<p>I'd really appreciate your feedback, criticism and suggestions on the open-source idea I was slowly working on since early 2020. I recently made the demo server for the low-level message queue protocol (&quot;simplex messaging protocol&quot;) and the website to try to explain the chat idea that would use this protocol.</p>
<p>In short, the protocol defines a minimalist set of commands and server responses (just 7 commands and 5 responses sent over TCP) to operate encrypted message queues with in-memory persistence - the implementation uses STM.</p>
<p>If anything, it was definitely helping to get to know Haskell types etc. much deeper than before :)</p>
<p>Any criticism would be great - thank you in advance!</p>
<p>Originally published at <a href="https://www.reddit.com/r/haskell/comments/jg6uh4/simplex_chat/">https://www.reddit.com/r/haskell/comments/jg6uh4/simplex_chat/</a></p>
<p>For the last six months <a href="https://github.com/epoberezkin">me</a> and my son Efim have been working to bring you a working prototype of SimpleX Chat. We're excited to announce SimpleX Chat terminal client is now available <a href="https://github.com/simplex-chat/simplex-chat">here</a> on Linux, Windows and Mac (you can either build from source or download the binary for Linux, Windows or Mac from the latest release).</p>
<p>We’ve been using the terminal client between us and a few other people for a couple of months now, eating our own “dog food”, and have developed up to version 0.3.1, with most of the messaging protocol features we originally planned</p>
<li>End-to-end encryption with protection from man in the middle attack. The connection invitation must be passed out-of-band (see <a href="https://github.com/simplex-chat/simplex-chat#how-to-use-simplex-chat">how to use SimpleX Chat</a> in the repo).</li>
<li>No global identity or any usernames visible to the server(s), ensuring full privacy of your contacts and conversations.</li>
<li>Message signing and verification with automatically generated RSA keys, with keys being unique per each connection.</li>
<li>Authorization of each command/message by the servers with automatically generated RSA key pairs, also unique per connection.</li>
<li>Message integrity validation (via passing the digests of the previous messages).</li>
<li>Encrypted TCP transport, independent of certificates.</li>
<li>You can deploy your own server, but you don’t have to - the demo SMP server to relay your messages is available at <a href="http://smp1.simplex.im:5223/">smp1.simplex.im:5223</a> (pre-configured in the client).</li>
</ul>
<h2 id="we-need-your-help" tabindex="-1">We need your help!</h2>
<p>We're building a new kind of chat network - the only network that lets you control your chat. We'd really appreciate your feedback, criticism and support - a star on the github repo, signing up to the mailing list or any contribution to the project will help. There is so much more to do!</p>
<p>Originally published at <a href="https://www.reddit.com/r/haskell/comments/naw6lz/simplex_chat_prototype_terminal_ui_made_in_haskell/">https://www.reddit.com/r/haskell/comments/naw6lz/simplex_chat_prototype_terminal_ui_made_in_haskell/</a></p>
<p>We are building a new platform for distributed Internet applications where privacy of the messages <em>and</em> the network matter. <a href="https://github.com/simplex-chat/simplex-chat">SimpleX Chat</a> is our first application, a chat application built on the SimpleX platform that serves as an example of the power of the platform and as a reference application.</p>
<h2 id="what-is-simplex" tabindex="-1">What is SimpleX?</h2>
<p>We recognised that there is currently no messaging application which respects user privacy and guarantees metadata privacy -- in other words, messages could be private, but a third party can always see who is communicating with whom by examining a central service and the connection graph. SimpleX, at it's core, is designed to be truly distributed with no central server. This allows for enormous scalability at low cost, and also makes it virtually impossible to snoop on the network graph.</p>
<p>The first application built on the platform is Simplex Chat, which for now is terminal (command line) based with mobile apps in the pipeline. The platform can easily support a private social network feed and a multitude of other services, which can be developed by the Simplex team or third party developers.</p>
<h2 id="whats-new-in-v05" tabindex="-1">What's new in v0.5?</h2>
<p>We're exicted to announce that SimpleX Chat now supports group chat and file transfer!</p>
<p>To create a group use the <code>/g &lt;group&gt;</code> command. You can then invite contacts to the group by entering the <code>/a &lt;group&gt; &lt;name&gt;</code> command. Your contact(s) will need to use the <code>/j accept</code> command to accept the invitation to the group. To send messages to the group, simply enter <code>#&lt;group&gt; &lt;message&gt;</code>.</p>
<p><strong>Please note:</strong> Groups are not stored on any server; they are maintained as a list of members in the app database. Sending a message to the group sends a message to each member of the group.</p>
<p>Sharing files is simple! To send a file to a contact, use the <code>/f @&lt;contact&gt; &lt;file_path&gt;</code> command. The recipient will have to accept before the file is sent.</p>
<h2 id="were-always-looking-for-help" tabindex="-1">We're always looking for help!</h2>
<p>We'd really appreciate your comments, criticism and support - a star on the GitHub repo, downloading and testing the chat or any contribution to the project will help a lot – thank you for all your support!</p>
<p><strong>Please note:</strong> SimpleX Chat is in early stage development: we are still iterating protocols, improving privacy and security, so if you have communication scenarios requiring high security, you should consider some other options for now.</p>
<p>Our goal is to create a new kind of chat platform that lets you control your chat!</p>
<p>Originally published at <a href="https://www.reddit.com/r/selfhosted/comments/poal79/simplex_chat_an_opensource_decentralized_chat/">https://www.reddit.com/r/selfhosted/comments/poal79/simplex_chat_an_opensource_decentralized_chat/</a></p>
<p><strong>Published:</strong> Dec 08, 2021</p>
<h2 id="simplex-chat-is-the-first-chat-platform-that-is-100percent-private-by-design-simplex-no-access-to-your-connections-graph" tabindex="-1">Simplex Chat is the first chat platform that is 100% private by design - SimpleX no access to your connections graph</h2>
<p>We are building a new platform for distributed Internet applications where privacy of the messages <em>and</em> the network matter. <a href="https://github.com/simplex-chat/simplex-chat">SimpleX Chat</a> is our first application, a chat application built on the SimpleX platform that serves as an example of the power of the platform and as a reference application.</p>
<h2 id="what-is-simplex" tabindex="-1">What is SimpleX?</h2>
<p>We recognised that there is currently no messaging application which respects user privacy and guarantees metadata privacy -- in other words, messages could be private, but a third party can always see who is communicating with whom by examining a central service and the connection graph. SimpleX, at it's core, is designed to be truly distributed with no central server. This allows for enormous scalability at low cost, and also makes it virtually impossible to snoop on the network graph.</p>
<p>The first application built on the platform is Simplex Chat, which for now is terminal (command line) based with mobile apps in the pipeline. The platform can easily support a private social network feed and a multitude of other services, which can be developed by the Simplex team or third party developers.</p>
<h2 id="whats-new-in-v05" tabindex="-1">What's new in v0.5?</h2>
<p>Users can now create long-term chat addresses that they can share with many people (e.g. in email signature, or online), so that any chat user can send them a connection request.</p>
<p>This is an ALPHA feature, and we have not yet added any protection against spam contact requests. However, if the address you created starts receiving spam connection requests, you can simply delete it without losing any of your accepted connections and create another address - as many times as you like!</p>
<h2 id="we-need-your-help" tabindex="-1">We need your help!</h2>
<p>We'd really appreciate your comments, criticism and support - a star on the GitHub repo, downloading and testing the chat or any contribution to the project will help a lot – thank you for all your support!</p>
<p><strong>Please note:</strong> SimpleX Chat is in early stage development: we are still iterating protocols, improving privacy and security, so if you have communication scenarios requiring high security, you should consider some other options for now.</p>
<p>Our goal is to create a new kind of chat platform that lets you control your chat!</p>
<p>Originally published at <a href="https://www.reddit.com/r/haskell/comments/rc0xkn/simplex_chat_the_first_chat_platform_that_is_100/">https://www.reddit.com/r/haskell/comments/rc0xkn/simplex_chat_the_first_chat_platform_that_is_100/</a></p>
<p><strong>Published:</strong> Jan 12, 2022</p>
<h2 id="the-most-private-and-secure-chat-and-application-platform" tabindex="-1">The most private and secure chat and application platform</h2>
<p>We are building a new platform for distributed Internet applications where privacy of the messages <em>and</em> the network matter. <a href="https://github.com/simplex-chat/simplex-chat">SimpleX Chat</a> is our first application, a messaging application built on the SimpleX platform.</p>
<h2 id="what-is-simplex" tabindex="-1">What is SimpleX?</h2>
<p>There is currently no messaging application which respects user privacy and guarantees metadata privacy - in other words, messages could be private, but a third party can always see who is communicating with whom by examining a central service and the connection graph. SimpleX, at it's core, is designed to be truly distributed with no central server. This allows for enormous scalability at low cost, and also makes it virtually impossible to snoop on the network graph.</p>
<p>The first application built on the platform is Simplex Chat, which for now is terminal (command line) based with mobile apps in the pipeline. The platform can easily support a private social network feed and a multitude of other services, which can be developed by the Simplex team or third party developers.</p>
<h2 id="whats-new-in-v1" tabindex="-1">What's new in v1?</h2>
<p>All releases from v1 onwards will be forwards and backwards compatible.</p>
<h3 id="message-encryption-has-been-completely-re-engineered-to-provide-forward-secrecy-and-recovery-from-break-in" tabindex="-1">Message encryption has been completely re-engineered to provide forward secrecy and recovery from break-in.</h3>
<p>SimpleX Chat v1 now uses:</p>
<ul>
<li><a href="https://www.signal.org/docs/specifications/doubleratchet/">double-ratchet</a> E2E encryption using AES-256-GCM cipher with <a href="https://www.signal.org/docs/specifications/x3dh/">X3DH key agreement</a> using 2 ephemeral Curve448 keys to derive secrets for ratchet initialization. These keys and secrets are separate for each contact, group membership and file transfer.</li>
<li>in addition to double ratchet, there is a separate E2E encryption in each message queue with DH key exchange using Curve25519 and <a href="https://nacl.cr.yp.to/index.html">NaCl crypto-box</a> - separate E2E encryption has been added to avoid having any cipher-text in common between message queues of a single contact (to prevent traffic correlation).</li>
<li>additional encryption of messages delivered from servers to recipients, also using Curve25519 DH exchange and NaCl crypto-box - to avoid shared cipher-text in sent and received traffic (also to prevent traffic correlation).</li>
</ul>
<h3 id="improved-user-and-server-authentication-and-transport" tabindex="-1">Improved user and server authentication and transport</h3>
<p>SimpleX now uses ephemeral Ed448 keys to sign and verify client commands to the servers. As before, these keys are different per message queue and do not represent a user's identity.</p>
<p>Instead of ad-hoc encrypted transport we now use TLS 1.2+ limited to the most performant and secure cipher with forward secrecy (ECDHE-ECDSA-CHACHA20POLY1305-SHA256), Curve448 groups and Ed448 keys.</p>
<p>Server identity is validated as part of TLS handshake - the fingerprint of offline server certificate is used as a permanent server identity which is included in server address, to protect against MITM attacks between clients and servers.</p>
<p>SimpleX also uses <a href="https://datatracker.ietf.org/doc/html/rfc5929#section-3">tls-unique channel binding</a> in each signed client command to the server to protect against replay attacks.</p>
<h3 id="changes-in-protocol-encoding" tabindex="-1">Changes in protocol encoding</h3>
<p>We switched from inefficient text-based low level protocol encodings, that simplified early development, to space and performance efficient binary encodings, reducing protocol overhead from circa 15% to 3.7% of transmitted application message size.</p>
<h2 id="learn-more-about-simplex" tabindex="-1">Learn more about Simplex</h2>
<p>Further details on platform objectives and technical design are available <a href="https://github.com/simplex-chat/simplexmq/blob/master/protocol/overview-tjr.md">here</a>.</p>
<p>SimpleX Chat client can be used in the terminal on all major desktop platforms (Windows/Mac/Linux) and also on Android devices with <a href="https://github.com/termux">Termux</a>.</p>
<p>SimpleX also allows people to host their own servers and own their own chat data. SimpleX servers are exceptionally lightweight and require a single process with the initial memory footprint of under 20 Mb, which grows as the server adds in-memory queues (even with 10,000 queues it uses less than 50Mb, not accounting for messages).</p>
<h2 id="we-look-forward-to-you-using-it" tabindex="-1">We look forward to you using it!</h2>
<p>We look forward to your feedback and suggestions - via GitHub issues or via SimpleX Chat - you can connect to the team with <code>/simplex</code> command once you run the chat.</p>
<p><strong>Published:</strong> Feb 14, 2022</p>
<h2 id="private-and-secure-chat-and-application-platform-public-beta-is-now-available-for-iphones-with-ios-15" tabindex="-1">Private and secure chat and application platform - <a href="https://testflight.apple.com/join/DWuT2LQu">public beta is now available</a> for iPhones with iOS 15.</h2>
<p>Our new iPhone app is very basic - right now it only supports text messages and emojis.</p>
<p>Even though the app is new, it uses the same core code as our terminal app, that was used and stabilized over a long time, and it provides the same level of privacy and security that has been available since the release of v1 a month ago:</p>
<li>separate keys for each contact.</li>
<li>additional layer of E2E encryption in each message queue (to prevent traffic correlation when multiple queues are used in a conversation - something we plan later this year).</li>
<li>additional encryption of messages delivered from servers to recipients (also to prevent traffic correlation).</li>
</ul>
<p>You can read more details in our recent <a href="https://simplex.chat/blog/20220112-simplex-chat-v1-released.html">v1 announcement</a>.</p>
<h2 id="join-our-public-beta" tabindex="-1">Join our public beta!</h2>
<p>Install the app <a href="https://testflight.apple.com/join/DWuT2LQu">via TestFlight</a>, connect to us (via <strong>Connect to SimpleX team</strong> link in the app) and to a couple of your friends you usually send messages to - and please let us know what you think!</p>
<p>We would really appreciate any feedback to improve the app and to decide which additional features should be included in our public release in March.</p>
<p>Should it be:</p>
<ul>
<li>images,</li>
<li>link previews,</li>
<li>or maybe something else we couldn't think of.</li>
</ul>
<p>Please vote on the features you think are the most needed in our <a href="https://app.loopedin.io/simplex">app roadmap</a>.</p>
<h2 id="what-is-simplex" tabindex="-1">What is SimpleX?</h2>
<p>We are building a new platform for distributed Internet applications where privacy of the messages <em>and</em> the network matter.</p>
<p>We aim to provide the best possible protection of messages and metadata. Today there is no messaging application that works without global user identities, so we believe we provide better metadata privacy than alternatives. SimpleX is designed to be truly distributed with no central server, and without any global user identities. This allows for high scalability at low cost, and also makes it virtually impossible to snoop on the network graph.</p>
<p>The first application built on the platform is Simplex Chat, which is available for terminal (command line in Windows/Mac/Linux) and as iOS public beta - with Android app coming in a few weeks. The platform can easily support a private social network feed and a multitude of other services, which can be developed by the Simplex team or third party developers.</p>
<p>SimpleX also allows people to host their own servers to have control of their chat data. SimpleX servers are exceptionally lightweight and require a single process with the initial memory footprint of under 20 Mb, which grows as the server adds in-memory queues (even with 10,000 queues it uses less than 50Mb, not accounting for messages). It should be considered though that while self-hosting the servers provides more control, it may reduce meta-data privacy, as it is easier to correlate the traffic of servers with small number of messages coming through.</p>
<p>Further details on platform objectives and technical design are available <a href="https://github.com/simplex-chat/simplexmq/blob/master/protocol/overview-tjr.md">in SimpleX platform overview</a>.</p>
<title>SimpleX announces SimpleX Chat mobile apps for iOS and Android</title>
<content type="html"><h1 id="simplex-announces-simplex-chat-mobile-apps-for-ios-and-android" tabindex="-1">SimpleX announces SimpleX Chat mobile apps for iOS and Android</h1>
<p><strong>Published:</strong> March 8, 2022</p>
<h2 id="simplex-chat-is-the-first-chat-platform-that-is-100percent-private-by-design-it-has-no-access-to-your-connections-graph" tabindex="-1">SimpleX Chat is the first chat platform that is 100% private by design - it has no access to your connections graph</h2>
<p>We have now released iPhone and Android apps to <a href="https://apps.apple.com/us/app/simplex-chat/id1605771084">Apple AppStore</a> and <a href="https://play.google.com/store/apps/details?id=chat.simplex.app">Google Play Store</a>, <a href="https://github.com/simplex-chat/simplex-chat/releases/latest/download/simplex.apk">APK for Android</a> is also available for direct download.</p>
<p><strong>Please note</strong>: the current version is only supported on iPhone 8+ and on Android 10+ - we are planning to add support for iPad and older devices very soon, and we will announce it on our <a href="https://www.reddit.com/r/SimpleXChat/">Reddit</a> and <a href="https://twitter.com/SimpleXChat">Twitter</a> channels - please subscribe to follow our updates there.</p>
<h2 id="what-is-simplex" tabindex="-1">What is SimpleX</h2>
<p>We are building a new platform for distributed Internet applications where privacy of the messages <em>and</em> the network matter.</p>
<p>We aim to provide the best possible protection of messages and metadata. Today there is no messaging application that works without global user identities, so we believe we provide better metadata privacy than alternatives. SimpleX is designed to be truly distributed with no central server, and without any global user identities. This allows for high scalability at low cost, and also makes it virtually impossible to snoop on the network graph.</p>
<p>The first application built on the platform is Simplex Chat. The platform can easily support a private social network feed and a multitude of other services, which can be developed by the Simplex team or third party developers.</p>
<p>Further details on platform objectives and technical design are available <a href="https://github.com/simplex-chat/simplexmq/blob/master/protocol/overview-tjr.md">in SimpleX platform overview</a>.</p>
<h2 id="why-we-are-building-it" tabindex="-1">Why we are building it</h2>
<p>Evgeny (SimpleX Chat founder): I have been working on this platform for a long time to provide a place where all people can communicate freely with each other, without fear of persecution because of what they said and who they are connected with. Not sharing information about your connections is very important, particularly for people living in oppressive regimes. Because of the terrible conflict between Russia and Ukraine, people of both countries – I have friends and family there – could be at risk when sharing their opinions or just from being connected to people who were prosecuted. Every messenger app that knows who you are can end up sharing all of your connections with undesirable third parties, either as a result of a court order or as a result of attack - so even Signal, which has strong encryption, cannot protect your connection graph. I hope our messenger can help people living in the oppressive regimes to express their opinions without fear and risk of prosecution.</p>
<h2 id="huge-thanks-to-our-testers" tabindex="-1">Huge thanks to our testers!</h2>
<p>Thanks a lot to everybody who helped testing and improving the apps!</p>
<p>If you have a <a href="https://testflight.apple.com/join/DWuT2LQu">TestFlight version</a> installed you can continue using it.</p>
<p>We plan to keep it as stable as we can, and it will give you access to all new features 1-2 weeks earlier - it's limited to 10,000 users, so you can grab it while it's available. You can still communicate with people who use a public version – we are committed to maintaining backwards compatibility.</p>
<p>You can always migrate from a public App Store version to a TestFlight version. The opposite migration - from TestFlight to public version - is only possible when we have the same app versions released, as there are usually some database migrations that cannot be reversed. To migrate to public version you have to disable automatic updates on TestFlight, wait until public version catches up and then install it from App Store. In any case, it is safe installing the public version, but it might crash if you have a newer version from TestFlight - in this case you just need to re-install the app from TestFlight and install App Store version a bit later - you would not lose any of your data.</p>
<h2 id="its-not-all-new-our-core-code-has-been-used-for-a-long-time-by-a-few-thousand-people-in-our-terminal-app" tabindex="-1">It's not all new - our core code has been used for a long time by a few thousand people in our terminal app.</h2>
<p>The apps use the same core code as our terminal app, that was used and stabilized over a long time, and it provides the same level of privacy and security that has been available since the release of v1 earlier this year:</p>
<li>separate keys for each contact.</li>
<li>additional layer of E2E encryption in each message queue (to prevent traffic correlation when multiple queues are used in a conversation - something we plan later this year).</li>
<li>additional encryption of messages delivered from servers to recipients (also to prevent traffic correlation).</li>
</ul>
<p>You can read more technical details in our recent <a href="https://simplex.chat/blog/20220112-simplex-chat-v1-released.html">v1 announcement</a>.</p>
<p>A big thank you to <a href="https://github.com/angerman">@angerman</a> for making it possible to compile our Haskell code to mobile platforms and getting it approved on app stores - it has been a non-trivial project, and it is still ongoing.</p>
<h2 id="install-the-apps-and-make-a-private-connection" tabindex="-1">Install the apps and make a private connection!</h2>
<p>Once you install the app, you can connect to anybody:</p>
<ol>
<li>Create your local chat profile - it is not shared with SimpleX servers, it is local to your devices, and it will be shared with your contacts when you connect.</li>
<li>To make a private connection, you need to create a one-time connection link / QR code via &quot;Add contact&quot; button in the app. You can either show the QR code to your contact in person or via a video call - this is the most secure way to create a connection - or you can share the link via any other channel - only one user can connect via this link.</li>
<li>Once another user scans the QR code or opens the app via the link (they also should create their profile first) the connection will be created and you can send e2e encrypted messages privately, without anybody knowing you are connected.</li>
</ol>
<h2 id="new-features-and-improvements-that-are-coming-soon" tabindex="-1">New features and improvements that are coming soon</h2>
<ul>
<li>push notification server. Currently the apps load messages in the background periodically, that can be quite infrequent on iOS if you don't open the app regularly. With push notifications you would know about the new messages instantly.</li>
<li>e2e encrypted audio and video calls via WebRTC.</li>
<li>export and import of the chat database.</li>
<li>&quot;reply to message&quot; - feature allowing you to quote the message you are replying to.</li>
<li>localization - we will let you know once you can contribute the translations to your languages.</li>
<li>configuring your servers in the apps - this will be released this week, both for iOS and Android. By default the apps are using SimpleX Chat servers, but you will be able to configure your own and still be connected to other users who use our app with our servers.</li>
<li>user profile images.</li>
<li>sending images and files - image preview will be sent via the servers, so it can be asynchronous, and large files/full resolution images via WebRTC, so both devices will have to be online.</li>
</ul>
<p>Please let us know what else you think is important and if you find any bugs.</p>
<title>Instant notifications for SimpleX Chat mobile apps</title>
<content type="html"><h1 id="instant-notifications-for-simplex-chat-mobile-apps" tabindex="-1">Instant notifications for SimpleX Chat mobile apps</h1>
<p><strong>Published:</strong> April 04, 2022</p>
<h2 id="simplex-chat-is-the-first-chat-platform-that-is-100percent-private-by-design-it-has-no-access-to-your-connections" tabindex="-1">SimpleX Chat is the first chat platform that is 100% private by design - it has no access to your connections</h2>
<p>Since we released SimpleX Chat mobile apps couple of weeks ago we've had a lot of excitement from our users - nearly 2000 people downloaded the app after <a href="https://simplex.chat/blog/20220308-simplex-chat-mobile-apps.html">the announcement</a>!</p>
<p>Huge thanks to everybody who downloaded and connected to us via the chat - there were many great questions and suggestions, and on some days I spent most of the time chatting to our users :)</p>
<p>Since we released the app, we've added and released:</p>
<li>message replies, editing and deletion.</li>
<li>profile images.</li>
<li>and, most importantly, private instant message notifications on Android devices - more on that below.</li>
</ul>
<h2 id="install-the-apps-and-make-a-private-connection" tabindex="-1">Install the apps and make a private connection!</h2>
<p>Once you install the app, you can connect to anybody:</p>
<ol>
<li>Create your local chat profile - it is not shared with SimpleX servers. It is local to your devices, and it will be shared with your contacts only when you connect.</li>
<li>To make a private connection, you need to create a one-time connection link or a QR code via the &quot;Add contact&quot; button in the app. You can show the QR code to your contact in person or via a video call - this is the most secure way to create a connection - or you can share the link via any other channel. Only one user can connect via this link.</li>
<li>Once another user scans the QR code or opens the app via the link the connection will be created and you can send end-to-end encrypted messages privately, without anybody knowing you are connected.</li>
</ol>
<p>See <a href="https://youtu.be/rZeVhsv_JAY">demo video</a> that shows how two users connect and send the first messages.</p>
<h2 id="why-we-are-doing-it" tabindex="-1">Why we are doing it</h2>
<p>We are building SimpleX Chat because we believe that privacy is a fundamental human right, and that protecting our personal network of contacts is even more important than the content of the messages - sharing this network can lead to various adverse consequences, from manipulating us into buying goods we don't need, manipulating election processes, and in some cases, prosecuting innocent people. For example, <a href="https://en.wikipedia.org/wiki/Mohamedou_Ould_Slahi">Mohamedou Ould Salahi</a> was detained in Guantanamo prison for 15 years after a single &quot;wrong&quot; phone call. His story is told in his memoir and in The Mauritanian movie.</p>
<h2 id="problem-users-expect-to-be-instantly-notified-when-messages-arrive" tabindex="-1">Problem - users expect to be instantly notified when messages arrive!</h2>
<p>Our first users realized that what we take for granted in messaging apps - instant message notifications - is missing in our first release of SimpleX Chat apps. Quite a few people thought that it was a bug, rather than a missing feature. Sorry to disappoint!</p>
<h2 id="why-cant-we-just-do-what-messenger-x-does" tabindex="-1">Why can't we just do what messenger X does?</h2>
<p>SimpleX Chat is the first and the only messenger we know of that operates without user identities of any kind. There are no phone numbers, emails, usernames, public keys, or any other addresses or identifiers to uniquely identify the users to the network or servers. That is why we say it is 100% private by design, and fundamentally different than other chat platforms.</p>
<p>Instead, SimpleX Chat assigns these identifiers to unidirectional message queues. What looks to SimpleX Chat users like contacts and groups [1], to SimpleX servers looks like an unorganized and unrelated collection of unidirectional message queues. Our servers do not know which queues belong to which users, contacts or groups. Even a single conversation can happen via two different servers (one for sent and another for received messages). This makes our personal network of contacts invisible to the servers.</p>
<p>But it also creates a problem for instant notifications - all push notification services require having a device token.</p>
<p>So, how can we operate without identities and still have instant notifications?</p>
<p>[1] yes, we have groups in our terminal app, and the UI to manage them is coming to mobile apps soon. Some users have already firgured out how to <a href="https://medium.com/@vsevolod.mineev/how-to-collaborate-across-multiple-devices-whilst-protecting-your-metadata-371af87d0ba0">create groups via chat console</a>.</p>
<h2 id="weve-cracked-it-for-android" tabindex="-1">We've cracked it for Android!</h2>
<p>After some research into how push notifications work on Android, and open-source alternatives to Google push notifications, we discovered how to avoid sharing device tokens with any servers.</p>
<p>We have implemented message reception as a background service (in Android terminology, a &quot;foreground service&quot; showing a notification icon when the service is running) following the same design as <a href="https://github.com/binwiederhier/ntfy-android">ntfy.sh</a> created by <a href="https://github.com/binwiederhier">Philipp Heckel</a>, who, in turn, credits the design to <a href="https://robertohuertas.com/2019/06/29/android_foreground_services/">the blog post by Roberto Huertas</a>. Big thanks to them!</p>
<p>How does it work? When the app is first started on an Android device, it starts the background service that keeps the TCP connections to the messaging servers open with almost no traffic (only doing periodic checks that connections still exist). It consumes only a few percents of battery per day, depending on how stable your internet connection is, and delivers message notifications as soon as messages arrive.</p>
<p>This service continues running when the app is switched off, and it is restarted when the device is restarted even if you don't open the app - so the message notifications arrive instantly every time. To maximize battery life, it can be turned off by switching off &quot;Private notifications&quot;. You will still receive notifications while the app is running or in the background.</p>
<p>So, for Android we can now deliver instant message notifications without compromising users' privacy in any way. The app version 1.5 that includes private instant notifications is now available on <a href="https://play.google.com/store/apps/details?id=chat.simplex.app">Play Store</a>, in our <a href="https://app.simplex.chat/">F-Droid repo</a> and via direct <a href="https://github.com/simplex-chat/simplex-chat/releases/latest/download/simplex.apk">APK</a> downloads!</p>
<p>iOS is much more protective of what apps are allowed to run on the devices, and the solution that worked on Android is not viable on iOS.</p>
