. I came up to it as i was looking for an alternate which is free, real end-to-end encryption (not just to the server) and doesn't need your or any phone number to create an account. There is a payed Version (obviously for professional occasions) and also a Desktop Version. So all in all a great Package. I suppose it makes money through it payed Version. (havn't checked that, just assume it) It promisses not to steal data and says its not possible by design.[4]

[1] https://www.militarytimes.com/flashpoints/2020/01/23/deploye... [2]https://www.securemessagingapps.com/ [3]https://news.ycombinator.com/item?id=22129436 [4]https://medium.com/cryptoblog/the-untrusted-server-19aff573c...

While I love all these open source, privacy centered efforts, the fragmentation across all these alternatives isn't helping with the already horrible network effects amongst friends.

Barely any of my friends use these other apps making all of them pretty useless. Seems like a lot of apps will enjoy really high initial install numbers, but gravity may just pull everyone straight back to WhatsApp.

I have yet to find any tangible difference b/w Wire, Element, Threema, and Jami. And whatever FSF-approved apps people use, too.
tbh, I love the fragmentation. I have only one contact in Threema so for all intents and purposes that app icon is her. On most other platforms I also chat disproportionately with a single person and I find it somewhat annoying when someone else contacts me on them, because I expect the Facebook Messenger notification to be that person, the Threema notification to be another and the Instagram notification to be yet another. The biggest wildcard is Whatsapp – could be work, could be my mom.
like Microsoft browser we can use that to launch others always. Just use it to install chrome.
Comparison matrix is inaccurate about Telegram in few rows:

> Service runs its own server [no]

Telegram uses own servers

> GDPR compliance [no]

There is @GDPRbot, https://telegram.org/faq#q-what-about-gdpr

(comment deleted)
> Telegram uses own servers

Is there any official documentation about this? I checked, and could only find a note about their servers in the EU (Netherlands).

>Service runs its own server

They mean it as "the service provider operates and runs all servers, and there are no cloud or hosting services (such as Amazon AWS or Google Cloud) involved"

I'm not sure if it's really an advantage or a weakness.

Telegram runs both own and hosted servers, and also allows volunteers to host relaying proxies to circumvent censorship.

How are any of the others violating GDPR?
Same question. Especially relating to Signal
I believe this is saying that they run it on hardware that they own rather than a cloud provider.

However if they have good e2e encryption this should be a very minor benefit as I'm not trusting the operator anyways.

XMPP sadly is not part of the comparison.
Exactly.

XMPP:

* supports three encryption methods (OMEMO, OpenPGP, OTR);

* has a great amount of clients [1];

* and also of servers [2];

* it is federated;

* the protocol [3] and the most established clients and servers are open;

* there are already several online services available to use [4].

And as a bonus, the famous "XMPP's myths & legends" [5].

[1]: https://xmpp.org/software/clients.html

[2]: https://xmpp.org/software/servers.html

[3]: https://xmpp.org/extensions/

[4]: https://list.jabber.at/

[5]: https://xmpp.org/about/myths.html

You can actually use whatsapp without address book access. I use it like that today
Not a fee app will be disadvantage of Threema. I cannot be convince my friends, my family switch from Signal, since we are happy with it.
(comment deleted)
The comparison will be outdated soon. With recent surge of Signal, expect some features which are most commonly asked.

Signal team did an AMA in last few days [1]

[Few of the Q/A]

Q: Is there any plans to make user ID system, so that we can add friends without knowing the phone numbers?

Ans: Yeah, we're working on it!

Q: Hi, is it possible to backup chat history?

Ans: Thanks, we know this is a big deal and think about it a lot. We're working on ways to do it that would be privacy preserving...

Q: These things would really make the experience for my family and I complete

Support for backups and transfer on Android. Not manual, but automatic like iOS

Support for ChromeOS via Android Tablet support

Support for simple markdown like bold, strike through etc.

Ans: Great list, we're working on all of these!

[1] https://www.reddit.com/r/technology/comments/kt91qk/signal_p...

I don't think the sudden increase in users will accelerate the implementation of new features. These things must be planned and coded.

They did right in stating so soon in the exodus that expected features are planned and coming.

