SimpleX Chat(simplex.chat)
22 pointsby Cider99865 hours ago7 comments
  • uniq75 hours ago
    It is a red flag that in the "SimpleX Roadmap to Free Internet" section they refer to 2024 as "Now" and they explain their expansion plans for 2025 as something in the future. It is weird that this is in the home page of their official web site.
  • embedding-shape4 hours ago
    > World's Most Secure Messaging

    Very strong claim, and the link takes you to https://simplex.chat/messaging/ which again has a lot of strong claims, but where is the evidence of this? Where is the evidence of this being "more secure" (for who? For what threats?) than say Signal or even Telegram or Whatsapp? Signal themselves provide evidence of their claims, where are SimpleX providing their evidence?

    • Cider9986an hour ago
      >Where is the evidence of this being "more secure" (for who? For what threats?) than say Signal or even Telegram or Whatsapp?

      the threat model is on this page. https://simplex.chat/security/.

      > where are SimpleX providing their evidence

      There have been two security audits and a third is coming this year.

  • jryio4 hours ago
    It's exhausting to make this comment every time... but here we go.

    Key revocation is table stakes for secure messaging. I need a trusted way to relay that my contact's key has been revoked and I should stop trusting it.

    Neither P2P, TLS, client-server, or any choice of key curve gives you this. Read the whitepaper, no mention of revocation. Correct me if I missed something.

    • lxgr4 hours ago
      I feel like key revocation is usually solved via key replacement in most secure instant messengers.

      Every implementation that I know (which does not include SimpleX) offers some way to recover from complete key loss, at which point other parties receive a "the key for this contact has changed" notification, and that new key is then untrusted by default until verified out-of-band. (This does trust the server operators to not censor your re-registration, but that seems no different from most other centralized revocation mechanisms.)

      Do you have a scenario in mind where this would not be sufficient?

    • ranger_danger4 hours ago
      Can't this be accomplished with a CRL for client-side certificates?
  • john_strinlai5 hours ago
    >World's Most Secure Messaging

    immediate eye roll. marketing thinks it is doing a favor here, but for anyone who really cares, this is just produces sighs.

    https://simplex.chat/security/ at least has Trail of Bits audits from 2022 & 2024. but then they say "We are planning implementation security assessment in early 2025." which is not linked, so it is unclear if it was never done or the security page has not been updated in a year.

    either case is bad.

    >To hide your IP address from the servers, you can connect to SimpleX servers via Tor.

    thats one hell of a caveat to sneak into the last sentence of a "learn more" popup

    >"SimpleX has no identifiers assigned to the users -- not even random numbers"

    which is later revealed to be pairwise pseudonymous identifiers. oh, and apparently your ip address, unless you use tor.

  • thisisauserid5 hours ago
    I heard that Simplex-2 will go even more viral.
  • rickcarlino4 hours ago
    I’ve been using SimpleX for a small circle of friends and it has been pretty easy to use. I am surprised it has not seen wider adoption. Writing scripts for it is also straightforward.
    • lxgr4 hours ago
      I tried to figure out its identity model and failed, and I consider myself somewhat familiar with encrypted IM protocols. How should non-technical users ever figure this out?

      And if they don't need to, and it just works as a regular encrypted messenger: Why should somebody use this over any of the many alternatives?

      Other than that, its "advantages" page looks highly disingenuous, e.g. by describing Signal as "Possibility of MITM: Yes", but itself as "No - Secure", with a footnote of "Verify security code to mitigate attack on out-of-band channel". How is that different from verifying a Signal verification code!?

      • ranger_danger4 hours ago
        > Why should somebody use this over any of the many alternatives?

        - no phone number

        - no account

        - p2p via onion routing and public relay servers

        - public and private file sharing systems via XFTP

  • jayd165 hours ago
    Can you chat in both directions or is simplex uni-directional?
    • ranger_danger4 hours ago
      How does one have a unidirectional chat?
    • 4 hours ago
      undefined