Like the title states, looking for E2EE apps (Android and iOS). Without going into much detail, it needs to be robust enough and easy to use for anyone, and stable for operations that are susceptible to constant electronic warfare. I did some research and thought about replacing Signal with Molly and am wondering if it will still work if Signal leaves the EU, but am also worried about its updates to patch vulnerabilities in a timely manner. I appreciate the help. I am a “Jack of all trades and master of none” when it comes to these types of programs, but am also the go-to currently in my unit since I am somewhat knowledgeable about exploits and attacks that can compromise systems. Would be great if there was a desktop client as well (like Signal), and would also be nice if it was FOSS and auditable (I know that’s kind of redundant). I know it’s a tall order to ask but figured I would try. I really appreciate the help so much and hope I did things by the rules here and don’t get flamed if this has already been covered (I searched, but my skills with searching the fediverse are low).

  • Orbituary@lemmy.world
    1 year ago

    Can you please link an article or something explaining what you’re going on about? When was this announced?

    Edit: guessing it’s related to this. https://cyberlaw.stanford.edu/blog/2023/06/eu-member-states-still-cannot-agree-about-end-end-encryption

    If so, banning E2EE because of CSAM is like cutting off your hand because you stubbed your toe. Banning E2EE won’t stop child porn nor will it prevent the use of E2EE.

  • Ludwig van Beethoven@sh.itjust.works
    1 year ago

    Pretty sure Signal won’t be forced to do anything:

    Encryption plays an essential role in securing communications. The international human rights law test of legality, necessity and proportionality should be applied to any measures that would affect encryption. Both the UN Commissioner for Human Rights[1] and the European Data Protection Supervisor[2] have concluded that the EU’s proposal for a regulation on child sexual abuse material fails this test[3].

    This is from May this year, when Spain proposed this. How in the everliving fuck can the EU get away with violating human rights?

    So yeah I’ll eat my hat unsalted if this actually will break encryption

    • DirigibleProtein@aussie.zone
      1 year ago

      If they actually ban E2EE, I’d like to see all banks, for a start, and most web sites, downgrade https to http. See how long the ban will last then.

      “I was just following the law!”

    • miss_brainfart@lemmy.ml
      1 year ago

      Well, they don’t need to break encryption, since the scanning of messages is supposed to happen client-side.

    • blkpws@lemmy.ml
      1 year ago

      It’s not encryption, all goes end-to-end. They will force app clients to add a “leak” request that sends the hash of each image you send to compare if it matches with child porn. It’s explained on another post on Lemmy and it looks so hard and so impossible to be implemented that I doubt it will actually work. The chat is still end-to-end.

      • Hazel@lemmy.blahaj.zone
        1 year ago

        They want to also check them with AI. Hash alone would be bad. But AI is worse. Ya got/are a young-looking gf. Well, if ya send nudes, some cop will most likely see your nudes if chat control really comes.

        Source: the new law proposal

          • Hazel@lemmy.blahaj.zone
            1 year ago

            Yes.

            They will check their own images and police themselves lol (actually there will be an extra committee for this so just joking)

        • blkpws@lemmy.ml
          1 year ago

          They want to also check them with ai.

          Do you have the source link of this pls? thx!

          • Hazel@lemmy.blahaj.zone
            1 year ago

            https://eur-lex.europa.eu/resource.html?uri=cellar:13e33abf-d209-11ec-a95f-01aa75ed71a1.0001.02/DOC_1&format=PDF

            Here. On page 52, Article 10 3.a

            The technologies shall be: (a) effective in detecting the dissemination of known or new child sexual abuse material or the solicitation of children, as applicable;

            They are explicitly talking about known or new material. Even though they don’t state the technology, AI is the only possible one (maybe there are more, but they WILL have the same issue AI has).

            They also go in depth on a centralized db, where all this shit will be stored, to retrain this model.

            Yea it is fucked up.

            • blkpws@lemmy.ml
              1 year ago

              But AI is too expensive to use it on any text sent by any European citizen/bot.

              • Hazel@lemmy.blahaj.zone
                1 year ago

                I would guess it rather refers to images. But it doesn’t matter if it is too expensive. AI is the only thing that can do the stuff they want.

                • blkpws@lemmy.ml
                  1 year ago

                  Are you sure? Using AI for any text and image that any European citizen (742,083,786 people if I’m not wrong) sends is pretty heavy… They will need to spend too much money on AI usage if this is the stuff they want or the only thing they can do.

                  EDIT: Sorry, if you mean only images, it is still very heavy. No AI needed here, they said it’s a client-side implementation and still sending random hashes… any hacker can just send random hashes and block database requests with a DoS… and they will get many false positives… Not viable.

          • Hazel@lemmy.blahaj.zone
            1 year ago

            The hash one has the one issue that you could simply put political shit in the db and find out your political opponents, but the hash one is debatable.

  • Ihnivid@feddit.de
    1 year ago

    I’d just like to point out that if Signal leaves the EU, it will most likely just mean that it’s not available through the official app stores. With Signal updating itself, it’s just a little inconvenient to install it on a new device, though, they even said that they’ll try to make it as easy as possible.

    • tVxUHF@lemmy.dbzer0.com
      1 year ago

      Yup. At most, Signal gets removed from the Play Store. There’s no meaningful way to block Signal, especially now that big CDN providers are starting to roll out Encrypted Client Hello.

      • freebee@sh.itjust.works
        1 year ago

        “If it’s not allowed in the Play Store and we need to click away a Google warning or 2, maybe it’s dangerous and we shouldn’t use it” - average Joe. Next step: “… suspect was using Signal, so we decided to …” yada yada yada, same as it already is perceived in general for Tor and even with VPN in some countries. Just the fact you’re not using the thing most other people use makes you stand out.

        • blkpws@lemmy.ml
          1 year ago

          Yes, I wanted to mean Moxie, sorry. The one that said “NO SIGNAL ON F-DROID REPOS”… hahaha blaming f-droid was insecure and that’s why we should use Google services.

          • barryamelton@lemmy.ml
            1 year ago

            He didn’t want Signal on FDroid because surprise surprise he just wanted to roll their own crypto coin with insiders knowledge. You can’t do that with open source so easily. There’s a reason they didn’t publish code for years. That people still support those crooks, who have lost all credibility, for a privacy app, baffles me.

            Thank god we have Matrix now.

  • SirEDCaLot@lemmy.fmhy.net
    1 year ago

    Much has been said about the idea of ‘signal leaving UK or EU’. Little has been said about how exactly that would happen.

    AFAIK, Signal has no business presence in the UK or EU. IE, no offices, no registered corporate entities. Thus, they (arguably) have no more requirement to comply with UK’s or EU’s regulations than, say, Iran’s or China’s or any other jurisdiction where they do not do business and have no presence.

    Signal’s leadership has a record of giving any regional restrictions the middle finger, so I doubt Signal would voluntarily block EU countries. So that means the EU would either pressure Google and Apple to delist Signal (easily worked around, at least on Android, and soon on Apple too as EU is trying to force sideloading) or they’d pressure ISPs to block connections to Signal (more or less impossible).

    If EU tried to do that, it’d just create a giant game of whack-a-mole. And people doing real CSAM shit would just move to even more private distributed systems.

  • Possibly linux@lemmy.zip
    1 year ago

    I would still use Signal. By ignoring bad laws you are turning the EU government into a laughing stock

  • Daydream8714@lemmy.today
    1 year ago

    How about Session or SimpleX?

    Both are E2EE. Unlike Signal, they also have the benefit of not requiring a phone number, so your account isn’t linked to you that way. In my experience, Session feels more mature, having apps on more platforms and more reliable notifications. However SimpleX has some really nice features, like the ability to have multiple profiles (including hidden profiles).

    • FarLine99@lemm.ee
      1 year ago

      SimpleX is definitely THE solution. One year from now and it will be a truly awesome product!

      • Squeak@lemmy.world
        1 year ago

        What an awful name though. Why would you name a messaging app after herpes?

        • deepdive@lemmy.world
          1 year ago

          I’m sure you also pronounce those words wrong:

          • F.B.I and not fbi
          • L.E.D and not led
          • SpaceX and not spacex
          • SimpleX and not simplex

          Hope this helps 🙏

        • Joe Bidet@lemmy.ml
          1 year ago

          What an uneducated red herring! Simplex is not named “Herpes”… in “Herpes simplex”, “Simplex” is an adjective…

          “Dude! why would you name a messaging app after a latin adjective dude!”…

          Now can we resume talking about messaging protocols, and why Simplex is one of the most promising, way much better than Signal when it comes to privacy, as it enables communications without disclosing identity?

          • Squeak@lemmy.world
            1 year ago

            The word simplex is not common in normal everyday English, unless you happen to be talking about the Herpes Simplex Virus.

            The association between Simplex and Herpes is not a hard one to make, as noted by all the other comments.

            I’d rather not discuss Simplex vs Signal with someone who tries to give off ‘big brain’ energy instead of realising the social norms of holding conversations.

            Not everything is literal my dude.

            • Joe Bidet@lemmy.ml
              1 year ago

              Fine. Then Signal for the English-native-speaking dudes who think herpes is funny bro, lol…

              Simplex for the rest of us, who truly value our privacy, anonymity, and not having to trust Amazon for the safety of our meta-data, lol dude

            • shortwavesurfer@monero.town
              1 year ago

              Simplex is also used in communication channels as a single client to be able to speak at once as in amateur radio. A lot of internet links are duplex, where multiple machines can speak at once, such as Ethernet.

      • TheProtagonist@lemmy.world
        1 year ago

        Although I doubt that Signal would leave the EU (or that this dangerous regulation would even become something that could ever be applied in practice), SimpleX looks very promising as a possible alternative.

        However, it would also mean that you have to convince all your contacts to make the move, too - which was already difficult when I told them to install Signal additionally to WhatsApp, which is virtually on almost every device.

        • FarLine99@lemm.ee
          1 year ago

          it won’t be easy, yes. but I think that with Signal everything will be ok 🙂

    • ccx@sopuli.xyz
      1 year ago

      I’m not convinced by Session’s decision to remove forward secrecy. I don’t care if it’s malice or incompetence, they shouldn’t be in business of encrypted messaging either way.

      And their lack of transparency on their share of underlying network and the associated costs for new entrants doesn’t make them smell like a cryptoscam any less.

      My personal advice is avoid. You’ll be far better off with simplex, or xmpp+omemo for something not paired with phone number.

  • gasull@lemmy.ml
    1 year ago

    You can just continue using Signal. All the alternatives will disappear from the app stores too unless they spy on you.

    A recent alternative with even better privacy is SimpleX: https://simplex.chat/

  • sir_reginald@lemmy.world
    1 year ago

    XMPP or SimpleX. It’s easy to block Signal, given they require a phone number and the servers are centralized. But it’s quite hard, potentially impossible, to block the federated XMPP network or the decentralized relay structure of SimpleX.

    • Natanael@slrpnk.net
      1 year ago

      You need to add encryption on top with OTR plugins or equivalent

      Or use Matrix where it’s on by default

      • ngn@lemy.lol
        1 year ago

        i would argue that matrix is not decentralized enough (almost everybody is on matrix.org)

        also all popular XMPP clients (Conversations, Gajim etc.) support OMEMO and OpenPGP/PGP out of the box

        • EngineerGaming@feddit.nl
          1 year ago

          Also Matrix servers are way more resource-intensive than XMPP ones. Synapse one is probably not even possible to run on my low-spec VPS, idk about Dendrite or Conduit. And from what I’ve heard, the server is harder to manage.

          • ngn@lemy.lol
            1 year ago

            that’s actually one of the reasons i stopped using matrix - synapse kept crashing my server lol

            but i should also mention that XMPP servers have less documentation/tutorials, i spent an entire week just to get prosody to work as i wanted it to

            • Chobbes@lemmy.world
              1 year ago

              In my experience prosody is pretty easy to set up, but there’s also Snikket now which is built on prosody and hopefully makes setup even easier (but I haven’t used it).

      • EngineerGaming@feddit.nl
        1 year ago

        AFAIK in Iran, the issue is that the real local phone numbers could not be accepted for registration due to sanctions, so it only ever worked for existing accounts. Another problem of such a system.

          • devfuuu@lemmy.world
            1 year ago

            It’s a feature that keeps being said to be “almost ready”, but phone number for registration will continue to be required from what I understand. What they were working on was the ability to have usernames to connect to strangers and other people without the need to share the phone number.

          • jet@hackertalks.com
            1 year ago

            They could. If they wanted to. But they don’t want to. They could charge a little bit of money to initiate contact with somebody if you don’t have your phone number registered. To keep the spam down. They already have their own mobile coin, they could just ask initial contacts to send a penny for that contact. Something not too intrusive. They could do that, if they want to, but they don’t want to.

    • Kalcifer@lemm.ee
      1 year ago

      I caution mentioning both Matrix, and Element as if they are synonymous – they are not (I’m quite certain that that wasn’t your intent, but the usage of the forward slash could be interpreted as such). It may lead to confusion for newcomers. It would essentially be the same as saying “I recommend ActivityPub/Thunder” to someone who you want to introduce to Lemmy. Matrix is the protocol, and Element is simply a client that interacts with the Matrix protocol.

      I personally think that it’s sufficient to recommend Matrix if one is mentioning chat-app alternatives. Of course, nothing is stopping one from also recommending a client, but I don’t believe that it’s entirely necessary.

    • XpeeN@sopuli.xyz
      1 year ago

      Yep. One can even self host so no one can really force removing do something to e2ee

          • blkpws@lemmy.ml
            1 year ago

            As far as I know, it’s just about sending image hashes from the client side; the chats and texts are still sent end-to-end encrypted, no chat leak or encryption backdoor. Or am I missing something?

    • RangerAndTheCat@lemmy.worldOP
      1 year ago

      That’s what I’m hoping, some consideration, considering it would undermine everything in regards to the lives at risk. Currently using Proton but thinking Mullvad now, as it keeps coming up. Does it offer other services as well, similar to Proton, and if so how are they? Thank you for your reply.

      • Pantherina@feddit.de
        1 year ago

        No, Mullvad is a VPN. For mail use some other provider not in your country, Switzerland for example. For cloud I would say self-host.

          • Pantherina@feddit.de
            1 year ago

            No, maybe don’t do that!

            See any VPS provider you can pay by crypto. Access it over the Tor browser. Either do some Linode one-click stuff or follow some guide to set up a server and WireGuard VPN.

            I can help you if you want.

            Mullvad is easy to block, as every server’s IP is known. Custom servers not so likely.

            If that fails, Tor network with bridges…

      • jet@hackertalks.com
        1 year ago

        Mullvad is a non-profit focused on privacy as a human right. They provide anonymous VPN services; you can pay them with crypto, cash, a lot of different things that help distance you from the service. They also provide a Firefox fork, called Mullvad Browser, which is like a mix of the Tor Browser and arkenfox, with all the privacy-respecting options set correctly out of the box.

  • Hazel@lemmy.blahaj.zone
    1 year ago

    Take a look at the Matrix network. It’s decentralized like Lemmy and the cryptography is on point. And it can’t really be censored due to this reason.

        • library_napper@monyet.cc
          1 year ago

          Human error is possible. Happens to our users’ PGP emails all the time.

          As an org we don’t allow any software where it’s possible to send unencrypted messages. It’s too much risk.

          • Hazel@lemmy.blahaj.zone
            1 year ago

            I completely agree. Though PGP emails usually have to be set up. At least when using Element nothing has to be set up and it is enabled by default. But this doesn’t change the point.

            As an org, self-hosting a Matrix server would be an option. But the issue would still remain. So it’s a tradeoff.

          • vitriolix@lemmy.ml
            1 year ago

            this seems easily fixable by choice of end user app, Element surely defaults to sending encrypted messages, if a user goes out of their way to figure out how to send clear text good on 'em

      • ptman@sopuli.xyz
        1 year ago

        Yes, because for large public rooms it makes no sense as anyone can leak the message contents anyway and e2ee is expensive for large rooms.

  • SHITPOSTING_ACCOUNT@feddit.de
    1 year ago

    The only alternative that’s FOSS and not centrally controlled is Matrix. By being decentralized, anyone can run their own server and good luck stopping that.

    There may be 200 other “alternatives”, but they’re irrelevant to the point where I consider them non-existent. Nobody has heard of them. Nobody is using them. Trying to push them on normal people will most likely result in them no longer talking to you as often or at all, and none of the other ones has any chance of reaching a critical mass. Matrix at least has some recognition among nerds and some tiny amount of adoption outside.

    Stop pushing random niche shit, it does privacy a disservice.

    • zShxck@lemmy.ml
      1 year ago

      The only alternative that’s FOSS and not centrally controlled is Matrix

      That’s not true, there is also XMPP which is lighter and far more decentralized than Matrix

    • Fungah@lemmy.world
      1 year ago

      I don’t understand why people think downloading a fucking app is so arduous. I truly don’t. Their stalwart refusal to do it puzzles tf out of me.

      • SHITPOSTING_ACCOUNT@feddit.de
        1 year ago

        If I installed a different app for every friend I had, I’d have a homescreen full just of chat apps. What’s worse, those niche privacy friendly apps go under or out of favor often.

        You might be able to convince some of your friends to install an app just for you once, but by the time you’re telling them “this one now sucks, I’m on other app now” for the second time, they’ll just stop chatting with you, and if you ask them repeatedly, likely shun you even IRL because most people want to live their lives, not chase chat apps for their friends’ weird interests.

        And even if they do that, they’ll have one app that they use every day, and one that sits in the bottom of their app drawer. Guess who gets invited to do something on the weekend, the person who shows up on their main contact list, or the person that would show up if they dug out that dusty app? And guess what the phone is gonna do with that app once it hasn’t been opened for a week… it’s going to deprioritize it so it won’t even work properly, while their main daily-opened app always gets push notifications immediately.

        You don’t have to like it. You can pretend it’s not happening. But it will happen.

  • gaael@lemmy.world
    1 year ago

    I’ve been using DeltaChat (available on F-Droid) for a few months now.

    What I like about it is that because it’s email based, it uses OpenPGP for encryption, making it easy to have compatibility with other email-based solutions.

    If you want to go the extra-secure route, you and your contacts can even self-host your emails - as long as you’re not going to send messages to people on Gmail or other big providers, you can avoid your messages being treated as spam.

    The multi-device support is still a bit rough around the edges, but has gotten better in the last few months since the app is under active development.

    • ᗪᗩᗰᑎ@lemmy.ml
      1 year ago

      deltachat uses autocrypt which apparently doesn’t support key verification yet. how secure is it if you can’t even verify that your messages aren’t being intercepted? I also didn’t see anything about rotating keys after every message like Signal does, so anyone sucking up your encrypted messages just needs one key to see your entire message history. that doesn’t sound very good.
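
The forward-secrecy point raised in the comment above and in the earlier comment about Session, as an added example that is not part of the thread: a minimal symmetric hash ratchet (the chain-key idea only, not Signal's full Double Ratchet) beside a single static key. The names `Ratchet`, `seal`, `open_` and the HMAC-based toy cipher are assumptions made for illustration, and all inputs are constructed.

```python
import hashlib
import hmac


def kdf(key: bytes, label: bytes) -> bytes:
    """One-way derivation step: HMAC-SHA256(key, label)."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, n: int) -> bytes:
    out, counter = b"", 0
    while len(out) < n:
        out += kdf(key, b"stream" + counter.to_bytes(4, "big"))
        counter += 1
    return out[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC, for illustration only; real code uses a vetted AEAD."""
    stream = _keystream(kdf(key, b"enc"), len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, stream))
    return ct + kdf(kdf(key, b"mac"), ct)


def open_(key: bytes, blob: bytes):
    """Return the plaintext, or None if the key is wrong or the blob was altered."""
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, kdf(kdf(key, b"mac"), ct)):
        return None
    stream = _keystream(kdf(key, b"enc"), len(ct))
    return bytes(c ^ k for c, k in zip(ct, stream))


class Ratchet:
    """Each message gets its own key; the chain key is then replaced by a
    one-way derivation of itself and the previous value is discarded."""

    def __init__(self, root: bytes):
        self.chain_key = root

    def next_message_key(self) -> bytes:
        message_key = kdf(self.chain_key, b"msg")
        self.chain_key = kdf(self.chain_key, b"chain")  # old chain key is gone
        return message_key


def recorded_traffic_readable(captured_key: bytes, recorded: list) -> int:
    """Count recorded ciphertexts that a key captured later can open.
    The holder can also ratchet the captured key forward, so those keys are tried too."""
    candidates = {captured_key}
    walker = Ratchet(captured_key)
    for _ in recorded:
        candidates.add(walker.next_message_key())
    return sum(
        1 for blob in recorded
        if any(open_(k, blob) is not None for k in candidates)
    )


def demo():
    messages = [b"msg one", b"msg two", b"msg three"]  # constructed sample data
    shared = hashlib.sha256(b"constructed shared secret").digest()

    # Static key: every message is sealed under the same long-term key.
    static_recorded = [seal(shared, m) for m in messages]

    # Ratchet: one key per message, chain advanced after each send.
    sender = Ratchet(shared)
    ratchet_recorded = [seal(sender.next_message_key(), m) for m in messages]

    # Key material is captured from the device after the third message.
    static_hits = recorded_traffic_readable(shared, static_recorded)
    ratchet_hits = recorded_traffic_readable(sender.chain_key, ratchet_recorded)
    return static_hits, ratchet_hits


if __name__ == "__main__":
    print(demo())
```

A hash ratchet on its own protects only messages sent before the capture; recovering security for later messages needs fresh Diffie-Hellman input, which this sketch leaves out.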