I wish the definitions were spelled out. It says Signal isn't "anonymous", which I assume means "uses a phone number to find peers". And it has the usual feature matrix problem: sure XMPP "does E2E". But what does that mean? It supports S/MIME. Do you want S/MIME? (You don't.) It supports OTR, TS and SCIMP too: but you need to be an expert in messaging schemes to understand how those are different. None of them implement double ratchets. None of them implement even close to the privacy features Signal has implemented. But on this diagram it is clearly better because there is more green and less red.
Another example: "open server" and "on-premise" says nothing about whether or not you really want to run one of those instances. It just says that hypothetically one could.
In terms of errors: the linked "E2E audit" for Telegram did not audit E2E at all, and in fact only cites sources saying that it's probably fucked. Wire has a real audit that isn't listed. WhatsApp uses Signal, just with fewer of the.
Use WhatsApp to talk to normal people. Use Signal for nerds, and... probably Matrix for group collab? Or maybe stop caring about secure messages for group collab so much :-)
Please make comments on individual cells for improvements to be seen/added more easily. This is obviously a big research undertaking that got thrown together last weekend :)
> Another example: "open server" and "on-premise" says nothing about whether or not you really want to run one of those instances. It just says that hypothetically one could.
I know a number of people that run matrix.org servers for personal use and companies. The entire French government runs on riot.im/matrix.org.
When security and really privacy matters, you don't want a third party being able to push updates to your clients/servers at any time without warning.
> None of them implement even close to the privacy features Signal has implemented. But on this diagram it is clearly better because there is more green and less red.
What features specifically? Happy to add more columns if signal really has anything unique to offer here.
The things Signal gets red marks on are pretty fair though imo, and things others do better.
> Use WhatsApp to talk to normal people.
I think you will find many options above WhatsApp on the list in terms of security and privacy that have clients that are every bit as simple to use.
Other than their (very) effective marketing advantage, -why- would you encourage people towards these respective walled gardens instead of more open alternatives listed?
Your points are valid but you didn't mention that OMEMO [1] implements Double Ratchet for XMPP. You can find a list of clients which support OMEMO on https://omemo.top
Requiring a phone number means you have to disclose your identity (in many countries, for example in Russia) and your physical location (everywhere). This is the opposite to privacy and anonymity.
Imagine, one of your contacts is captured; attackers get his contact list that includes you; then they get your phone number from Signal; then they get your location and put you to all kinds of black lists, extremists lists, no fly lists, watch lists and so on.
Signal is nothing better than Telegram. They should be on the same position.
Typo correction, but I can no longer edit: WhatsApp uses the Signal protocol, just with fewer of the privacy tweaks in the implementation. The criteria don't seem to consider those. They're important, but the two should be equivalent.
Signal using phone numbers is almost as anti-anonymous as you can possibly get. A phone number leaks nearly everything about you to anyone who has access to the right data sources. Most people would be more anonymous providing an SSN than a phone number in practice.
That's always a problem with comparison charts when used to survey the field. The flip side is if they compare a bunch of features you don't care about at all, there's a bunch of red on some which makes no difference to you in real life, but now you either need to know what each esoteric feature means so you can ignore it, or just accept that the one with more red is probably worse and avoid it, even if overall it's a better fit for your needs. The extreme ends of this are simple charts where someone just tells you "good" or "bad" on one end, or pointlessly complex ones where someone adds bullshit fields like "experienced developers" or something like it.
I'm not sure what the solution is, besides much more interactive and thorough presentation of features in a way that allows classification of how advanced they are or likely you are to need them, but that's a lot of work. Until then, a comparison like this will always suffer from rarely matching exactly what the reader is looking for. They do work well as quick references though.
> Use WhatsApp to talk to normal people. Use Signal for nerds.
This has been my go-to advice for a while now too! The key driving point is that amazing crypto is 100% useless if the person you're talking to doesn't use it, or uses it incorrectly.
The only sticking point with the above advice is the nerds who think they understand crypto but don't and insist on you using some crazy app :/
As there's pretty obvious bias showing in the values, some methodology would be good to accompany this sheet.
e.g.
- Telegram: E2E Private: TRUE
- WhatsApp: E2E Private: CLAIMED
These are either both "true", or both "claimed". Pick one.
In particular, what's the definition of the "Open Spec" column? Signal's GPL spec gets a FALSE here so I'm presuming the definition is something along the lines of "Spec produced by one of a group of arbitrarily approved bodies of which Open Whisper is not a member"
There is no mention of Mumble (client) or Murmur (server). [1] From a privacy perspective, I find it superior to everything else. End-to-end voice encryption with PFS. As much or little server logging as you wish. Super easy to set up and scales to large numbers of people. I have a few of them running on VM's with 1GB ram. Only downside for me: It is not as happy-clicky (frictionless) as discord, yet.