<p>We already have background refresh in the iOS app that periodically checks for new messages, and if you use the app every day it delivers notifications within 10 or 20 minutes. It is not instant, but it may be usable for some. If you use the app infrequently, however, this delay can become several hours, or your phone may stop checking for the new messages completely. This is not ideal!</p>
<p>The only solution known to us is using Apple's push notifications service (APN) to deliver push notifications.</p>
<p>We planned for it, so we added to <a href="https://simplex.chat/blog/20220112-simplex-chat-v1-released.html">v1 of SMP</a> (the protocol used by our servers) an extension allowing the client to subscribe to notifications from message queues, via separate queue addresses, and using separate cryptographic keys for each queue. This has to be enabled by the client for each queue separately. We haven't used this extension so far, and now we are building a SimpleX notification service based on it.</p>
<p>If the user enables push notifications, then for each contact the app would enable a notification subscription and pass credentials to the notification server together with the device token required to deliver push notifications to user's device.</p>
<p>The notification server will subscribe to these notifications from SMP servers. The notifications do not include any message content, only the signal that a message has arrived to the server. Notification server is only allowed to send 2-3 hidden notifications per hour to the device. The notification is end-to-end encrypted and contains information about which server has a message, so that the client can connect to the server, retrieve and decrypt the message, and show the notification to the users including sender name and the message content. None of this information is shared with any server.</p>
<p>If the user receives more than 2-3 messages per hour, the notification server can send additional visible notifications that would simply say &quot;you have a new message&quot;, and the user will have to open the app to receive and see these messages. We are also investigating whether we can use &quot;mutable-content&quot; notifications that allow doing some processing when the notification arrives before showing it to the users.</p>
<p>It is a substantial amount of development, we are aiming to release it later this month.</p>
<p>This design is a compromise between privacy and convenience. The notification server will have to have a device token to deliver notifications. Several things we did (or plan to do) to improve this compromise:</p>
<ol>
<li>The notification server will only store device tokens and queue addresses in memory, making it more complex for a potential attacker to access. If server has to be restarted, they would lose all configured notification subscriptions and the clients would have to create them again. We will program the clients to periodically check for the existence of notification subscriptions on the notification server.</li>
<li>The notificaiton server will not know the addresses of the messaging queues used to receive or send messages. A different address is used to subscribe to notifications. So while the notification server would have the knowledge of how many queues your device has (and on which servers), it still won't know who is sending you the messages.</li>
<li>We are also planning to split the logic of notification subscriptions and delivering notifications to the devices to two different servers. The server that subscribes to the notifications could be self-hosted, allowing you full control of how you deploy it. Only this server would know which messaging servers you use or how many messaging queues you have. The server that delivers notifications to the devices will be managed by SimpleX Chat as we have to authorize it with Apple's push notification service. This split will not be available in the first release. We plan to add it a bit later.</li>
</ol>
<p>So, with the notification servers added, our network design will look like this:</p>
<pre><code> User's iOS device Internet Servers
<title>SimpleX Chat v2.0 - sending images and files in mobile apps</title>
<content type="html"><h1 id="simplex-chat-v20-sending-images-and-files-in-mobile-apps" tabindex="-1">SimpleX Chat v2.0 - sending images and files in mobile apps</h1>
<p><strong>Published:</strong> May 11, 2022</p>
<h2 id="new-in-version-20-sending-images-and-files-privately" tabindex="-1">New in version 2.0 - sending images and files privately</h2>
<p>To send image and files SimpleX Chat uses privacy-preserving system components, both in iOS and Android apps. We do not ask for permission to access multiple or selected files, as, for example, Signal and Telegram do - it compromises either privacy or convenience.</p>
<p>How does it work? The gallery and files are accessed from a system provided dialogue that runs in a separate process, and provides a temporary URI to access only one file selected by the user, only until the app is restarted.</p>
<p>To make file and images work for mobile apps we made a breaking change in SimpleX Chat core. The current version can exchange files with the previous version 1.6 of the terminal app, but not with the version before that.</p>
<p>In the mobile app, to send and receive files both devices must have version 2.0 installed - so please check it with your contacts. Receiving images works in the previous version, so even if your contacts did not yet upgrade the app, they should be able to receive the images.</p>
<h2 id="the-first-messaging-platform-without-user-identifiers" tabindex="-1">The first messaging platform without user identifiers</h2>
<p>To protect identities of users and their connections, SimpleX Chat has no user identifiers visible to the network – unlike any other messaging platform.</p>
<p>Many people asked: <em>if SimpleX has no user identifiers, how can it deliver messages?</em></p>
<p>To deliver mesages, instead of user IDs used by all other platforms, SimpleX has identifiers for message queues, separate for each of your contacts. In the current version of the protocol each queue is used until the contact is deleted. Later this year we plan to add queue rotation to the client protocol, so that even conversations don't have long term identifiers visible to the network. This design prevents leaking any users metadata on the application level.</p>
<p>You define which server(s) to use <strong>to receive</strong> the messages, your contacts – the servers you use <strong>to send</strong> the messages to them. It means that every conversation is likely to use two different servers - one for each message direction.</p>
<p>Only client devices store user profiles, contacts, groups, and messages sent with <strong>2-layer end-to-end encryption</strong>.</p>
<p>Read more in <a href="https://github.com/simplex-chat/simplexmq/blob/master/protocol/overview-tjr.md">SimpleX whitepaper</a>.</p>
<h2 id="how-to-connect-with-your-contacts-in-simplex-chat" tabindex="-1">How to connect with your contacts in SimpleX Chat</h2>
<p>Once you install the app, you can connect to anybody:</p>
<ol>
<li>Create your local chat profile - it is not shared with SimpleX servers. It is local to your devices, and it will be shared with your contacts only when you connect.</li>
<li>To make a private connection, you need to create a one-time connection link or a QR code via the app. You can show the QR code to your contact in person or via a video call - this is the most secure way to create a connection - or you can share the link via any other channel. Only one user can connect via this link.</li>
<li>Once another user scans the QR code or opens the app via the link the connection will be created and you can send end-to-end encrypted messages privately, without anybody knowing you are connected.</li>
</ol>
<img src="https://simplex.chat/images/conversation.png" alt="Make a private connection" width="594" height="360" />
<p><strong>Published:</strong> May 24, 2022</p>
<h2 id="new-in-version-21-clearing-conversations-without-deleting-contacts" tabindex="-1">New in version 2.1 - clearing conversations without deleting contacts</h2>
<p>In this version you can irreversibly delete individual messages after they were deleted by a sender, and also completely clear the conversation.</p>
<p>The only way to do it before this version was by deleting the contact, now you can keep the connection when you clear the conversation.</p>
<p>See <a href="https://simplex.chat/blog/20220112-simplex-chat-v1-released.html">v1 announcement</a> for information on how SimpleX protects the security of the messages.</p>
<p>See <a href="https://simplex.chat/blog/20220511-simplex-chat-v2-images-files.html">v2 announcement</a> for more information about SimpleX platform and how it works.</p>
<p>Read about SimpleX design in <a href="https://github.com/simplex-chat/simplexmq/blob/master/protocol/overview-tjr.md">whitepaper</a>.</p>
<title>SimpleX Chat v2.2 - the new privacy and security features</title>
<content type="html"><h1 id="simplex-chat-v22-the-new-privacy-and-security-features" tabindex="-1">SimpleX Chat v2.2 - the new privacy and security features</h1>
<p><strong>Published:</strong> June 4, 2022</p>
<p>See <a href="https://simplex.chat/blog/20220511-simplex-chat-v2-images-files.html">v2 announcement</a> for more information about SimpleX platform and how it protects your privacy by avoiding user identities of any kind in its design - SimpleX, unlike any other messaging platform, has no identity keys or any numbers that identify its users.</p>
<h2 id="new-privacy-and-security-settings-in-version-22" tabindex="-1">New Privacy and Security settings in version 2.2</h2>
<h3 id="protect-your-chats" tabindex="-1">Protect your chats</h3>
<p>To protect your chats you can enable SimpleX Lock. Every time you open the chat after it was in the background for 30 second, you will need to pass biometric or pin code authentication to use the app (provided it is enabled for your device).</p>
<h3 id="save-data-and-avoid-sharing-you-are-online" tabindex="-1">Save data and avoid sharing you are online</h3>
<p>In case you want to save your mobile data or to avoid showing to your contacts that you are online, you can disable automatic image downloads. For many users it is more convenient to have images downloaded automatically, so it is enabled by default.</p>
<p>Low resolution image previews would still be shown, the senders have no way to see if you received them or not.</p>
<h3 id="avoid-visiting-websites-of-the-links-you-send" tabindex="-1">Avoid visiting websites of the links you send</h3>
<p>When you receive the links that include link previews, it is fully private - these previews are generated by the sender, and they do not expose your IP address in any way.</p>
<p>When you send the links, the app automatically downloads the link description and the picture from the website of the link. While it is convenient, it exposes your IP address to the website. To avoid it you can disable sending link previews.</p>
<h3 id="identify-any-lost-messages-in-the-chat" tabindex="-1">Identify any lost messages in the chat</h3>
<p>The app tracks the integrity of the messages you receive by cheching their sequential numbers and by validating that the hash of the previous message matches the hash included in the message – each conversation, effectively, is two blockchains that only you and your contact have access to.</p>
<p>In case some of the messages are lost, you would see it in the chat. It can happen because of one the following reasons:</p>
<ul>
<li>the messages have expired on the server after 30 days not being delivered.</li>
<li>the messages were removed when the server was restarted. We will add server redundancy later this year to avoid message loss in this case, for now if you see an indication that some messages were lost in the chat, you can check with your contact what it was.</li>
<li>some other app error. Please notify us via chat - we will investigate possible root causes.</li>
<li>the connection is compromised. This is very unlikely, but not an impossible scenario.</li>
</ul>
<h3 id="there-is-more" tabindex="-1">There is more</h3>
<p>You can discover additional features we are currently testing in Experimental Features - they will be announced later!</p>
<p>See <a href="https://simplex.chat/blog/20220112-simplex-chat-v1-released.html">v1 announcement</a> for information on how SimpleX protects the security of the messages.</p>
<p>Read about SimpleX design in <a href="https://github.com/simplex-chat/simplexmq/blob/master/protocol/overview-tjr.md">whitepaper</a>.</p>
<li><a href="https://simplex.chat/blog/20220711-simplex-chat-v3-released-ios-notifications-audio-video-calls-database-export-import-protocol-improvements.html#instant-notifications-for-ios">instant notifications for iOS</a></li>
<li><a href="https://simplex.chat/blog/20220711-simplex-chat-v3-released-ios-notifications-audio-video-calls-database-export-import-protocol-improvements.html#database-export-and-import">database export and import</a></li>
<li><a href="https://simplex.chat/blog/20220711-simplex-chat-v3-released-ios-notifications-audio-video-calls-database-export-import-protocol-improvements.html#protocol-privacy-and-performance-improvements">protocol privacy and performance improvements</a></li>
<p>I wrote previously about <a href="https://simplex.chat/blog/20220404-simplex-chat-instant-notifications.html#problem---users-expect-to-be-instantly-notified-when-messages-arrive">our design for iOS notifications</a> - this is now released. The app will offer to migrate the database when updated, and then you need to choose notifications mode – instant or periodic push notifications, or previously available periodic background refresh that does not use push notifications.</p>
<p>To deliver the notifications to iOS devices we use our notification server, as there is a single private key that Apple issues for the app. This server has minimal amount of information about your chat activity:</p>
<ul>
<li>it does not have the addresses of messaging queues used to send and receive messages - there is an additional address used for notification server to receive notifications from the messaging servers.</li>
<li>notifications themselves do not include message content or contacts, even in encrypted form - they only contain end-to-end encrypted metadata about the server and the queue that has available messages - so Apple servers cannot access the information about how many contacts you have or how frequently each of them messages you - they can only see the total number of notifications your device receives.</li>
<li>message senders do not connect to the notification server, so it cannot in any way correlate sent and received traffic across multiple devices.</li>
<p><strong>Please note</strong>: for periodic notifications to work the app has to be in the background - if the app is completely stopped (removed from the recent apps), it will not check the new messages and you will not receive notifications. Instant notifications work even when the app is completely stopped.</p>
<p>You can now call your contacts via WebRTC, connecting via SimpleX Chat relay servers or peer-to-peer, and in the near future you will be able to configure your own STUN/TURN servers used to establish the connection. The calls are end-to-end encrypted - the key is negotiated via the connection you already have with your contact in the chat, that is also used as a signalling layer for WebRTC - in most cases only three messages in total have to be sent by your and your contact's clients for the call to start, including the initial call invitation.</p>
<p>The calls are still quite limited, especially on iOS, - for example, you cannot continue the call while the app is in the background.</p>
<h3 id="database-export-and-import" tabindex="-1">Database export and import</h3>
<p>Quite a few users asked - <em>how can I move my chat profile to a new device</em>? SimpleX Chat v3 has a solution for that - you can now export chat database from one device and import it into another - even to another platform, e.g. you can move chat database from Android phone to iOS or to the terminal (console) client.</p>
<li>you cannot run the same chat profile from two devices, neither at the same time nor in turns. You should only use the latest database version - every time you want to move it to another device you need to export a new chat archive from the device that was the latest to use it, and import it to the device where you want to use it next.</li>
<li>we plan to add internal database encryption soon, but currently it is stored on the device without encryption, and the exported archive is also not encrypted. You should store it securely, and encrypt it if you store it in the cloud or send via email.</li>
</ul>
<p>This feature can be useful in some other scenarios:</p>
<ul>
<li>managing multiple chat profiles - it's not very convenient, and a better support of multiple profiles is coming soon.</li>
<li>share access to the same profile with other people, as long as it is not used at the same time. For that use case it may be better to run SimpleX Chat terminal client in the cloud, as we do with our public account that you can connect to via the app.</li>
<li>preserve chat profile when you need to temporarily delete the app from your device.</li>
</ul>
<h3 id="protocol-privacy-and-performance-improvements" tabindex="-1">Protocol privacy and performance improvements</h3>
<p>Adding push notifications for iOS required SimpleX Messaging Protocol changes. We managed not just to keep the same level of meta-data privacy from passive observers, but to improve it - now all message meta-data that is passed from the server to the recipient is included into the same encrypted envelope as the message itself - as before, there is no identifiers or ciphertext in common inside TLS traffic between received and sent traffic of the server, and now there is no message timestamp inside TLS as well.</p>
<p>We also improved the protocol flow for establishing bidirectional connection between two users - it is substantially faster now, consuming much less network traffic and battery. It improves the time it takes to connect to your contacts and to start delivering images and files.</p>
<p>All these changes did not affect backward compatibility - if your contact has the previous version of the client, or you are connecting to a previous version of the server, the previous version of the protocol will be used - SimpleX has independent version negotiation in 4 protocol layers <a href="https://simplex.chat/blog/20220112-simplex-chat-v1-released.html#stable-protocol-implementation">since v1</a>, allowing us to evolve the protocols without any disruption to the users.</p>
<p>We are building a new platform for distributed Internet applications where privacy of the messages <em>and</em> the network matter. <a href="https://github.com/simplex-chat/simplex-chat">SimpleX Chat</a> is our first application, a messaging application built on the SimpleX platform.</p>
<h3 id="the-first-and-we-believe-the-only-messaging-platform-without-user-identifiers-of-any-kind-100percent-private-by-design" tabindex="-1">The first (and we believe the only) messaging platform without user identifiers of any kind - 100% private by design!</h3>
<p>To protect identities of users and their connections, SimpleX Chat has no user identifiers visible to the servers and the network – unlike any other messaging platform. Not only SimpleX doesn't use phone numbers or emails, as Signal and many other platforms, it also does not have any persistent identifiers to identify users - unlike many other messengers considered private - Session, Cwtch, Ricochet, Briar, Jami, etc., - all these platforms have global user identifiers, uniquely identifying their users and creating the risks of de-anonymising the users.</p>
<h3 id="why-having-users-identifiers-is-bad-for-the-users" tabindex="-1">Why having users' identifiers is bad for the users?</h3>
<p>When each user has a unique identifier on the platform, even if this is just a random number, e.g. as a Session ID, it creates risks that whoever gains access to the platform data can observe how the users are connected and how many messages are transmitted between them, and then correlate this information with the existing public social networks, determining the real identities of some users. Even with the most private messengers built on top of Tor network, having a persistent identity means that if you talk to two different users via the same profile they can prove that they communicate with the same person, as they would use the same address to send messages.</p>
<p>SimpleX platform avoids these risks by not having any user identity in its design - so even if you talk to two different people from the same chat profile, they would not be able to prove they are talking to the same person - only that user profiles look the same. And we are planning to add a feature allowing to have a different display name for each contact you connect to - quite a few users asked for it.</p>
<h3 id="how-does-it-work" tabindex="-1">How does it work</h3>
<p>Many people asked: <em>if SimpleX has no user identifiers, how can it deliver messages?</em></p>
<p>I wrote about it in <a href="https://simplex.chat/blog/20220511-simplex-chat-v2-images-files.html">v2 release announcement</a> and you can get more information about SimpleX platform objectives and technical design in <a href="https://github.com/simplex-chat/simplexmq/blob/master/protocol/overview-tjr.md">the whitepaper</a>.</p>
<h2 id="we-ask-you-to-help-us-pay-for-3rd-party-security-audit" tabindex="-1">We ask you to help us pay for 3rd party security audit</h2>
<p>I will get straight to the point: I ask you to support SimpleX Chat with donations.</p>
<p>We are prioritizing users privacy and security - it would be impossible without your support we were lucky to have so far.</p>
<p>We are planning a 3rd party security audit for the app, and it would hugely help us if some part of this $20000+ expense could be covered with donations.</p>
<p>Our pledge to our users is that SimpleX protocols are and will remain open, and in public domain, - so anybody can build the future implementations for the clients and the servers. We are building SimpleX platform based on the same principles as email and web, but much more private and secure.</p>
<p>If you are already using SimpleX Chat, or plan to use it in the future when it has more features, please consider making a donation - it will help us to raise more funds. Donating any amount, even the price of the cup of coffee, would make a huge difference for us.</p>
<p>It is possible to <a href="https://github.com/sponsors/simplex-chat">donate via GitHub</a>, which is commission-free for us, or <a href="https://opencollective.com/simplex-chat">via OpenCollective</a>, that also accepts donations in crypto-currencies, but charges a commission.</p>
<li>terminal app: <a href="https://simplex.chat/blog/20220723-simplex-chat-v3.1-tor-groups-efficiency.html#terminall-app-access-to-messaging-servers-via-socks5-proxy--tor">access to messaging servers via SOCKS5 proxy</a> (e.g., Tor).</li>
<li>mobile apps: <a href="https://simplex.chat/blog/20220723-simplex-chat-v3.1-tor-groups-efficiency.html#mobile-apps-join-and-leave-chat-groups">join and leave chat groups</a>.</li>
<li><a href="https://simplex.chat/blog/20220723-simplex-chat-v3.1-tor-groups-efficiency.html#optimized-battery-and-traffic-usage---up-to-90x-reduction">optimized battery and traffic usage - up to 90x reduction!</a>.</li>
<li><a href="https://simplex.chat/blog/20220723-simplex-chat-v3.1-tor-groups-efficiency.html#docker-configuration-for-self-hosted-smp-servers">two docker configurations for self-hosted SMP servers</a>.</li>
<p>While SMP protocol is focussed on protecting application-level meta-data by using pairwise connection identifiers instead of user identifiers (that are used by all other messaging platforms), there are scenarios when it is important for the users to protect their IP addresses from the servers - quite a few users have been somewhat disappointed that we didn't add it earlier.</p>
<p>This release of terminal app supports accessing the servers via Tor, but the servers themselves are still available on their usual addresses. We are planning to add .onion addresses (v3 hidden service) to all messaging servers we provide, and the users who self-host the servers will also be able to have dual servers addresses - so that one party in the conversation can access the servers via .onion address without necessarily requiring that the other party uses Tor as well.</p>
<p>To access SimpleX servers via Tor you need to install Tor proxy and run simplex-chat with <code>-x</code> option. See <a href="https://github.com/simplex-chat/simplex-chat/blob/stable/docs/CLI.md#access-messaging-servers-via-tor-beta">terminal app docs</a> for more information.</p>
<p>As this is a beta release, to install it you need to use this command:</p>
<pre><code class="language-sh">curl -o- https://raw.githubusercontent.com/simplex-chat/simplex-chat/stable/install.sh | sh -s -- v3.1.0-beta.0
</code></pre>
<h3 id="mobile-apps-join-and-leave-chat-groups" tabindex="-1">Mobile apps: join and leave chat groups</h3>
<p>Groups have been supported by SimpleX Chat core for a very long time, but there was no user interface in the mobile apps to use them - users had to use chat console to create groups, add members, and accept invitations.</p>
<p>This release allows accepting the invitations to join groups via mobile apps UI, making it much easier to create groups - only one user (a group owner) needs to use chat console, while all other groups members just need to tap a button in the UI to join or leave the group. Full group UI is coming in v3.1 in 1-2 weeks, but you can already start using groups today by installing beta-versions of mobile apps via <a href="https://testflight.apple.com/join/DWuT2LQu">TestFlight</a>, <a href="https://play.google.com/apps/testing/chat.simplex.app">Google PlayStore Beta</a> and <a href="https://github.com/simplex-chat/simplex-chat/releases/latest/download/simplex.apk">APK download</a>.</p>
<p>To manage groups via terminal app or via chat console in the mobile apps you have to use these commands:</p>
<li>to add member (admin by default): <code>/a &lt;group_name&gt; &lt;contact_name&gt; [owner/admin/member]</code></li>
<li>to remove member from the group: <code>/rm &lt;group_name&gt; &lt;contact_name&gt;</code></li>
</ul>
<p>Accepting group invitations, leaving and deleting groups no longer requires using console commands.</p>
<h3 id="optimized-battery-and-traffic-usage-up-to-90x-reduction" tabindex="-1">Optimized battery and traffic usage - up to 90x reduction</h3>
<p>To reduce battery and traffic usage this release updated SMP protocol to allow batching multiple server commands (up to 90!) into one traffic block – provided both the server and the client are upgraded. It means that if you have 90 contacts (or group members) on one server, to subscribe to all messaging queues you now need to send only one 16kb block instead of ~1.5Mb of traffic (90 blocks). It also hides how many contacts you have from any attackers who observe your network.</p>
<p>You might notice that sending commands to multiple queues in one block would allow the server to correlate that all these queues belong to the same user, even though the current server implementation we use does not do it. But even without batching, as the commands are sent via the same TCP connection, this correlation was already possible, so compared with the previous version it has no downsides.</p>
<p>To mitigate the risk of servers correlating your messaging queues we will soon add an option to access each queue via a separate TCP connection, which will have to be used together with access via Tor (as otherwise the servers would still see the same IP address). While it will increase battery and traffic consumption, it will also provide the highest level of privacy.</p>
<h3 id="docker-configuration-for-self-hosted-smp-servers" tabindex="-1">Docker configuration for self-hosted SMP servers</h3>
<p>When we released SimpleX Chat v3 two weeks ago many users wanted to host messaging servers in docker containers. So, we are now offering <a href="https://github.com/simplex-chat/simplexmq/tree/stable/scripts/docker">two versions of docker configurations</a>:</p>
<ul>
<li>fast and convenient - it downloads SMP server binary from GitHub.</li>
<li>more secure - it builds SMP server from the source code.</li>
</ul>
<p>Let us know how it works for you!</p>
<p>We are building a new platform for distributed Internet applications where privacy of the messages <em>and</em> the network matter. <a href="https://github.com/simplex-chat/simplex-chat">SimpleX Chat</a> is our first application, a messaging application built on the SimpleX platform.</p>
<h3 id="the-first-and-the-only-messaging-platform-without-user-identifiers-of-any-kind-100percent-private-by-design" tabindex="-1">The first (and the only?) messaging platform without user identifiers of any kind - 100% private by design!</h3>
<p>To protect identities of users and their connections, instead of user identifiers visible to the servers and/or the network (that are used by all other messaging platforms), SimpleX Chat uses <a href="https://csrc.nist.gov/glossary/term/Pairwise_Pseudonymous_Identifier">pairwise identifiers</a> of connections between the users – there are two queues in each connection, each queue having 2 different identifiers to send and to receive the messages. It increases the number of used identifiers to the square of the number of users, making it more difficult (or impossible) to determine who is talking to whom. I <a href="https://simplex.chat/blog/20220711-simplex-chat-v3-released-ios-notifications-audio-video-calls-database-export-import-protocol-improvements.html#why-having-users-identifiers-is-bad-for-the-users">wrote previously</a> why it is bad for the users' privacy to have any identifiers, even random numbers, associated with their profiles.</p>
<h3 id="if-simplex-has-no-user-identifiers-how-can-it-deliver-messages" tabindex="-1">If SimpleX has no user identifiers, how can it deliver messages?</h3>
<p>I wrote about it in <a href="https://simplex.chat/blog/20220511-simplex-chat-v2-images-files.html">v2 release announcement</a> and you can get more information about SimpleX platform objectives and technical design in <a href="https://github.com/simplex-chat/simplexmq/blob/master/protocol/overview-tjr.md">the whitepaper</a>.</p>
<h3 id="privacy-technical-details-and-limitations" tabindex="-1">Privacy: technical details and limitations</h3>
<p>SimpleX design follows &quot;defence in depth&quot; security principles having multiple overlapping defensive mechanisms to protect users privacy and security:</p>
<ul>
<li>TLS transport with server identity validation and channel binding, limited to the most secure cryptographic algorithms.</li>
<li>Three levels of encryption that both protect message content and meta-data, preventinc trafic correlation even if TLS is compromised:
<ul>
<li>end-to-end encryption in each messaging queue.</li>
<li>end-to-end encryption of the conversation using double-ratchet algorithms, that provides OTR messaging with forward secrecy and break-in recovery.</li>
<li>additional encryption layer between the server and message recipient, to prevent traffic correlation by ciphertext or any identifiers.</li>
</ul>
</li>
<li>Four levels of message padding to prevent any attack based on the content size - the TLS transport block is padded to a fixed 16kb size, and each of 3 encrypted envelopes is padded to a constant size before encryption as well.</li>
</ul>
<p>What we plan to add soon to further improve privacy and security:</p>
<ul>
<li>message queue rotation, so that pairwise identifiers become temporary, and your conversations move from server to server automatically.</li>
<li>access to the messaging servers via Tor v3 hidden services.</li>
<li>message mixing - adding latencies to message delivery, to protect against traffic correlation by message time.</li>
<li>using Tor v3 hidden service addresses for messaging servers.</li>
<li>passphrase-based local database encryption.</li>
</ul>
<p>SimpleX Chat <a href="https://github.com/simplex-chat/simplex-chat/blob/stable/README.md#privacy-technical-details-and-limitations">README page</a> has more details about it.</p>
<h2 id="we-ask-you-to-help-us-pay-for-3rd-party-security-audit" tabindex="-1">We ask you to help us pay for 3rd party security audit</h2>
<p>I will get straight to the point: I ask you to support SimpleX Chat with donations.</p>
<p>We are prioritizing users privacy and security - it would be impossible without your support we were lucky to have so far.</p>
<p>We are planning a 3rd party security audit for the app, and it would hugely help us if some part of this $20000+ expense could be covered with donations.</p>
<p>Our pledge to our users is that SimpleX protocols are and will remain open, and in public domain, - so anybody can build the future implementations for the clients and the servers. We are building SimpleX platform based on the same principles as email and web, but much more private and secure.</p>
<p>If you are already using SimpleX Chat, or plan to use it in the future when it has more features, please consider making a donation - it will help us to raise more funds. Donating any amount, even the price of the cup of coffee, would make a huge difference for us.</p>