The sudden uptick should create some sense of urgency, else they will loose out to other apps. I can imagine how pumped-up the folks at signal will be (atleast I hope so)

There are lot of low-hanging fruits which are quality of life improvement e.g #1 ask from my non-technical family members: Background wallpaper :)

Another feature: WhatsApp migration

+ Its open source, if they are willing to accept PRs things could accelerate

> The sudden uptick should create some sense of urgency, else they will loose out to other apps.

It seems like you’ve never followed Signal closely (or what happens with feedback and requests). Signal is not one to worry about losing out to other apps. If that had been the case, it would be a lot more feature rich by now than what it is. Signal moves at a glacial pace compared to its competitors.

I really don't think Signal is going to dramatically improve on their feature set any time "soon". The gap between any feature Signal copied from Telegram is 2-3 years, they haven't exactly been known to be quick to respond to UI fixes and feature requests.
You mean features like encryption?
No, features like a good desktop client.
Good desktop client might not be absolutely necessary IMHO. WhatsApp does not have one right?
It has a web client. And yes, that's a massive disadvantage for me. I don't want to chat, share files, and make (video) calls exclusively via my phone.
I chat, share files and make calls with Signal's desktop client. What am I missing?
Message delivery is quite unreliable sometimes, it's a bloated electron app, search doesn't really work for me, it has no message forwarding, etc. Video calls don't work at all, I just tried it a couple of minutes ago. It's just not nearly as good as it could be or as alternatives such as matrix are.

Edit: In fact, I just had to kill the desktop client because it stopped working and the UI froze while attempting to start a video call.

Features that the masses actually care about, features like stickers, voice and videos messages and calls, disappearing messages, groups that you can manage membership and channels... wait forget about that last one.
What us the business model behind Signal? Just everything for free is seems to nice to be true.
What's the business model behind SSH?

Signal is supported by a non-profit foundation https://signalfoundation.org/

I had this exact discussion in another thread here on HN less than 24 hours ago. Being supported by a non-profit is great, but how is that non-profit funded? They still need to pay their bills. Wikimedia get around $120 million in donations each year, can Signal get close to that?

According to Telegram's Pavel Durov, "A project of our size needs at least a few hundred million dollars per year to keep going." [0]. Telegram has close to 500 million monthly users, how will Signal pay for their operations when they approach the same numbers, which I assume is the goal? A business model will be needed, Telegram only recently started talking about how to bring in money from other sources than the personal savings of the founder.

Edit: Is it really relevant to compare to SSH? Does SSH have user signups or servers that handle large amounts of real time communication? How many developers does SSH have employed?

[0] https://t.me/durov/142

Telegram stores everything. You can send GBs videos and it will be stored and downloadable on any device from anywhere. It's like on a Dropbox or Drive. This costs a lot of money.

On the other hand, I think Signal doesn't store anything once it has been delivered and any backup will have to be made on separate via some DropBox or Drive.

So the cost should be far far less than Telegram

Signal does store stuff if you have desktop clients logged in. It doesn't rely on the mobile client to forward it like Whatsapp Web. But it only stores it until they have all retrieved it, or they have timed out. I don't know how long Telegram keeps stuff.
Desktop client or phone client or tablet client, Signal will store the messages on its servers for several days or until they’re delivered, whichever is earlier.
So Telegram stores files at a cost of a few hundred million dollars each year? It sounds a bit unbelievable that a big majority of their operating cost is simply storage, but I really don't know. Anyway, sounds like a great feature that others should have as well.
SSH you run on your own server, not theirs..
There’s no way Signal is bringing these features, which have been requested for years and resisted a lot (by Signal), anytime soon. If someone’s waiting for these, it’s going to be a long wait, especially if they want to jump ship from WhatsApp this year.
Yep, it's not like Signal is eager to include features. They have shown that again and again.
surge LOL it's not even drop in number of whatsapp users

I used for years combo signal+whatsapp, main reason is much better photo quality on signal and I like simpler UI, but I moved my family including parents away from Signal after they started to nag everyone with creating PIN I don't want

and don't get me started un unreliable message delivery if you often switch between wifi and mobile network, whatsapp will deliver messages without any issues, it takes very long time for signal to switch to correct network

so I installed tyo my parents and wife Google messages as backup option with chat feature, but that's not option for me without GMS

looking forward to some IM app with SMS support to replace mine Pulse (which also got into hands of shady company, so it has now blacklisted updates)

also they are talking about those features for years and introducing nonsense instead bringing basics, heck it took them years to be able to send multiple photos at same time, you had to send it one by one until like 2018, I think that speaks volumes about priorities/skills of Signal devs

While this (Threema) is Open Source, I feel it does not align with the spirit of FOSS.

