Online communication is one of the most ubiquitous activities on the internet. From newsletters and corporate emails down to instant messaging with friends, its spread cannot be denied. With such wide reach, it would seem very important to protect these communication channels, yet this is almost an afterthought for most mainstream messengers. Platforms with millions of users market their services with the latest buzzwords yet keep their protocols closed-source, leaving users with a "trust me bro". With so many options to choose from, how can we best decide which app to use? In this article we'll compare a few options (Telegram, Signal and SimpleX) to see how their technical details stack up and determine which is best for easy private chats.
Telegram is a very popular messaging app that boasts close to 1 billion active users worldwide. With support for massive chatrooms, Telegram is almost more akin to social media than to a traditional messaging app. Many companies offer news, updates, and support through their official Telegram channels, making it a very convenient place for users to stay up to date with various interests. Due to its strong stance on free speech, Telegram built a reputation for not cooperating with law enforcement investigations. However, after the arrest of CEO Pavel Durov, in part relating to Telegram's refusal to hand over user data in response to lawful orders, Telegram changed their privacy policy to say they may share user phone numbers and IP addresses, and indeed have done so. Telegram supports E2EE but this is not enabled by default, which is probably its most significant drawback.
Signal is a champion for user freedom and its state-of-the-art security is the foundation upon which other chat applications are built. Signal is very intuitive to use, supporting all of the usual text/image/voice/video/etc. features that users expect. Unlike Telegram, Signal is E2EE by default and the only information it knows about users is their phone number and time of registration. Numerous court orders have solidified how Signal has nothing else to hand over to law enforcement. The phone number requirement for SMS verification, while concretely a drawback if not acquired anonymously, is an intentional decision for Signal's target audience (normies), as everyday users can be notified if other stored contacts join Signal.
SimpleX is a relative newcomer on the scene and has a unique angle in that there are no user identifiers of any kind. As such, users can create unlimited profiles (and even hidden profiles to improve plausible deniability) and connect with others anonymously. Unlike Signal, SimpleX supports native onion routing as well as the ability to self-host servers. Because of its default E2EE, servers are not able to see message contents, and self-hosted servers can be shared with others, contributing to decentralization and thus making SimpleX more resilient. SimpleX's founder, in an interview, implied that SimpleX sees no information about its users, but since it is new, it remains to be seen how they would respond to actual court orders. SimpleX has received some criticism for its reliance on Venture Capital to establish itself while it works to develop a business model.
A comparison from privacyspreadsheet.com has a breakdown of all the technical details.
When selecting a messaging app, certain OPSEC criteria should be considered.
Privacy:
1. The application is free and open source (FOSS).
2. The application is end-to-end-encrypted by default (E2EE).
3. The application allows self-hosting our own servers (Decentralization).
Anonymity:
1. The application supports Tor servers out of the box (Onion Routing).
2. The application requires no sign-up information (Emails, Usernames, Phone Numbers).
3. The application allows joining chatrooms without revealing our identity (Incognito Mode).
Deniability:
1. The application allows disappearing messages (Plausible Deniability).
2. The application allows creation/deletion of multiple profiles (Plausible Deniability).
3. The application allows hidden profiles (Plausible Deniability).
From the above comparison, we can see that only SimpleX meets all of the criteria. While we only focus on Privacy in this article, it doesn't hurt to have the other benefits of Anonymity and Plausible Deniability.
To start using SimpleX, we will start by installing it from F-Droid. Search for the app and then click Install. Navigate through the setup process, choose a username and click Create your profile.
With your profile complete, it's time to create a private group chat. Click on the pencil icon at the bottom of the screen and select Create group. Give your group a name and click Create group. Finally, skip inviting members for now.
Click on the group name to see some options. Click on Create group link. Finally, share the group link with your friends out-of-band.
Once your friends connect, you can start messaging.
Out of the box, SimpleX works perfectly fine. However, more advanced users may wish to tweak a few settings or self-host their own servers.
1. A VPS running Debian 12 (or Ubuntu 22.04)
2. A domain name (or subdomain)
To start, we will need a domain name. A subdomain such as a free one obtained from https://freedns.afraid.org will also work. Create A record entries for smp.yourdomain.tld and xftp.yourdomain.tld and point them at the IP address of your VPS.
We will SSH into our VPS and set up our environment.
~ ❯ torsocks ssh root@145.223.79.150
The authenticity of host '145.223.79.150 (145.223.79.150)' can't be established.
ED25519 key fingerprint is SHA256:AGZHyLpidaSu+ZE3cLFZ3KWxQq3Mx9rDH+HLVNF/okc.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '145.223.79.150' (ED25519) to the list of known hosts.
root@145.223.79.150's password:
Linux srv636770 6.1.0-26-cloud-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.112-1 (2024-09-30) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Nov 20 21:05:02 2024 from 185.220.101.103
root@srv636770:~#
Once connected, we will follow the official instructions to install Docker. Run:
# Add Docker's official GPG key:
apt update
apt install -y ca-certificates curl gnupg openssl vim
install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
chmod a+r /etc/apt/keyrings/docker.gpg
# Add the repository to Apt sources:
echo \
"deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian \
"$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | \
tee /etc/apt/sources.list.d/docker.list > /dev/null
apt update
With the Docker apt repositories out of the way, install the Docker packages:
apt install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
OPTIONAL: You can test that everything is working up to this point by deploying a test container to see some output. Run:
docker run hello-world
We will now set up a docker-compose.yml file with all the build instructions:
vim docker-compose.yml
Copy/paste the following and change the ADDR fields to your domain.
HINT: It's p to paste in vim, then ESC :wq to write changes and quit the file.
networks:
  simplex:

services:
  simplex-smp-server:
    image: simplexchat/smp-server:v6.0.6
    container_name: simplex-smp
    restart: unless-stopped
    ports:
      - "5223:5223"
    volumes:
      - ./simplex/smp/config:/etc/opt/simplex:Z
      - ./simplex/smp/logs:/var/opt/simplex:Z
    environment:
      - ADDR=smp.xmronly.us.to
#      - PASS=${SIMPLEX_PASSWORD} #for non public servers
    networks:
      - simplex
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL

  simplex-xftp-server:
    image: simplexchat/xftp-server:v6.1.3
    container_name: simplex-xftp
    ports:
      - "443:443"
    restart: unless-stopped
    volumes:
      - ./simplex/xftp/config:/etc/opt/simplex-xftp:Z
      - ./simplex/xftp/logs:/var/opt/simplex-xftp:Z
      - ./simplex/xftp/files:/srv/xftp:X
    environment:
      - ADDR=xftp.xmronly.us.to
      - QUOTA=10gb #change to set your own quota
    networks:
      - simplex
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL
A note about versioning: at the time of writing, there was an open issue with the "latest" (v6.1.3) tag and HTTPS credentials for the SMP server. The most recent working version for the SMP server (v6.0.6) was definitively tagged here and the "latest" version for XFTP server (v6.1.3) was also definitively tagged to ensure working builds with the presented instructions. For reference, the "latest" version used in the HackLiberty documentation for June 1st, 2024 is v5.8.0-beta.6 which is now several security fixes behind.
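One way to check the points this compose file relies on before deploying, as an added example rather than code from the article or the SimpleX project: the hypothetical audit_compose function reports every service whose image is untagged or tagged latest, or that lacks no-new-privileges:true or cap_drop ALL. It assumes a compose file indented with two spaces per level; the sample file in demo_audit is constructed.

```shell
#!/bin/sh
# Added example, not project code; audit_compose is a hypothetical helper.
# Assumes a compose file indented with two spaces per level.
# Prints one finding per line and returns 1 if there is any finding.
audit_compose() (
  awk '
    function report(msg) { print svc ": " msg; bad = 1 }
    function finish() {            # called when a service block ends
      if (svc == "") return
      if (img == "") report("no image line")
      else if (img !~ /:[^\/]+$/) report("image has no tag")
      else if (img ~ /:latest$/) report("image uses the moving tag latest")
      if (!nnp) report("no-new-privileges:true not set")
      if (!drop) report("cap_drop does not include ALL")
      svc = ""
    }
    /^[^ #]/ { finish(); top = $1; next }             # top-level key
    top == "services:" && /^  [^ #]/ {                 # service name
      finish(); svc = $1; sub(/:$/, "", svc)
      img = ""; key = ""; nnp = 0; drop = 0; next
    }
    svc == "" { next }
    /^    [^ #-]/ { key = $1 }                         # key inside the service
    $1 == "image:" { img = $2 }
    key == "security_opt:" && $2 == "no-new-privileges:true" { nnp = 1 }
    key == "cap_drop:" && $1 == "-" && $2 == "ALL" { drop = 1 }
    END { finish(); exit bad }
  ' "$1"
)

# demo_audit: constructed file; the second service is deliberately weak.
demo_audit() (
  f=$(mktemp) || exit 1
  printf '%s\n' 'services:' '  smp:' '    image: simplexchat/smp-server:v6.0.6' \
    '    security_opt:' '      - no-new-privileges:true' '    cap_drop:' \
    '      - ALL' '  xftp:' '    image: simplexchat/xftp-server:latest' \
    '    cap_drop:' '      - NET_RAW' > "$f"
  audit_compose "$f" && rc=0 || rc=$?
  rm -f "$f"; exit "$rc"
)
```

Run audit_compose docker-compose.yml before docker compose up -d; a non-zero exit status means at least one service needs attention.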
Everything is now ready to be deployed. Run:
docker compose up -d
Run the following command to see the SMP and XFTP server addresses:
echo "smp://$(<simplex/smp/config/fingerprint)@$(awk -F '=' '/ADDR=/ {print $2}' docker-compose.yml | head -1)" && \
echo "xftp://$(<simplex/xftp/config/fingerprint)@$(awk -F '=' '/ADDR=/ {print $2}' docker-compose.yml | tail -1)"
You should see output similar to this and just like that your self-hosted SimpleX servers are now ready!
smp://IB2NJl4Pv3OSLUmnvipKkCuJKGkEDfgUNkYFiKIH_GY=@smp.xmronly.us.to
xftp://t_H_I_h5Iz7X-ChxA3nJeyw0s_2PJIFkfSK7Ng6UulU=@xftp.xmronly.us.to
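The two echo commands above pick the SMP and XFTP hostnames by their position in docker-compose.yml. As an added example (not part of the original article or the SimpleX project), the script below looks up ADDR by service name and refuses to print an address whose fingerprint or hostname is malformed. The function names are hypothetical, and it assumes a fingerprint is a 32-byte digest in URL-safe base64, as the sample values suggest, and a compose file indented with two spaces.

```shell
#!/bin/sh
# Added example, not SimpleX project code; function names are hypothetical.
# Assumption: a fingerprint is a 32-byte SHA-256 digest in URL-safe base64,
# which is what the 44-character sample values in this article look like.

# matches STRING ERE: whole-string test. awk treats a newline as an ordinary
# character, so multi-line input cannot pass the anchors as it can with grep.
matches() ( S=$1 awk -v re="$2" 'BEGIN { exit !(ENVIRON["S"] ~ re) }' )

valid_fingerprint() (
  matches "$1" '^[A-Za-z0-9_-]+=$' || exit 1
  # Map the URL-safe alphabet back to standard base64, then count the bytes.
  n=$(printf '%s' "$1" | tr '_-' '/+' | base64 -d 2>/dev/null | wc -c)
  [ "$n" -eq 32 ]
)

# Lowercase DNS name with at least two labels.
valid_host() (
  matches "$1" '^[a-z0-9]([a-z0-9-]*[a-z0-9])?([.][a-z0-9]([a-z0-9-]*[a-z0-9])?)+$'
)

# compose_addr FILE SERVICE: ADDR of one named service (two-space-indented
# compose file assumed), so the order of services in the file does not matter.
compose_addr() (
  awk -v svc="$2" '
    /^  [A-Za-z0-9_-]+:[ \t]*$/ { cur = $1; sub(/:$/, "", cur) }
    cur == svc && /^[ \t]*-[ \t]*ADDR=/ {
      sub(/^[^=]*=/, ""); sub(/[ \t].*$/, ""); print; exit
    }' "$1"
)

# server_address SCHEME FINGERPRINT_FILE COMPOSE_FILE SERVICE
server_address() (
  fp=$(tr -d ' \t\r\n' < "$2") || exit 1
  host=$(compose_addr "$3" "$4")
  valid_fingerprint "$fp" || { echo "bad fingerprint in $2" >&2; exit 1; }
  valid_host "$host" || { echo "bad ADDR for $4: '$host'" >&2; exit 1; }
  printf '%s://%s@%s\n' "$1" "$fp" "$host"
)

# demo: constructed config tree (hostnames invented, XFTP service listed first).
demo() (
  d=$(mktemp -d) && trap 'rm -rf "$d"' EXIT && cd "$d" || exit 1
  echo 'IB2NJl4Pv3OSLUmnvipKkCuJKGkEDfgUNkYFiKIH_GY=' > fingerprint
  printf '%s\n' 'services:' '  simplex-xftp-server:' '    environment:' \
    '      - ADDR=xftp.example.org' '  simplex-smp-server:' '    environment:' \
    '      - ADDR=smp.example.org' > docker-compose.yml
  server_address smp fingerprint docker-compose.yml simplex-smp-server
)
```

On the server from this article the SMP call would be server_address smp simplex/smp/config/fingerprint docker-compose.yml simplex-smp-server, with the xftp scheme, the XFTP fingerprint file and simplex-xftp-server for the second address.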
To add the newly created self-hosted SimpleX servers to your client, click on your profile on the top left, followed by Settings. Click on Network & servers. We will modify both the Message servers (SMP) and the Media & file servers (XFTP).
Click on Message servers and scroll down to Add server. Select Enter server manually. Paste in your SMP server address from above, click Test server and receive a green check mark. Finally, tick Use for new connections.
With our self-hosted SMP server set, it's time to remove the default SimpleX servers. Click on each of the presets, then click Delete server.
With only our self-hosted SMP server remaining, click the back arrow, then save changes.
We will now repeat the process for Media & file servers. Scroll down to Add server. Select Enter server manually. Paste in your XFTP server address from above, click Test server and receive a green check mark. Finally, tick Use for new connections.
With our self-hosted XFTP server set, it's time to remove the default SimpleX servers. Click on each of the presets, then click Delete server.
With only our self-hosted XFTP server remaining, click the back arrow, then save changes.
It is possible to self-host onion servers as well, but since this article is focusing on privacy and not anonymity, that part of the setup has been omitted.
All new connections will automatically use your self-hosted SimpleX servers, but what about already existing connections that were made using the default SimpleX servers? It turns out existing connections do not automatically update, so we will need to manually change them. Click on the group name and scroll down to the members section. Click on a group member and scroll down to servers. We can see that Larry is using the default SimpleX servers. Click on Change receiving address and confirm the change.
Repeat the process for Sam and you have now configured the group chat to use your self-hosted servers!
You can confirm this by clicking on the group chat name and clicking on any of the members.
In this article we saw how SimpleX compares to a few other popular instant messengers and some of its unique advantages. We saw how to easily install and start using it, and going the extra mile, how to self-host and use your own servers. With that knowledge in hand, you can easily make all your chats private!
Contact: nihilist@contact.nowhere.moe (PGP)