<p>It is possible to <a href="https://github.com/sponsors/simplex-chat">donate via GitHub</a>, which is commission-free for us, or <a href="https://opencollective.com/simplex-chat">via OpenCollective</a>, that also accepts donations in crypto-currencies, but charges a commission.</p>
<title>SimpleX Chat v3.1 is released &mdash; with secret groups and server access via Tor</title>
<content type="html"><h1 id="simplex-chat-v31-is-released-with-secret-groups-and-server-access-via-tor" tabindex="-1">SimpleX Chat v3.1 is released - with secret groups and server access via Tor</h1>
<li><a href="https://simplex.chat/blog/20220808-simplex-chat-v3.1-chat-groups.html#access-messaging-servers-via-tor">access to messaging servers via Tor</a></li>
<li><a href="https://simplex.chat/blog/20220808-simplex-chat-v3.1-chat-groups.html#other-changes-since-v3">other changes since v3</a>:
<p>It's been <a href="https://simplex.chat/blog/20210914-simplex-chat-v0.4-released.html">nearly a year</a> since the users of SimpleX Chat terminal app started experimenting with the groups, and now it is available to mobile app users as well. Many bugs were fixed, the stability was improved, but there are both the features we need to add and the bugs we need to fix to make groups more useful - we really look forward to your feedback. You can send any suggestions via the app by choosing <code>Chat with the developers</code> via app Settings (or using <code>/simplex</code> command in the terminal app) – this would connect you to SimpleX team via its <a href="https://simplex.chat/contact#/?v=1&amp;smp=smp%3A%2F%2FPQUV2eL0t7OStZOoAsPEV2QYWt4-xilbakvGUGOItUo%3D%40smp6.simplex.im%2FK1rslx-m5bpXVIdMZg9NLUZ_8JBm8xTt%23MCowBQYDK2VuAyEALDeVe-sG8mRY22LsXlPgiwTNs9dbiLrNuA7f3ZMAJ2w%3D">fixed chat address</a>.</p>
<p>SimpleX network is decentralized, so how do groups work? Unlike Matrix or Signal that host the group profile and the list of group members on their servers, SimpleX servers have no information about the group's existence - only its members do. SimpleX network does not assign any globally unique identifiers to the group, there is only a local database identifier and the list of members stored on members' devices. A user has an independent connection to each member in a group. When a user sends a message to the group, the app sends this message independently to each member. You can read more about how groups work in <a href="https://github.com/simplex-chat/simplex-chat/blob/stable/docs/protocol/simplex-chat.md#sub-protocol-for-chat-groups">SimpleX Chat Protocol</a>.</p>
<p>But how can it scale, you might ask? It simply won't, and the current design for the groups is only suitable for relatively small groups of people who know each other well, definitely not larger than few hundred members – this design prioritized privacy and security of the group over its size or performance. For example, to send a message to the group of 100 members a user would need to send a total of ~1.6mb of data (as each message uses a fixed size block of 16kb). And if you were to send a 1mb file then it would also require sending it 100 times (provided each member accepts it).</p>
<p>What if you need to send many large files to group members? We will be developing a file hosting server where the users will be able to upload the file (or image) once, and only send the file link and credentials to all group members, without the need to send the actual file. A small hosting quota will be available to all users for free, paid for by donations, and for larger files or to increase the total quota the users would either have to pay a small hosting cost or to self-host this server – it will be available as an open-source code.</p>
<p>What if you need to have a large group - e.g. 100,000 members or more? We will be introducing SimpleX channels later this year, that can be both public and private. These channels would require a server to host them, either provided by SimpleX Chat or self-hosted - same as for a website. If this is a public channel it would be optionally accessible via the web browser as well, and it will be possible to embed it into any webpage.</p>
<p>Other group improvements we will add soon:</p>
<ul>
<li>manage notifications in each group independently.</li>
<li>search for messages - it is useful for direct conversations too, but more important for groups.</li>
</ul>
<h3 id="access-messaging-servers-via-tor" tabindex="-1">Access messaging servers via Tor</h3>
<p>SimpleX protocols are focussed on protecting application-level meta-data – they don't have any user identifiers used by all other messaging platforms, instead relying on pairwise connection identifiers.</p>
<p>But there are scenarios when users need to protect their IP addresses from the servers and any network observers – this is best done by using Tor to access any network services.</p>
<p>This release allows to access SimpleX messaging servers via Tor on all platforms:</p>
<ul>
<li>terminal app beta supported it for a couple weeks now: to access SimpleX servers via Tor you need to install Tor proxy and run simplex-chat with <code>-x</code> option. See <a href="https://github.com/simplex-chat/simplex-chat/blob/stable/docs/CLI.md#access-messaging-servers-via-tor-beta">terminal app docs</a> for more information.</li>
<li>Android app supports access via Tor using Orbot SOCKS proxy. Once you install and start Orbot, you need to enable <code>Network &amp; Servers / Use SOCKS proxy</code> setting in the app to access SimpleX servers via Tor.</li>
<li>iOS app can also be used with Orbot iOS app (that is installed as a system-wide VPN provider). The only setting you might need to change is to increase network timeouts in the app - to do that you have to enable <code>Developer tools</code>, and then chose <code>Network &amp; Servers / Advanced network settings / Set timeouts for proxy</code>.</li>
</ul>
<p>Currently all servers are accessed via their public Internet addresses, and while users can self-host messaging servers on .onion addresses (as v3 hidden services), it would require both connected contacts to use Tor. We are planning to add support for dual server addresses very soon, to allow the same server to be accessed both via its public Internet address and via .onion address, so that users can access servers without exiting Tor (via .onion address), but their contacts can access the same servers without using Tor.</p>
<p>To reduce traffic on slow networks we added network access settings. To use these settings, you need to first enable <code>Developer tools</code> and then choose <code>Network &amp; Servers / Advanced network settings</code>:</p>
<ul>
<li>if your connections to the servers are unstable, and you frequently see the spinners in the list of chats, please increase the connection and protocol timeouts - it should reduce the traffic, but it may also make the app a bit slower when your Internet connection is slow.</li>
<li>if your connection to the servers appears stable, but the traffic usage is high, please try disabling TCP keep-alive setting or increasing keep-alive idle period (<code>TCP_KEEP_IDLE</code>) and interval (<code>TCP_KEEP_INTVL</code>).</li>
</ul>
<p>Once we investigated how these settings affect traffic and user experience we will simplify them - huge thanks to everyone testing them and reporting any traffic issues.</p>
<p>Many users asked to allow customizing the app, this is just a start - you can now choose either light or dark icon option via <code>Appearance</code> settings.</p>
<p>More options to customize the app are coming - please let us know what are the most important.</p>
<p>The <a href="https://github.com/simplex-chat/simplexmq/blob/stable/protocol/">low level SimpleX protocols</a> were published long time ago, and updated to reflect the evolution of the protocols, the high level chat protocol was not published before. The reason for that was to allow us to iterate it quickly, without committing to any of the decisions.</p>
<p>This is the <a href="https://github.com/simplex-chat/simplex-chat/blob/stable/docs/protocol/simplex-chat.md">first draft of SimpleX Chat Protocol</a> - let us know any questions or suggestions.</p>
<h3 id="other-changes-since-v3" tabindex="-1">Other changes since v3</h3>
<p>Since v3 release we also optimized battery and traffic usage - with up to 90x traffic reduction in some cases – and published two docker configurations for self-hosted SMP servers. Read more about it in the previous <a href="https://simplex.chat/blog/20220723-simplex-chat-v3.1-tor-groups-efficiency.html">beta version announcement</a>.</p>
<p><a href="https://simplex.chat/blog/20220511-simplex-chat-v2-images-files.html#the-first-messaging-platform-without-user-identifiers">How can SimpleX deliver messages without user identifiers</a>.</p>
<p><a href="https://simplex.chat/blog/20220711-simplex-chat-v3-released-ios-notifications-audio-video-calls-database-export-import-protocol-improvements.html#why-having-users-identifiers-is-bad-for-the-users">What are the risks to have identifiers assigned to the users</a>.</p>
<p><a href="https://simplex.chat/blog/20220723-simplex-chat-v3.1-tor-groups-efficiency.html#privacy-technical-details-and-limitations">Technical details and limitations</a>.</p>
<p><a href="https://github.com/simplex-chat/simplex-chat/blob/stable/README.md#frequently-asked-questions">How SimpleX is different from Session, Matrix, Signal, etc.</a>.</p>
<h2 id="we-ask-you-to-help-us-pay-for-3rd-party-security-audit" tabindex="-1">We ask you to help us pay for 3rd party security audit</h2>
<p>I will get straight to the point: I ask you to support SimpleX Chat with donations.</p>
<p>We are prioritizing users privacy and security - it would be impossible without your support we were lucky to have so far.</p>
<p>We are planning a 3rd party security audit for the app, and it would hugely help us if some part of this $20000+ expense could be covered with donations.</p>
<p>Our pledge to our users is that SimpleX protocols are and will remain open, and in public domain, - so anybody can build the future implementations for the clients and the servers. We are building SimpleX platform based on the same principles as email and web, but much more private and secure.</p>
<p>If you are already using SimpleX Chat, or plan to use it in the future when it has more features, please consider making a donation - it will help us to raise more funds. Donating any amount, even the price of the cup of coffee, would make a huge difference for us.</p>
<p>It is possible to donate via:</p>
<ul>
<li><a href="https://github.com/sponsors/simplex-chat">GitHub</a>: it is commission-free for us.</li>
<li><a href="https://opencollective.com/simplex-chat">OpenCollective</a>: it also accepts donations in crypto-currencies, but charges a commission.</li>
<li><a href="https://simplex.chat/blog/20220901-simplex-chat-v3.2-incognito-mode.html#assign-names-to-your-contacts">assign names to your contacts</a></li>
<li><a href="https://simplex.chat/blog/20220901-simplex-chat-v3.2-incognito-mode.html#using-onion-server-addresses-with-tor">use .onion server addresses with Tor</a></li>
<li><a href="https://simplex.chat/blog/20220901-simplex-chat-v3.2-incognito-mode.html#endless-scrolling-and-search-in-chats">endless scrolling and search in chats</a></li>
<li><a href="https://simplex.chat/blog/20220901-simplex-chat-v3.2-incognito-mode.html#choose-accent-color-and-dark-mode">choose accent color and dark mode</a></li>
<p><a href="https://simplex.chat/blog/20220901-simplex-chat-v3.2-incognito-mode.html#we-ask-you-to-help-us-pay-for-3rd-party-security-audit">Implementation audit is arranged for October</a>!</p>
<p><em>SimpleX is already private, so why do we need an incognito mode</em>, you may ask.</p>
<p>You indeed can choose a pseudonym as your main profile name, but there are several problems:</p>
<ul>
<li>many users want to have their real name as their main profile, so that their friends recognise them. SimpleX objective is to provide anonymity from the network operators, but not necessarily from your contacts.</li>
<li>even if you choose a pseudonym, it would be used for all your contacts. And if two of them meet, while they cannot prove they are talking to the same person, as they use different addresses in SimpleX network to send you the messages, they could <em>suspect it</em>.</li>
<li>any pseudonym you manually choose leaks some information about you, as it's not really random.</li>
</ul>
<p>You could also use multiple chat profiles - currently you can only switch between them via export/import, we will make it easier very soon! But there are problems with multiple profiles too:</p>
<ul>
<li>if you make many anonymous connections, each in its own user profile, you would end up having too many profiles - it is very inconvenient to manage.</li>
<li>sometimes, as your relationship with your contact evolves, you may want to share your main profile with them and have them among your friends - multiple profiles don't make it possible.</li>
</ul>
<p>So, the new Incognito mode allows having a new random name shared with each new contact, while having them all in the same user profile, and without the hassle of managing it manually. It's like a private mode in the browsers, where you can temporarily enable it when you connect to somebody you don't trust, and then disable it when connecting to the friend who knows you. It can be turned on via the app settings - see the pictures.</p>
<p>I don't know any other messenger with this feature, and I always wanted to have this mode, so we are really looking forward to your feedback about it!</p>
<h3 id="assign-names-to-your-contacts" tabindex="-1">Assign names to your contacts</h3>
<p>You can now change the name under which your contacts appear in the chats. This is particularly useful when somebody connected to you using a random name – you can change it to be related to the context of the connection.</p>
<h3 id="using-onion-server-addresses-with-tor" tabindex="-1">Using .onion server addresses with Tor</h3>
<p>We have released support for using SOCKS proxy to access messaging servers via Tor, but previously the servers were still available via their public Internet addresses. It means that while your IP address was protected from the server, the whole Tor circuit could have been observed by some actors, and for some communication scenarios it is not desirable.</p>
<p>This release adds support for servers with multiple hostnames - all servers provided by SimpleX Chat now have dual addresses (one public and one .onion), and you can have your own servers available via two addresses as well - all you have to do is to install Tor client on your server and register its address with Tor. If you server has both public and .onion address, it is not really hidden, so you should enable HiddenServiceSingleHopMode to reduce the latency of connection - it protects anonymity of the people who connect to the server, but not of the server itself. The server address would include both its public and onion address, as you can see in the server addresses in the app (in the contacts pages) - you should use the same format for the addresses of your servers.</p>
<p>Both android and iOS app allow managing whether .onion addresses are used, and you can also enforce using .onion addresses - in this case the app will not connect to the server unless one of its hostname is .onion address. On Android, .onion addresses are used by default when SOCKS proxy is enabled.</p>
<h3 id="endless-scrolling-and-search-in-chats" tabindex="-1">Endless scrolling and search in chats</h3>
<p>Now you can access the full chat history via the app - it's embarrassing how long it took us to add it! And you can search the messages as well.</p>
<h3 id="choose-accent-color-and-dark-mode" tabindex="-1">Choose accent color and dark mode</h3>
<p>Many of you said that blue is the worst possible color, so you can now make the app buttons and links look like you want! My favourite colours are green and orange.</p>
<p>And you can choose dark or light mode independently of the system settings.</p>
<p><a href="https://simplex.chat/blog/20220511-simplex-chat-v2-images-files.html#the-first-messaging-platform-without-user-identifiers">How can SimpleX deliver messages without user identifiers</a>.</p>
<p><a href="https://simplex.chat/blog/20220711-simplex-chat-v3-released-ios-notifications-audio-video-calls-database-export-import-protocol-improvements.html#why-having-users-identifiers-is-bad-for-the-users">What are the risks to have identifiers assigned to the users</a>.</p>
<p><a href="https://simplex.chat/blog/20220723-simplex-chat-v3.1-tor-groups-efficiency.html#privacy-technical-details-and-limitations">Technical details and limitations</a>.</p>
<p><a href="https://github.com/simplex-chat/simplex-chat/blob/stable/README.md#frequently-asked-questions">How SimpleX is different from Session, Matrix, Signal, etc.</a>.</p>
<h2 id="we-ask-you-to-help-us-pay-for-3rd-party-security-audit" tabindex="-1">We ask you to help us pay for 3rd party security audit</h2>
<p>Our great news is that we have already signed the agreement and paid for the security audit!</p>
<p>It is planned in October, and if there are no major issues we will publish this report straight away, otherwise - once we fix them.</p>
<p>This is a major expense for use - over $20,000 - I would really appreciate if you could help us cover some part of this cost with the donations.</p>
<p>Our promise to our users is that SimpleX protocols are and will remain open, and in public domain, - so anybody can build the future implementations of the clients and the servers. We will be establishing a legal framework this year to ensure that it doesn't change if the ownership of SimpleX Chat Ltd changes at any future point.</p>
<p>Please consider making a donation - it will help us to raise more funds. Donating any amount, even the price of the cup of coffee, would make a huge difference for us.</p>
<p>It is possible to donate via:</p>
<ul>
<li><a href="https://github.com/sponsors/simplex-chat">GitHub</a>: it is commission-free for us.</li>
<li><a href="https://opencollective.com/simplex-chat">OpenCollective</a>: it also accepts donations in crypto-currencies, but charges a commission.</li>
<title>SimpleX Chat v4.0 with encrypted database is released</title>
<content type="html"><h1 id="simplex-chat-v4-with-encrypted-local-database-is-released" tabindex="-1">SimpleX Chat v4 with encrypted local database is released</h1>
<li><a href="https://simplex.chat/blog/20220928-simplex-chat-v4-encrypted-database.html#local-chat-database-encryption">encrypted local chat database</a>.</li>
<li><a href="https://simplex.chat/blog/20220928-simplex-chat-v4-encrypted-database.html#self-hosted-webrtc-ice-servers">support for self-hosted WebRTC ICE servers</a>.</li>
<li><a href="https://simplex.chat/blog/20220928-simplex-chat-v4-encrypted-database.html#improved-stability-of-creating-new-connections">improved stability of creating new connections: more reliable groups, files and contacts</a>.</li>
<li><a href="https://simplex.chat/blog/20220928-simplex-chat-v4-encrypted-database.html#deleting-files-and-media">deleting files and media</a>.</li>
<li><a href="https://simplex.chat/blog/20220928-simplex-chat-v4-encrypted-database.html#for-developers---typescript-sdk-for-integrating-with-simplex-chat">For developers - TypeScript SDK for integrating with SimpleX Chat</a> (e.g., chat bots or chat assistants).</li>
<li>animated images in Android app.</li>
<li>disable messages per contact / group in terminal app (it is already supported in mobile apps).</li>
</ul>
<p>Also, this version adds German language to mobile apps UI - huge thanks to <a href="https://github.com/mlanp">Michael</a> who contributed them!</p>
<li>secret chat groups (see details in <a href="https://simplex.chat/blog/20220808-simplex-chat-v3.1-chat-groups.html#secret-chat-groups">v3.1 announcement</a> - they are fully decentralized, only their members know these groups exist.</li>
<li>accessing messaging servers via Tor with support for .onion server addresses (see details in <a href="https://simplex.chat/blog/20220808-simplex-chat-v3.1-chat-groups.html#access-messaging-servers-via-tor">v3.1</a> and <a href="https://simplex.chat/blog/20220901-simplex-chat-v3.2-incognito-mode.html#using-onion-server-addresses-with-tor">v3.2</a> announcements) - to protect users anonymity on the TCP transport level.</li>
<li>Incognito mode - sharing a random profile name with each new contact, to completely eliminate any shared data between them (see details in <a href="https://simplex.chat/blog/20220901-simplex-chat-v3.2-incognito-mode.html#incognito-mode">v3.2</a> announcement).</li>
<p><a href="https://simplex.chat/blog/20220928-simplex-chat-v4-encrypted-database.html#we-ask-you-to-help-us-pay-for-3rd-party-security-audit">Implementation audit is arranged for October</a>!</p>
<p>SimpleX Chat focus has always been on protecting messages in delivery, not when they are stored on the device. This release changes it - now all messages that you receive and send are stored on the device encrypted with <a href="https://github.com/sqlcipher/sqlcipher">SQLCipher</a>.</p>
<p><strong>Please note</strong>: If you are already using SimpleX Chat, your database will remain unencrypted until you enter the passphrase via the app settings. You have to remember the passphrase you choose, as there is no way to recover it if it is lost.</p>
<p>By default your passphrase will be stored securely on the device (in KeyChain on iOS or encrypted with the key stored in TPM, if available, on Android) - it is only accessible to the app, and only on one device. Storing passphrase is required for instant notifications to work. In this case, if you lose the passphrase, the app will continue to work, but you will not be able to change the passphrase and to migrate your user profile to another device.</p>
<p>For additional security of your messages you also have the option to remove the passphrase from the device. In this case you will need to enter the passphrase every time you start the app. The notifications will continue to work only while the app is in the background. For iOS it means that periodic and local notifications will work, but instant notifications will only show that there is a message available, but not message content or who it is from - you will need to open the app and enter the passphrase to see the messages. In this case, if you lose the passphrase, you will not be able to open the app or decrypt the database - so make sure you store it safely.</p>
<p>You could make audio and video calls via SimpleX Chat WebRTC servers since <a href="https://simplex.chat/blog/20220711-simplex-chat-v3-released-ios-notifications-audio-video-calls-database-export-import-protocol-improvements.html#end-to-end-encrypted-audiovideo-calls">v3</a> - that meant that our servers could observe your IP addresses. This release adds configuration to use your own STUN/TURN servers, helping you protect your privacy.</p>
<p>See <a href="https://github.com/simplex-chat/simplex-chat/blob/stable/docs/WEBRTC.md">this guide</a> to learn how to deploy your own <code>coturn</code> server and to configure the mobile apps to use it.</p>
<h3 id="improved-stability-of-creating-new-connections" tabindex="-1">Improved stability of creating new connections</h3>
<p>Secret groups made SimpleX Chat much more useful, but because SimpleX groups are completely decentralized and for them to work each member should connect to all other members, sometimes these connections fail and the group becomes fragmented - some members do not receive all messages. That was more common for larger groups, as the number of required member connections is O(n^2) of the group size.</p>
<p>The reason for that problem was that some network operations required for group connections were not retried. This release improves stability of all network operations - receiving messages, making new contact connections, receiving files and connecting to members in the groups you join.</p>
<h3 id="deleting-files-and-media" tabindex="-1">Deleting files and media</h3>
<p>While the database with messages and all contacts is now encrypted, the files you receive and send are not (we are planning to improve it later). To protect the security of the files we have added an option to delete all files from the app storage - just make sure not to do it before the files you send are delivered to the recipients, or they won't receive them.</p>
<h3 id="for-developers-typescript-sdk-for-integrating-with-simplex-chat" tabindex="-1">For developers - TypeScript SDK for integrating with SimpleX Chat</h3>
<p>It's been quite some time since it's been possible to create a chat-bot using SimpleX Chat as a library - but you had to either write Haskell code or use foreign function interface in any other language.</p>
<p>With v4 we are announcing <a href="https://github.com/simplex-chat/simplex-chat/tree/stable/packages/simplex-chat-client/typescript">TypeScript SimpleX Chat Client SDK</a> that you can use to create any integrations with SimpleX Chat CLI.</p>
<p>You can run SimpleX Chat CLI as a local WebSockets server on any port, we use 5225 here:</p>
<p>Then you can create a JavaScript or TypeScript application that would connect to it and control it via a simple WebSocket API. TypeScript SDK defines all necessary types and convenience functions to use in your applications. See this <a href="https://github.com/simplex-chat/simplex-chat/blob/stable/packages/simplex-chat-client/typescript/examples/squaring-bot.js">sample bot</a> and README page.</p>
<p>SimpleX Chat API allows you to:</p>
<ul>
<li>create and change user profile (although in most cases you would do it manually, via SimpleX Chat terminal app).</li>
<li>create and accept invitations or connect with the contacts.</li>
<li>create and manage long-term user address, accepting connection requests from the code or automatically.</li>
<li>create, join and manage groups - this can be used, for example, to connect two different people who connected to chat-bot.</li>
<li>send and receive files.</li>
</ul>
<p>Some possible applications you can create:</p>
<ul>
<li>peer-to-peer trading bots, that would connect people with matching buy/sell orders,</li>
<li>bots to access information,</li>
<li>language translation bots,</li>
<li>etc.</li>
</ul>
<p>As SimpleX Chat protocols provide strong encryption and authorization of the connections, you could use it not only in various communication scenarios, but also to remotely control any equipment where high level of security is required, for example:</p>
<ul>
<li>smart home automation,</li>
<li>network services,</li>
<li>remote deletion of application data,</li>
<li>etc.</li>
</ul>
<p>We are really looking forward to seeing what applications you create - please submit your ideas and implementations, we will publish the links on a separate page on the website and GitHub repository.</p>
<p><a href="https://simplex.chat/blog/20220511-simplex-chat-v2-images-files.html#the-first-messaging-platform-without-user-identifiers">How can SimpleX deliver messages without user identifiers</a>.</p>
<p><a href="https://simplex.chat/blog/20220711-simplex-chat-v3-released-ios-notifications-audio-video-calls-database-export-import-protocol-improvements.html#why-having-users-identifiers-is-bad-for-the-users">What are the risks to have identifiers assigned to the users</a>.</p>
<p><a href="https://simplex.chat/blog/20220723-simplex-chat-v3.1-tor-groups-efficiency.html#privacy-technical-details-and-limitations">Technical details and limitations</a>.</p>
<p><a href="https://github.com/simplex-chat/simplex-chat/blob/stable/README.md#frequently-asked-questions">How SimpleX is different from Session, Matrix, Signal, etc.</a>.</p>
<h2 id="we-ask-you-to-help-us-pay-for-3rd-party-security-audit" tabindex="-1">We ask you to help us pay for 3rd party security audit</h2>
<p>We have already signed the agreement and paid for the security audit!</p>
<p>It is planned for October, and if there are no major issues we will publish this report straight away, otherwise - once we fix them.</p>
<p>This is a major expense for use - over $20,000 - I would really appreciate if you could help us cover some part of this cost with the donations.</p>
<p>Our promise to our users is that SimpleX protocols are and will remain open, and in public domain, - so anybody can build the future implementations of the clients and the servers. We will be establishing a legal framework this year to ensure that it doesn't change if the ownership of SimpleX Chat Ltd changes at any future point.</p>
<p>Please consider making a donation - it will help us to raise more funds. Donating any amount, even the price of the cup of coffee, would make a huge difference for us.</p>
<p>It is possible to donate via:</p>
<ul>
<li><a href="https://github.com/sponsors/simplex-chat">GitHub</a>: it is commission-free for us.</li>
<li><a href="https://opencollective.com/simplex-chat">OpenCollective</a>: it also accepts donations in crypto-currencies, but charges a commission.</li>
<title>Security assessment by Trail of Bits, the new website and v4.2 released</title>
<content type="html"><h1 id="security-assessment-by-trail-of-bits-the-new-website-and-v42-released" tabindex="-1">Security assessment by Trail of Bits, the new website and v4.2 released</h1>
<p>When we first launched the app in March the response on Reddit was: <em>&quot;Have you been audited or should we just ignore you?&quot;</em>.</p>
<p>We have a growing number of enthusiasts using SimpleX Chat who can accept the security risks of unaudited system, but the users who depend on their security were patiently waiting until some independent experts review our codebase.</p>
<p><a href="https://www.trailofbits.com/about">Trail of Bits</a>, a US based security and technology consultancy whose clients include big tech companies, governmental agencies and major blockchain projects, had 2 engineers reviewing SimpleX Chat for one calendar week, specifically <a href="https://github.com/simplex-chat/simplexmq">simplexmq library</a> that is responsible for all cryptography and networking of SimpleX platform.</p>
<p>2 medium and 2 low severity issues were identified, all of which require a high difficulty attack to exploit – the attacker would need to have a privileged access to the system, may need to know complex technical details, or must discover other weaknesses to exploit them. 3 of these issues are already fixed in v4.2.</p>
<p>In the course of the audit, Trail of Bits assessed the maturity of the <a href="https://github.com/simplex-chat/simplexmq">simplexmq library</a> across eight categories and found five of them to be strong or satisfactory.</p>
<p>Explained below is our understanding of the issues, as well as fixes implemented by the SimpleX Chat team after project completion. The full security review is available via <a href="https://github.com/trailofbits/publications/blob/master/reviews/SimpleXChat.pdf">Trail of Bits publications</a>.</p>
<p>We are hugely thankful to Trail of Bits and their engineers for the work they did, helping us identify these issues and supporting the ongoing efforts to make SimpleX Chat more secure.</p>
<h4 id="x3dh-key-exchange-for-double-ratchet-protocol" tabindex="-1">X3DH key exchange for double ratchet protocol</h4>
<p>We made a mistake implementing X3DH key exchange - the key derivation function was not applied to the result of concatenation of three DH operations. The attack to exploit this mistake has high difficulty, as it would require compromising one of private keys generated by the clients, and also it would only affect forward secrecy until break-in recovery happens (after both sides sent some messages).</p>
<p>Please note that SimpleX does not perform X3DH with long-term identity keys, as the SimpleX protocol does not rely on long-term keys to identify client devices. Therefore, the impact of compromising a key will be less severe, as it will affect only the secrets of the connection where the key was compromised.</p>
<p>This issue is fixed in version 4.2 in <a href="https://github.com/simplex-chat/simplexmq/pull/548/files">this PR</a>, and if both clients are updated the key exchange will not have this vulnerability. Also, previously created connections should be secure as long as both sides sent the messages, but if you believe that your private key(s) could have been compromised (for example, if you used SimpleX Chat since before we added database encryption), we recommend that you create the new connections with your contacts, at least with the security-critical ones. Simply rotating the connection queue (manual queue rotation is added in version 4.2) will not be sufficient, as this rotation does not re-initialize the ratchets - this is something we will be adding in the future.</p>
<h4 id="keys-are-stored-in-unpinned-memory-and-not-cleared-after-their-lifetime" tabindex="-1">Keys are stored in unpinned memory and not cleared after their lifetime</h4>
<p>The problem here is that the memory with cryptographic keys can be swapped to the storage and potentially accessed by an attacker who has root-level access to the device (or the level of access required to access swap file of the application). So, if you are running SimpleX Chat on desktop you could improve its security by running it in an isolated container.</p>
<p>In our opinion, on mobile operating systems it is less severe as each application already runs in its own container, and applications do not share access to their swap areas (e.g., on Android swap is a <a href="https://developer.android.com/topic/performance/memory-management">compressed area in RAM</a> not accessible to other applications).</p>