Authentication can be tied into 3rd party apps (LDAP, phpBB, etc) but I have not tested this yet. [2]
If you try it, use their latest snapshot for server and client. Incredible sound quality. Nice UI/UX experience. Decent support for game overlays. Very low CPU usage.
Well, that is a protocol comparison. A client comparison would be much closer to the real world user experience. Don't get me wrong, I am a huge fan (and daily user) of XMPP, but the best protocol will not be of any use if the clients are too complicated or buggy to use.
So yes, XMPP supports audio and video calls but finding two different clients which work on the first try together can be a challenge. Sometimes I wish there would be some compatibility XEP which defines a common set of supported XEPs including a test suite to run it against.
We have the XMPP Compliance Suites 2018[0] providing an overview of protocol-level specifications that a modern client or server should implement, and there was recently a nice article[1] for some example use cases.
What is still missing is everything above the wire protocol level. The XSF, being the XMPP Standards Foundation, is guarding the protocols, and things like UX and client interoperability are considered as off-scope. However, there are people interested in these topics as well looking for fresh collaborators.
Funny how that works isn't it. Let's start out with Electron so we can get our new app on all platforms quickly, we'll build a proper native UX when we can afford to >> company grows and grows >> yeah, so screw UX, where are our customers going to go instead? Hipchat? lol, let's buy them instead.
Indeed, and for "compatibility" it doesn't really say anything about the quality of the software for that system. Signal, for example, doesn't have a native iOS app and it shows.
It's funny and sad that XMPP hits almost all of the points, has been around since 1999 and yet every year someone reinvents the wheel and makes another messenger system. There are what, about 60+ by now.
Granted XMPP is not a messenger it's a protocol and a bunch of standards but still it's hard not to laugh.
For me, the problem is how incredibly slow Riot is (and every other client I've tried has almost unusable bad UI, sometimes in combination with being slow).
IMO: Text chat with a few emojis and images here and there should not ever be among the things that slows your computer to a crawl.
EDIT: I'm speaking of the UI, not the network connection; the latter is sometimes slow too, but that's understandable
I won't argue any of your UI opinions other than to say that riot - which is only one of the many possible clients [1] over the matrix protocol - is still in early days, and is getting better with each version. That being said, as far as having to remember everyone's matrix id, I'm sure users had similar complaints back when email addresses were still novel. I'm sure conceptual address books will be a thing in future matrix clients - both riot as well as others. Failing that, you can always submit a feature request! [2]
Yes. I think it's brilliant but the UI/UX needs a big update. Also from a techie point of view it's cool but from a normal user, there are too many options in group chats. Esp when people change phones etc.
Not just the UI but it's still rough around the edges in some cases. I ran into a couple bugs, I realize now I shoulda reported / researched further into, but my use for it is minimalist.
Are there any good XMPP clients that provide a "modern" messenger experience? For example seamlessly switching between online/offline mode, built in audio and video calls, sharing photos/videos.
A missing column among the Features is if a system allows automation (chatbots or other). Notable examples: Telegram and FB Messenger do, WhatsApp doesn't (there are workarounds but they're mostly against the Terms of Service.)
XMPP is a protocol meant for building chat services; some of these others are chat services themselves so eg. it doesn't make sense to say that XMPP is not e2e by default (of course it's not, it's a protocol which may or may not be used to build an e2e encrypted chat service). Maybe that should be changed to "Jabber" which is what a lot of people call the public, federated network of servers built on XMPP these days? (The term has all sorts of other historical baggage and some people use XMPP/Jabber as synonyms, but mostly I think people use Jabber to refer to the public network these days and XMPP to the protocol, rather like email and SMTP).
There still isn't a popular messaging and voice call platform that supports private end-to-end encryption by default. How terrible is this? I mean it would be so trivial to establish a secure and private communications standard. Europe and North America have a population of almost a billion people combined. If 500 million of those live in first-world conditions and only 1% cares about privacy, with $1/year worth of giving a fuck we could have a budget of $5M/year, or close to 50 top notch developers to pull this off. Obviously a lot more could be spent, but even with this minuscule spending we could still have a viable, standardized alternative to Facebook and Google.
We literally had better privacy when we had analog phone lines that anyone could tap into. That's just terrible.
WhatsApp does but the author of this sheet has chosen to list it as "claimed", despite other also-unverified clients like Telegram getting a "true" for their (non-default) e2e support.
FWIW I believe Riot/Matrix are planning e2e by default as soon as their implementation stabilises. Theirs is more complex/powerful than WhatsApp's though since they have multidevice support (which WhatsApp lacks). They've avoided making it default so far due to bad UX and the possibility of losing access to conversations across devices, but it's improving rapidly.
