Recommended private chats and social networks for Whonix

https://www.sciencedirect.com/science/article/pii/S2666281722001287
https://www.sciencedirect.com/science/article/pii/S2666281725000058

These articles also demonstrate that cloud chats have weak forensic protection. Only secret chats offer decent protection against message recovery, but files can still be restored, and secret chats are not available in the desktop client. I added these articles to the wiki (if Patrick approves my changes).

2 Likes

I am not sure forensic protection is a fair criterion.

Which messengers do have anti-forensics?

Then we can also exclude issues on mobile operating systems, Windows and macOS, because Whonix is Linux-based and a mobile version is not in sight at the time of writing. (Whonix Mobile Operating System)

Except, perhaps, if the mobile client is mandatory for sign-up. But then we can already generally recommend against it as per chapter Avoid (Mobile) Phone Verification (Use only with caution).

1 Like

Okay. Then I will only add the first link to the section about MTProto criticism (the article compares encryption protocols and Telegram lags behind its competitors).

I think on this page Phone Number Validation vs User Privacy we should change ‘For this reason alone, alternative options like Gajim, and Tox’ to ‘Simplex, Cwtch, and Gajim / Dino’. I don’t see an edit button on this page. Update it when you have some free time. Thank you.

2 Likes

Actually, I don’t want to maintain different lists of recommendations in different places as recommendations may change over time. Easier to just point at the main documentation.

Therefore, I’ve just now removed:

like [[Chat#Gajim|Gajim]], and [[Chat#Tox|Tox]]

The sentence reads now:

For this reason alone, alternative options should be investigated instead; see Instant Messenger Chat for further information.

It’s reachable from the Super Menu.

Super Menu → Edit.

2 Likes

I made some edits to the wiki on this page based on this forum Messengers in wiki - Website - Kicksecure Forums. I also edited the Signal page, adding information about this issue https://eprint.iacr.org/2021/626.pdf, which is still dangerous for Whonix.

Tomorrow I will edit this table - I will add SimpleX and Cwtch Instant Messenger Chat

1 Like

Done! Patrick, could you please check? Instant Messenger Chat and Send Signal Messages over Tor with Whonix ™ and Whonix Documentation. If I wrote something incorrectly or inaccurately, please correct it.
I got in touch with the lead developer of Simplex to clarify some details for the table. I also noticed that the Cwtch code page is unavailable – I had to use an internet search with reviews.

Additionally, I edited the messengers section in Kicksecure Software Recommendations – I added links to the original websites (you can copy the messenger pages to Kicksecure wiki, and then I’ll replace links).
Thank you!

1 Like

There are a lot of inaccuracies. So review will take time.

Why does OnionShare have no verifiability?

Signed source code?

For example, cwtch git commit 0ff9e507ab04edcb3f7517d790afeb216bc18c6b at time of writing is not signed.

Reproducible builds?

Signed source code and reproducible builds need references. Either own testing or statements from the project website.

Signal:

Wiki History

Serious security issues were also found in the Sesame protocol when using multi-device. https://eprint.iacr.org/2021/626.pdf

Sesame is not anonymity specific? If so, it’s in the wrong wiki chapter.

If security relevant only, belongs into the Kicksecure wiki.


Cryptography specialist Soatok

Not self-referred to as that and not referred to as that by any third party. So we shouldn’t invent this terminology.


cwtch

security audit

Yes, protocol/crypto (Radically Open Security: 2016)

This is later contradicted by:

Not undergone an independent security audit at the time of writing.

Could you please recheck the comparison table and add references?

1 Like
2 Likes

[quote="Patrick, post:47, topic:21561"]
cwtch
[/quote]

Audited protocol/crypto/client: No (It seems you’ve confused it with Dino)

Yes, it’s about message security

For SimpleX:
SimpleX Team’s response:

• Signed application releases
Yes

Yes, for reproducible (or for mandatory signed mobile) binaries. We don’t sign binaries that we can’t reproduce yet and that are built on GitHub.

• Signed source code
Yes

Yes, for release commits

e.g.: Release v6.3.2 · simplex-chat/simplexmq · GitHub or Release v6.3.1 · simplex-chat/simplexmq · GitHub

• Reproducible builds
Reproducible: servers, CLIs for all platforms. Linux Desktop app will be reproducible from the next release.
Not yet: mobile apps, desktop apps for other platforms.

1 Like

I will fix the rest in the wiki and add links. Thanks

1 Like

Patrick, if an XMPP client supports a feature with plugins only, is it a {{Yes}} or a {{No}}? I think {{No}}.

If only some commits are signed, is it a {{Yes}} or a {{No}}?

Section ‘Build’ on GitHub/GitLab?

I will clarify these features with the OnionShare developer. I emailed him.

1 Like

Can use parentheses (with plugin) or separate row.

We need public references for verification (anyone else should be able to check sources).

2 Likes

I asked him for the links (maybe they exist).

I added the links to the sections you requested (releases, commits, build). Please check.

Corrected.

1 Like

Avoid Matrix (shady relations to Amdocs) and avoid Telegram (e.g. Telegram reads your computer model and saves this to your account, among other things; SMS verification required).

Another thing that should be mentioned in the wiki is which messengers enable automatic previews by default and how to disable them in settings. Automatic previews have been used to exploit zero days in iMessage and even private messengers. The other thing about this is that if “Automatic previews” or the equivalent is turned on, any group chats that you are actively in will automatically download the files shared in the chat to your cache. This means that if someone spams something illegal, well, now you have those illegal bytes on your PC.

3 Likes

Link previews are disabled by default in the recommended desktop messengers at the time of writing - none of the links had a preview on my computer.

1 Like

Patrick, I added sections about the messengers Briar and Session - this is now a review of all popular chats on this wiki page. I also added a “message padding” section to the table. And a small change to the Kicksecure wiki Software Recommendations. Please check. Thank you.

1 Like

Padding OMEMO:

XEP-0384: OMEMO Encryption

Mentions padding.

I am not sure if that’s a different kind of padding and if that is enough to say “OMEMO has no padding”?


The table for Dino IM still states

Audited protocol/crypto/client

Yes, protocol/crypto (Radically Open Security: 2016)

I cannot find that. Copy/paste error?


Signed source code:

No/Partially

There’s no need for all git commits to be signed. It’s sufficient if the git head is signed by a developer. Or the availability of signed git tags is even better.

For cwtch (and similar cases) we could just say “no” instead of “partial” unless:

  • git head is signed by a developer by convention; or
  • there are signed git tags; or
  • there are signed source code tarballs

I’ve requested signed git tags from a number of projects in the past. See web search:

site:github.com "adrelanos" "signed git tags"

Maybe something you’d like to look into and send feature requests to projects that don’t sign git tags yet?

3 Likes
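As an added example (not code from the thread, the wiki, or any of the projects discussed), a small Python helper that applies the "signed source code" rules above to a local checkout: it reads git's `%G?` signature code for HEAD and runs `git verify-tag` over each tag, and only one of those two facts turns the cell into a Yes. The sample git output below is constructed; it uses the cwtch commit named earlier in the thread, marked unsigned.

```python
"""Apply the thread's "signed source code" criterion to a git repository."""
import subprocess

# Values of git's %G? placeholder (see git-log(1), PRETTY FORMATS):
# G good, U good but key untrusted, B bad, X/Y expired, R revoked,
# E signature cannot be checked (e.g. missing key), N no signature.
VALID_SIGNATURE = {"G", "U"}


def parse_head_status(log_output: str) -> tuple:
    """Parse one line of `git log -1 --format='%H %G?'` into (commit, code)."""
    commit, code = log_output.strip().split()
    return commit, code


def signed_source_verdict(head_code: str, verified_tags: list) -> str:
    """Wiki cell text: Yes only for a signed HEAD or at least one signed tag.
    Scattered signed commits elsewhere in history do not count."""
    if head_code in VALID_SIGNATURE:
        return "Yes (git HEAD is signed)"
    if verified_tags:
        return "Yes (signed git tags: %s)" % ", ".join(verified_tags)
    return "No"


def check_repository(path: str) -> str:
    """Run the real git commands against a local checkout (needs git + keys)."""
    head = subprocess.run(["git", "-C", path, "log", "-1", "--format=%H %G?"],
                          capture_output=True, text=True, check=True).stdout
    _, head_code = parse_head_status(head)
    tags = subprocess.run(["git", "-C", path, "tag", "--list"],
                          capture_output=True, text=True, check=True).stdout.split()
    # `git verify-tag` exits 0 only when the tag carries a valid signature.
    verified = [t for t in tags if subprocess.run(
        ["git", "-C", path, "verify-tag", t], capture_output=True).returncode == 0]
    return signed_source_verdict(head_code, verified)


# Constructed sample output of `git log -1 --format='%H %G?'`: unsigned HEAD.
SAMPLE_HEAD = "0ff9e507ab04edcb3f7517d790afeb216bc18c6b N\n"

if __name__ == "__main__":
    _, code = parse_head_status(SAMPLE_HEAD)
    print(signed_source_verdict(code, []))          # No
    print(signed_source_verdict("G", []))           # Yes (git HEAD is signed)
    print(signed_source_verdict("N", ["v6.3.2"]))   # Yes (signed git tags: v6.3.2)
```

Anyone reproducing a table entry can publish the `git log -1 --format='%H %G?'` line and the `git verify-tag` results as the public reference the thread asks for.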

This is an audit of Conversations, but it pertains to OMEMO (at that time, many XMPP clients did not exist). Therefore, I specified “protocol/crypto”.

Alright, I will fix it

2 Likes

Done

Maybe later. For now, let’s finish and confirm the ready edits :slightly_smiling_face: I think your idea of referencing source code links is very good, and any user will always be able to study the up-to-date information if this wiki page becomes outdated in a year or two.

And I found information about verifiability in OnionShare - it uses the E2EE authentication of Onion services:

When a user visits a particular onion, they know that the content they are seeing can only come from that particular onion. No impersonation is possible, which is generally not the case.
When the client receives the signed descriptor, they verify the signature of the descriptor using the public key that is encoded in the onion address. This provides the end-to-end authentication security property, since we are now sure that this descriptor could only be produced by that Onion Service and no one else.

And I changed “No risks introduced for hosting an Onion Service” for Cwtch, as it uses its own encryption protocol and uses Tor for transport.

p.s. If you don’t like my phrasing - please change it to more correct text

2 Likes

Tommaso “Tomgag” Gagliardoni
(Feb 18th, 2025) Battle of Instant Messengers: my view on Signal VS Matrix VS XMPP/Jabber VS others.

https://gagliardoni.net/#im_battle_2025

2 Likes