>>2887 not exactly the answer you're looking for, but email + gnupg through tor is practical and secure if you're not dealing with normalfags.
otherwise, I remain an xmpp + otr holdout (also over tor). it's a bit cumbersome and there doesn't seem to be a single decent xmpp client out there (I use pidgin), but it does the job.
>>2888 Email and XMPP are both old and still have a lot of issues, and if you don't selfhost it's even worse.
Here's a few more:
- Ricochet - actually looks very nice, but the last release was in 2016.
- Tox and Telegram - use home-made encryption.
- Signal - has shady devs and requires a phone number.
- IRC + OTR - don't know how secure it is, but having to remain connected to the server to receive messages is pretty annoying.
- Matrix + Riot - looks good, but I don't know much about it, so I'm curious what /g/ thinks.
I've been using XMPP with a third-party clearnet server over Tor, because Conversations (Android client) refuses to work with a .onion server - I assume it's because it forces a TLS connection, and hidden services either use self-signed certificates or none at all. You could easily fork it and remove the TLS requirement but then you lose out on the convenient F-Droid updates.
I only tested it with securejabber's onion service so I might be wrong about that though. Suggest other XMPP servers that have hidden services because I don't know any others.
Ugly, buggy drop-in discord/slack replacement also trying to replace irc.
>>2888 It's kind of sad that the best xmpp client is on android (conversations).
Also why not omemo?
And why pidgin when there's irssi and profanity?
>>2890 > And why pidgin when there's irssi and profanity?
Irssi and profanity don't support omemo yet (https://omemo.top)
To my knowledge, the only tui client that does support it is finch, but it's the shittiest fucking program I've ever used
I've been reading more about Matrix/Riot, and unfortunately they look like a letdown.
Riot is the only good client because all the other actively maintained ones don't (fully) support end-to-end encryption, plus it's the only Android client.
Riot uses Cloudflare MITM on their main domain.
Selfhosting your own Matrix homeserver is the best option, but you can't use Tor hidden services (clearnet domain used over Tor is still possible though.)
>>2892 >why pidgin?
I use pidgin because I can use both otr and omemo, actually, and also because it can be set up to work with onion services without torsocks. irssi is a fine irc client, but I don't find it particularly pleasant to use for secure IM-type interaction.
>why not omemo?
omemo is promising, but omemo's implementation on many clients is pretty rotten and it's often difficult to verify that it is doing what it should be doing without peeking at debug logs and whatnot. until things improve, I'll stick with something that gives me clearer indication that a connection is negotiated and issues obvious signs when something isn't right (e.g., garbage messages from the person I'm talking to, not just silently dropping them or even spewing some as plaintext as it seems omemo on many clients is known to do occasionally). I also don't believe in multiple device support: it inevitably means someone left their phone running with logs being taken (see: Conversations per default). I honestly dislike otr too, but again: it does the job. And as cumbersome as the whole xmpp/otr thing is, I've seen no indication that it isn't secure: if it works, why be eager to change to something else?
>>2899 >Ricochet
>TorChat
promising, but development of both stalled years ago. torchat in particular is known to have a number of security issues with the implementation that probably will never be addressed. these are not presently safe to use imo.
has anyone tried keybase?
it looks like it wants you to give it a lot of your information, to "strengthen your identity", so it doesn't seem very anonymous.
>>2923 >doesn't seem very anonymous
That's the point anon. If I send a real life friend a message they should be able to determine that it's actually me. If I post a message on nanochan, it doesn't matter who I am, or even if I'm the same person who made another post.
>>2926 Why do this when signing messages with PGP keys exists? Trusting any organization with your info might verify your identity but probably decreases your security overall.
>>2909 Bitmessage doesn't require sign-up, it is somewhat similar to Bitcoin but for sending messages, just don't use the centralized Bitmessage proxies like https://bitmessage.ch
>>2894 I tried selfhosting my own Matrix server. The setup is way too complicated for what it is. You quickly realize your server won't be used if you don't host a riot instance, too, and that software is a PoS.
Use IRC and Mumble. Use encrypted mail when you want permanent messages.
There's nothing Riot solves that XMPP+OMEMO hasn't solved already. Without a gay ass phone-like retard interface either, use Gajim 0.16.X
That's the last release before they switched to gtk3
>What's the most secure messaging protocol/program?
If you want to get your message to a second party and you want to be secure, you better not rely on a third-party service.
But then again, you'd be at the very least signing in with your IP, unless you're routing your messages through Tor or using a VPN.
What's the most secure messaging protocol/program? Which one do you use?
Also, what do you think about pic related?