Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
johnisgood a day ago

Differences between Cwtch, and SimpleX? Which are you leaning towards to and why?

According to https://github.com/simplex-chat/simplexmq/blob/stable/protoc...:

> identify that and when a user is using SimpleX.

Does this apply to Cwtch?

Also, is it not possible to obfsucate this traffic? Tor with obfs4?

Related:

#1 - https://security.stackexchange.com/questions/241730/traffic-...

#2 - https://github.com/simplex-chat/simplex-chat/issues/4300

#3 - https://github.com/tst-race/race-docs/blob/main/race-channel...

heavyset_go a day ago | parent [-]

> Which are you leaning towards to and why?

Heavily sandboxed SimpleX that's firewalled to block any non-Tor traffic. Chose this one because it allows for offline message sending/receiving, despite privacy implications, and because it has clients people will actually use.

Cwtch doesn't let you send messages when the recipient is offline by virtue of how it works, which is more secure, but inconvenient.

When evaluating Cwtch, I think I read somewhere it might send identifying metadata to your recipient, or something similar, but I might just be making that up. I'll have to look up what I was reading.

> > identify that and when a user is using SimpleX.

> Does this apply to Cwtch?

With Cwtch you're running two hidden services, one on either end of the chat, and that happens over Tor with no middleman service, so no. A passive network observer can tell when you're connecting to Tor, but you can attempt to obfuscate that with transports.

johnisgood a day ago | parent [-]

> obfuscate that with transports.

Such as obfs4, I presume.

I read about RACE just now, seems interesting:

- https://github.com/tst-race/race-quickstart?tab=readme-ov-fi...

- https://github.com/tst-race/race-destini

Have you heard about it, or have you used it before?

> Cwtch doesn't let you send messages when the recipient is offline by virtue of how it works, which is more secure, but inconvenient.

I agree. How much more secure is that? In the case of Ricochet, this only applies to friend requests. You have to be online to be able to receive friend requests, which I am fine with.

maqp 16 hours ago | parent | next [-]

>How much more secure is that?

It's much more secure wrt metadata. There is no third party server that's able to amass metadata about the two users conversing. SimpleX doesn't hide your IP-address from the server, and given that there's exactly two parent companies hosting ALL of the official servers, it's not too hard for Akamai or https://runonflux.com/ or anyone who compromises their OOBM systems to perform end-to-end correlation between two users.

https://discuss.privacyguides.net/t/simplex-vs-cwtch-who-is-... has a lot of discussion about Simplex vs Cwtch.

heavyset_go 15 hours ago | parent [-]

Agree with your post, but do want to point out that using private message routing on SimpleX theoretically hides your IP address from the server[1].

Similarly, built-in routing over Tor can make performing correlation attacks difficult for some adversaries, and if you elect to use your own .onion servers instead of the official ones, it adds another layer of obfuscation.

[1] https://github.com/simplex-chat/simplexmq/blob/stable/protoc...

johnisgood 6 hours ago | parent [-]

What do you mean by "own .onion servers" here specifically? It is ambiguous for me. Your own hidden service? Your own bridge? As for hidden services, that would be up to SimpleX to do so (just like how Ricochet does it), otherwise I have no idea how one would do it with SimpleX or configure SimpleX to use "mine". You would need Orbot on Android to begin with to use SimpleX with Tor, and I do not know if there is such an option to "use own hidden service", as hidden services do not work this way at all.

How do you configure SimpleX on Android to use your own SMP servers BTW?

heavyset_go 17 hours ago | parent | prev [-]

> Such as obfs4, I presume.

Yep, but the author of obfs4 says not to use it, there are more modern transports with less flaws.

At the end of the day, the transport lists are public, but sharded, so it's truly just obfuscation no matter what transport protocol you use. Someone observing your connection with the resources to map out transport relays can tell if you're using Tor.

> Have you heard about it, or have you used it before?

I haven't, but it looks interesting. It seems they're doing a similar mixnet approach to SimpleX.

> I agree. How much more secure is that?

If you don't to rely on a third party to queue and relay your messages when your recipient comes online, it's one less party that you're sharing information with.

I also believe it opens you up to Tor correlation attacks, like what happened with Ricochet. Maybe an overlay mixnet can add some further obfuscation, as with SimpleX and RACE, but I assume those overlays are vulnerable to correlation attacks, as well.

johnisgood 17 hours ago | parent [-]

> Yep, but the author of obfs4 says not to use it, there are more modern transports with less flaws.

Such as?

heavyset_go 16 hours ago | parent [-]

Check out https://torproject.github.io/manual/circumvention/ and https://obfuscation.github.io/

johnisgood 5 hours ago | parent [-]

I know about those, but scramblesuit and meek and snowflake came before obfs4 I believe and they do not achieve the same thing obfs4 does, so I do not see a better obfs4 alternative here.