There is no way that an open IM platform will be able to guarantee E2E by default on all clients simply because someone/somewhere will produce a client that doesn't or doesn't do it properly. It is probably better to start with the E2E encryption system (in my example OMEMO) and then see where you can get it.
What do you mean by “private” so as not to have WhatsApp and iMessage fit this description? Because as far as I understand, they do. Especially the telephone lines bit; iMessage and WhatsApp offer more privacy than telephone lines did, already at the operator level, but definitely at the tapping level.
Someone will correct me if I'm wrong but I believe Apple Messages are end to end encrypted by default. I'm not sure if FaceTime audio/video is encrypted.
With categories emphasizing security, open standards, and audited code, I'm surprised SpiderOak's Semaphor isn't on this list: https://spideroak.com/semaphor/
lvh | 7 years ago
lrvick | 7 years ago
arendtio | 7 years ago
[1] https://en.wikipedia.org/wiki/OMEMO
codedokode | 7 years ago
lvh | 7 years ago
lawnchair_larry | 7 years ago
kbenson | 7 years ago
Boulth | 7 years ago
Could you provide your source? I've never seen S/MIME used in XMPP. Client certificates for authentication sure but not for E2E security.
> It supports OTR, TS and SCIMP too: but you need to be an expert in messaging schemes to understand how those are different.
OTR is being rolled back from clients in favor of OMEMO for good reasons: https://conversations.im/omemo/
gaff33 | 7 years ago
lrvick | 7 years ago
Fixed
the_clarence | 7 years ago
lucideer | 7 years ago
cbg0 | 7 years ago
> Not possible to verify as application is closed source. Maintainer could compromise security at any time without detection.
I think it's useful to have this differentiation, even though technically you could say E2E is TRUE for both of these.
LinuxBender | 7 years ago
[1] - https://wiki.mumble.info/wiki/Main_Page
[2] - https://wiki.mumble.info/wiki/3rd_Party_Applications#Authent...
arendtio | 7 years ago
ge0rg | 7 years ago
[0] https://xmpp.org/extensions/xep-0387.html
[1] https://www.erlang-solutions.com/blog/21-xmpp-use-cases-and-...
pmlnr | 7 years ago
I'm getting so tired of this. Real world user experience is that the constantly changing interfaces are driving everyone mad.
Stick to a thing and let people learn it.
giancarlostoro | 7 years ago
otabdeveloper1 | 7 years ago
(Yeah Slack, I'm looking at you.)
rvanmil | 7 years ago
toxik | 7 years ago
rdtsc | 7 years ago
proaralyst | 7 years ago
Part of the problem is the inability to assign nicknames to contacts, so you have to remember everyone's Matrix ID.
electrograv | 7 years ago
mxuribe | 7 years ago
[1] https://matrix.org/docs/projects/clients-matrix
[2] https://github.com/vector-im/riot-web
secfirstmd | 7 years ago
giancarlostoro | 7 years ago
mahemm | 7 years ago
fyfy18 | 7 years ago
Zash | 7 years ago
pmlnr | 7 years ago
Android (no audio/video): https://conversations.im/
Web: https://conversejs.org/
Web with extras: https://movim.eu/
Desktop (Mac): https://adium.im/
Desktop (Win): https://gajim.org/ (not sure about this)
Desktop (Linux): http://pidgin.im/ (needs extras: https://petermolnar.net/instant-messenger-hell/#extra-plugin... )
maufl | 7 years ago
CiPHPerCoder | 7 years ago
What https://signal.org/blog/the-new-textsecure/
swiftcoder | 7 years ago
akareilly | 7 years ago
The EFF doesn't do recommendations for all users - whether a messenger works for someone depends on their threat model. https://www.eff.org/deeplinks/2018/03/why-we-cant-give-you-r...
pmontra | 7 years ago
SamWhited | 7 years ago
turdnagel | 7 years ago
John_KZ | 7 years ago
lucideer | 7 years ago
enitihas | 7 years ago
stephen_g | 7 years ago
upofadown | 7 years ago
* https://omemo.top/
nothrabannosir | 7 years ago
Anonymous account creation? Open source? Audited?
__david__ | 7 years ago
Peskier | 7 years ago
oropolo | 7 years ago
nolok | 7 years ago
Because LINE claims to support E2E by default ("Letter Sealing"), but only one of those two listings says "claimed" (the other says false).
bootlooped | 7 years ago
https://www.pcworld.com/article/2856452/kakao-talk-adds-secr...
https://techcrunch.com/2014/12/07/chat-app-kakao-talk-begins...
tanderson92 | 7 years ago