<p>To exploit this issue an attacker needs to have a privileged system access to the device. Also, we believe <a href="https://www.microsoft.com/en-us/research/wp-content/uploads/1993/01/gen-gc-for-haskell.pdf">Haskell generational garbage collection</a> makes the lifetime of unused memory lower than in other languages.</p>
<p>We will be addressing this issue in the near future, possibly by using library <a href="https://hackage.haskell.org/package/secure-memory-0.0.0.2">secure-memory</a> created by Kirill Elagin, an engineer at Serokell, or some other similar approach.</p>
<h4 id="the-string-padding-function-is-incorrect-for-long-messages-and-the-string-unpadding-function-throws-exception-for-short-messages" tabindex="-1">The string padding function is incorrect for long messages, and the string unpadding function throws exception for short messages</h4>
<p>Both these issues are fixed in 4.2 in <a href="https://github.com/simplex-chat/simplexmq/pull/547/files">this PR</a>, with the additional unit tests, and we also validated that even before the fix the strings that would cause such exception were never passed to this function – The SimpleX Chat team could not find the possibility of the attack that would succeed because of this issue.</p>
<p>There are areas of SimpleX Chat that were out of scope of this review, specifically:</p>
<ul>
<li>the chat protocol implementation and mobile UIs, as they includes no cryptography of networking (with the exception of Android app storing encrypted database passphrase and key exchange/encryption for WebRTC calls).</li>
<li>push notifications server that is used by iOS clients.</li>
</ul>
<p>We will be arranging to review these areas separately.</p>
<h2 id="the-new-website" tabindex="-1">The new website</h2>
<p>Our <a href="https://old-website.simplex.chat/">previous website</a> was created 2 years ago to present SimpleX idea, there was no SimpleX Chat at the time - we only had a prototype implementation of SimpleX Messaging Protocol server then.</p>
<p>A lot of people told us that our website didn't explain well enough who SimpleX Chat is for, what problems it solves, and how it is different from the alternatives. So, while we love to be focused on the chat application, we decided to make the new one.</p>
<p>We hope that our <a href="https://simplex.chat/">new website</a> better answers these questions. If you think something should be added/removed/changed - please let us know. Thank you!</p>
<p>It's been requested by many users - to be able to join a group via link. Because SimpleX Chat groups are fully decentralised, and there is no server-side state, joining via these links requires the participation of the link creator who has to be online to accept the group joining request.</p>
<p>The way it works under the hood is similar to how contact addresses work:</p>
<ol>
<li>Group admin or owner creates a long term address that is technically the same as a user address, but it is associated with a specific group.</li>
<li>The user that joins the group can identify that this link belongs to some group by an additional piece of data in the link - <code>{&quot;type&quot;: &quot;group&quot;, &quot;groupLinkId&quot;: &quot;some random string&quot;}</code>. The ID in this link does not represent a group identity, every time any user creates a new link for the same group, this ID will be different. This ID is used by the joining client to identify the group and automatically accept the invitation when it is received.</li>
<li>When admin receives a connection request, they automatically accept it and send invitation link to join the group.</li>
<li>The joining user compares the ID in the invitation with the ID in the link, and if they match – automatically accepts the invitation.</li>
</ol>
<p>After that it works as when joining via the manual invitation - the joining user will be establishing the connection with all existing members to be able to send messages to the group.</p>
<p>The link can be created via the group page, as shown on the picture.</p>
<p>We have several groups you can join to ask any questions or just to test the app:</p>
<ul>
<li>
<p><a href="https://simplex.chat/contact#/?v=1-2&amp;smp=smp%3A%2F%2Fu2dS9sG8nMNURyZwqASV4yROM28Er0luVTx5X1CsMrU%3D%40smp4.simplex.im%2FWHV0YU1sYlU7NqiEHkHDB6gxO1ofTync%23%2F%3Fv%3D1-2%26dh%3DMCowBQYDK2VuAyEAWbebOqVYuBXaiqHcXYjEHCpYi6VzDlu6CVaijDTmsQU%253D%26srv%3Do5vmywmrnaxalvz6wi3zicyftgio6psuvyniis6gco6bp6ekl4cqj4id.onion&amp;data=%7B%22type%22%3A%22group%22%2C%22groupLinkId%22%3A%22mL-7Divb94GGmGmRBef5Dg%3D%3D%22%7D">#SimpleX-Group</a>: a general group with more than a 100 members where you can ask any questions.</p>
<p>You can join these groups either by opening these links in the app or by opening them in desktop browser and scanning QR code.</p>
<p>Let me know if you'd like to add some other countries to the list. Join via the apps to share what's going on and ask any questions!</p>
<p>When somebody connects to you via your long-term address you have to manually accept a connection request (it shows in blue color in the list of chats). The feature that we added in this release allows to configure the app to accept contact requests automatically, and also choose whether this contact should receive your main profile or a random incognito profile (independent of the current app setting), and add an optional auto-reply message.</p>
<p>This feature is useful if you publish your address on your webpage or social profile, and do not want to screen people who want to connect to you. You may want to send a standard welcome message, for example, if it is an online store, and you need to share any information with everybody who contacts you.</p>
<p>Our @simplex account that you connect to when you choose &quot;Connect to developers&quot; in the app used this feature for a long time, and now it is available to mobile app users.</p>
<h3 id="some-small-things" tabindex="-1">Some small things</h3>
<ol>
<li>
<p>Changing group member role is a very basic feature, but it was only added in this release.</p>
</li>
<li>
<p>You can now mark a conversation as unread, for example if you accidentally marked all messages as read and you want to review it later.</p>
</li>
<li>
<p>Send stickers and GIFs from Android keyboards, and, finally, the bug with backspace button is resolved as well.</p>
</li>
</ol>
<h3 id="change-your-delivery-address-beta" tabindex="-1">Change your delivery address (BETA)</h3>
<p>To manually switch any of your contacts (or a group member to a new server address) enable Developer tools and choose &quot;Change receiving address&quot; on the contact page. As long as they run a new version of the app and online, the switch should only take a few seconds.</p>
<p>That is a major improvement of metadata privacy of SimpleX protocols, because previously, while we didn't have user identifiers, the pairwise identifiers of messaging queues used to deliver messages were used for as long as the contact existed. Now these identifiers are temporary, and in a near future we will be adding automatic rotation of these delivery addresses.</p>
<p>It is also useful when you want to migrate message delivery to another server, for example, if you used SimpleX Chat default servers and now want to self-host your own. Or, maybe, you need to change the address of your server. Previously it would require creating new contacts and losing conversation histories, and now all you have to do is to change server configuration in the app, and when the change of the address is triggered (currently, only manually, and in the near future - automatically), your contacts will be migrated to a new server, without you doing anything - it only requires each party sending 2 messages to negotiate the reconnection, and it would also rotate the encryption keys used for the outer layer of E2E encryption.</p>
<h3 id="receive-images-and-small-files-faster-beta" tabindex="-1">Receive images and small files faster (BETA)</h3>
<p>From version 4.2 all files smaller than ~92kb (equal to 6 message blocks) will be sent in the same connection where you have the chat, and files smaller than ~231kb (the limit for image size) can also be optionally received via the same connection – the latter requires enabling &quot;Transfer images faster&quot; in Privacy &amp; security settings (it will be available after you enable Developer tools). There are two reasons why it is not on by default yet: 1) we wanted to ensure it is stable; 2) there is a small effect on metadata privacy of having a burst of traffic in the same connection where you are having the main conversation.</p>
<p>This functionality was created for the future voice messages, as they need to be sent without acceptance, so that the recipients can listen to them even when the sender is offline.</p>
<p><a href="https://simplex.chat/blog/20220511-simplex-chat-v2-images-files.html#the-first-messaging-platform-without-user-identifiers">How can SimpleX deliver messages without user identifiers</a>.</p>
<p><a href="https://simplex.chat/blog/20220711-simplex-chat-v3-released-ios-notifications-audio-video-calls-database-export-import-protocol-improvements.html#why-having-users-identifiers-is-bad-for-the-users">What are the risks to have identifiers assigned to the users</a>.</p>
<p><a href="https://simplex.chat/blog/20220723-simplex-chat-v3.1-tor-groups-efficiency.html#privacy-technical-details-and-limitations">Technical details and limitations</a>.</p>
<p><a href="https://github.com/simplex-chat/simplex-chat/blob/stable/README.md#frequently-asked-questions">How SimpleX is different from Session, Matrix, Signal, etc.</a>.</p>
<p>Please also see the information on our <a href="https://simplex.chat/">new website</a> - it also answers all these questions.</p>
<h2 id="help-us-with-donations" tabindex="-1">Help us with donations</h2>
<p>Huge thank you to everybody who donated to SimpleX Chat!</p>
<p>We are prioritizing users privacy and security - it would be impossible without your support.</p>
<p>Our pledge to our users is that SimpleX protocols are and will remain open, and in public domain, - so anybody can build the future implementations of the clients and the servers. We are building SimpleX platform based on the same principles as email and web, but much more private and secure.</p>
<p>Your donations help us raise more funds – any amount, even the price of the cup of coffee, makes a big difference for us.</p>
<p>It is possible to donate via:</p>
<ul>
<li><a href="https://github.com/sponsors/simplex-chat">GitHub</a> - it is commission-free for us.</li>
<li><a href="https://opencollective.com/simplex-chat">OpenCollective</a> - it charges a commission, and also accepts donations in many crypto-currencies.</li>
<li>please let us know, via GitHub issue or chat, if you want to make a donation in some other cryptocurrency - we will add the address to the list.</li>
<title>SimpleX Chat reviews and v4.3 released – with instant voice messages, irreversible deletion of sent messages and improved server configuration.</title>
<content type="html"><h1 id="simplex-chat-reviews-and-v43-released-with-instant-voice-messages-irreversible-deletion-of-sent-messages-and-improved-server-configuration" tabindex="-1">SimpleX Chat reviews and v4.3 released – with instant voice messages, irreversible deletion of sent messages and improved server configuration.</h1>
<p>Since we published <a href="https://simplex.chat/blog/20221108-simplex-chat-v4.2-security-audit-new-website.html">the security assessment of SimpleX Chat</a> completed by Trail of Bits in November, several sites published the reviews and included it in their recommendations:</p>
<ul>
<li>Privacy Guides added SimpleX Chat to <a href="https://www.privacyguides.org/real-time-communication/#simplex-chat">the recommended private and secure messengers</a>.</li>
<li>Mike Kuketz – a well-known security expert – published <a href="https://www.kuketz-blog.de/simplex-eindruecke-vom-messenger-ohne-identifier/">the review of SimpleX Chat</a> and added it to <a href="https://www.messenger-matrix.de/">the messenger matrix</a>.</li>
<li><a href="https://simplex.chat/blog/20221206-simplex-chat-v4.3-voice-messages.html#irreversible-message-deletion">irreversible deletion of sent messages for all recipients</a></li>
<li><a href="https://simplex.chat/blog/20221206-simplex-chat-v4.3-voice-messages.html#smp-servers-configuration-and-password">improved SMP server configuration and support for server passwords</a></li>
<li><a href="https://simplex.chat/blog/20221206-simplex-chat-v4.3-voice-messages.html#privacy-and-security-improvements">privacy and security improvements</a>:
<p>Voice messages, unlike normal files, are sent instantly, in the existing connection with your contact and without acceptance from the recipient. For this reason we limited the size of voice messages to ~92.5kb (an equivalent of 6 messages), that limits the duration to 30 seconds on iOS and to ~42 seconds on Android (the size is different because of different encoders), with an average sound quality. The voice messages are sent in MP4AAC format that is natively supported both on iOS and on Android, and you can play voice message files outside of SimpleX Chat app.</p>
<p>Users who do not want to receive voice messages can disable them, either globally, for all contacts, or for each contact independently. Please note that the global preference change will only affect the contacts where you shared your main profile (not incognito contacts) and where you didn't change the preference for the particular contact. Groups have a separate policy that allows disabling voice messages for all members (they are allowed by default). The owner can set this policy when creating a group or later, via Group preferences page.</p>
<p>When you receive email, you have full confidence that the sender cannot delete their email from your mailbox after you received it. And it seems correct – in the end, this is your device, and nobody should be able to delete any data from it.</p>
<p>Most existing messengers made an opposite decision – the senders can irreversibly delete their messages from the recipients' devices after they were delivered, whether recipients agree to that or not. And it seems correct too - this is your message, you should be able to delete it, at least for a limited time; that the message is on the recipient device doesn't change your ownership of this message.</p>
<p>While both these statements appear correct, at least to some people, they simply cannot both be correct at the same time, as they contradict each other - either one or both of them must be wrong. This appears to be a very polarising subject, and <a href="https://mastodon.social/@simplex/109461879089268041">the polls</a> <a href="https://www.reddit.com/r/SimpleXChat/comments/zdam11/poll_irreversible_message_deletion_by_sender_what/">I made</a> <a href="https://twitter.com/epoberezkin/status/1599797374389727233">yesterday</a> <a href="https://www.linkedin.com/feed/update/urn:li:activity:7005564342502842368/">show it</a> - the votes are split evenly.</p>
<p>You may want to be able to delete your messages even after they are received to protect your privacy and security, and you want the communication product you use to enforce it. But you may also have many reason to disagree to the deletion of messages on your device for several different reasons:</p>
<ul>
<li>it may be a business context, and either your organisation policy or a compliance requirement is that every message you receive must be preserved for some time.</li>
<li>these messages may contain threat or abuse and you want to keep them as a proof.</li>
<li>you may have paid for the the message (e.g., it can be a consulting report), and you don't want it to suddenly disappear before you had a chance to store it outside of the conversation.</li>
</ul>
<p>Instead of taking any side in this choice, we decided to allow to change this behaviour either globally or separately for each contact or group. That makes SimpleX Chat unique, being suitable both for the communication contexts where email is traditionally used and in informal or privacy sensitive contexts, that would allow the senders to delete messages irreversibly, provided that the recipients agree to that.</p>
<p>In any case, the senders can never be 100% certain that the message is deleted from the recipient's device - recipient can be running a modified client that does not honour the conversation setting, and there is no way to ascertain which code your contact runs on their device.</p>
<p>If irreversible message deletion is not allowed in the conversation, the senders can still mark their messages as deleted, and it would show &quot;mark deleted&quot; placeholder in the conversation. The recipients can then both reveal the content of the original message and fully delete it on their devices.</p>
<h3 id="smp-servers-configuration-and-password" tabindex="-1">SMP servers configuration and password</h3>
<p>When you self-host your own SMP server you may want to make it public so that anybody can use it to receive messages. But many users want to host their private servers, so that only they and their friends can use them to receive the messages.</p>
<p>v4.0 of SMP server and the new version of the apps adds support for server passwords. It is chosen randomly when you initialize the new server, and if you already have a server you can change it. Anybody can still message you, it doesn't require knowing the password, and the links you share do not include it, but to be able to receive the messages you need to know a server address that includes the password. In a way, it is similar to how basic authentication works in HTTP, and how browsers support the URIs with included credentials.</p>
<p>The new server configuration section now allows to test your servers before you start using them, and you can also share your server address via QR code, so that your friends or your team can use them too, without the need to copy paste the addresses.</p>
<p>You can read how to install and configure SMP servers in <a href="https://github.com/simplex-chat/simplex-chat/blob/stable/docs/SERVER.md">this guide</a>.</p>
<h3 id="privacy-and-security-improvements" tabindex="-1">Privacy and security improvements</h3>
<p>It is now enabled by default, but you can disable it via settings.</p>
<p>iOS app only hides the app screen in the recent apps, Android app in addition to that also prevents the screenshots.</p>
<p>This is not the security measure for the senders, and we made it optional, as the recipient could circumvent it anyway – this is for you to protect your app screen when you give your phone to somebody.</p>
<h4 id="privacy-and-security-of-simplex-invitation-links" tabindex="-1">Privacy and security of SimpleX invitation links</h4>
<p>Previously, when you sent somebody an invitation link, a contact address or a group link, they would take half a screen in the chat and they could open in the browser in some cases. Also, as these links are quire large, it is not easy to see if the page domain is maliciously replaced, what SMP server the connection would go through or what kind of link it is.</p>
<p>This version instead of showing the full link shows a short description, and it replaces a public web address with an internal URI scheme that the app uses (simplex:/) – such links open directly in the app. There is an option to show the full link, if you need it, and even to open it in the browser from the app, but in this case if this link is not using <a href="https://simplex.chat/">https://simplex.chat</a> website it will show as red to highlight it.</p>
<h3 id="optional-android-app-data-backup" tabindex="-1">Optional Android app data backup</h3>
<p>The previous version always backed up app data in the way it was configured by the system. Now you can override it from inside the app, preventing the backup even if it's enabled by the system settings. This version requires disabling it manually, we will make it disabled by default in the next release (v4.3.1).</p>
<h3 id="direct-messages-between-group-members" tabindex="-1">Direct messages between group members</h3>
<p>The new version does not allow them by default, but it can be enabled by group owners in the group settings when the group is created or at any later moment.</p>
<p><a href="https://simplex.chat/blog/20220511-simplex-chat-v2-images-files.html#the-first-messaging-platform-without-user-identifiers">How can SimpleX deliver messages without user identifiers</a>.</p>
<p><a href="https://simplex.chat/blog/20220711-simplex-chat-v3-released-ios-notifications-audio-video-calls-database-export-import-protocol-improvements.html#why-having-users-identifiers-is-bad-for-the-users">What are the risks to have identifiers assigned to the users</a>.</p>
<p><a href="https://simplex.chat/blog/20220723-simplex-chat-v3.1-tor-groups-efficiency.html#privacy-technical-details-and-limitations">Technical details and limitations</a>.</p>
<p><a href="https://github.com/simplex-chat/simplex-chat/blob/stable/README.md#frequently-asked-questions">How SimpleX is different from Session, Matrix, Signal, etc.</a>.</p>
<p>Please also see the information on our <a href="https://simplex.chat/">new website</a> - it also answers all these questions.</p>
<h2 id="help-us-with-donations" tabindex="-1">Help us with donations</h2>
<p>Huge thank you to everybody who donated to SimpleX Chat!</p>
<p>We are prioritizing users privacy and security - it would be impossible without your support.</p>
<p>Our pledge to our users is that SimpleX protocols are and will remain open, and in public domain, - so anybody can build the future implementations of the clients and the servers. We are building SimpleX platform based on the same principles as email and web, but much more private and secure.</p>
<p>Your donations help us raise more funds – any amount, even the price of the cup of coffee, makes a big difference for us.</p>
<p>It is possible to donate via:</p>
<ul>
<li><a href="https://github.com/sponsors/simplex-chat">GitHub</a> - it is commission-free for us.</li>
<li><a href="https://opencollective.com/simplex-chat">OpenCollective</a> - it charges a commission, and also accepts donations in many crypto-currencies.</li>
<li>please let us know, via GitHub issue or chat, if you want to make a donation in some other cryptocurrency - we will add the address to the list.</li>
<title>SimpleX Chat v4.4 released – with disappearing messages, live messages, connection security verification and French language!</title>
<content type="html"><h1 id="simplex-chat-v44-released-with-disappearing-messages-live-messages-connection-security-verification-and-french-language" tabindex="-1">SimpleX Chat v4.4 released – with disappearing messages, live messages, connection security verification and French language!</h1>
<li><a href="https://simplex.chat/blog/20230103-simplex-chat-v4.4-disappearing-messages.html#animated-images-and-stickers">animated images and stickers</a> – now on iOS too.</li>
<p>Also, we added <a href="https://simplex.chat/blog/20230103-simplex-chat-v4.4-disappearing-messages.html#french-language-interface">French language interface</a>, thanks to the users' community and Weblate!</p>
<p>It is now possible to send the messages that will be deleted from both sender and recipient device after set time – for the sender from the time they were sent, and for the recipient - from the time they were read.</p>
<p>Unlike in most other messengers, it requires agreement of both sides, not just the sender decision. I <a href="https://simplex.chat/blog/20221206-simplex-chat-v4.3-voice-messages.html#irreversible-message-deletion">wrote previously</a> why we believe it is wrong to allow the senders to delete their messages without recipient consent, and the same logic applies here – if you want to send the message that will disappear after some time, your contact should be ok with that too.</p>
<p>Pressing &quot;bolt&quot; button before you start typing the message will start a &quot;live&quot; message. Now, as you type it, it will be updated for all recipients every several seconds, including only complete words. To finish the message you need to press &quot;checkmark&quot; button.</p>
<p>You can also start a live message after you started typing or after you chose the image – long-press send button and then press &quot;Send live message&quot;.</p>
<p>SimpleX Chat design prevents the possibility of messaging servers substituting the key during the initial connection (man-in-the-middle attack) by requiring that the invitation link is passed via another channel. I wrote more about how MITM attack works in <a href="https://www.poberezkin.com/posts/2022-12-07-why-privacy-needs-to-be-redefined.html">this post</a>. But this other channel, however unlikely, could still have been compromised by an attacker to replace the invitation link you sent. That is the reason why we recommend sharing QR code in a video call – this is very complex for an attacker to replace it in this case.</p>
<p>This new feature allows you to verify, via yet another channel, that the connection is secure and the keys were not replaced. You can either scan the security code from your contact's app, or compare codes visually, or even read it in a voice call – if your and your contact's app have the same security code for each other then the connection is secure.</p>
<p>If you are sending direct messages to some group members then it might also be important to verify security of these connections, as in this case the invitations were exchanged via the member who added you or another member, and if this member's client was modified, they could have replaced the keys and the addresses, and intercept the entire conversation.</p>
<p>Regardless how connection is established, verifying the connection proves its security. Technically, this security code is the hash of associated data used in the end-to-end encryption, which in turn is taken by combining public keys from the initial key exchange.</p>
<h3 id="animated-images-and-stickers" tabindex="-1">Animated images and stickers</h3>
<p>Android app supported GIFs and stickers for some time, now you can view and send them from iOS app as well, e.g. using GIPHY keyboard - you no longer need to choose between privacy and stickers. Just bear in mind, that third party keyboards can be insecure, so you should not be using them for typing sensitive information.</p>
<h3 id="french-language-interface" tabindex="-1">French language interface</h3>
<p>Thanks to our users' community and to <a href="https://weblate.org/en-gb/">Weblate</a> kindly providing a free hosting plan for SimpleX Chat translations we can now support more languages in the interface – this version adds French.</p>
<p>Please get in touch if you want to translate the interface into your language!</p>
<p><a href="https://simplex.chat/blog/20220511-simplex-chat-v2-images-files.html#the-first-messaging-platform-without-user-identifiers">How can SimpleX deliver messages without user identifiers</a>.</p>
<p><a href="https://simplex.chat/blog/20220711-simplex-chat-v3-released-ios-notifications-audio-video-calls-database-export-import-protocol-improvements.html#why-having-users-identifiers-is-bad-for-the-users">What are the risks to have identifiers assigned to the users</a>.</p>
<p><a href="https://github.com/simplex-chat/simplex-chat#privacy-and-security-technical-details-and-limitations">Technical details and limitations</a>.</p>
<p><a href="https://github.com/simplex-chat/simplex-chat/blob/stable/README.md#frequently-asked-questions">How SimpleX is different from Session, Matrix, Signal, etc.</a>.</p>
<p>Please also see our <a href="https://simplex.chat/">website</a>.</p>
<h2 id="help-us-with-donations" tabindex="-1">Help us with donations</h2>
<p>Huge thank you to everybody who donated to SimpleX Chat!</p>
<p>We are prioritizing users privacy and security - it would be impossible without your support.</p>
<p>Our pledge to our users is that SimpleX protocols are and will remain open, and in public domain, - so anybody can build the future implementations of the clients and the servers. We are building SimpleX platform based on the same principles as email and web, but much more private and secure.</p>
<p>Your donations help us raise more funds – any amount, even the price of the cup of coffee, makes a big difference for us.</p>
<p>It is possible to donate via:</p>
<ul>
<li><a href="https://github.com/sponsors/simplex-chat">GitHub</a> - it is commission-free for us.</li>
<li><a href="https://opencollective.com/simplex-chat">OpenCollective</a> - it charges a commission, and also accepts donations in crypto-currencies.</li>
<li>please let us know, via GitHub issue or chat, if you want to create a donation in some other cryptocurrency - we will add the address to the list.</li>
<title>SimpleX Chat v4.5 released – with multiple chat profiles, message draft, transport isolation and Italian language!</title>
<content type="html"><h1 id="simplex-chat-v45-released-with-multiple-user-profiles-message-draft-transport-isolation-and-italian-interface" tabindex="-1">SimpleX Chat v4.5 released – with multiple user profiles, message draft, transport isolation and Italian interface!</h1>
<p>Also, we added <a href="https://simplex.chat/blog/20230204-simplex-chat-v4-5-user-chat-profiles.html#italian-interface">Italian interface</a>, thanks to the users' community and Weblate!</p>
<p>Incognito mode added in v3.2 allows to share a random profile name with your new contacts. It is quite popular - more than half of users connecting to our support profile use it. In case when you just want a throw-away profile name that doesn't share any information about you it is more convenient that creating a new profile for each contact manually.</p>
<p>But there are many cases when a disposable profile is not good enough enough, and you want to create separate profiles - one for your family, another for work, yet one more for your online contacts that only know your pseudonym rather than your real name.</p>
<p>Previously this was only possible by using separate chat databases. This version adds a chat profile manager that allows you to create unlimited number of profiles, and very quickly switch them. All these profiles are connected at the same time.</p>
<p>When you delete profile you no longer need you have two options - either delete both profile data on the device and any message queues that this profile created on SMP servers (e.g., when it is more important to leave as few meta-data on the servers), or delete only profile data without making any network requests (when it is more important to delete all data from the device quickly).</p>
<p>While most app settings apply to all profiles, several settings are profile-specific.</p>
<p>You can separately set which SMP servers are used to create the new contacts in each profile (via Network settings). Please note: changing SMP servers in one profile won't affect other profiles, and all new profiles are created with preset servers.</p>
<p>You can also separately set the retention time for messages in each profile (via Database settings).</p>
<p>Also, you have a different contact address in each profile, and different Chat preferences.</p>
<p>All other settings are used for all profiles. While you may want to have different settings for different security levels, it is much better to use different devices in this case.</p>
<p>Previously, if you've closed the conversation with unsent message, this message was disappearing. While it might be better for privacy, there are several scenarios when it is very inconvenient:</p>
<ul>
<li>you need to compose the message from several parts that you copy from other conversations.</li>
<li>some messages arrives that you need to answer urgently, so you can leave unfinished message to return to it later.</li>
</ul>
<p>Both are now possible - the message you wrote, together with any attachments, and even a voice message you recorded, will remain available as draft until you either close the app or leave another message unfinished - while you can send the message in another chat without losing the current draft, there can be only one draft at a time.</p>
<p>Even when you create different chat profiles you are still connecting to your contacts via the same device. Transport isolation, by default, makes connections belonging to the same profile use different TCP sessions, so while the server sees the same IP address, it doesn't see it as the same client connection. If you are connecting via Tor using SOCKS proxy (e.g. Orbot app on Android) not only the app will use different TCP sessions, it will also use separate Tor circuits for connections from different profiles, preventing the servers and network observers seeing this as traffic coming from the same device.</p>
<p>There is an additional BETA option to use a separate transport connection for each contact and group member connection you have – it is available in Network settings if you enable dev tools. In case you have a large number of contacts or participate in large groups across all profiles in the app, you should not use this option, as it may create a lot of traffic and also can exceed the quota for TCP sockets. Also creating a lot of separate Tor circuits can be slow. We will be testing at which number of connections this option starts failing and by the time it's available without dev tools we will add some limits.</p>
<p>Battery usage is one of the biggest complaints of SimpleX Chat users. The main reason for excess traffic is inefficient retry strategies for Network operations in these cases:</p>
