Summary: Simplex Chat uses a bit of battery and doesn’t have a way to visibly see a contact has changed.

  • jet@hackertalks.com
    9 months ago

    English attempt via Google translate:

    without Identifier

    I tested the SimpleX messenger for a few days. I would like to give my impressions below.

    SimpleX can be obtained via the App Store, Google Play, directly from the GitHub project page or your own F-Droid repository. The project only started at the beginning of the year - but is currently in version 4.2.2. SimpleX is promoted as follows:

    The first messenger without user IDs.

    Other apps have user IDs: Signal, Matrix, Session, Briar, Jami, Cwtch, etc. SimpleX does not, not even random numbers. This radically improves your privacy.

    How the messenger works without an identifier and which crypto is used is explained in the white paper.

    For testing purposes, I obtained and installed SimpleX from the GitHub page. There are two ways to get in touch with someone:

    • Create a one-time invitation link/QR code and then send it via another channel such as email
    • Share your own SimpleX contact address (QR code) - this enables multiple use

    I decided to distribute my SimpleX contact address (QR code) via Mastodon. Anyone who scanned this QR code could add me to SimpleX or start a chat with me. Basic functions such as writing messages and sending images/files are implemented. But audio and video calls are also possible. Notifications of new messages occur via a background service that is always active by default. You can also configure this as follows:

    • Runs when the app is open
    • Starts regularly

    Most people will probably leave the default to be notified immediately when new messages arrive. However, this standard setting comes with a disadvantage: battery consumption. This may vary from device to device, but for me the battery consumption was significantly higher than that required by messengers such as Signal, Threema or Element.

    Using the setting Network & Servers, SimpleX can be configured to route all communication over the Tor network. In combination with the missing (unique) identifier and the SimpleX Messaging Protocol (SMP), in my opinion, anonymous use is possible, which makes it difficult or impossible to find out who is in contact with whom using metadata. And yet: unlike Briar, for example, a contact or device does not have to be permanently online to receive a message. These are temporarily held on the SimpleX relay servers until they can be received. By the way, these SimpleX relay servers are federated – anyone can run one.

    In October, Trail of Bits conducted a security audit of SimpleX and published the report in November 2022. The focus of the audit:

    • Does the implementation of the end-to-end encryption protocol comply with the Signal specification?
    • Is the implementation vulnerable to known cryptographic attacks?
    • Is the key material stored and processed in such a way that it is revealed as little as possible?
    • Do the code bases adhere to Haskell programming best practices?

    The result: two moderate and two light vulnerabilities. Except for one moderate vulnerability (Keys are stored in unpinned memory and not cleared after their lifetime), the exploitation of which will soon be made more difficult/prevented by using the secure memory library, all were fixed promptly. However, you should know that the audit had a limited focus and was not a full audit that checked the entire client and server code base including all protocols.

    I find the lack of verification options for chat partners problematic. Sure, you can send an invitation link/QR code to someone via a secure channel. However, it is currently not possible to authenticate your communication partner in SimpleX. If you do not authenticate your counterpart, you can never really be sure whether you are actually exchanging messages with the desired communication partner or possibly with an unknown third party.

    I then contacted the main developer Evgeny Poberezkin directly using the internal SimpleX function "Send questions and ideas" and confronted him with the missing verification option.

    Question:

    Is it possible to validate a contact? Right now you can only send a qr code or link out-of-band.

    Answer:

    Not yet, we have it in the plan for the next several months. I assume you mean passing some other link or code via some other channel (or additional qr code scan) to validate that the first link wasn’t substituted.

    Question:

    Does a user get a notification if another contact's fingerprint changes? Is there anything like a fingerprint at all?

    Answer:

    No, contacts do not have anything that identifies them, and what Signal refers to as »security code / device change« is Double Ratchet re-initialization.

    We then exchanged ideas and chatted about SimpleX’s rating in the messenger matrix. Bottom line: Overall, I think the messenger is good, recommended with reservations; this is due in particular to the lack of verification options for contacts, the high battery consumption, client instabilities and a full audit that is still pending. Work is already underway on all of the points mentioned.

    Overall, SimpleX focuses very much on privacy, as the list under Privacy: technical details and limitations makes clear. Ultimately, everyone has to decide for themselves whether the messenger is an option.