Ask HN: Recommendations for a Secure Messaging App?
2 points by BerislavLopac 10 days ago | 7 comments
With Keybase being owned by Zoom now, I'm looking for a good alternative to exchange messages securely. Ideally, I would like to find something that has as many of the following features as possible:

  * strongly encrypted
  * open source
  * distributed, or at least not requiring a hosted service
Any good suggestions?
I don't know your risk profile. I do know that the most experienced security professionals work for nation states and are motivated by patriotism and money and professional pride. Because the stakes are as high as stakes get, they have the biggest budgets too.

Assuming that cryptographic math claims of widely used algorithms are true, as a basic matter of professional competence, these security actors have incentives to compromise implementations. It's tanks against crossbows. At best.

If you are asking, it's probably more like tanks against a reader of books on crossbows. Being clever enough to thwart a lone wolf in a hoodie doesn't scale to actors who can compromise hosted services in ways that the service stays up and the service doesn't discuss the compromise.

When push comes to shove those professionals apply wrenches. All ordinary security is theater. But ordinarily theater is enough and anyway that's all ordinary people can afford. Good luck.


Signal

> not requiring a hosted service

Matrix

Matrix got ripped apart a couple of years ago and there are some questionable aspects: https://securitycryptographywhatever.com/2022/11/02/Matrix-w...

fwiw, the ripping-apart here consisted of some legit implementation vulns in the ~8 year old first-gen clients (which were fixed prior to disclosure, obviously) - and one protocol question: should you warn users if a malicious server adds unauthorised devices/users to a conversation, or should you stop it from being possible in the first place (which is Hard, given it means group membership has to be controlled by the E2EE protocol, rather than the communication signalling protocol).

https://matrix.org/blog/2022/09/28/upgrade-now-to-address-en... has our take on it, fwiw.

Fwiw, I believe Matrix (or possibly an XMPP+OMEMO setup) is the only current solution which fits the requirements of the OP.


Tox