<ul>
<li>the message queue capacity is exceeded - the app will keep retrying to send the message until there will be capacity.</li>
<li>the server is not available, e.g. if you connect to somebody via their server, and they later disable it. This case creates much less extra traffic than the first.</li>
</ul>
<p>This version makes retries for exceeded queue capacity 10x less frequent and adds SMP protocol extension that will allow to reduce retries even further by the next version. It works in the following way:</p>
<ul>
<li>when the sender encounters &quot;queue quota exceeded&quot; error, the sender stops trying to send the message.</li>
<li>the server also takes note of that error.</li>
<li>once recipient receives all messages from this queue, the server will notify the recipient that the sender had &quot;queue quota exceeded&quot; error.</li>
<li>the recipient will then send a special message to the sender client to instruct it that it can resume delivery.</li>
<li>the sender can still occasionally try sending the message, e.g. once every hours, but it won't need to retry once every few minutes as it does now.</li>
</ul>
<p>Reducing battery usage is our big priority - we expect to reduce it by at least 2-3x in the next few months.</p>
<p>When you send an image or voice message they are sent as files with filenames including timestamp. We didn't see it as a problem, as files are sent together with the message, and messages have server-side timestamps anyway. But the users pointed out that the timestamp we used was in the local timezone, and therefore leaked the country (or continent) where the user is located. A simple workaround was to reset timezone to UTC, and that is what most users who need to protect their location do anyway. But this version resolves it - these filenames now include UTC timezones – no workarounds are needed.</p>
<p>Thanks to our users' community and to Weblate providing a free hosting plan for SimpleX Chat translations we can now support more languages in the interface – this version adds Italian and many more is in progress - Chinese, Japanese, Czech, Dutch, etc.</p>
<p>You can <a href="https://github.com/simplex-chat/simplex-chat/tree/stable#translate-the-apps">contribute the translation</a> of the apps to your language too!</p>
<p><a href="https://simplex.chat/blog/20220511-simplex-chat-v2-images-files.html#the-first-messaging-platform-without-user-identifiers">How can SimpleX deliver messages without user identifiers</a>.</p>
<p><a href="https://simplex.chat/blog/20220711-simplex-chat-v3-released-ios-notifications-audio-video-calls-database-export-import-protocol-improvements.html#why-having-users-identifiers-is-bad-for-the-users">What are the risks to have identifiers assigned to the users</a>.</p>
<p><a href="https://github.com/simplex-chat/simplex-chat#privacy-and-security-technical-details-and-limitations">Technical details and limitations</a>.</p>
<p><a href="https://github.com/simplex-chat/simplex-chat/blob/stable/README.md#frequently-asked-questions">How SimpleX is different from Session, Matrix, Signal, etc.</a>.</p>
<p>Please also see our <a href="https://simplex.chat/">website</a>.</p>
<h2 id="help-us-with-donations" tabindex="-1">Help us with donations</h2>
<p>Huge thank you to everybody who donated to SimpleX Chat!</p>
<p>We are prioritizing users privacy and security - it would be impossible without your support.</p>
<p>Our pledge to our users is that SimpleX protocols are and will remain open, and in public domain, - so anybody can build the future implementations of the clients and the servers. We are building SimpleX platform based on the same principles as email and web, but much more private and secure.</p>
<p>Your donations help us raise more funds – any amount, even the price of the cup of coffee, makes a big difference for us.</p>
<p>See <a href="https://github.com/simplex-chat/simplex-chat/tree/master#help-us-with-donations">this section</a> for the ways to donate.</p>
<title>SimpleX File Transfer Protocol - a new protocol for sending large files efficiently, privately and securely.</title>
<content type="html"><h1 id="simplex-file-transfer-protocol-a-new-protocol-for-sending-large-files-efficiently-privately-and-securely" tabindex="-1">SimpleX File Transfer Protocol – a new protocol for sending large files efficiently, privately and securely.</h1>
<li><a href="https://simplex.chat/blog/20230301-simplex-file-transfer-protocol.html#%E2%9A%A1%EF%B8%8F-quick-start-send-a-file-with-xftp-cli-in-3-simple-steps">Quick start: how to send a file using XFTP CLI</a></li>
<li><a href="https://simplex.chat/blog/20230301-simplex-file-transfer-protocol.html#whats-the-problem">What's the problem</a></li>
<li><a href="https://simplex.chat/blog/20230301-simplex-file-transfer-protocol.html#why-didnt-we-just-use-some-existing-solution">Why didn't we just use some existing solution?</a></li>
<li><a href="https://simplex.chat/blog/20230301-simplex-file-transfer-protocol.html#what-is-xftp-and-how-does-it-work">What is XFTP and how does it work?</a></li>
<li><a href="https://simplex.chat/blog/20230301-simplex-file-transfer-protocol.html#what-is-next">What is next?</a></li>
<h2 id="quick-start-send-a-file-with-xftp-cli-in-3-simple-steps" tabindex="-1">⚡️ Quick start: send a file with XFTP CLI in 3 simple steps</h2>
<p>Download XFTP binary for Linux from <a href="https://github.com/simplex-chat/simplexmq/releases/tag/v5.0.0-beta.3">the release</a> – you need the file <code>xftp-ubuntu-20_04-x86-64</code> - rename it as <code>xftp</code>.</p>
<p><strong>Step 1</strong>: To send the file:</p>
<p><strong>Step 2</strong>: Pass file description(s) (files <code>rcvN.xftp</code>) to the recipient(s) securely, e.g. send it as a file via SimpleX Chat.</p>
<p><strong>Step 3</strong>: To receive the file:</p>
<p>The sender also delete all file chunks from the relays before they expire in 48 hours with this command:</p>
<pre><code class="language-bash">xftp del ./filename.ext/snd.xftp.private
</code></pre>
<br />
<h2 id="whats-the-problem" tabindex="-1">What's the problem?</h2>
<p>If you are using SimpleX Chat apps you know that support of sending files and images is not very good, and sending videos and large files is simply impossible. There are currently these problems:</p>
<ul>
<li>the sender has to be online for file transfer to complete, once it was confirmed by the recipient.</li>
<li>when the file is sent to the group, the sender will have to transfer it separately to each member, creating a lot of traffic.</li>
<li>the file transfer is slow, as it is sent in small chunks - approximately 16kb per message.</li>
</ul>
<p>As a result, we limited the supported size of files in the app to 8mb. Even for supported files, it is quite inefficient for sending any files to large groups.</p>
<h2 id="why-didnt-we-just-use-some-existing-solution" tabindex="-1">Why didn't we just use some existing solution?</h2>
<p>We really hoped to find some existing open-source solution that we could integrate with SimpleX Chat.</p>
<p>We decided not to use torrent-like or any other P2P solutions because of their lack of privacy, challenging legality in some jurisdictions and, in many cases, because they are inefficient in groups.</p>
<p>We reviewed several S3-compatible solutions (e.g., <a href="https://github.com/minio/minio">minio</a>, <a href="https://git.deuxfleurs.fr/Deuxfleurs/garage">garage</a>, <a href="https://github.com/seaweedfs/seaweedfs">SeaweedFS</a>), but they all require the development of a separate service layer, making them unusable as standalone services and harder to deploy for the users who want to self-host the file transfer service. As a side note, the solution that we developed can still be composed with S3-compatible storage for higher capacity servers with some privacy/efficiency trade-offs.</p>
<p>We also looked at a few independent implementations of file sharing, with some ad-hoc protocols (e.g., <a href="https://github.com/ceph/ceph">ceph</a> and <a href="https://framagit.org/fiat-tux/hat-softwares/lufi">lufi</a>), but neither seemed sufficiently mature, and also not as private as we would like.</p>
<p>So after a lot of searching we decided to design and implement a new protocol for file transfers, that both solved the problems above, and provided a higher level of metadata privacy than any other file transfer solution has.</p>
<h2 id="what-is-xftp-and-how-does-it-work" tabindex="-1">What is XFTP and how does it work?</h2>
<pre><code> Sender Internet XFTP relays Internet Recipient
chunk N --------------------------- +---------+ --------------------- chunk N
| | (store file chunks) | |
| | | |
| | | |
</code></pre>
<p>XFTP stands for SimpleX File Transfer Protocol. Its design is based on the same ideas and has some of the qualities of SimpleX Messaging Protocol, that is used in SimpleX Chat:</p>
<ul>
<li>recipient cannot see sender's IP address, as the file fragments (chunks) are temporarily stored on multiple XFTP relays.</li>
<li>file can be sent asynchronously, without requiring the sender to be online for file to be received.</li>
<li>there is no network of peers that can observe this transfer - sender chooses which XFTP relays to use, and can self-host their own.</li>
<li>XFTP relays do not have any file metadata - they only see individual chunks, with access to each chunk authorized with anonymous credentials (using Edwards curve cryptographic signature) that are random per chunk.</li>
<li>chunks have one of the sizes allowed by the servers - currently we allow 256kb, 1mb and 4mb chunks, so if you send, say 1gb file, to XFTP relays it will look indistinguishable from sending many small files, and they would only know that chunks are sent by the same user only via the transport information, but none of the relays will see all chunks. Also, once this feature is available in mobile apps you can use transport isolation per chunk, when each file fragment will be uploaded via a separate TCP connection (and Tor circuit, if you use Tor) – the CLI we released does not yet support per-chunk transport isolation.</li>
<li>each chunk can be downloaded by multiple recipients, but each recipient uses their own key and chunk ID to authorize access, and the chunk is encrypted by a different key agreed via ephemeral DH keys (NaCl crypto_box (SalsaX20Poly1305 authenticated encryption scheme ) with shared secret derived from Curve25519 key exchange) on the way from the server to each recipient. XFTP protocol as a result has the same quality as SMP protocol - there are no identifiers and ciphertext in common between sent and received traffic inside TLS connection, so even if TLS is compromised, it complicates traffic correlation attacks.</li>
<li>XFTP protocol also supports redundancy - each file chunk can be sent via multiple relays, and the recipient can choose the one that is available. The released CLI does not support redundancy though.</li>
<li>the file as a whole is encrypted with a random symmetric key using NaCl secret_box.</li>
</ul>
<p>So, how would any recipient know where to get all these file fragments from and how to put them back together into the original file? Normally, when you send a file via any file-sharing service it provides you a link that you can pass to the recipient. The link allows to download the original file, but it also provides the server a lot of file meta-data, that often includes file name and exact size, and in many cases the server also has access to a file content.</p>
<p>Instead of using a link, XFTP protocol includes a special format for a &quot;file description&quot; - it is a small text file containing the locations, access keys and digests for all file chunks, and also the encryption key and digest (SHA512) for the whole file. This file description does not contain the original file name or exact file size, so if it is used after the file fragments are expired or removed from XFTP relays, this information is not accessible.</p>
<p>CLI generates a separate file description for each intended recipient - you need to specify how many people you want to be able to receive this file. You can specify a larger number of recipients to avoid revealing the real number of recipients from XFTP relays. Mobile apps, when this protocol is integrated, will do it automatically, choosing some large random number of possible recipients, so while the relays will be able to observe how many people time the file was downloaded, they won't know how many intended recipients you had - sending to a group of 10 people and to 1 recipient can look the same to the relays.</p>
<p>File description is a security-sensitive file that contains private keys and chunk addresses necessary to receive the whole file, and also a symmetric key to decrypt the file. Therefore you must use a secure channel to send file description - e.g., it can be sent via SimpleX Chat. But once the recipient downloaded the file, CLI invalidates the file fragment addresses on relays and the same file description cannot be used again to download the file.</p>
<h2 id="what-is-next" tabindex="-1">What is next?</h2>
<p>We released and deployed several XFTP relays for you to experiment with (they are hardcoded in the XFTP CLI), and you can deploy your own relays either from <a href="https://github.com/simplex-chat/simplexmq/releases/tag/v5.0.0-beta.3">downloadable binary</a> or by compiling <a href="https://github.com/simplex-chat/simplexmq">the source code</a>. We also released XFTP CLI - it is available in the same release.</p>
<p>We are currently integrating support for sending large files using XFTP protocol into SimpleX Chat clients. SimpleX Chat v5.0 will have support for receiving files sent via XFTP protocol (you will be able to send a file description via a SimpleX Chat CLI app, so that mobile apps will be able to receive them as normal files, only much faster), and v5.1 will fully support for sending large files (up to 1gb) in the mobile apps.</p>
<p>We will also publish a formal specification for XFTP protocol and overview of its security qualities and threat model. For now you can learn more about the protocol design and motivations from this internal <a href="https://github.com/simplex-chat/simplexmq/blob/stable/rfcs/2022-12-26-simplex-file-transfer.md">XFTP protocol RFC</a>.</p>
<p>Using and sending files with the available XFTP CLI will hugely help us stabilizing both the protocol and implementations. What we really like about this design is that it is completely independent from SimpleX Chat - you can use it on its own, sending files and passing file descriptions to your contacts via any other messenger - e.g. via Signal, – without this messenger being able to observe that you are in fact sending a large file.</p>
<p>We did not yet decide whether we will be making a separate security audit of XFTP implementation, or if we combine it with the next security audit of SimpleX Chat. The latter seems more likely, as XFTP uses the same cryptographic primitives that were reviewed during <a href="https://simplex.chat/blog/20221108-simplex-chat-v4.2-security-audit-new-website.html">SimpleX Chat security assessment by Trail of Bits</a> in November 2022.</p>
<p><a href="https://simplex.chat/blog/20220511-simplex-chat-v2-images-files.html#the-first-messaging-platform-without-user-identifiers">How can SimpleX deliver messages without user identifiers</a>.</p>
<p><a href="https://simplex.chat/blog/20220711-simplex-chat-v3-released-ios-notifications-audio-video-calls-database-export-import-protocol-improvements.html#why-having-users-identifiers-is-bad-for-the-users">What are the risks to have identifiers assigned to the users</a>.</p>
<p><a href="https://github.com/simplex-chat/simplex-chat#privacy-and-security-technical-details-and-limitations">Technical details and limitations</a>.</p>
<p><a href="https://github.com/simplex-chat/simplex-chat/blob/stable/README.md#frequently-asked-questions">How SimpleX is different from Session, Matrix, Signal, etc.</a>.</p>
<p>Please also see our <a href="https://simplex.chat/">website</a>.</p>
<h2 id="help-us-with-donations" tabindex="-1">Help us with donations</h2>
<p>Huge thank you to everybody who donated to SimpleX Chat!</p>
<p>We are prioritizing users privacy and security - it would be impossible without your support.</p>
<p>Our pledge to our users is that SimpleX protocols are and will remain open, and in public domain, - so anybody can build the future implementations of the clients and the servers. We are building SimpleX platform based on the same principles as email and web, but much more private and secure.</p>
<p>Your donations help us raise more funds – any amount, even the price of the cup of coffee, makes a big difference for us.</p>
<p>See <a href="https://github.com/simplex-chat/simplex-chat/tree/master#help-us-with-donations">this section</a> for the ways to donate.</p>
<li><a href="https://simplex.chat/blog/20230328-simplex-chat-v4-6-hidden-profiles.html#group--community-moderation">group / community moderation</a></li>
<li><a href="https://simplex.chat/blog/20230328-simplex-chat-v4-6-hidden-profiles.html#smp-server-monitoring">SMP server monitoring: status bot and page</a></li>
<p>Also, we added <a href="https://simplex.chat/blog/20230328-simplex-chat-v4-6-hidden-profiles.html#chinese-and-spanish-interface---you-can-choose-the-language-via-the-app">Chinese and Spanish interface languages</a>, thanks to the users' community and Weblate!</p>
<h3 id="armv7a-32-bit-and-android-8-support" tabindex="-1">ARMv7a (32 bit) and Android 8+ support!</h3>
<p>It increases the number of supported Android devices twice - now most of your friends should be able to install SimpleX Chat. SimpleX Chat still doesn't support Android 7 and erlier versions.</p>
<p>If you install the app from GitHub or F-Droid you need to choose the correct APK, Play Store will provide it automatically.</p>
<p>For a long time the main way to protect SimpleX Chat app from people who have access to your phone was device authentication - it is requested when you open the app (and some of its sensitive functions).</p>
<p>Many users asked to allow setting the app password or PIN independently from the device PIN, as some other apps do. But it did not seem a good enough solution - if somebody has your device PIN, then in most cases they can also ask you to provide the app PIN as well.</p>
<p>So instead of having an app password, that reduces convenience and doesn't improve security too much, we did what we think could be better. You can now create hidden chat profiles, that are not visible anywhere in the app, and do not show any notifications, until you enter a correct passphrase. If multiple profiles are hidden with the same passphrase they will all show in the list when you enter it.</p>
<p>It's important to remember that these hidden profiles are still stored locally on your device, so if somebody has access to your chat database (they need to know database passphrase, that is independent from device PIN or profile passphrases) or to chat console in the app, they will be able to access these profiles data and reset their passwords. We are considering how chat console can be better protected - e.g., by requiring a separate password or by providing an option to remove it from the UI permanently - tell us what you think.</p>
<h3 id="group-community-moderation" tabindex="-1">Group / Community moderation</h3>
<p>Initially we did not design SimpleX Chat to support communities - our focus has always been maximum privacy and security.</p>
<p>SimpleX Chat supports small and fully decentralized groups, that are not hosted anywhere. But many users want to participate in and to discover communities. Since we added support for group links, the groups we created to let users test the app started to grow, and many other communities of over 100 people emerged.</p>
<p>We are already observing some less-than-friendly messages and undesirable content that is not welcome in some communities. So this version adds features allowing to moderate groups.</p>
<p>Firstly, group admins and owners can revoke members rights to send messages to the group by assigning members an &quot;observer&quot; role, and also make this role default for users joining via a group link.</p>
<p>Secondly, group admins can now delete messages sent by other members (excluding the messages sent by the group owners). &quot;Moderate&quot; action in the message menu will either mark the message as deleted or delete it irreversibly for all members, as set in group preferences by the owners.</p>
<p>These features will allow group owners to decide their own rules. More robust moderation tools are coming later when we build support for large communities.</p>
<p>Prior to this version audio and video calls in iOS app were very limited – they only worked while the app was in foreground. This version fully re-implemented audio/video calls in iOS – it now uses native WebRTC library instead of web view. These calls are still end-to-end encrypted, and compatible with the calls in the previous versions of the app, both on iOS and on Android platforms.</p>
<p>Where allowed by App Store policy, the calls on iOS now use Apple's native interface for calls CallKit, that allows to accept calls from the lock screen, prevents call interruption by incoming phone calls and optionally allows to include calls in the phone call history - the last option needs to be enabled separately.</p>
<p>Calls on Android were also improved – they now support bluetooth headphones, allow changing volume in video calls and support proximity sensor during the audio call, to prevent accidental interruption when you hold the phone close to your ear.</p>
<p>We know that battery usage of SimpleX Chat is suboptimal, and we are committed to reduce it. Unfortunately, there is no simple change that we could make to solve this problem, it requires many systematic improvements and fixes.</p>
<p>One of the big issues, particularly in large groups, was inefficient retry strategy for sending messages in cases when the receiving message queue (mailbox) was out of capacity.</p>
<p>This version increases the maximum retry period for &quot;out-of-capacity&quot; scenario to 1 hour, and also preserves this retry period in the database. So, if previously before the message expired in 48 hours there were up to ~2800 delivery attempts and up to ~45Mb wasted traffic per recipient (depending on how frequently the app was restarted), now there will be only ~50 retries, resulting in not more than 0.8Mb of traffic - up to 56x traffic reduction when sending messages to the large groups.</p>
<p>This issue might not have affected you at all, and also solving it won't reduce overall traffic/battery usage by that factor - there are other inefficiences we will be addressing. But if you actively sent messages to large groups you should observe a substantial reduction of battery and traffic consumption.</p>
<p>Please share your experience. If the battery usage is still suboptimal, please share your usage statistics - they can be requested in chat console with <code>/get stats</code> command - it will return the aggregated number of network operations, per server, since the app was started. Please note that these statistics include the addresses of the servers you connect to, so if you want to keep them private, please redact them. You can also reset usage statistics with <code>/reset stats</code> command.</p>
<h3 id="smp-server-monitoring" tabindex="-1">SMP server monitoring</h3>
<p>If you use preset servers in SimpleX Chat you can now see when we do any maintenance or when the server is down either by <a href="https://simplex.chat/contact#/?v=1-2&amp;smp=smp%3A%2F%2Fu2dS9sG8nMNURyZwqASV4yROM28Er0luVTx5X1CsMrU%3D%40smp4.simplex.im%2FShQuD-rPokbDvkyotKx5NwM8P3oUXHxA%23%2F%3Fv%3D1-2%26dh%3DMCowBQYDK2VuAyEA6fSx1k9zrOmF0BJpCaTarZvnZpMTAVQhd3RkDQ35KT0%253D%26srv%3Do5vmywmrnaxalvz6wi3zicyftgio6psuvyniis6gco6bp6ekl4cqj4id.onion">connecting to status bot via the app</a> or by visiting a <a href="https://status.simplex.chat/">status page</a>. Status bot always sends automatic messages before the server is restarted for maintenance, but in case of downtime if the same server is down that you use to receive the messages from the bot, you may miss them - check the status page in this case.</p>
<h3 id="chinese-and-spanish-interface-you-can-choose-the-language-via-the-app" tabindex="-1">Chinese and Spanish interface - you can choose the language via the app!</h3>
<p>Thanks to our users' community and to Weblate providing a free hosting plan for SimpleX Chat translations we can now support more languages in the interface – this version adds Chinese and Spanish and more are in progress.</p>
<p>You can <a href="https://github.com/simplex-chat/simplex-chat/tree/stable#translate-the-apps">contribute the translation</a> of the apps to your language too!</p>
<p>The app now supports 8 languages in addition to English - Czech, German, Spanish, French, Italian, Dutch, Russian and Chinese. You can now choose the language via the app settings (Appearance page), independently from the system settings.</p>
<p><a href="https://simplex.chat/#how-simplex-works">How can SimpleX deliver messages without user identifiers</a>.</p>
<p><a href="https://simplex.chat/#why-ids-bad-for-privacy">What are the risks to have identifiers assigned to the users</a>.</p>
<p><a href="https://github.com/simplex-chat/simplex-chat#privacy-and-security-technical-details-and-limitations">Technical details and limitations</a>.</p>
<p><a href="https://github.com/simplex-chat/simplex-chat/blob/stable/README.md#frequently-asked-questions">How SimpleX is different from Session, Matrix, Signal, etc.</a>.</p>
<p>Visit our <a href="https://simplex.chat/">website</a> to learn more.</p>
<h2 id="help-us-with-donations" tabindex="-1">Help us with donations</h2>
<p>Huge thank you to everybody who donated to SimpleX Chat!</p>
<p>We are prioritizing users privacy and security - it would be impossible without your support.</p>
<p>Our pledge to our users is that SimpleX protocols are and will remain open, and in public domain, - so anybody can build the future implementations of the clients and the servers. We are building SimpleX platform based on the same principles as email and web, but much more private and secure.</p>
<p>Your donations help us raise more funds – any amount, even the price of the cup of coffee, makes a big difference for us.</p>
<p>See <a href="https://github.com/simplex-chat/simplex-chat/tree/master#help-us-with-donations">this section</a> for the ways to donate.</p>
<title>SimpleX Chat: vision and funding, v5.0 released with videos and files up to 1gb</title>
<content type="html"><h1 id="simplex-chat-vision-and-funding-v50-released-with-videos-and-files-up-to-1gb" tabindex="-1">SimpleX Chat: vision and funding, v5.0 released with videos and files up to 1gb.</h1>
<li><a href="https://simplex.chat/blog/20230422-simplex-chat-vision-funding-v5-videos-files-passcode.html#why-is-it-a-commercial-company">why is it a commercial company?</a></li>
<li><a href="https://simplex.chat/blog/20230422-simplex-chat-vision-funding-v5-videos-files-passcode.html#how-is-it-funded-and-what-is-the-business-model">how is it funded and what is the business model?</a></li>
<li><a href="https://simplex.chat/blog/20230422-simplex-chat-vision-funding-v5-videos-files-passcode.html#what-is-next">what is next?</a></li>
<li><a href="https://simplex.chat/blog/20230422-simplex-chat-vision-funding-v5-videos-files-passcode.html#send-videos-and-files-up-to-1gb">send videos and files up to 1gb</a></li>
<li><a href="https://simplex.chat/blog/20230422-simplex-chat-vision-funding-v5-videos-files-passcode.html#app-passcode">app passcode independent from system authentication</a></li>
<p>Also, we added Polish interface language, thanks to <a href="https://github.com/simplex-chat/simplex-chat#help-translating-simplex-chat">the users' community and Weblate</a>.</p>
<p>SimpleX Chat apps are now available in 10 languages!</p>
<h2 id="simplex-chat-vision-and-funding" tabindex="-1">SimpleX Chat vision and funding</h2>
<h3 id="why-is-it-a-commercial-company" tabindex="-1">Why is it a commercial company?</h3>
<p>It was a big decision: whether SimpleX Chat should be a non-profit project or an open-source project led by a commercial company.</p>
<p>During the last 25 years of the Internet, commercial companies have shown a much higher ability to innovate than non-profit organizations. One of the most inspiring examples is NetScape that created the Web as we know it - not only as the destination to access information, but also as an application platform, inventing cookies, SSL and JavaScript, that to this day remain the main building blocks for all web applications.</p>
<p>While SimpleX Chat Ltd is a commercial company, SimpleX Chat software is and will remain open-source. We believe that this way we will create much more value both for the end users, and also for the shareholders and the employees of the company.</p>
<p>Many large tech companies prioritizing value extraction over value creation earned a bad reputation for all businesses, particularly in the communities that value decentralization and privacy. But commercial objectives do not have to result in exploitation. Our goal is to build a new kind of communication network, and also an application platform, that is private by design, fully decentralized and not owned by any single entity, where SimpleX Chat Ltd is one of many organizations that operate the network. I shared my thoughts about how the Internet and privacy might evolve in the interview in <a href="https://optoutpod.com/episodes/s3e02-simplexchat/">Opt Out Podcast</a>.</p>
<h3 id="how-is-it-funded-and-what-is-the-business-model" tabindex="-1">How is it funded and what is the business model?</h3>
<p>We started working full-time on the project in 2021 when <a href="https://www.linkedin.com/in/portmanwills/">Portman Wills</a> and <a href="https://www.linkedin.com/in/peterbriffett/">Peter Briffett</a> (the founders of <a href="https://wagestream.com/en/">Wagestream</a> where I led the engineering team) supported the company very early on, and several other angel investors joined later. In July 2022 SimpleX Chat raised a pre-seed funding from the VC fund <a href="https://www.villageglobal.vc/">Village Global</a> - its co-founder <a href="https://www.villageglobal.vc/team/ben-casnocha">Ben Casnocha</a> was very excited about our vision of privacy-first fully decentralized messaging and community platform, both for the individual users and for the companies, independent of any crypto-currencies, that might grow to replace large centralized platforms, such as WhatsApp, Telegram and Signal.</p>
<blockquote>
<p>Edit: please see the comment from Ben Casnocha about this investment in <a href="https://simplex.chat/blog/20240814-simplex-chat-vision-funding-v6-private-routing-new-user-experience.html">our post from August 14, 2024</a>.</p>
<p>Overall we raised from our investors approximately $370,000 for a small share of the company to allow the project team working full time for almost two years, funding product design and development, infrastructure, and also <a href="https://simplex.chat/blog/20221108-simplex-chat-v4.2-security-audit-new-website.html">the security assessment by Trail of Bits</a>. A large part of this money is not spent yet.</p>
<p>The project was hugely supported by the users as well - collectively, <a href="https://github.com/simplex-chat/simplex-chat#help-us-with-donations">you donated</a> over $25,000. Without these donations the investment we raised would not be possible, because we believe that voluntary user donations can sustain the project in the long term – it already covers all infrastructure costs. There are only two ways an Internet service can exist - either users are paying for it, or the users data becomes the product for the real customers, as happened with many large Internet companies. In the latter case the users are losing much more money than they are saving by giving away their privacy and the rights to the content they create on the centralized platforms.</p>
<p>Going forward we plan to keep the basic usage of the platform free, and at the same time we will be providing the benefits to the project sponsors. For example, there will be additional app icons and user profile badges. There also will be higher file transfer limits – currently we don't limit it at all, only limiting the file size, but it's unlikely to be sustainable. In any case, the app will remain highly usable for everyone for free, and fully open-source. Several other apps are already being developed based on our app core, leading to a fully decentralized network.</p>
<h3 id="what-is-next" tabindex="-1">What is next?</h3>
<p>Our goals for the next 1-2 years are to make the messaging network:</p>
<ul>
<li>more reliable and resilient, by adding redundancy into the message delivery and delivery receipts,</li>
<li>more private, by automating rotation of the servers used to deliver messages and by adding delivery relays to better protect IP addresses of the users,</li>
<li>more usable by adding and improving the functions users are expecting in messengers, and also adding some unique functions, like we did with <a href="https://simplex.chat/blog/20220901-simplex-chat-v3.2-incognito-mode.html#incognito-mode">incognito mode</a>, <a href="https://simplex.chat/blog/20230103-simplex-chat-v4.4-disappearing-messages.html#live-messages">live messages</a> and <a href="https://simplex.chat/blog/20230328-simplex-chat-v4-6-hidden-profiles.html#hidden-chat-profiles">hidden profiles</a>.</li>