See the commits here for example: https://github.com/threema-ch/threema-android/commits/main

It's one commit per version. Contributions go to a private email instead of a public mailing list. All development happens in private and pushed to the public in a version bump with no changelog.

So yeah it has an AGPL License (which is good) and meets the minimum of FOSS requirements, but it gives of the feeling that they're following the letter, but not the spirit of FOSS.

I would definitely not use it or push any friend to use it.

That's... strange. Whats even the point of being on GitHub in this case, why not just distribute a source tarball with each release?
it used to be a paid app/service (quite an expensive one) it's only recently been open sourced.

Definitely not "FOSS-first", but it's something.

I paid €0.80 for the app in 2014. Yes, that was a temporary discount, normal price was €2.99, I think. It is €3.99 now, single payment. I still wouldn't call that expensive.
40:- SEK puts it in the top 10% of all iOS Apps.

Its contemporaries are free.

Ergo, it is comparatively expensive.

This is the cathedral style of development which was historically how GNU was developed, so I think it's perfectly in the spirit of Free Software.
I don't think that Signal which is refusing forks or third party clients is any better aligned with the FOSS spirit..

https://github.com/LibreSignal/LibreSignal/issues/37#issueco...

"You're free to use our source code for whatever you would like but you cannot use our servers" and they also refuse alternative servers or federation.

So basically you cannot create any fork or alternative client or make any change without their agreement.

They are very "Apple-like" in a way, "we known what's good for you, so just agree with us and don't try to go outside of what we want".

They also refuse to be on F-Droid for plainly false arguments. F-Droid offers double security : author signature + reproducible builds yet they keep pretending that you cannot sign apks on F-Droid and force you to download a non-externally verified apk on their website

Signal in itself is great but the people behind are not reassuring at all I think.

Threema has no forward secrecy outside of TLS, which is objectively worse than the others provided the comparison is with telegram's secret chats.
I like Threema because it has a business model that sounds viable and doesn't rely on donations or advertisement.

- Paid app for general public (one-time fee)

- Separate "Enterprise" solution (Threema "Work") with paid subscriptions

Didn't Whatsapp start out like that?
No one talks about King VIBER anymore?!
The name of this product, Threema, is going to be a significant detriment to its adoption.
And why would that be?
(comment deleted)
(comment deleted)
This is probably little known outside of Slovakia:

There is an still ongoing huge political and criminal scandal: a shady mafia-like figure (Marian Kocner) has (allegedly) ordered the murder of a journalist. The journalist and his girlfriend were shot and during the investigations Kocners phone(s) were found (or more exactly another shady person gave them to the police). Not only were undeleted Threema messages extracted, but also (allegedly) many deleted Threema communications were succesfully extracted and presented in court.

While Kocner was in that particular case exonerated in first instance (it's now in the Highest Court), the messages were leaked to the press and led to the abdication of the then prime minister (Robert Fico), the loss of the then ruling coalition in the next elections, and now because of those decoded messages, many judges, prosecutors, politicians, policemen etc are locked up and investigated - Marian Kocner directly gave them orders through Threema. The former head of police has even hanged himself in the prison a few days ago (because of a different, but connected, scandal). While this is more about the general state of affairs in Slovakia, it's interesting how the compromised security of an app they thought was "fully" secure has impacted the Slovakian political landscape.

Sources please.
First link: no mention of Threema

Second link: behind paywall

Third link: no mention of Threema

The Threema app was not breached. The "messages" themselves were not "extracted", it was a zip backup and password was most probably known. BTW the accomplice who handed it over had it in his custody for months, so it's weird it was even admitted as evidence.
Those details are not public AFAIK, so we don't know how the prosecutors got the "deleted" messages.
These comparisons speak like Telegram sometimes don't encrypt the messages which is false. It always does, difference it store them on the cloud.
Encryption in transit / at rest are arguably so common that they're not really worth mentioning as a differentiator. Are there any messengers that don't do this? I'd say the qualitative different to E2EE is quite major.
Well yeah you're right. But makes sense Telegram storing them in the servers. You can use the APP without an active Wifi connection thanks to that. Also, you can always choose to chat using end-to-end.
For me a problem is that Threema sounds nice on paper, but it feels unstable and a bit clunky. Worst for me os that the Read/Unread status is not replicated correctly between Threema Web and the iOS app, so I always have unread messages everywhere. This is unrelated to notifications, it is just the chat view that shows that some messages are unread, and the accompanying unread message count on the app icon.
> No address-book access required

> It’s not necessary to grant access to the address book in order to use the service.

