Developer of ArcaneChat (https://arcanechat.me/)
Not me, but someone on the signal forums helpfully compiled many of them; there are a lot more than I thought! https://community.signalusers.org/t/wiki-overview-of-third-party-security-audits/13243
ok I read it, these are no real security audits but academic reviews of protocol properties etc.
Matrix isn’t ready for the general public and I’m doubtful it ever will be, so in the meantime Signal is the next best thing.
yeah, it is too complex etc. take a look at https://arcanechat.me/ and https://delta.chat/ (I contribute to these open source projects) they are probably the decentralized messengers that are more on pair with WhatsApp etc. super easy to use, no phone numbers or any private data required
Not me, but someone on the signal forums helpfully compiled many of them
thanks for sharing!
It’s serverless though, right?
no, and in fact the cost of running it is really high because the server infrastructure they need to pay, they even say it themselves "Signal is expensive" https://signal.org/blog/signal-is-expensive/
it would be possible just to fork and use a “European” version of it
in theory yes, in practice no one has done it, and then you should not use Signal but the european fork which will not be compatible/federated with signal
It is a us based non profit that doesn’t store any information about you
still it runs in AWS, Microsoft, etc servers, and as any centralized service policy and interests can change at any time in the future, which would be pretty bad when you have several countries fully depending on them, just look the current situation with whatsapp, you can not be resilient/sovereign like that
has been independently audited like four times.
could you provide source pointing to the security audits?
take a look at ArcaneChat https://arcanechat.me/
I don’t trust this one bit.
you don't need to trust, you can self-host your own server and read/modify the code, unlike in a centralized server where you don't even know what is actually running on the server, which is well know from the past to not match the actual released code for the case of Signal
They don’t mention anywhere what they use for encryping your chats
all this is documented inside the app in the offline help/FAQ that comes with it, the app is targeted to end users that don't know or care about such topics so it is avoided to talk too much about encryption up-front
Their code is not documented at all.
ArcaneChat is a fork of DeltaChat client, DeltaChat has been audited several times, you could also use the official Delta Chat client: https://delta.chat/
because it is a centralized service from US company, registration requires phone numbers so it is easy to know from what country you are, the server is running in Amazon Web Services, etc, while ArcaneChat can be used with your own infrastructure, for total technological sovereignty
for iOS and desktop you can use Delta Chat which is fully compatible with ArcaneChat
As alternative to WhatsApp, there is also ArcaneChat that is more user-friendly for normies: https://arcanechat.me/
Maybe I'm confused, do the DeltaChat and ArcaneChat clients only work with DeltaChat/ArcaneChat servers?
The "ArcaneChat/DeltaChat servers" are just normal email servers with some default configurations and tweaks for privacy/security and speed
Edit: forgot to mention I can see the sender & recipient addresses (Signal uses sealed sender to minimize this metadata leak)
Signal needs to "seal sender" to be able to send messages anonymously since their service is not anonymous and you login with your phone number, in ArcaneChat it is like you are "sealed sender" from the very beginning, you don't register with phone number or any private data, you log in anonymously always, currently you have an static anonymous identity, and have to manually change it over time if you are the most paranoid person in town, but in the future the app might implement anonymous identity rotation
I can also see what time the message was sent this is the kind of metadata Meta collects through Whatsapp even though they also encrypt message content.
Nothing that the server doesn't know, the server knows the time at which you try to send a message because well you are asking it to do so at that time. But I agree this is a problem with stored messages if the server gets audited at a later point, by default with a single device messages are deleted immediately and otherwise after 20 days so still it is limited what they could get, but this can be improved, the header doesn't need to have a real date could be whatever fixed date while the real date is protected in the encrypted part, this needs to be done 👍
It doesn't seem - although maybe it now does - that DeltaChat nor ArcaneChat support key ratcheting, so if someone's intercepting messages they can decrypt all future + past messages.
This is a pretty theoretical situation, first the attacker needs to get control of your chatmail provider/server and start collecting your messages, secondly you need to happen to be using disappearing messages since otherwise when they get access to your phone to get the key they can as well just get all your messages that are available already decrypted in the app, since you need the messages to be ephemeral, in that case you can as well create a temporary profile, ex. For some protest or activism and delete it after the operation is finished, and you get the same results of "forward secrecy" without sacrificing the usability of the app, ex. In ArcaneChat it is possible to have your account in as many devices as you want all well synchronized and every device is totally independent, if your phone dies you can keep using it in other devices or add it back to a new phone without losing a single message
Hey, how do you know she is named Nancy!? And that she smokes a bit too much! 😱
When you send ANY message (it doesn't matter if it is just text, image or other attachment) it is end-to-end encrypted and on the server it all looks the same, encrypted blobs, it is only visible in your devices.