<p>One major initiative we will kick-off this year is the support for large, fully decentralized and private communities and groups not hosted on any servers – something that no Internet platform achieved so far in as private and efficient way as we plan to build it.</p>
<p>To accelerate product development and growth we will be raising a seed funding this year, both from the VCs and angel investors, and we also might offer our users an opportunity to participate in the crowd funding round on the same terms as other investors, allowing to both support the project and to benefit from its future growth. <a href="https://simplex.chat/#join-simplex">Subscribe to our updates</a> not to miss it, connect to the team in SimpleX Chat and <a href="https://github.com/simplex-chat/simplex-chat#join-user-groups">join users' groups</a>.</p>
<h2 id="whats-new-in-v50" tabindex="-1">What's new in v5.0</h2>
<h3 id="send-videos-and-files-up-to-1gb" tabindex="-1">Send videos and files up to 1gb!</h3>
<p>In the beginning of March <a href="https://simplex.chat/blog/20230301-simplex-file-transfer-protocol.html">we released servers and command-line utility to send and receive files via XFTP protocol</a> - a very private and secure protocol that sends end-to-end encrypted files in chunks, protecting meta-data better than any alternatives we know of.</p>
<p>Now this protocol is fully integrated in SimpleX Chat, and all files except small voice messages are sent using this protocol (small voice messages are sent as usual messages). Not only it is much faster than before - with the fast Internet connection I can send 25Mb file in 3 seconds and 1gb file in 2 minutes (for most users it's capped at the available Internet bandwidth), it has two other major advantages making it more usable:</p>
<ul>
<li>the file sent to a group has to be uploaded only once, regardless of the group size.</li>
<li>once the file is uploaded (it will have the tick), you no longer need to be online for your contact (or group members) to be able to receive it.</li>
</ul>
<p>As for the metadata privacy, it has similar guarantee to SimpleX Messaging Protocol. The files are sent via TLS 1.2/1.3, with the same server identity verification, TLS channel binding and upload authorization as used with SMP servers. But the file metadata is protected even if TLS is compromised, as there are no identifiers and ciphertext in common in server received and sent traffic, allowing to correlate only by sending and receiving time. Correlating by time becomes less efficient as the server traffic grows.</p>
<p>We also added the ability to send videos in the chat, so they can be played right in the conversation or on full screen without leaving the app – thanks to the efficient and fast file transfer they are very usable.</p>
<p>We also plan to add support for longer and higher quality voice messages, and also for sending full resolution images in the next versions.</p>
<p>While we do think that app passcode does not increase security too much, compared with device passcode or biometric protection, there are cases when it may be preferable, and also many users really wanted that it is added.</p>
<p>Now you can choose whether to use faster and more convenient system biometric authentication or to use a separate app passcode. You can choose which one to use when it is first offered, or switch later in the settings.</p>
<p>Two small improvements to the app networking capabilities were added in this version.</p>
<p>Firstly, you can now make your self-hosted servers available on IPv6 addresses, and the app supports them as well. Please bear in mind that older clients won't be able to connect to you if you use IPv6 address, and also that some ISPs do not provide IPv6 addresses to their users, in which case they would also not be able to connect if IPv6 address is used. To allow connections in these cases you should make your servers available on some domain name that resolves to both IPv4 and IPv6 addresses, and use this domain name in the server address.</p>
<p>Secondly, Android client now supports configuring host and port of the SOCKS proxy, allowing to use apps other than Orbot and also to run SOCKS proxy in the local network, to save mobile device battery.</p>
<p><a href="https://simplex.chat/#how-simplex-works">How can SimpleX deliver messages without user identifiers</a>.</p>
<p><a href="https://simplex.chat/#why-ids-bad-for-privacy">What are the risks to have identifiers assigned to the users</a>.</p>
<p><a href="https://github.com/simplex-chat/simplex-chat#privacy-and-security-technical-details-and-limitations">Technical details and limitations</a>.</p>
<p><a href="https://github.com/simplex-chat/simplex-chat/blob/stable/README.md#frequently-asked-questions">How SimpleX is different from Session, Matrix, Signal, etc.</a>.</p>
<p>Visit our <a href="https://simplex.chat/">website</a> to learn more.</p>
<h2 id="help-us-with-donations" tabindex="-1">Help us with donations</h2>
<p>Huge thank you to everybody who donated to SimpleX Chat!</p>
<p>We are prioritizing users privacy and security - it would be impossible without your support.</p>
<p>Our pledge to our users is that SimpleX protocols are and will remain open, and in public domain, - so anybody can build the future implementations of the clients and the servers. We are building SimpleX platform based on the same principles as email and web, but much more private and secure.</p>
<p>Your donations help us raise more funds – any amount, even the price of the cup of coffee, makes a big difference for us.</p>
<p>See <a href="https://github.com/simplex-chat/simplex-chat/tree/master#help-us-with-donations">this section</a> for the ways to donate.</p>
<li><a href="https://simplex.chat/blog/20230523-simplex-chat-v5-1-message-reactions-self-destruct-passcode.html#voice-messages-up-to-5-minutes-better-quality-playback-control">voice messages up to 5 minutes</a>.</li>
<li><a href="https://simplex.chat/blog/20230523-simplex-chat-v5-1-message-reactions-self-destruct-passcode.html#disappearing-messages-choose-any-time">custom time to disappear</a>.</li>
<li>new design and <a href="https://simplex.chat/blog/20230523-simplex-chat-v5-1-message-reactions-self-destruct-passcode.html#customize-and-share-color-themes">customizable themes</a> that you can share!<sup>*</sup></li>
<p>There are lots of small improvements and fixes in this release:</p>
<ul>
<li>setting to disable audio/video calls per contact.</li>
<li>group welcome message visible in a group profile - add the link to join the group there.</li>
<li>fixes for sending files.</li>
<li>configurable SOCKS proxy host and port<sup>*</sup>.</li>
<li>improved calls on lock screen<sup>*</sup>.</li>
<li>locale-dependent formatting of time and date<sup>*</sup>.</li>
</ul>
<p>Also, we added Japanese and Portuguese (Brazil)<sup>*</sup> interface languages, thanks to <a href="https://github.com/simplex-chat/simplex-chat#help-translating-simplex-chat">our users and Weblate</a>.</p>
<p>* These features are available in the Android version only.</p>
<p>No idea why it took us so long to add them – finally we have them, and they are great.</p>
<p>We didn't like the view of other messengers plagued by 40 different reactions on a message, and we were not quite sure what can be done about it, so we initially decided to limit available reactions to just 6: thumbs up 👍, down 👎, smile 😀, tear 😢, heart ❤️ and rocket 🚀. But unlike some other messengers, we don't limit the reactions to just one per message - you can put up to 3.</p>
<p>You can add them via the menu, or just by tapping the reaction already on the message.</p>
<p>The next app version will allow prohibiting the reactions per conversation, as you asked. Some groups work better with more substantive responses.</p>
<p>Since <a href="https://simplex.chat/blog/20221206-simplex-chat-v4.3-voice-messages.html#instant-voice-messages">v4.3</a> voice messages were sent in small 16kb chunks, so we had to limit them to 30-40 seconds for better user experience, as sending larger files would require the sender to be online.</p>
<p>With the new XFTP protocol that allows sending files up to 1gb it is now possible to increase the message size - we decided to limit it at 5 min, increasing their quality 2x (the bitrate is increased from 16 to 32kbps). We also added a slider to control the playback.</p>
<h3 id="disappearing-messages-choose-any-time" tabindex="-1">Disappearing messages: choose any time!</h3>
<p>Since <a href="https://simplex.chat/blog/20230103-simplex-chat-v4.4-disappearing-messages.html#disappearing-messages">v4.4</a> disappearing messages were only configurable for the whole conversation, with a limited choice of allowed times between 30 seconds and 1 month.</p>
<p>This version allows to configure the time for messages to disappear more granularly, in the range from 1 second to 3 months. You can also set a different time to disappear when you send the message (hold the Send button), as long as disappearing messages are enabled in the conversation.</p>
<p>I <a href="https://simplex.chat/blog/20221206-simplex-chat-v4.3-voice-messages.html#irreversible-message-deletion">wrote previously</a> why we decided to require the recipient concent before the messages can be fully deleted by the sender - in short, it is to support recipient's data sovereignty and prevent the possibility of offensive messages being removed without any trace. By default, when the sender deletes the message it is marked as deleted, rather than fully deleted, and you can reveal the original message.</p>
<p>You've found the workaround for it of course - it's enough to simply edit the message to hide the original content. This version adds a visible message editing history, together with other detailed information about when the message was sent, received or deleted, that wasn't visible in the conversation.</p>
<h2 id="customize-and-share-color-themes" tabindex="-1">Customize and share color themes</h2>
<p>Android app now allows choosing between three color themes - Light, Dark and SimpleX (a dark blue theme). You can customize any theme by setting 9 different colors used in the app, including titles, menus, accent colors and colors for sent and received messages.</p>
<p>You can share your theme with other users by exporting it to a file and sending to them. You can also <a href="https://simplex.chat/docs/themes.html">contribute your favorite themes</a> to our GitHub repository.</p>
<p>This is something many of you asked before - when asked to enter the app passcode under duress, to be able to enter a special self-destruct code that would remove the app data. This feature is offered in many security tools, and now you can configure it in SimpleX Chat as well.</p>
<li>switch lock mode to Passcode and, if necessary, enable lock – Self-destruct passcode will become available.</li>
<li>enable it, enter the main passcode and then enter and confirm self-destruct passcode.</li>
<li>optionally, you can set the new display name of the profile that will be created after the data was wiped. If it is left blank, a new empty profile will have a random name.</li>
<p><a href="https://simplex.chat/#how-simplex-works">How can SimpleX deliver messages without user identifiers</a>.</p>
<p><a href="https://simplex.chat/#why-ids-bad-for-privacy">What are the risks to have identifiers assigned to the users</a>.</p>
<p><a href="https://github.com/simplex-chat/simplex-chat#privacy-and-security-technical-details-and-limitations">Technical details and limitations</a>.</p>
<p><a href="https://github.com/simplex-chat/simplex-chat/blob/stable/README.md#frequently-asked-questions">How SimpleX is different from Session, Matrix, Signal, etc.</a>.</p>
<p>Visit our <a href="https://simplex.chat/">website</a> to learn more.</p>
<h2 id="help-us-with-donations" tabindex="-1">Help us with donations</h2>
<p>Huge thank you to everybody who donated to SimpleX Chat!</p>
<p>We are prioritizing users privacy and security - it would be impossible without your support.</p>
<p>Our pledge to our users is that SimpleX protocols are and will remain open, and in public domain, - so anybody can build the future implementations of the clients and the servers. We are building SimpleX platform based on the same principles as email and web, but much more private and secure.</p>
<p>Your donations help us raise more funds – any amount, even the price of the cup of coffee, makes a big difference for us.</p>
<p>See <a href="https://github.com/simplex-chat/simplex-chat/tree/master#help-us-with-donations">this section</a> for the ways to donate.</p>
<li><a href="https://simplex.chat/blog/20230722-simplex-chat-v5-2-message-delivery-receipts.html#message-delivery-receipts">message delivery receipts</a> – with opt-out per contact!</li>
<li><a href="https://simplex.chat/blog/20230722-simplex-chat-v5-2-message-delivery-receipts.html#filter-favorite-and-unread-chats">filter favorite and unread chats</a>.</li>
<li><a href="https://simplex.chat/blog/20230722-simplex-chat-v5-2-message-delivery-receipts.html#problems-of-public-groups">problems of public groups</a>:
<li><a href="https://simplex.chat/blog/20230722-simplex-chat-v5-2-message-delivery-receipts.html#what-about-read-receipts">what about read receipts?</a></li>
<p>Most messaging apps add two ticks to sent messages – the first one to show that the message is accepted by the server, and the second – that it is delivered to the recipient's device. It confirms that the network is functioning, and that the message is not lost or delayed. SimpleX Chat now has this feature too!</p>
<p>In some cases it may compromise recipients' privacy, as they show that the recipient is online, so we made sending delivery receipts optional – it can be disabled separately for each chat profile or contact. For the new chat profiles this feature is enabled by default.</p>
<p>To avoid compromising your privacy, sending delivery receipts is disabled for all your existing chat profiles. The first time you start the app after the update, you will be offered to enable them for all <a href="https://simplex.chat/blog/20230328-simplex-chat-v4-6-hidden-profiles.html#hidden-chat-profiles">visible profiles</a>, and they can be enabled later via Privacy and Security settings.</p>
<p>You can now mark your contacts and groups as <em>favorite</em>, to be able to find them faster. With filter enabled, you will only see favorite chats, chats that contain unread messages and also any unaccepted group invitations and contact requests.</p>
<p>Active SimpleX Chat users know how broken the current group experience is, and that we plan some major overhaul of the groups protocol – more on that below. In the meanwhile, we added some simple features that make groups in their current state a bit more usable.</p>
<h4 id="what-is-this-in-reply-to" tabindex="-1">What is this in reply to?</h4>
<p>A major problem is that you can see replies to the messages you've not seen before - this would happen both when you just join the group, and didn't connect to most other members, and also when other new members join the group and they didn't yet connect to you – so literally all the time, and the bigger the group gets, the worse it becomes. While this problem cannot be solved without major group protocol changes, at least there is now ability to see the original message that was replied to via the message information.</p>
<h4 id="how-to-connect-to-this-member" tabindex="-1">How to connect to this member?</h4>
<p>To simplify direct connections with other group members, you can now share your SimpleX address via your chat profile, and group members can send you a contact request even if the group does not allow direct messages.</p>
<h4 id="how-to-find-a-member-in-the-list" tabindex="-1">How to find a member in the list?</h4>
<p>Large member lists (and also the long lists of contacts, if you have many of them) become hard to scroll through, so now there is a search in both lists.</p>
<p>This version fixes many long-standing problems with the message delivery, failed connections with group members (that also contributed to group fragmentation), and reduces traffic in groups (beta users experienced a traffic spike because of this fix, but it doesn't affect the final v5.2 release). It's not the end of the road to making SimpleX Chat as stable as mainstream messengers, but it is a big improvement.</p>
<p>Please report the cases when messages are not delivered – delivery receipts should help with that.</p>
<h4 id="messages-failed-to-decrypt-problem-solved" tabindex="-1">Messages failed to decrypt? Problem solved!</h4>
<p>Previously, a growing number of users had the issue when after restoring the chat database from backup, messages from some contacts failed to decrypt and were showing an error in the app.</p>
<p>This happens due to double ratchet protocol protecting the integrity of end-to-end encryption after the compromise - <a href="https://simplex.chat/docs/glossary.html#post-compromise-security">post-compromise security</a>. The protocol logic does not allow to use the old version of the database to decrypt the message.</p>
<p>v5.2 added the extension to the messaging protocol allowing to negotiate the new ratchet keys in such cases - both with the contacts and the group members. This requires a user action, and it resets the security code verification status for this contact or member – you need to verify it again to have the additional protection from <a href="https://simplex.chat/docs/glossary.html#man-in-the-middle-attack">man-in-the-middle attacks</a>.</p>
<p>The negotiation of the new ratchet keys still happens via the end-to-end encrypted messages, as the protocol has two layers of end-to-end encryption, so it cannot be compromised by the messaging relays.</p>
<p>You may still lose connection if you or your contact changed the receiving address after you made the backup, so make sure to make a new backup after any receiving address changes.</p>
<h4 id="reconnect-the-servers" tabindex="-1">Reconnect the servers</h4>
<p>While v5.2 solved many message delivery issues, there may be some others, but they are usually resolved with app restart. It was difficult to fully restart Android app, as there is a continuosly running background service for notifications that doesn't restart with the app. Now Android app has both Restart and Shutdown buttons that take background service into account.</p>
<p>On iOS you can now pull down the list of conversations to reconnect to all relays without restarting the app.</p>
<p>You can now send a separate disappearing message if the chat preferences allow them, but do not have any time to disappear enabled – this applies both to groups and to contacts. You can also set the time to disappear up to 12 months.</p>
<h3 id="problems-of-public-groups" tabindex="-1">Problems of public groups</h3>
<p>As I wrote above, the major problem is that not all messages are received by all members, or, at least, they may be substantially delayed. Additional problems are various scenarios when the list of members gets out of sync for different members.</p>
<p>How to cope with these problems?</p>
<p>It really helps to only use one link shared with the members to join the group - the one created by the client that is most frequently online, ideally always online. This is sometimes confusing, as any group admin can create another group link, and share it with the members, and if this admin is not online, the new member won't be able to join.</p>
<p>We will add new group features to manage fragmentation - there will be an option to fix the connection with the member that you failed to connect to by passing the link out-of-band. This can be particularly helpful for stable groups of 20-50 people where it's important to see all messages.</p>
<p>In the long term, the only way to make groups usable is to move to a new design. We considered several options.</p>
<h4 id="why-not-hosted-groups-with-mls" tabindex="-1">Why not hosted groups with MLS?</h4>
<p>Initially, we considered the design with the dedicated servers, potentially self-hosted, that host groups. This design would require adopting MLS (or similar) protocol for group-wide key agreement. Unfortunately, this design is not sufficiently resilient and easier to censor than decentralized design. Also, MLS protocol is very complex to implement, requires a centralized component, and reduces forward secrecy. So we decided against this approach.</p>
<h4 id="why-not-fully-decentralized-groups" tabindex="-1">Why not fully decentralized groups?</h4>
<p>We also <a href="https://simplex.chat/blog/https%3A//github.com/simplex-chat/simplex-chat/blob/stable/simplex-chat/docs/rfcs/2023-05-02-groups.md">considered</a> rumour-mongering protocol, where all members are equal and participate in message dissemination. The problem with this approach is that it adds a lot of traffic for all members, even those who mostly read messages. Also, it still requires establishing a fully connected graph, and with large groups it becomes prohibitively expensive and unreliable, given that many members join public groups for a limited time.</p>
<h4 id="members-host-the-groups" tabindex="-1">Members host the groups</h4>
<p>We are now considering a middle-ground - the design where the owners and admins host the group, synchronising the state between them, receiving and re-broadcasting the messages between all members. This puts a higher burden on these members, but these clients can be hosted in the cloud, and also group owners have a larger incentive to maintain group integrity. At the same time, this design is better for the rest of the group members, as they don't need to establish connections with all other members, only with a limited number of &quot;hosting&quot; members, and it also better protects their privacy, due to the lack of direct connections between most members.</p>
<p>This approach avoids the need for a group-wide key agreement protocol, as hosting members are expected to have access to all content anyway, so pair-wise ratchets are sufficient. At the same time the content remains end-to-end encrypted, and protected from the outsiders.</p>
<p>This approach also simplifies moderation - the message that needs to be removed simply won't reach the members before it is moderated (in case of automatic or policy-based moderation).</p>
<p>Discovery and content search in such groups will be provided via a dedicated discovery server that will participate in the group, provide an always-online client, and also automatic content moderation functionality - a possible approach to moderation is <a href="https://simplex.chat/blog/https%3A//github.com/simplex-chat/simplex-chat/blob/stable/simplex-chat/docs/rfcs/2023-05-22-groups-moderation.md">described here</a>.</p>
<p>We really look forward to your feedback on this design.</p>
<h3 id="what-about-read-receipts" tabindex="-1">What about read receipts?</h3>
<p>We have an approximately equal number of users who ask us to add receipts, and those who ask not to add them, even as optional.</p>
<p>While read receipts provide some convenience to the message senders, they introduce a lot of stress for the recipients.</p>
<p>As one of the users in the group wrote it: &quot;The existence of read receipts in other platforms is exhausting and is often a source of undue stress. I have to make a decision to read something and let someone know that I have read something and decided not to respond or merely didn't have the time to respond. The outcome of that is a complex social negotiation with non-theoretical social fallout as a consequence. All in all, it's an invasion of privacy of being able to read things at the pace of the individual as opposed to the pace dictated by others... Most people don't need a read receipt, so leave it to a group of individuals to decide if having read receipts make sense to them for their workflow&quot;.</p>
<p>Also read <a href="https://neilalexander.dev/2021/04/09/read-receipts-typing-notifs">this post</a> about the damage from read receipts and other invasive features, like typing and presense notifications.</p>
<p>There is also no discounting that the presense of read receipts functionality, even as opt-in, creates a social pressure to enable them, with the same consequences – there are many scenarios when they become non-optional in some relationships. So many users belive, and we share this view, that it is better not to have these features at all. We will be re-assessing this view.</p>
<p><a href="https://simplex.chat/#how-simplex-works">How can SimpleX deliver messages without user identifiers</a>.</p>
<p><a href="https://simplex.chat/#why-ids-bad-for-privacy">What are the risks to have identifiers assigned to the users</a>.</p>
<p><a href="https://github.com/simplex-chat/simplex-chat#privacy-and-security-technical-details-and-limitations">Technical details and limitations</a>.</p>
<p><a href="https://github.com/simplex-chat/simplex-chat/blob/stable/README.md#frequently-asked-questions">How SimpleX is different from Session, Matrix, Signal, etc.</a>.</p>
<p>Visit our <a href="https://simplex.chat/">website</a> to learn more.</p>
<h2 id="help-us-with-donations" tabindex="-1">Help us with donations</h2>
<p>Huge thank you to everybody who donated to SimpleX Chat!</p>
<p>We are prioritizing users privacy and security - it would be impossible without your support.</p>
<p>Our pledge to our users is that SimpleX protocols are and will remain open, and in public domain, - so anybody can build the future implementations of the clients and the servers. We are building SimpleX platform based on the same principles as email and web, but much more private and secure.</p>
<p>Your donations help us raise more funds – any amount, even the price of the cup of coffee, makes a big difference for us.</p>
<p>See <a href="https://github.com/simplex-chat/simplex-chat/tree/master#help-us-with-donations">this section</a> for the ways to donate.</p>
<li><a href="https://simplex.chat/blog/20230925-simplex-chat-v5-3-desktop-app-local-file-encryption-directory-service.html#group-directory-service-and-other-group-improvements">directory service and other group improvements</a>.</li>
<li><a href="https://simplex.chat/blog/20230925-simplex-chat-v5-3-desktop-app-local-file-encryption-directory-service.html#encrypted-local-files-and-media-with-forward-secrecy">encrypted local files and media with forward secrecy</a>.</li>
<p>Also, we added 6 new interface languages: Arabic<sup><em></em></sup>, Bulgarian, Finnish, Hebrew<sup></sup>, Thai and Ukrainian - thanks to <a href="https://github.com/simplex-chat/simplex-chat#help-translating-simplex-chat">our users and Weblate</a>.</p>
<p>Thanks a lot to everybody who was testing the desktop app since July – it really helped to make it stable!</p>
<p>To use desktop app you need to <strong>create a new profile</strong>. As SimpleX platform has no user accounts, it's not as simple as for centralized apps to access the same profile from two devices.</p>
<p>The next app version will allow using your mobile profile from desktop app. For now, as a workaround, you can join groups from both mobile and desktop devices, and use small groups instead of direct conversations.</p>
<p>When you start the app first time, you will be offered to <strong>set database passphrase</strong> – you have to memorize it, as there is no way to recover it. If you skip it, a random passphrase will be generated and stored on your desktop device as plaintext (unencrypted) – you can change it later.</p>
<p>Other limitations of the desktop app:</p>
<p>You can download the desktop app for Linux and Mac via <a href="https://simplex.chat/downloads/index.html">downloads page</a>. Windows version will be available soon.</p>
<h2 id="group-directory-service-and-other-group-improvements" tabindex="-1">Group directory service and other group improvements</h2>
<p>Directory service provides a way to search for public groups submitted by the users. To use it, you need to connect to it via SimpleX Chat, as you would connect to any other contact, and type some words to search.</p>
<p>You can also create and register your group, with some limitations explained <a href="https://simplex.chat/docs/directory.html">here</a>.</p>
<p>Other group improvements in this release:</p>
<ul>
<li>
<p>you can send delivery receipts to the groups up to 20 members.</p>
</li>
<li>
<p>if the group settings allow it, you can send direct messages to group members even after you deleted the contact.</p>
</li>
<li>
<p>connections between members are made faster, and the bug that prevented the connections in some cases is fixed in this release.</p>
</li>
</ul>
<p>The next release will reduce the time it takes to send messages to the group, especially when there are many members or when you have a slow device storage.</p>
<h2 id="encrypted-local-files-and-media-with-forward-secrecy" tabindex="-1">Encrypted local files and media with forward secrecy</h2>
<p>All messages, files and media sent via SimpleX Chat were always end-to-end encrypted from the very beginning. SimpleX Chat uses double-ratchet algorithm with encrypted message headers, for the best possible meta-data protection.</p>
<p>You contacts, groups and messages are stored in the local database on your device, and this database was encrypted from <a href="https://simplex.chat/blog/20220928-simplex-chat-v4-encrypted-database.html">v4.0 released a year ago</a>.</p>
<p>But until this version all files and media in the app storage were not encrypted, and when you exported the chat archive, they were unencrypted there as well.</p>
<p>From v5.3 all files and media (except videos, for now) are encrypted with a random symmetric key - in many cases they are encrypted before they are written to the storage. Local file encryption can be disabled via Privacy &amp; Security settings, for example, if you need to access the files from the storage outside of the app.</p>
<p>In addition to the videos that are stored unencrypted, there are other rare scenarios when the received files may be unencrypted in this release. Files have an open or closed lock icons to indicate whether they were encrypted locally. These limitations will be addressed in the next release. In any case, all files and media are always sent end-to-end encrypted, without any exceptions.</p>
<p>The keys used to encrypt files locally are associated with the messages and stored in the encrypted database. If you delete a message with the attached file or media, the key will be irreversibly deleted as well. Even if an attacker gains access to your database passphrase later and to the copy of the encrypted file, they won't be able to decrypt the file.</p>
<p>This approach provides forward secrecy for locally stored files, unlike file encryption schemes used in some other apps when the same passphrase is used for all files.</p>
<p>Incognito mode was <a href="https://simplex.chat/blog/20220901-simplex-chat-v3.2-incognito-mode.html">added a year ago</a> to improve anonymity of your profile, but it was confusing for some users - it was a global setting, but it only affected the new connections.</p>
<p>It is now simpler to use - you can decide whether to connect to a contact or join a group using your main profile at a point when you create an invitation link or connect via a link or QR code.</p>
<p>When you are connecting to people you know you usually want to share your main profile, and when connecting to public groups or strangers, you may prefer to use a random profile.</p>
<p><a href="https://simplex.chat/#how-simplex-works">How can SimpleX deliver messages without user identifiers</a>.</p>
<p><a href="https://simplex.chat/#why-ids-bad-for-privacy">What are the risks to have identifiers assigned to the users</a>.</p>
<p><a href="https://github.com/simplex-chat/simplex-chat#privacy-and-security-technical-details-and-limitations">Technical details and limitations</a>.</p>
<p><a href="https://github.com/simplex-chat/simplex-chat/blob/stable/README.md#frequently-asked-questions">How SimpleX is different from Session, Matrix, Signal, etc.</a>.</p>
<p>Visit our <a href="https://simplex.chat/">website</a> to learn more.</p>
<h2 id="help-us-with-donations" tabindex="-1">Help us with donations</h2>
<p>Huge thank you to everybody who donated to SimpleX Chat!</p>
<p>We are prioritizing users privacy and security - it would be impossible without your support.</p>
<p>Our pledge to our users is that SimpleX protocols are and will remain open, and in public domain, - so anybody can build the future implementations of the clients and the servers. We are building SimpleX platform based on the same principles as email and web, but much more private and secure.</p>
<p>Your donations help us raise more funds – any amount, even the price of the cup of coffee, makes a big difference for us.</p>
<p>See <a href="https://github.com/simplex-chat/simplex-chat/tree/master#help-us-with-donations">this section</a> for the ways to donate.</p>
<title>SimpleX Chat v5.4 - link mobile and desktop apps via quantum resistant protocol, and much better groups.</title>
<content type="html"><h1 id="simplex-chat-v54-link-mobile-and-desktop-apps-via-quantum-resistant-protocol-and-much-better-groups" tabindex="-1">SimpleX Chat v5.4 - link mobile and desktop apps via quantum resistant protocol, and much better groups.</h1>
<li><a href="https://simplex.chat/blog/20231125-simplex-chat-v5-4-link-mobile-desktop-quantum-resistant-better-groups.html#link-mobile-and-desktop-apps-via-secure-quantum-resistant-protocol">Link mobile and desktop apps via secure quantum-resistant protocol</a>.
