Recommended private chats and social networks for Whonix

Patrick, I added a section Self-destruct passcode to the table - a false code for complete account and database destruction. I found this function only in Simplex and Briar.
This is the final change - the page has become more than informative. I will wait for your review and decision. Thank you

P.S. After the last update, Telegram sends the user’s personal data to the interlocutor in the chat: registration date, region of the phone number, common groups, and any changes to the name and avatar (if they have been changed in the past 30 days). I added this to the Telegram wiki.

3 Likes

Patrick, is everything okay? Should I send additional information or are you still reviewing my changes in the wiki?

1 Like

It’s in review queue. Meaning I didn’t find time for this yet.

2 Likes

Thank you :pray:

1 Like

Thank you!


Added a new column for Quantum resistance but only as a placeholder. If you like you can fill these out with references.

Message padding
OnionShare
No

Might be wrong because Tor itself uses padding already so OnionShare doesn’t have to do that since it is using Tor?

Reset to ? for now so the page edit can be accepted earlier.


! <!-- feature --> Signed application releases
<!-- <del>Dino IM</del> --> <!-- <ins>SimpleX</ins> --> <ins>{{Yes}}<ref></ins>
*https://github.com/simplex-chat/simplex-chat/releases

The reference does not back that up. SHA sums aren’t signed releases. Only OpenPGP, signify, codecrypt or similar would be considered signed.

Please test actual release digital signature verification before claiming it’s supported.

If you never verified digital signatures, you cannot really judge if it’s provided or not.

Please recheck / fix or set to ?.

Same for signed source code. The “verified” badge on GitHub can look nice but be nonsensical. When you click it:

This commit was created on GitHub.com and signed with GitHub’s verified signature.

That’s not a “real” signature. It is considered real if developers create their own keys and use them to sign git commits. Here also, please verify git commits before claiming they’re signed.

If signed by GitHub, that’s beside the point.


Why don’t Gajim and dino-im support multiple devices? Since it’s XMPP, multiple device usage is trivial, no?

How does OnionShare support multiple devices?


Gajim supports voice messages?


** Telegram sends the user’s personal data to the interlocutor to the chat: registration date, region of the phone number, common groups, and any changes to the name and avatar (if it have been changed in the past 30 days).

Please specify it’s “only” month and year. Not “date”.

Common groups and changes to name/avatar need a reference.


Offline Messages / Backlog

Why do XMPP-based clients get “no”? If the conversation partner is offline, the server will still deliver the message. The sender can send a message and go offline. The recipient will receive it from the servers as soon as the receiver goes online. This feature often does not exist in serverless (decentralized, without a server) networks.


Audited protocol/crypto/client

Confusing. We’re comparing clients. So the client should be audited. If the client wasn’t audited, that’s a disadvantage.

The protocol/crypto can be amazing but the client might in theory have implemented it wrong.

So this needs either different columns (for protocol / crypto / client) or a different table. Different columns probably preferable.

Could you also please add the references to the audits as they aren’t trivially found?

2 Likes

I thought that meant support for desktop and mobile versions.

Oh, sorry - I installed it in a Debian testing container, and that feature is available there.

I see what you mean, alright, I will fix

2 Likes

2 Likes

If it’s in testing, I guess it’s alright to mention it. (Useful to have a comment or footnote pointing out “Available since Debian trixie.”)

2 Likes

Sorry to distract you, I am a newbie to this. Is this release considered signed? Simplex signs every stable release Release v6.3.3 · simplex-chat/simplex-chat · GitHub
The GitHub release build is independently reproduced by:

2 Likes

Potentially, yes. But could be buggy. [1]

So actual digital signature verification is required. It’s not a checkbox.

“Signed”, green checkbox, cool feature .

Not like that. It’s only something that one can benefit from if it is performed.

For background, here are digital signature verification instructions for Whonix:

Other projects often don’t have elaborate instructions for that. But might be providing digital signatures.


https://github.com/simplex-chat/simplex-chat/releases/download/v6.3.3/_sha256sums contains only 2 files

6992ce948022a3f7f9f2ce5fabffe0a9057c4ec638029676ef91df2acad4fb59  v6.3.3/simplex-chat-ubuntu-22_04-x86-64
03e8fac6c7ad98b08ce08f0dc406f8523e4b4c6ed852f41e0273557ec52ef513  v6.3.3/simplex-chat-ubuntu-24_04-x86-64

So it cannot be used to verify all their different release files for that version.

2 Likes
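The coverage gap described in the post above, as an added example that is not part of the original posts or of any project's tooling: it audits a directory of downloaded release files against a `sha256sum`-style manifest and reports files the manifest does not cover. File names, version prefix and contents are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

def parse_manifest(text):
    """Parse sha256sum-style lines ('<hex>  <path>') into {basename: digest}."""
    entries = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            continue  # skip blank or malformed lines
        # sha256sum marks binary mode with a leading '*'; drop any directory prefix
        name = Path(parts[1].strip().lstrip("*")).name
        entries[name] = parts[0].lower()
    return entries

def audit_release(manifest_text, release_dir):
    """Classify every downloaded file as ok, mismatch or unlisted."""
    listed = parse_manifest(manifest_text)
    report = {"ok": [], "mismatch": [], "unlisted": [], "missing": []}
    present = set()
    for path in sorted(Path(release_dir).iterdir()):
        present.add(path.name)
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        if path.name not in listed:
            report["unlisted"].append(path.name)  # manifest says nothing about it
        elif digest == listed[path.name]:
            report["ok"].append(path.name)
        else:
            report["mismatch"].append(path.name)
    report["missing"] = sorted(set(listed) - present)
    return report

def demo():
    """Constructed sample: three assets, manifest lists two (one does not match)."""
    with tempfile.TemporaryDirectory() as tmp:
        files = {"app-cli-x86-64": b"cli", "app-desktop.deb": b"deb", "app.apk": b"apk"}
        for name, data in files.items():
            (Path(tmp) / name).write_bytes(data)
        manifest = "\n".join([
            f"{hashlib.sha256(b'cli').hexdigest()}  v0.0.0/app-cli-x86-64",
            f"{hashlib.sha256(b'tampered').hexdigest()}  v0.0.0/app-desktop.deb",
        ])
        return audit_release(manifest, tmp)

if __name__ == "__main__":
    print(demo())
```

An `ok` result only shows that a file matches the manifest; whether the manifest itself is authentic still depends on verifying a digital signature over it.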

Okay. I will leave ‘?’ and links to the releases and commits so that one can study the current versions for the presence of the key.
The other functions have been fixed - I tested it on Whonix and Kicksecure.
Please check

P.S. Comments on Cwtch - accounts have different IDs if they are created with the same data on different devices. But you can use multiple devices by exporting the account - the account on two devices was online and had the same ID

2 Likes

Edit accepted.

Thank you!

2 Likes

Thank you! I am happy to be helpful. I greatly appreciate your work!

3 Likes

I have edited Matrix section: added FS issue, metadata leak problem and server security issues https://eprint.iacr.org/2023/485.pdf

We presented six attacks that together invalidated the fundamental security promises made by Matrix’ end-to-end encryption against a malicious server. In particular, the version of Matrix as implemented in Element and analysed here neither provided confidentiality nor authentication against such an attacker.

And edited all the logos to a uniform style. Now, the Simplex and OnionShare logos do not encroach on adjacent sections in the wiki. Patrick, please upload the Cwtch logo Instant Messenger Chat. I do not have the necessary permissions to upload images. Thank you

1 Like

This forum has opened my eyes to many things. I was foolish to use telegram and matrix. Patrick and Nani, thank you for the fantastic work. Whonix wiki is very interesting

3 Likes

:slightly_smiling_face: :slightly_smiling_face: :slightly_smiling_face:

5 Likes

Thanks for the meme! :fire:

Might need to expand that meme…

1 Like

Patrick, I added the lack of reproducible builds for the client and Absence of digital software signatures in the ‘disadvantages’ section on the simplex page.

I can also clarify the relevance of this with the Simplex team. And with other messengers. I’m not quite sure how to determine this - the presence of a build? Or code signing and releases? (It seems that Simplex has release signing), Is this information published in some section of github or can it only be known by indirect signs or from the developers?

I added a new section to the table - Local builds on developer controlled machine (not using cloud infrastructure for builds)

1 Like

Thank you.

Unfortunately, there’s no way to know this from the outside. It’s an implicit assumption, especially for security software. This can only be known based on statements by the project itself and cannot be independently verified.

1 Like

Okay. The Simplex team stated that verified builds for Linux desktop will appear in the next release. They are actively working on this now. They have already added reproducible builds for servers. Maybe we can wait for the release and then add a new section to the table? Otherwise, I can clarify this with the developers of other messengers, and they might hide the real information - since this can’t be verified. But if Simplex adds reproducible builds in the new release, then the section will have to be removed from the table. This can be left only on the Simplex page for now. It would be strange if a section with unverified information, written solely based on the developer’s words, appears in the table.

I also added information about the danger of connecting Signal through a mobile client (even if they replace the phone number with an email)

2 Likes