This section incorrectly marks WhatsApp with an X, stating that it mandates it. The fact is that WhatsApp can very well be used without giving it access to the contacts or address book. This section should have a yes for all the services in the list.

WhatsApp behaviour without your address book is quite half-baked, perhaps intentionally to pressure you to giving it access.

If you don't grant it access, it won't let you associated any name with messages and conversations. Everything shows up with just its raw phone number, and the list of conversations is a list of raw phone numbers with messages, which makes it hard to know who messages are from.

A long time ago when first installing Whatsapp I tried denying it access to Contacts. It literally didn't work, only showed me white screen with no obvious way to start a chat with someone.
While all these other privacy-respecting messaging alternatives are getting more attention after WhatsApp's updated privacy policy, it would be prudent to note that most casual users will be clicking yes as soon as the new policy pops up.

Sometimes it's not a case of not knowing any better. The convenience of reaching almost any of your contacts directly from WA cannot be understated. This is what Signal & co. are up against. Most old folks won't be switching as WA just works for them.

It also doesn't help matters that data plans from ALL telecoms in my country come with FREE WhatsApp bundles.

I just spoke with someone who clicked "agree" recently to the WhatsApp updated policy, and said they didn't know what they were agreeing to, they just assumed it was one of those numerous minor tweaks to some obscure policy wording.

They didn't really have a choice though, because WhatsApp is now the only way they communicate with a family member, who doesn't have a phone any more.

They both use a Facebook Portal instead.

I think it should be illegal to put users in a position where they are pressured to agree to something without significant effects of agreeing being made clear.

And I think they should be able to return the Portals for a refund when something like this changes on them.

Excuse my ignorance but you've just educated me on the product Facebook portal. I've never been more terrified of a communications gadget. I shudder thinking of how many unaware users are actively giving Facebook their bio data, exact location & whatever info they give to them when they invite FB into their lives like this. Whew!

On policy agreements vis-a-vis user privacy, it is a bit of a conundrum that I don't see the normal consumer winning. WhatsApp/Facebook are doing nothing illegal by giving users these new terms. The major problem with such T&C is that the normal user cannot fully understand the contents of them. I will confess to being one of them. Most of them are written effectively to be nothing but legalese scapegoats. With jargons the average Joe cannot comprehend. This I see is the biggest obstacle to every day privacy & user data protection.

Bonus fact: it's not just Facebook knowingly doing this for profit. Many everyday services which we click & agree yes to are doing so. Someone above just pointed out that sometimes they click yes because they know big tech already have their data or will at some point obtain it, why delay the obvious outcome?

Though this shouldn't mean you cannot feed them fake data at any given point/excuse. Privacy battle is not for those who give up easy.

I click yes to new policy changes in most of the software. It is not possible to read and understand exact details of every forty page long agreement, especially because a lot of information is omitted for legal reasons or masked by a vague formulas. And it is also almost impossible to deny new changes, because it means that you need to stop using a service and most of the time it is required by outside forces, e.g. work or relatives, or a service is a monopoly, either legally monopoly or monopoly in spirit, where alternatives can't be used.

I just assume that all my information is already sold, regardless of the company brand. We lost this war for privacy.

> It also doesn't help matters that data plans from ALL telecoms in my country come with FREE WhatsApp bundles.

Is that a lack of net neutrality? Does your country have laws about it?

Net neutrality is a foreign concept in my land (am in East Africa). There are strong laws governing usage/misuse of internet by users but none on how ISPs can or cannot promote specific (legal) content/services.

Come to think of it. Facebook zero (0.facebook.com) offering users free access to FB was also a thing almost a decade ago and still is a thing today i.e Facebook usage that doesn't count against your data plan.

I presume this to be a commercial deal between Facebook and the carriers here. Given how popular Facebook, and more so, WhatsApp is here.

They forgot to mention one crucial thing - only Signal has an open-source backend.
Can someone make this comparison that doesn't have a biased viewpoint towards these products? This is promotional material, not a fair comparison