<li><a href="https://simplex.chat/blog/20231125-simplex-chat-v5-4-link-mobile-desktop-quantum-resistant-better-groups.html#faster-to-join-with-more-reliable-message-delivery">Faster to join and more reliable</a>.</li>
<li><a href="https://simplex.chat/blog/20231125-simplex-chat-v5-4-link-mobile-desktop-quantum-resistant-better-groups.html#new-group-features">New group features</a>:
<li><a href="https://simplex.chat/blog/20231125-simplex-chat-v5-4-link-mobile-desktop-quantum-resistant-better-groups.html#better-calls">Better calls</a>: faster to connect, with screen sharing on desktop.</li>
<p>There are many <a href="https://simplex.chat/blog/20231125-simplex-chat-v5-4-link-mobile-desktop-quantum-resistant-better-groups.html#other-improvements">other improvements</a> and fixes in this release:</p>
<li>profile names now allow spaces.</li>
<li>when you delete contacts, they are optionally notified.</li>
<li>previously used and your own SimpleX links are recognized by the app.</li>
<li>and more - see the <a href="https://github.com/simplex-chat/simplex-chat/releases/tag/v5.4.0">release notes</a>.</li>
</ul>
<h2 id="link-mobile-and-desktop-apps-via-secure-quantum-resistant-protocol" tabindex="-1">Link mobile and desktop apps via secure quantum-resistant protocol</h2>
<p>This release allows to use chat profiles you have in mobile app from desktop app.</p>
<p>This is only possible when both devices are connected to the same local network. To send and receive messages mobile app has to be connected to the Internet.</p>
<h3 id="quick-start-how-to-use-it" tabindex="-1">⚡️ Quick start - how to use it</h3>
<p>If you don't have desktop app installed yet, <a href="https://simplex.chat/downloads/index.html">download it</a> and create any chat profile - you don't need to use it, and when you create it there are no server requests sent and no accounts are created. Think about it as about user profile on your computer.</p>
<p>In mobile app settings choose <em>Use from desktop</em>, scan the QR code and verify session code when it appears on both devices - it should be the same. Verifying session code confirms that the devices are connected directly via a secure encrypted connection. There is an option to verify this code on subsequent connections too, but by default it is only required once.</p>
<p>The devices are now paired, and you can continue using all mobile profiles from desktop.</p>
<p>If it is an Android app, you can move the app to background, but iOS app has to remain open. In both cases, while you are using mobile profiles from desktop, you won't be able to use mobile app.</p>
<p>The subsequent connections happen much faster - by default, the desktop app broadcasts its session address to the network, in encrypted form, and mobile app connects to it once you choose <em>Use from desktop</em> in mobile app settings.</p>
<h3 id="how-does-it-work" tabindex="-1">How does it work?</h3>
<p>The way we designed this solution avoided any security compromises, and the end-to-end encryption remained as secure as it was - it uses <a href="https://simplex.chat/docs/glossary.html#double-ratchet-algorithm">double-ratchet algorithm</a>, with <a href="https://simplex.chat/docs/glossary.html#forward-secrecy">perfect forward secrecy</a>, <a href="https://simplex.chat/docs/glossary.html#post-compromise-security">post-compromise security</a> and deniability.</p>
<p>This solution is similar to WhatsApp and WeChat. But unlike these apps, no server is involved in the connection between mobile and desktop. The connection itself uses a new SimpleX Remote Control Protocol (XRCP) based on secure TLS 1.3 and additional quantum-resistant encryption inside TLS. You can read XRCP protocol specification and threat model in <a href="https://github.com/simplex-chat/simplexmq/blob/master/rfcs/2023-10-25-remote-control.md">this document</a>. We will soon be <a href="https://github.com/simplex-chat/simplex-chat/blob/master/docs/rfcs/2023-09-30-pq-double-ratchet.md">augmenting double ratchet</a> to be resistant to quantum computers as well.</p>
<p>The downside of this approach is that mobile device has to be connected to the same local network as desktop. But the upside is that the connection is secure, and you do not need to have a copy of all your data on desktop, which usually has lower security than mobile.</p>
<p>Please note, that the files you send, save or play from desktop app, and also images you view are automatically saved on your desktop device (encrypted by default except videos). To remove all these files you can unlink the paired mobile device from the desktop app settings – there will be an option soon allowing to remove the files without unlinking the mobile.</p>
<h3 id="connecting-to-remote-simplex-cli" tabindex="-1">🤖 Connecting to remote SimpleX CLI</h3>
<p><em>Warning</em>: this section is for technically advanced users!</p>
<p>If you run SimpleX CLI on a computer in another network - e.g., in the cloud VM or on a Raspberry Pi at home while you are at work, you can also use if from desktop via SSH tunnel. Below assumes that you have remote machine connected via SSH and CLI running there - you can use <code>tmux</code> for it to keep running when you are not connected via ssh.</p>
<p>Follow these steps to use remote CLI from desktop app:</p>
<ol>
<li>On the remote machine add the IP address of your desktop to the firewall rules, so that when CLI tries to connect to this address, it connects to <code>localhost</code> instead: <code>iptables -t nat -A OUTPUT -p all -d 192.168.1.100 -j DNAT --to-destination 127.0.0.1</code> (replace <code>192.168.1.100</code> with the actual address of your desktop, and make sure it is not needed for something else on your remote machine).</li>
<li>Also on the remote machine, run Simplex CLI with the option <code>--device-name 'SimpleX CLI'</code>, or any other name you like. You can also use the command <code>/set device name &lt;name&gt;</code> to set it for the CLI.</li>
<li>Choose <em>Link a mobile</em> in desktop app settings, note the port it shows under the QR code, and click &quot;Share link&quot;.</li>
<li>Run ssh port forwarding on desktop computer to let your remote machine connect to desktop app: <code>ssh -R 12345:127.0.0.1:12345 -N user@example.com</code> where <code>12345</code> is the port on which desktop app is listening for the connections from step 3, <code>example.com</code> is the hostname or IP address of your remote machine, and <code>user</code> is some username on remote machine. You can run port forwarding in the background by adding <code>-f</code> option.</li>
<li>On the remote machine, run CLI command <code>/connect remote ctrl &lt;link&gt;</code>, where <code>&lt;link&gt;</code> is the desktop session address copied in step 3. You should run this command within 1 minute from choosing <em>Link a mobile</em>.</li>
<li>If the connection is successful, the CLI will ask you to verify the session code (you need to copy and paste the command) with the one shown in desktop app. Once you use <code>/verify remote ctrl &lt;code&gt;</code> command, CLI can be used from desktop app.</li>
<li>To stop remote session use <code>/stop remote ctrl</code> command.</li>
<h3 id="faster-to-join-with-more-reliable-message-delivery" tabindex="-1">Faster to join, with more reliable message delivery</h3>
<p>We improved the protocols for groups, by making joining groups much faster, and also by adding message forwarding. Previously, the problem was that until a new member connects directly with each existing group member, they did not see each other messages in the group. The problem is explained in detail in <a href="https://www.youtube.com/watch?v=7yjQFmhAftE&amp;t=1104s">this video</a> at 18:23.</p>
<p>With v5.4, the admin who added members to the group forwards messages to and from the new members until they connect to the existing members. So you should no longer miss any messages and be surprised with replies to messages you have never seen once you and new group members upgrade.</p>
<h3 id="new-group-features" tabindex="-1">New group features</h3>
<p><strong>Create groups with incognito profile</strong></p>
<p>Previously, you could only create groups with your main profile. This version allows creating groups with incognito profile directly. You will not be able to add your contacts, they can only join via group link.</p>
<p><strong>Block group members to reduce noise</strong></p>
<p>You now can block messages from group members that send too many messages, or the messages you don't won't to see. Blocked members won't know that you blocked their messages. When they send messages they will appear in the conversation as one line, showing how many messages were blocked. You can reveal them, or delete all sequential blocked messages at once.</p>
<p><strong>Prohibit files and media in a group</strong></p>
<p>Group owners now have an option to prohibit sending files and media. This can be useful if you don't won't any images shared, and only want to allow text messages.</p>
<p>Calls in SimpleX Chat still require a lot of work to become stable, but this version improved the speed of connecting calls, and they should work for more users.</p>
<p>We also added screen sharing in video calls to desktop app.</p>
<p>This version also has many small and large improvements to make the app more usable and reliable.</p>
<p>The new users and group profiles now allow spaces in the names, to make them more readable. To message these contacts in CLI you need to use quotes, for example, <code>@'John Doe' Hello!</code>.</p>
<p>When you delete contacts, you can notify them - to let them know they can't message you.</p>
<p>When you try to connect to the same contact or join the same group, or connect via your own link, the app will recognize it and warn you, or simply open the correct conversation.</p>
<p>You can find the full list of fixed bugs and small improvements in the <a href="https://github.com/simplex-chat/simplex-chat/releases/tag/v5.4.0">release notes</a>.</p>
<p><a href="https://simplex.chat/blog/20220511-simplex-chat-v2-images-files.html#the-first-messaging-platform-without-user-identifiers">How can SimpleX deliver messages without user identifiers</a>.</p>
<p><a href="https://simplex.chat/blog/20220711-simplex-chat-v3-released-ios-notifications-audio-video-calls-database-export-import-protocol-improvements.html#why-having-users-identifiers-is-bad-for-the-users">What are the risks to have identifiers assigned to the users</a>.</p>
<p><a href="https://github.com/simplex-chat/simplex-chat#privacy-and-security-technical-details-and-limitations">Technical details and limitations</a>.</p>
<p><a href="https://github.com/simplex-chat/simplex-chat/blob/stable/README.md#frequently-asked-questions">How SimpleX is different from Session, Matrix, Signal, etc.</a>.</p>
<p>Please also see our <a href="https://simplex.chat/">website</a>.</p>
<h2 id="help-us-with-donations" tabindex="-1">Help us with donations</h2>
<p>Huge thank you to everybody who donated to SimpleX Chat!</p>
<p>We are prioritizing users privacy and security - it would be impossible without your support.</p>
<p>Our pledge to our users is that SimpleX protocols are and will remain open, and in public domain, - so anybody can build the future implementations of the clients and the servers. We are building SimpleX platform based on the same principles as email and web, but much more private and secure.</p>
<p>Your donations help us raise more funds – any amount, even the price of the cup of coffee, makes a big difference for us.</p>
<p>See <a href="https://github.com/simplex-chat/simplex-chat/tree/master#help-us-with-donations">this section</a> for the ways to donate.</p>
<title>SimpleX Chat: free infrastructure from Linode, v5.5 released with private notes, group history and a simpler UX to connect.</title>
<content type="html"><h1 id="simplex-chat-free-infrastructure-from-linode-v55-released-with-private-notes-group-history-and-a-simpler-ux-to-connect" tabindex="-1">SimpleX Chat: free infrastructure from Linode, v5.5 released with private notes, group history and a simpler UX to connect.</h1>
<li><a href="https://simplex.chat/blog/20240124-simplex-chat-infrastructure-costs-v5-5-simplex-ux-private-notes-group-history.html#simpler-ux-to-connect-to-other-users">simpler UX to connect to other users</a></li>
<li><a href="https://simplex.chat/blog/20240124-simplex-chat-infrastructure-costs-v5-5-simplex-ux-private-notes-group-history.html#message-delivery-stability-and-other-improvements">message delivery stability and other improvements</a></li>
<p>Also, we added Hungarian (only Android) and Turkish interface languages, thanks to <a href="https://github.com/simplex-chat/simplex-chat#help-translating-simplex-chat">our users and Weblate</a>.</p>
<p>SimpleX Chat Android app is now available in 20 languages!</p>
<h2 id="simplex-chat-infrastructure-on-linode" tabindex="-1">SimpleX Chat infrastructure on Linode</h2>
<p>We chose Linode as our hosting provider as and they have been consistently reliable, cheaper than alternatives, with excellent support and great documentation.</p>
<p>When Linode was acquired by Akamai, we were a bit nervous about how it may affect service quality. So far it's been working out quite well.</p>
<p>As the usage of SimpleX network was growing, so did our hosting costs, and from being really small they started to become significant, particularly as we didn't yet manage to optimize the servers last year.</p>
<p>Linode helped - we're really excited to announce that Akamai decided to support SimpleX Chat growth by accepting it into their <a href="https://www.linode.com/linode-for-startups/">Linode Rise startup program</a>.</p>
<p>Thanks to this program:</p>
<ul>
<li>
<p>we received free infrastructure for the first year up to $10,000 per month, no strings attached. It already saved us some money, and gave us enough time to optimize the servers - the latest version of the servers are much less costly to operate with the current traffic, and can support a much larger traffic within this limit. In the year 2 of the program we will receive 50% discount with unlimited traffic, and in year 3 - 25% discount.</p>
</li>
<li>
<p>Linode Marketplace now includes <a href="https://www.linode.com/marketplace/apps/simplex-chat/simplex-chat/">SimpleX Chat messages and file servers</a> - you can get free $100 credits for the first 2 months and run your own servers in just a few clicks, and use them in SimpleX Chat apps. Anybody can submit their application to Linode marketplace, but dedicated support we have from Linode team via this program made it simpler.</p>
</li>
<li>
<p>Akamai solution engineers are helping us to design high capacity server solution, free of charge, so that a single host can provide horizontally scalable capacity for messaging, allowing for a much larger number of concurrent users on a single server address. Initially we considered using HAProxy, and the latest proof of concept uses OpenResty - a fork of Nginx with Lua script engine - to route requests from a single host to multiple SMP relays, reducing an overhead for the clients that would be configured with a smaller number of higher capacity servers. This project is still in progress, there will be more details as we roll it out.</p>
</li>
</ul>
<h2 id="whats-new-in-v55" tabindex="-1">What's new in v5.5</h2>
<p><em>&quot;Where do I put notes for myself?&quot;</em> was a very common support question. There was a workaround - you could create an empty group, just with yourself, and use it to save notes, but it was not very convenient, and you could accidentally add members there.</p>
<p>This version has a more convenient and private alternative - the Private notes. It looks like an ordinary conversation where you can put text messages, links with previews, and any media and files, but they are not sent anywhere - they are stored locally, only on your device, with encrypted files.</p>
<p>You can access the Private notes created in mobile app from desktop app too, by linking a mobile and desktop apps - the feature <a href="https://simplex.chat/blog/20231125-simplex-chat-v5-4-link-mobile-desktop-quantum-resistant-better-groups.html">added in the previous version</a>. It allows to conveniently share files between the devices without sending them over the Internet.</p>
<p>In the previous version, when users joined groups, they only saw an empty conversation, and the notifications of being connected to other members. This version allows group admins sending recent group history to the new members - this option is enabled by default for new groups, and can be enabled for the existing groups in the preferences. So now new members can join the conversation as soon as they join.</p>
<p>This does not mean that these messages are stored on any servers - the admin member that adds a new member to the group sends these messages directly when a new member joins. Groups are still fully decentralized, do not have any identity on the network, and fully private - only their members know they exist.</p>
<p>That is, unless a group owner decides to make it public. Groups can be registered in <a href="https://simplex.chat/contact#/?v=1-4&amp;smp=smp%3A%2F%2Fu2dS9sG8nMNURyZwqASV4yROM28Er0luVTx5X1CsMrU%3D%40smp4.simplex.im%2FeXSPwqTkKyDO3px4fLf1wx3MvPdjdLW3%23%2F%3Fv%3D1-2%26dh%3DMCowBQYDK2VuAyEAaiv6MkMH44L2TcYrt_CsX3ZvM11WgbMEUn0hkIKTOho%253D%26srv%3Do5vmywmrnaxalvz6wi3zicyftgio6psuvyniis6gco6bp6ekl4cqj4id.onion">SimpleX groups directory</a> to be discovered by the new members - group directory is also improved.</p>
<h3 id="simpler-ux-to-connect-to-other-users" tabindex="-1">Simpler UX to connect to other users</h3>
<p>SimpleX platform has no user accounts or identities, and while it improves metadata privacy, it also makes it harder to understand how to connect to other people, particularly for the new users who are not invited by the existing users.</p>
<p>This version simplifies this interface by allowing to connect via the received link just by pasting the address into the search bar, as is common in many wallet apps and some other decentralized messengers. We also improved the interface of creating invitation links.</p>
<p>We will continue working on improving and simplifying user interface throughout the year. Please send us any feedback and suggestions to the team's address available in the app.</p>
<h3 id="message-delivery-stability-and-other-improvements" tabindex="-1">Message delivery stability and other improvements</h3>
<p>One of the long standing issues was that message reception could get stuck in some rare occasions, and only get resumed once the app is fully restarted. As Android app includes an always-on notification service that runs in background, full restart should be done via the app settings.</p>
<p>This version fixed many issues with message delivery stability and also added some diagnostics to identify any other cases when message delivery may stop. These fixes should also reduce battery usage, particularly on slow internet connections.</p>
<p>Other improvements in this version:</p>
<ul>
<li>you can now reveal secret messages by tapping. To send a secret message wrap in &quot;#&quot; characters, e.g. &quot;#password#&quot;.</li>
<li>you can delete the last user profile, simplifying account deletion. If you have <a href="https://simplex.chat/blog/20230328-simplex-chat-v4-6-hidden-profiles.html">hidden user profiles</a>, they won't be deleted in this case, and will be accessible again once you create a new profile.</li>
<p><a href="https://simplex.chat/blog/20220511-simplex-chat-v2-images-files.html#the-first-messaging-platform-without-user-identifiers">How can SimpleX deliver messages without user identifiers</a>.</p>
<p><a href="https://simplex.chat/blog/20220711-simplex-chat-v3-released-ios-notifications-audio-video-calls-database-export-import-protocol-improvements.html#why-having-users-identifiers-is-bad-for-the-users">What are the risks to have identifiers assigned to the users</a>.</p>
<p><a href="https://github.com/simplex-chat/simplex-chat#privacy-and-security-technical-details-and-limitations">Technical details and limitations</a>.</p>
<p><a href="https://github.com/simplex-chat/simplex-chat/blob/stable/README.md#frequently-asked-questions">How SimpleX is different from Session, Matrix, Signal, etc.</a>.</p>
<p>Please also see our <a href="https://simplex.chat/">website</a>.</p>
<h2 id="help-us-with-donations" tabindex="-1">Help us with donations</h2>
<p>Huge thank you to everybody who donated to SimpleX Chat!</p>
<p>We are prioritizing users privacy and security - it would be impossible without your support.</p>
<p>Our pledge to our users is that SimpleX protocols are and will remain open, and in public domain, - so anybody can build the future implementations of the clients and the servers. We are building SimpleX platform based on the same principles as email and web, but much more private and secure.</p>
<p>Your donations help us raise more funds – any amount, even the price of the cup of coffee, makes a big difference for us.</p>
<p>See <a href="https://github.com/simplex-chat/simplex-chat/tree/master#help-us-with-donations">this section</a> for the ways to donate.</p>
<p>This is a major upgrade for SimpleX messaging protocols, we are really proud to present the results of the hard work of our whole team on the <a href="https://en.wikipedia.org/wiki/Pi_Day">Pi day</a>.</p>
<p>This post also covers various aspects of end-to-end encryption, compares different messengers, and explains why and how quantum-resistant encryption is added to SimpleX Chat:</p>
<li><a href="https://simplex.chat/blog/20240314-simplex-chat-v5-6-quantum-resistance-signal-double-ratchet-algorithm.html#why-do-we-need-end-to-end-encryption">Why do we need end-to-end encryption?</a></li>
<li><a href="https://simplex.chat/blog/20240314-simplex-chat-v5-6-quantum-resistance-signal-double-ratchet-algorithm.html#why-is-encryption-even-allowed">Why is encryption even allowed?</a></li>
<li><a href="https://simplex.chat/blog/20240314-simplex-chat-v5-6-quantum-resistance-signal-double-ratchet-algorithm.html#end-to-end-encryption-security-attacks-and-defense">End-to-end encryption security: attacks and defense.</a>
<li><a href="https://simplex.chat/blog/20240314-simplex-chat-v5-6-quantum-resistance-signal-double-ratchet-algorithm.html#how-secure-is-end-to-end-encryption-in-different-messengers">How secure is encryption in different messengers?</a></li>
<li><a href="https://simplex.chat/blog/20240314-simplex-chat-v5-6-quantum-resistance-signal-double-ratchet-algorithm.html#adding-quantum-resistance-to-signal-double-ratchet-algorithm">Adding quantum resistance to Signal double ratchet algorithm.</a></li>
<li><a href="https://simplex.chat/blog/20240314-simplex-chat-v5-6-quantum-resistance-signal-double-ratchet-algorithm.html#when-can-you-start-using-quantum-resistant-chats">When can you start using quantum resistant chats?</a></li>
<li><a href="https://simplex.chat/blog/20240314-simplex-chat-v5-6-quantum-resistance-signal-double-ratchet-algorithm.html#next-for-post-quantum-crypto---all-direct-chats-small-groups-and-security-audit">Next for post-quantum crypto - all direct chats, small groups and security audit.</a></li>
<h2 id="why-do-we-need-end-to-end-encryption" tabindex="-1">Why do we need end-to-end encryption?</h2>
<p>The objective of end-to-end encryption is to make any potential attackers, such as traffic observers or communication providers who pass the messages between senders and recipients, unable to recover <em>any</em> message content or meaningful information about the messages, even if these attackers possess very advanced computing and mathematical capabilities.</p>
<p>While human eyes are unable to see any difference between simply scrambled and encrypted messages, the difference between unreadable scrambling and unbreakable encryption can be as huge as just a few seconds to unscramble a message on an average laptop and more time than the Universe existed required to break the encryption on the most powerful computer in the world.</p>
<p>Achieving the latter requires a lot of mathematical precision in both the cryptographic algorithms and in how they are used, and effectively makes encrypted messages indistinguishable from random noise, without any discoverable patterns or statistical irregularities that a computer could use to break the message encryption any faster than it it would take to try every possible combination of bits in the key.</p>
<p>End-to-end encryption is an important component of our individual and business security, privacy and sovereignty. Having our private communications protected from any observers is both the natural condition and our inalienable human right.</p>
<p>It's very sad to see the same people who keep their financial affairs private to protect from financial crimes, lock their doors to protect from thieves, and curtain their windows to protect from the occasional prying eyes, when it comes to protecting their personal lives from the data criminals say &quot;we don't care about privacy, we have nothing to hide&quot;. Everybody's safety depends on keeping their affairs and relations private, not visible to a vast and ruthless data gathering machines, that abuse our data for commercial gain, without any regard to our interests or even <a href="https://nmdoj.gov/press-release/attorney-general-raul-torrez-files-lawsuit-against-meta-platforms-and-mark-zuckerberg-to-protect-children-from-sexual-abuse-and-human-trafficking/">the safety of our families and children</a>.</p>
<p>If encryption is such a powerful tool to protect our lives, it also can be used to conceal crimes, so why the governments don't consider it similar to arms, and don't heavily regulate its use?</p>
<p>Prior to 1996 the cryptography was considered munition, and its export from the United States was controlled under this category, <a href="https://cr.yp.to/export/1995/0303-eff.txt">alongside flamethrowers and B-1 bombers</a>. When <a href="https://en.wikipedia.org/wiki/Daniel_J._Bernstein">Daniel J. Bernstein</a> (DJB), then a student of Mathematics at University of California, Berkeley, wanted to publish the paper and the source code of his Snuffle encryption system, the Office of Defense Trade Controls of the Department of State (DOS) after more than a year of correspondence requested that DJB registers as the arms dealer.</p>
<p>In 1995 DJB represented by the Electronic Frontier Foundation brought a case against the DOS to overturn cryptography restrictions. The ruling in the case declared that the export control over cryptographic software and related technical data constitute <a href="https://cr.yp.to/export/1996/1206-order.txt">an impermissible infringement on speech in violation of the First Amendment</a>. This decision resulted in regulatory changes, reducing controls on encryption exports, particularly for open-source algorithms. The case continued until 2003, when it was put on hold after the commitment from the US government not to enforce any remaining regulations.</p>
<p>This case is very important for the whole industry, as to this day we can freely create and use open-source cryptography without export control restrictions. It also shows the importance of engaging with the system and challenging its views in an open dialogue, rather than either blindly complying or violating regulations.</p>
<p>DJB role for cryptography and open-source goes beyond this case – many cryptographic algorithms that are considered to be the most advanced, and many of which we use in SimpleX Chat, were designed and developed by him:</p>
<ul>
<li>Ed25519 cryptographic signature algorithm we use to authorize commands to the servers.</li>
<li>NaCL library with cryptobox and secretbox constructions that combine X25519 Diffie-Hellman key agreement with Salsa20 encryption and Poly1305 authentication. We use cryptobox to encrypt messages in two of three encryption layers and secretbox to encrypt files.</li>
<li>Streamlined NTRU Prime algorithm for quantum resistant key agreement that we used in the protocol for linking mobile app with desktop, and now added to Signal double ratchet algorithm, as explained below.</li>
</ul>
<p>Without DJB's work the world would have been in a much worse place privacy- and security-wise.</p>
<p>Daniel, we are really grateful for the work you did and continue doing. Thank you, and congratulations on the International Mathematics Day!</p>
