P2P-Messenger


In addition to the systems listed in the system comparison, there are many other interesting projects, a few of which are listed here. Even though little information has been collected on some of them, they should not be neglected.

The terms “P2P” and “anonymous” come up again and again below; for background, see the explanations: P2P / Anonymity.

In general:

  1. Mesh/P2P systems can usually be used at no cost (don’t forget donations/development orders!).
  2. Battery consumption on mobile devices is higher than with server-based systems.
  3. Multi-device capability is extremely difficult to realize in P2P systems without additional servers as intermediate stations.
  4. Delivery of offline messages is not possible without an additional intermediate station (“mailbox”).

In the following overview, a German website is rated as positive and a lack of German-language information as negative. Why? It would be arrogant to assume that “everyone” understands English or even to demand basic knowledge. Information should be understood by every native speaker and unnecessary misunderstandings due to insufficient translations should be avoided. Good translations make a product in general (here: Messenger) interesting and accessible to the masses, because you save many interested people/users unnecessary translation effort. They are enormously helpful and therefore worth their weight in gold.

Overview

Oversec

Regardless of the solution used, the app “Oversec” can also be used on Android devices. This app virtually overlays other apps and encrypts/decrypts inputs before they reach the actual messenger. It sounds crazy, but it is not, and it works great. Security-minded people should definitely take a look at this app!

Download: at F-Droid (external) or directly as APK: https://www.oversec.io/#download (external)
Project page: https://www.oversec.io (external)
Note: Oversec has probably not been actively developed since 2019; the project no longer responds to GitHub issues.


Anonymous Messenger

  • decentralization: direct, uses TOR (P2P, no separate servers)
  • positive: some anonymity
  • positive: uses Signal protocol for encryption
  • negative: the protocol (external) is not yet properly documented!
  • negative: only available for Android
  • negative: NO German project page

Source code: https://git.anonymousmessenger.ly/dx/AnonymousMessenger (external)
Project page: https://anonymousmessenger.ly (external)

Bitmessage

pyBitmessage (Bitmessage)

Sends to ALL participants; only the recipient can decrypt and read the message (no sender/recipient address).

  • decentralization: direct/mesh (P2P, no separate servers).
  • positive: some anonymity
  • negative: NO German project page/help
  • negative: ONLY usable on PC/laptop - NOT on smartphones

Source code: https://github.com/Bitmessage/PyBitmessage (external)
Project page: https://bitmessage.org/wiki/Main_Page (external)

Briar

  • decentralization: direct, uses TOR (P2P, no separate servers)
  • positive: some anonymity
  • negative: NO German project page

More information: >> here <<

Echo Protocol

The Echo protocol is used by Goldbug (desktop client) or Smoke (Android client), for example, and is the main component of the “Comparison of the big 7 (open source) messenger systems”. The project is entirely volunteer-driven and is not paid for by third parties.

In a nutshell: very interesting, comprehensive, coherent. Unfortunately, the explanations use many specialized and technical terms as well as many abstract and odd designations (molecules, …), so the project seems confusing and complicated for normal users at first sight. So far it has not been possible to reach a German-speaking contact person, and there is no German forum.

  • decentralization: direct/mesh (P2P, no separate servers)
  • positive: some anonymity
  • positive: German user manual
  • negative: NO German project page

More information: >> here <<

Jami

Name history: “SFLphone” -> “Ring” -> “Jami”.

Originally developed for telephony (audio / audio and video / audio and video in groups, depending on the operating system), but text messaging is also possible; text-based chat rooms are being worked on.

Jami enables secure text, voice and video communication over the Internet. It also allows teleconferencing and videoconferencing, but strangely no text-based chatrooms yet, as the developers are trying to make these fully decentralized. Jami is a good choice for secure phone calls over the Internet, as long as the people on the call are also using Jami. Jami is a peer-to-peer system; it does not rely on or require central servers.

Jami is cross-platform, with versions for Android, FreeBSD, iOS, iPhone, Linux, Microsoft Windows, and OS X. There is (as of March 2020) no version for the Pinephone.

It is both a peer-to-peer voice-over-IP client program and a custom protocol for service discovery using a distributed hash table (DHT). It uses SRTP to transfer communication data.

P2P with server?

We keep saying that Jami’s most distinctive and innovative characteristic is the fact that it doesn’t require a server to relay data between users. There are many advantages associated with that, including increased privacy, light infrastructure, high scalability, no bandwidth restriction (other than that of your Internet connection), no size limit for file transfers, and more. This is all true, but while servers are not required, they are still used in five specific cases: push notifications, the OpenDHT proxy, bootstrap, name server, and TURN. … >> more << (external)

Description: https://linuxreviews.org/Jami (external; English)
Security questions and answers from a developer: stackexchange.com (external)
Using Git for messages (‘swarm’): jami.net (external; English)
Also available via F-Droid and thus without tracker: https://f-droid.org/en/packages/cx.ring (external)

  • decentralization: direct (P2P with support of separate servers)
  • positive: some anonymity
  • negative: The project page also integrates third-party services (transifex): webbkoll (external)
  • negative: NO German project page

Source code: https://jami.net/contribute/ (external)
Project page: http://jami.net (external)

Katzenpost

Traffic analysis resistant messaging - We write mix network protocol libraries. What is a mix network? It is an anonymous communications system… however the word anonymous is problematic because some government authorities equate anonymity with terrorism. We prefer to instead call it “network security” because you can feel more secure when you communicate using traffic analysis resistant communications protocols. …

This project has received funding from the “European Union’s Horizon 2020 research and innovation programme”, the “Samsung Next Stack Zero grant” and “NLnet and the NGI0 PET Fund paid for by the European Commission”.