If you have a single device the encrypted blobs are deleted immediately after downloading them, if tyou have more than one device, the blobs are stored up to 20 days in the server to give you the chance to sync your devices, if you use "disappearing messages" option or manually select and delete messages or use the "clear chat" option, then you have more fine control when it is removed.
About your friend being offline, the same rules apply, they will be able to download the images and other messages you send to them as soon as they come back online within 20 days :)
Of course, if you host your own server you can tweak it to your needs if the defaults of arcanechat.me don't suit you
This is simply not correct, the page you link is talking about problems of email as a network of different clients and servers. With ArcaneChat and arcanechat.me server there is no metadata leak, the article talks about leaking subject which is simply not leaked in ArcaneChat since it is moved to the encrypted part as many other headers, the To and From headers are needed by the server to know to whom send the message, this is the same in virtually all other messaging platforms, like XMPP, Matrix, WhatsApp, etc. So why is it listed as a flaw of email?
Here you can see what someone can see in a message sent with chatmail servers, tell me exactly what metadata you got from this message as the server operator:
That kind of "no no you can't use email in a secure way" is a so outdated urban legend
They are not totally the same tho, for example "Delete messages on device of recipients" says "no" for Delta Chat but it is already available in ArcaneChat (will come to DeltaChat "soon")
Also "Minimal metadata" says "no" while there is no personal data at all required to use ArcaneChat, accounts are fully anonymous hence what metadata and from whom?
so the table is getting outdated quickly 😄
it is pointless to talk in theory without actually trying things out, besides the app doesn't have to do only email, in fact it already has p2p support for real-time that can be used for now inside the https://webxdc.org/ mini-apps, and might be used for calls in the future, or just use WebRTC for calls, one of the mini-apps in the store "Live Chat" already has typing indicators btw. The app already has Jitsi Meet invitations integration.
Chatting in Delta Chat with chatmail feels just as fast as WhatsApp, Telegram etc. sometimes even faster depending on the chatmail server you use
Delta chat is basically email.
and how is that exactly a problem? the protocol is email, but email done right is actually good and fast, as it can be tested if you actually try out the app. The new chatmail servers are optimized for chatting, the main reason classic email providers suck is because they have to deal with spam and arbitrary decisions like gray-listing etc
and the thing is: Telegram having a proprietary server feels more opensource and open to 3rd party clients and developers (ex. bots, mini-apps etc) than Signal, Signal's issue tracker has a bot auto-closing stale issues and several people are completely ignored, never receive a reply
I highly recommend you to give a try to https://arcanechat.me/ (I am the developer) it is heavily inspired by Telegram, if you want to test it you can join this community group: https://i.delta.chat/#6CBFF8FFD505C0FDEA20A66674F2916EA8FBEE99=&a=invitebot%40nine.testrun.org&g=ArcaneChat+Community&x=3KvvQZfzU4t-9u5s0PF3USGp&i=AQKH9_8x0R0&s=dbGW9xOhRQX
Threema is paid (registration tied to payment is already bad for privacy, most people will not register with some crypto-coin etc) and centralized, any centralized service is vulnerable to enshitification, none of them start evil, also it is easier to block by authoritarian governments and can't be used in a sovereign/independent way (ex. own independent server in a local community)
Session: it has been a long time since I last used Session, at the time my impression was that it was a bit hacky and it was draining my battery and using a lot of mobile data, more importantly Session doesn't seem to have multi-account support, also doesn't seem to support using your own independent server "off-the-grid". Session groups have a limit of only 100 members while in ArcaneChat groups can have 1000 members for now (or even more depending on the server you use, ex. your own)
none of them have in-chat collaborative/interactive apps (ex. collaborative editor, calendar, shopping lists, split bills, polls, etc.) and games that can be used even while offline
I like SIP and XMPP, but in practice I don't have any contacts to use it and the apps are lacking a bit compared to ArcaneChat/DeltaChat, besides the problem of losing groups because the XMPP server went down etc. there are some downsides but yes, if I was not satisfied with ArcaneChat I would use XMPP and SIP, or anything that is open source, decentralized and doesn't require a phone number
does that one has security audits? thanks in advance