Using SimpleX over XMPP (OMEMO)

Should we consider using SimpleX instead of XMPP with OMEMO encryption, which is the current default and the option preferred by the Whonix documentation?

I found the following statements:

1. Metadata on XMPP chat
XMPP server can see your digital identity like your public key (this is important for the comparison); who is communicating with whom; when one is communicating (the precise timeframe); for how long the session goes; login-logout times; whole social graph; size of the messages; packet patterns; the encryption is quantum-nonresistant.

2. MITM attack XMPP chat
The XMPP server can act as a Man In The Middle and, if the attack is successful, the server can read the messages of the communicating parties in plain text, unencrypted. The only protection is to check the fingerprints of the communicating parties through a separate secure channel.

Advantages of SimpleX over XMPP

  • basically no metadata leaking to the servers
  • there are no identities, not even random numbers; servers don’t have any way to identify a “user” because there are no “users” to spy on
  • multilayer connection padding where every message has the same size (this even improves on Tor), frustrating the adversarial message size attack. Servers and network observers cannot distinguish between messages - all messages have precisely the same size.
  • all messages are mixed, so the order in which they were received is not the same order they were sent out (this even improves on Tor), frustrating the correlation attacks
  • SimpleX uses quantum-resistant NTRU as a very robust encapsulation mechanism combining the standard encryption with the PQC, battle-proven in the wild for many years, instead of the KEM that seems to be sensitive to some attacks because it is based on lattices
  • you can have a unique connection to each of your contacts with the Incognito mode functionality, in a single app, using completely different channels and servers (that don’t see shit) for every contact
  • it is MITM resistant, no need to manually prove anything
  • e2ee voice messages, voice calls, video calls
  • it has not only PFS but also the BIR (Break In Recovery) feature
  • it has Unidirectional Message Queues, which frustrate the adversary's analysis of packet direction flows
  • no need to check the fingerprint manually through a different secure channel - MITM is not possible
  • no identity to spy on, not even temporary numbers
  • every single contact can be connected to you through a different channel - no social graph building possible
  • message padding - no size analysis possible
  • message mixing - all deanon attacks related to the order of the messages are dead. This even improves Tor anonymity.
  • PQ encryption for 10+ years of information protection lifetime

I could not find information about OMEMO and post-quantum security.

SimpleX does sound interesting on paper but how is the client situation on desktop? A preliminary glance in the past did not exactly impress me.

SimpleX’s user interface on desktop sucks right now. It is quite minimal, spartan, and also ugly (the UI elements are disproportionate, and the look and feel is very Apple-ish, for whatever reason). However, the chat functionality works without a problem.

That is unfortunate. However, considering SimpleX seems rather solid from a technical perspective, I hope others will see the merits and hopefully there will eventually be a better client built on memory-safe primitives.

I saw a recent Mental Outlaw video on SimpleX (https://youtu.be/0cRu98XSap0) (Invidious: http://inv.nadekonw7plitnjuawu6ytjsl7jlglk2t6pyq6eftptmiv3dvqndwvyd.onion/watch?v=0cRu98XSap0). It looks interesting. However, it looks like it connects people via onion addresses. If used in Whonix, would that cause a Tor-over-Tor situation?

I believe that OnionShare used to be included in Whonix by default (I saw a different YouTube video with it included by default on an earlier version of Whonix). However, it does not appear to be so anymore. I do not know if it was causing a Tor-over-Tor situation or a stream isolation issue or something. But I presume the same could be the case for SimpleX.

Edit: I looked at the documentation at http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/OnionShare, and I guess you can use it just fine in Whonix as long as you configure it correctly.