  • decentralization: direct/mesh (P2P, no separate servers).
  • positive: some anonymity

Source code: https://github.com/katzenpost (external)
Project page: https://katzenpost.mixnetworks.org (external; English)

Mesh-Chat

  • decentralization: direct/mesh (P2P, no separate servers)
  • positive: some anonymity
  • negative: NO german project page/help

Source and project page: https://github.com/neuravion/mesh-chat-protocol (external; English)

Retroshare

  • decentralization: direct/mesh, uses TOR (P2P, no separate servers)
  • positive: some anonymity
  • negative: NO German project page

Documentation: https://retrosharedocs.readthedocs.io/en/latest/ (external; English)
Source code: https://github.com/RetroShare (external)
Project page: https://retroshare.cc (external; English)

Ricochet Refresh

Ricochet Refresh is a maintained and up-to-date fork of the former Ricochet project.

  • decentralization: direct, uses TOR (P2P, no separate servers)
  • positive: some anonymity
  • negative: NO German project page/help

Source code: https://github.com/blueprint-freespeech/ricochet-refresh (external)
Project page: https://www.ricochetrefresh.net (external)

Scuttlebutt

The “Secure Scuttlebutt / SSB” protocol (short: Scuttlebutt) likewise takes a very interesting approach and also relies on decentralization.

  • Decentralization: direct (P2P, no separate servers required)
  • positive: some anonymity
  • positive: ingenious concept (specialized in offline functionality)
  • positive: built-in support for TOR
  • negative: NO German project page/help
  • negative: at the beginning you have to download very large amounts of data
  • negative: maximum of 7 participants in “closed groups”

More information: >> here <<

Silence

Federated via telecommunications providers; works on the basis of SMS.

  • decentralization: direct (P2P, no separate servers required)
  • negative: mobile number required (SMS sending/receiving)
  • negative: Messenger only for Android

Source code: https://git.silence.dev/Silence/Silence-Android/ (external)
Project page: https://silence.im (external)

SimpleX

SimpleX Chat is a messenger (with Android client and terminal client for desktop) with the promise:

The most private and secure chat and applications platform.

… and wants to be better than other solutions. The project page has an interesting comparison to other protocols (external), and the FAQ (external) also has information about this:

How is it different from Matrix, Session, Ricochet, Cwtch, etc., that also don’t require user identities?
Although these platforms do not require a real identity, they do rely on anonymous user identities to deliver messages – it can be, for example, an identity key or a random number. Using a persistent user identity, even anonymous, creates a risk that user’s connection graph becomes known to the observers and/or service providers, and it can lead to de-anonymizing some users. If the same user profile is used to connect to two different people via any messenger other than SimpleX, these two people can confirm if they are connected to the same person - they would use the same user identifier in the messages. With SimpleX there is no meta-data in common between your conversations with different contacts - the quality that no other messaging platform has.

But:

SimpleX Chat is a work in progress – we are releasing improvements as they are ready. You have to decide if the current state is good enough for your usage scenario.

For delivery of offline messages (more info on this at Github (external)):

SimpleX stores all user data on client devices, the messages are only held temporarily on SimpleX relay servers until they are received. …
You can use SimpleX with your own servers and still communicate with people using the servers that are pre-configured in the apps or any other SimpleX servers. …

  • decentralization: direct (P2P, no separate servers required - but possible)
  • positive: good anonymity
  • negative: still work in progress (external)
  • negative: NO German project page/help
  • negative: yet no external security audit (external)

Comparison with other protocols: Github (external)
Current status/planning: Roadmap (external)
Source code: https://github.com/simplex-chat (external)
Project page: https://simplex.chat (external)

TinfoilChat (TFC)

If you think you are really being targeted by secret services, you should take a look at the hardware-supported chat solution TinfoilChat (TFC). The developers seem to be serious about it, and this goes one step further (“more extreme”) than, e.g., Briar:

Tinfoil Chat (TFC) is a FOSS+FHD peer-to-peer messaging system based on a highly secure hardware architecture to protect users from passive collection, MITM attacks, and most importantly remote key exfiltration. TFC is designed for people with one of the most complex threat models: organized criminal groups and government hackers who bypass the end-to-end encryption of traditional secure messaging apps by hacking the endpoint.

  • decentralization: direct, uses TOR (P2P, no separate servers required)
  • positive: best possible anonymity / extremely “secure”
  • negative: separate hardware required
  • negative: NO German project page/help

Source and project page: https://github.com/maqp/tfc/ (external; unfortunately only English; really exciting to read!)

Tox

Audio and video calls are possible, and there are different clients with graphical as well as text-only user interfaces.

  • decentralization: direct, also via TOR (P2P, no separate server required)
  • positive: some anonymity
  • negative: Note on the project page (download section): “Tox is still under heavy development — expect to run into some bugs”
  • negative: NO German project page

Field report: https://herrdoering.de/de/sicheres-messenging-mit-tox-chat/ (external)
Usage with TOR: https://wiki.tox.chat/users/tox_over_tor_tot (external)
Raspberry Pi for offline messages (external; English)
Possible clients: qTox, uTox, Toxygen, Toxic, aTox (external), Trifa (external)
Client functions: https://wiki.tox.chat/clients#features (external)
Source and project page: https://tox.chat (external)

Vuvuzela

Also an interesting project, but it is currently no longer actively developed (the last change to the source code was in September 2019).

  • decentralization: direct (P2P, different servers)
  • positive: some anonymity
  • positive: wants to obfuscate unnecessary metadata
  • negative: concept only, no changes to source code since 2019
  • negative: NO German project page/help

Interview with one of the developers: netzpolitik.org
Source code: https://github.com/vuvuzela/vuvuzela (external)
Project page: https://vuvuzela.io (external, unfortunately only English)