<h2 id="end-to-end-encryption-security-attacks-and-defense" tabindex="-1">End-to-end encryption security: attacks and defense</h2>
<p>End-to-end encryption is offered by many messaging apps and protocols, but the security of different implementations are not the same. While many users know about the importance of forward secrecy - the quality of end-to-end encryption that preserves security of the encryption of the past messages, even if the keys used to encrypt some of the messages were compromised - there are many other qualities that protect from different attacks. Below there is the overview of these attacks and the properties of end-to-end encryption schemes that mitigate these attacks.</p>
<h3 id="1-compromised-message-size-mitigated-by-padding-messages-to-a-fixed-block-size" tabindex="-1">1. Compromised message size - mitigated by padding messages to a fixed block size</h3>
<p>While the content encryption is the most important, concealing the actual message size is almost as important for several reasons:</p>
<ul>
<li>attacker able to observe even approximate message sizes can use these sizes as an additional signal for machine learning to de-anonymise the users and to categorize the relationships between the users.</li>
<li>if a messenger conceals the routing of the messages to hide the transport identities (IP addresses) of senders and recipients, message sizes can be used by traffic observers to confirm the fact of communication with a much higher degree of certainty.</li>
</ul>
<p>The only effective mitigation to these attacks is to pad all messages to a fixed size. Using space-efficient schemes like Padme, or padding to encryption block size is ineffective for mitigating these attacks, as they still allow differentiating message sizes.</p>
<p>To the best of our knowledge, the only messengers other than SimpleX Chat that pad all messages to a fixed packet size are Cwtch and no longer developed <a href="https://github.com/agl/pond">Pond</a> - SimpleX design can be seen as an evolution of Pond design.</p>
<p>Many users are very interested in having ability to irreversibly delete sent messages from the recipients devices. But not only would this ability violate data sovereignty of device owners, it is also completely ineffective, as the recipients could simply put the device offline or use a modified client app to ignore message deletion requests. While SimpleX Chat provides such features as <a href="https://simplex.chat/blog/20230103-simplex-chat-v4.4-disappearing-messages.html#disappearing-messages">disappearing messages</a> and the ability to <a href="https://simplex.chat/blog/20221206-simplex-chat-v4.3-voice-messages.html#irreversible-message-deletion">irreversibly delete sent messages</a> provided both parties agree to that, these are convenience features, and they cannot be considered security measures.</p>
<p>The solution to that is well known to cryptographers - it is the quality of the encryption algorithms called &quot;repudiation&quot;, sometimes also called &quot;deniability&quot;. This is the ability of the senders to plausibly deny having sent any messages, because cryptographic algorithms used to encrypt allow recipients forging these messages on their devices, so while the encryption proves authenticity of the message to the recipient, it cannot be used as a proof to any third party.</p>
<p>Putting it all in a simpler language - a sender can claim that the recipient forged messages on their device, and deny ever having sent them. The recipient will not be able to provide any cryptographic proof. This quality makes digital conversation having the same qualities as private off-the-record conversation - that's why the family of algorithms that provide these qualities are called off-the-record (OTR) encryption.</p>
<p>Repudiation is still a rather new concept - the first off-the-record algorithms were proposed in 2004 and were only offered to a wide range of users in Signal messenger. This concept is still quite badly understood by users and society, and yet to have been used as the defense in any public court cases, as legal systems evolve much slower than technology. In high profile cases repudiation can be used as an effective evidence for the defense.</p>
<p>Repudiation in messaging systems can be undermined by adding cryptographic signature to the protocol, and many messengers that use OTR encryption algorithms do exactly that, unfortunately. SimpleX Chat does not use signature in any part of client-client protocol, but the signature is currently used when authorizing sender's messages to the relays. v5.7 will improve deniability by enabling a different authorization scheme that will provide full-stack repudiation in all protocol layers.</p>
<p>The attacker who obtained or broke the keys used to encrypt individual messages, may try to use these keys to decrypt past or future messages. This attack is unlikely to succeed via message interception, and it is likely to require breaking into the device storage. But in any case, if the key was broken or obtained in some other way it's important that this key cannot be used to decrypt other messages - this is achieved by forward secrecy.</p>
<p>This property is well understood by the users, and most messengers that focus on privacy and security, with the exception of Session, provide forward secrecy as part of their encryption schemes design.</p>
<h3 id="4-compromised-long-term-or-session-mitigated-by-break-in-recovery" tabindex="-1">4. Compromised long-term or session - mitigated by break-in recovery</h3>
<p>This attack is much less understood by the users, and forward secrecy does not protect from it. Arguably, it's almost impossible to compromise individual message keys without compromising long-term or session keys. So the ability of the encryption to recover from break-in (attacker making a copy of the device data without retaining the ongoing access) is both very important and pragmatic - break-in attacks are simpler to execute on mobile devices during short-term device access than long-term ongoing compromise.</p>
<p>Out of all encryption algorithms known to us only <em>Signal double ratchet algorithm</em> (also referred to as <em>Signal algorithm</em> or <em>double ratchet algorithm</em>, which is not the same as Signal messaging platform and protocols) provides the ability for the encryption security to recover after break-ins attacks. This recovery happens automatically and transparently to the users, without them doing anything special or even knowing about break-in, by simply sending messages. Every time one of the communication parties replies to another party message, new random keys are generated and previously stolen keys become useless.</p>
<p>Double ratchet algorithm is used in Signal, Cwtch and SimpleX Chat. But Signal app by allowing to use the same profile on multiple devices compromises the break-in recovery function of Signal algorithm, as explained in <a href="https://eprint.iacr.org/2021/626.pdf">this paper</a>. Because of break-in recovery you cannot use SimpleX Chat profile on more than one device at the same time - the encryption scheme rotates the long term keys, randomly, and keys on another device become useless, as they would become useless for the attacker who stole them. Security always has some costs to the convenience.</p>
<p>Many people incorrectly believe that security of end-to-end encryption cannot be broken by communication provider. But end-to-end encryption is only as secure as key exchange. While any intermediary passing the keys between senders and recipients cannot recover the private keys from the public keys, they can simply replace the passed public keys with their own and then proxy all communication between the users having full access to the original messages. So instead of having an end-to-end encrypted channel, users would have two half-way encrypted channels - between users and their communication intermediary.</p>
<p>Pictures below illustrate how this attack works for RSA encryption.</p>
<h4 id="1-alice-sends-the-key-to-bob-eg-via-p2p-network-or-via-the-messaging-server" tabindex="-1">1) Alice sends the key to Bob (e.g. via p2p network or via the messaging server).</h4>
<p><img src="https://simplex.chat/blog/images/20240314-mitm1.jpg" alt="Public key is shared" /></p>
<h4 id="2-now-bob-can-send-encrypted-messages-to-alice-he-believes-they-are-secure" tabindex="-1">2) Now Bob can send encrypted messages to Alice - he believes they are secure!</h4>
<p><img src="https://simplex.chat/blog/images/20240314-mitm2.jpg" alt="Message is encrypted" /></p>
<h4 id="3-but-the-key-could-have-been-intercepted-and-substituted-by-tom-the-attacker-or-a-service-provider" tabindex="-1">3) But the key could have been intercepted and substituted by Tom (the attacker, or a service provider).</h4>
<p><img src="https://simplex.chat/blog/images/20240314-mitm3.jpg" alt="Key is intercepted and replaced" /></p>
<h4 id="4-now-the-attacker-can-read-the-messages-without-alice-and-bob-knowing" tabindex="-1">4) Now the attacker can read the messages without Alice and Bob knowing.</h4>
<p><img src="https://simplex.chat/blog/images/20240314-mitm4.jpg" alt="End-to-end encryption is compromised" /></p>
<p>The attack on Diffie-Hellman (or on quantum-resistant) key exchange, when both parties send their public keys (or public key and ciphertext), requires the attacker to intercept and replace both keys, but the outcome remains the same - if all communication is passed via a single channel, as it is usually the case with communication services, then any attacker that has inside access to the service can selectively compromise some of the conversations. Two years ago I wrote the post about this <a href="https://www.poberezkin.com/posts/2022-12-07-why-privacy-needs-to-be-redefined.html#e2e-encryption-is-not-bulletproof">vulnerability of end-to-end encryption to MITM attacks</a>.</p>
<p>All known mitigations of this attack require using the secondary communication channel to ensure that the keys have not been substituted. The most secure approach is to make user's key (or key fingerprint) a part of the user's address or connection link, thus making two-factor key exchange non-optional. This approach is used in Session, Cwtch and SimpleX Chat.</p>
<p>A less secure approach is to provide users an optional way to compare security codes - this is what is done by Signal, Element and many other messengers. The problem with this post-key-exchange verification is that it is optional, and is usually skipped by the majority of the users. Also, this security code can change because the user changed the device, or as a result of the attack via the service provider. When you see in the client app the notification that the security code changed, it's pointless to ask in the same messenger whether the device was changed, as if it were an attack, the attacker would simply confirm it. Instead, the security code needs to be re-validated again via another channel. A good security practice for the users would be to warn their communication partners about the intention to switch the device in advance, before the security code is changed.</p>
<p>This is the idea based on the assumption that commercially viable quantum computers will become available during the next 10 years, and then they can use time-efficient <a href="https://en.wikipedia.org/wiki/Shor%27s_algorithm">Shor's algorithm</a> developed in 1994 to break asymmetric encryption with quantum computer (symmetric encryption is not vulnerable to this algorithm).</p>
<p>Post-quantum cryptography, or encryption algorithms that are resistant to quantum computers, has been the area of ongoing research for several decades, and there are some algorithms that <em>might</em> protect from quantum computers. It's important to account for these limitations:</p>
<ul>
<li><em>none of the post-quantum algorithms are proven to be secure</em> against quantum or conventional computers. They are usually referred to as &quot;believed to be secure&quot; by the researchers and security experts. There is continuous research to break post-quantum algorithms, and to prove their security, and many of these algorithms are broken every year, often by conventional computers.</li>
<li>because of the lack of proofs or guarantees that post-quantum cryptography delivers on its promise, these algorithms can only be used in hybrid encryption schemes to augment conventional cryptography, and never to replace it, contrary to some expert recommendations, as DJB explains in this <a href="https://blog.cr.yp.to/20240102-hybrid.html">blog post</a>.</li>
<li>they are much more computationally expensive and less space efficient, and the encryption schemes have to balance their usability and security.</li>
<li>many of post-quantum algorithms have known patent claims, so any system deploying them accepts the risks of patent litigation.</li>
<li>the silver lining to these limitations is that the risk of appearance of commercially viable quantum computers in the next decade may be exaggerated.</li>
<p>So, to say it provocatively, post-quantum cryptography can be compared with a remedy against the illness that nobody has, without any guarantee that it will work. While there is a reasonable hope that it <em>might</em> work, so it's not exactly a <em>snake oil</em>, these limitations and risks have to be much better communicated to the end users than they are.</p>
<p>Does it mean that post-quantum cryptography is useless and should be ignored? Absolutely not. The risks of &quot;record now, decrypt later&quot; attacks are real, particularly for high profile targets, including millions of people - journalists, whistle-blowers, freedom-fighters in oppressive regimes, and even some ordinary people who may become targets of information crimes. Large scale collection of encrypted communication data is ongoing, and this data may be used in the future. So having the solution that <em>may</em> protect you (post-quantum cryptography), as long as it doesn't replace the solution that is <em>proven</em> to protect you (conventional cryptography), is highly beneficial in any communication solution, and has already been deployed in many tools and in some messengers.</p>
<h2 id="how-secure-is-end-to-end-encryption-in-different-messengers" tabindex="-1">How secure is end-to-end encryption in different messengers?</h2>
<p>This comparison may be incorrect in some of the columns. We apologize if some of the points are incorrect, please let us know about any mistakes so we can amend them!</p>
<p>The main objective here is to establish the framework for comparing the security of end-to-end encryption schemes, and to highlight any areas for improvement, not to criticize any implementations.</p>
<p><sup>1</sup> Repudiation in SimpleX Chat will include client-server protocol from v5.7 or v5.8. Currently it is implemented but not enabled yet, as its support requires releasing the relay protocol that breaks backward compatibility.</p>
<p><sup>2</sup> Post-quantum cryptography is available in beta version, as opt-in only for direct conversations. See below how it will be rolled-out further.</p>
<p>Some columns are marked with a yellow checkmark:</p>
<li>when messages are padded, but not to a fixed size (Briar pads messages to the size rounded up to 1024 bytes, Signal - to 160 bytes).</li>
<li>when repudiation does not include client-server connection. In case of Cwtch it appears that the presence of cryptographic signatures compromises repudiation (deniability), but it needs to be clarified.</li>
<h2 id="adding-quantum-resistance-to-signal-double-ratchet-algorithm" tabindex="-1">Adding quantum resistance to Signal double ratchet algorithm</h2>
<p>We have been exploring post-quantum cryptography since early 2022, when SimpleX Chat was first released, and we did not want to be pioneers here - cryptography is critically important to make it right.</p>
<p>We hoped to adopt the algorithm that will be standardized by NIST, but the standardization process turned out to be hugely disappointing, and the ML-KEM (Kyber) algorithm that was accepted as a standard was modified to remove an important hashing step (see the lines 304-314 in <a href="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.203.ipd.pdf">the published spec</a>)), that mitigates the attacks via a compromised random numbers generator, ignoring strong criticism from many expert cryptographers, including DJB (see <a href="https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/WFRDl8DqYQ4">this discussion</a> and <a href="https://csrc.nist.gov/files/pubs/fips/203/ipd/docs/fips-203-initial-public-comments-2023.pdf">the comments NIST received</a>). To make it even worse, the calculation of security levels of Kyber appears to have been done incorrectly, and overall, the chosen Kyber seems worse than rejected NTRU according to <a href="https://blog.cr.yp.to/20231003-countcorrectly.html">the analysis by DJB</a>.</p>
<p>We also analyzed the encryption schemes proposed in Tutanota in 2021, and another scheme adopted by Signal last year, and published the design of <a href="https://github.com/simplex-chat/simplex-chat/blob/stable/docs/rfcs/2023-09-30-pq-double-ratchet.md">quantum resistant double ratchet algorithm</a> that we believe provides better security than these schemes:</p>
<ul>
<li>unlike Tutanota design, it augments rather than replaces conventional cryptography, and also avoids using signatures when the new keys are agreed (ratchet steps).</li>
<li>unlike other messengers that adopted or plan to adopt ML-KEM, we used Streamlined NTRU Prime algorithm (specifically, strnup761) that has no problems of ML-KEM, no known patent claims, and seems less likely to be compromised than other algorithms - it is exactly the same algorithm that is used in SSH. You can review the comparison of <a href="https://ntruprime.cr.yp.to/warnings.html">the risks of various post-quantum algorithms</a>.</li>
<li>unlike Signal design that only added quantum resistance to the initial key exchange by replacing X3DH key agreement scheme with post-quantum <a href="https://signal.org/docs/specifications/pqxdh/">PQXDH</a>, but did not improve Signal algorithm itself, our design added quantum-resistant key agreements inside double algorithm, making its break-in recovery property also quantum resistant.</li>
</ul>
<p>The we could make break-in recovery property of Signal algorithm quantum-resistant, and why, probably, Signal didn't, is because irrespective of the message size SimpleX Chat uses a fixed block size of 16kb to provide security and privacy against any traffic observers and against messaging relays. So we had an extra space to accommodate additional ~2.2kb worth of keys in each message without any additional traffic costs.</p>
<p>In case when the message is larger than the remaining block size, e.g. when the message contains image or link preview, or a large text, we used <a href="https://en.wikipedia.org/wiki/Zstd">zstd compression</a> to provide additional space for the required keys without reducing image preview quality or creating additional traffic - our previously inefficient JSON encoding of chat messages was helpful in this case.</p>
<p>The additional challenge in adding sntrup761 was that unlike Diffie-Hellman key exchange, which is symmetric (that is, the parties can share their public keys in any order and the shared secret can be computed from two public keys), sntrup761 is interactive key-encapsulation mechanism (KEM) that requires that one party shares its public key, and another party uses it to encapsulate (which is a fancy term for &quot;encrypt&quot; - that is why it has asterisks in the image) a random shared secret, and sends it back - making it somewhat similar to RSA cryptography. But this asymmetric design does not fit the symmetric operation of Signal double ratchet algorithm, where both sides need to generate random public keys and to compute new shared secrets every time messaging direction changes for them. So to achieve that symmetry we had to use two KEM key agreements running in parallel, in a lock-step fashion, as shown on the diagram. In this case both parties generate random public keys and also use the public key of another party to encapsulate the random shared secret. Effectively, this design adds a double quantum-resistant key agreement to double ratchet algorithm steps that provide break-in recovery.</p>
<h2 id="when-can-you-start-using-quantum-resistant-chats" tabindex="-1">When can you start using quantum resistant chats?</h2>
<p>Quantum resistant double ratchet algorithm is already available in v5.6 (beta) of SimpleX Chat as an optional feature that can be enabled for the new and, separately, for the existing direct conversations.</p>
<p>The reason it is released as opt-in is because once the conversation is upgraded to be quantum resistant, it will no longer work in the previous version of the app, and we see this ability to downgrade the app if something is not working correctly as very important for the users who use the app for critical communications.</p>
<p><strong>To enable quantum resistance for the new conversations</strong>:</p>
<ul>
<li>open the app settings (tap user avatar in the top left corner).</li>
<li>scroll down to <em>Developer tools</em> and open them.</li>
<p>Once you have enabled it for the new contacts, you can also <strong>enable it for some of the existing contacts</strong>:</p>
<ul>
<li>open the chat with the contact you want to upgrade to be quantum resistant.</li>
<li>tap contact name above the chat.</li>
<li>tap Allow PQ encryption.</li>
<li>exchange several messages back and forth with that contact - the quantum resistant double ratchet will kick in after 3-5 messages (depending on how many messages you send in each direction), and you will see the notice in the chat once it enables.</li>
</ul>
<h2 id="next-for-post-quantum-crypto-all-direct-chats-small-groups-and-security-audit" tabindex="-1">Next for post-quantum crypto - all direct chats, small groups and security audit</h2>
<p>We will be making quantum resistance default for all direct chats in v5.7, and we plan that all existing direct chats will be automatically upgraded when both contacts install v5.7.</p>
<p>We will also be adding quantum resistance to small groups up to 10-20 members. Computing cryptographic keys is much slower, in comparison, and it would be very inefficient (and completely unnecessary) for large public groups.</p>
<p>We have also arranged a 3rd party cryptographic review of our protocol and encryption schemes design for June/July 2024 - it will cover the additions to SimpleX protocols since <a href="https://simplex.chat/blog/20221108-simplex-chat-v4.2-security-audit-new-website.html">the previous security audit</a> in November 2022, including <a href="https://simplex.chat/blog/20230301-simplex-file-transfer-protocol.html">XFTP protocol</a> we use for file transfers and quantum resistant Signal double ratchet algorithm we just released in this beta version.</p>
<p>In November 2024 we will be conducting further implementation audit, with double the scope of our 2022 audit.</p>
<p>Security audits are very expensive, as they require employing exceptionally competent engineers and cryptographers, and it does stretch our budgets - so any donations to help us cover the costs would be hugely helpful.</p>
<p>That's it for now!</p>
<p>Thank you for helping us improve the app, and look forward to your feedback.</p>
<p><a href="https://simplex.chat/blog/20220511-simplex-chat-v2-images-files.html#the-first-messaging-platform-without-user-identifiers">How can SimpleX deliver messages without user identifiers</a>.</p>
<p><a href="https://simplex.chat/blog/20220711-simplex-chat-v3-released-ios-notifications-audio-video-calls-database-export-import-protocol-improvements.html#why-having-users-identifiers-is-bad-for-the-users">What are the risks to have identifiers assigned to the users</a>.</p>
<p><a href="https://github.com/simplex-chat/simplex-chat#privacy-and-security-technical-details-and-limitations">Technical details and limitations</a>.</p>
<p><a href="https://github.com/simplex-chat/simplex-chat/blob/stable/README.md#frequently-asked-questions">How SimpleX is different from Session, Matrix, Signal, etc.</a>.</p>
<p>Please also see our <a href="https://simplex.chat/">website</a>.</p>
<h2 id="help-us-with-donations" tabindex="-1">Help us with donations</h2>
<p>Huge thank you to everybody who donates to SimpleX Chat!</p>
<p>As I wrote, we are planning a 3rd party security audit for the protocols and cryptography design, and also for an app implementation, and it would hugely help us if some part of this $50,000+ expense is covered with donations.</p>
<p>We are prioritizing users privacy and security - it would be impossible without your support.</p>
<p>Our pledge to our users is that SimpleX protocols are and will remain open, and in public domain, - so anybody can build the future implementations of the clients and the servers. We are building SimpleX network based on the same principles as email and web, but much more private and secure.</p>
<p>Your donations help us raise more funds – any amount, even the price of the cup of coffee, makes a big difference for us.</p>
<p>See <a href="https://github.com/simplex-chat/simplex-chat/tree/master#help-us-with-donations">this section</a> for the ways to donate.</p>
<title>SimpleX network: real privacy and stable profits, non-profits for protocols, v5.6 released with quantum resistant e2e encryption and simple profile migration</title>
<content type="html"><h1 id="simplex-network-real-privacy-and-stable-profits-non-profits-for-protocols-v56-released-with-quantum-resistant-e2e-encryption-and-simple-profile-migration" tabindex="-1">SimpleX network: real privacy and stable profits, non-profits for protocols, v5.6 released with quantum resistant e2e encryption and simple profile migration</h1>
<li><a href="https://simplex.chat/blog/20240323-simplex-network-privacy-non-profit-v5-6-quantum-resistant-e2e-encryption-simple-migration.html#community-and-business-interests-are-aligned">community and business interests are aligned</a>.</li>
<li><a href="https://simplex.chat/blog/20240323-simplex-network-privacy-non-profit-v5-6-quantum-resistant-e2e-encryption-simple-migration.html#the-journey-to-the-decentralized-non-profit-protocol-governance">the journey to the decentralized non-profit protocol governance</a>.</li>
<li><a href="https://simplex.chat/blog/20240323-simplex-network-privacy-non-profit-v5-6-quantum-resistant-e2e-encryption-simple-migration.html#quantum-resistant-end-to-end-encryption-beta">quantum resistant end-to-end encryption</a> (BETA) – enable it for the new contacts.</li>
<li><a href="https://simplex.chat/blog/20240323-simplex-network-privacy-non-profit-v5-6-quantum-resistant-e2e-encryption-simple-migration.html#use-the-app-during-the-audio-and-video-calls">use the app during the audio and video calls</a>.</li>
<li><a href="https://simplex.chat/blog/20240323-simplex-network-privacy-non-profit-v5-6-quantum-resistant-e2e-encryption-simple-migration.html#migrate-all-app-data-to-another-device-via-qr-code">migrate all app data to another device via QR code</a>.</li>
<p>There are many other improvements and fixes in this release:</p>
<ul>
<li>group admins can block a member for all other members.</li>
<li>filtering chats no longer includes muted chats with unread messages.</li>
<li>and more - see the <a href="https://github.com/simplex-chat/simplex-chat/releases/tag/v5.6.0">release notes</a>.</li>
</ul>
<h2 id="simplex-network-deliver-real-privacy-via-a-profitable-business-and-non-profit-protocol-governance" tabindex="-1">SimpleX network: deliver real privacy via a profitable business and non-profit protocol governance</h2>
<h3 id="community-and-business-interests-are-aligned" tabindex="-1">Community and business interests are aligned</h3>
<p>Some people in our users' community believe that there is a conflict between the business and the community interests. This view fails to see a bigger picture of how these interests are aligned. I wrote a blog post about it <a href="https://www.poberezkin.com/posts/2023-10-31-why-privacy-impossible-without-venture-funding.html">here</a>. Our goal is to grow the network and the ecosystem while enriching all stakeholders involved, both the community and the business shareholders. This strategy relies on the strengths and opportunities of both the business and the decentralized network we build, with its vibrant community of individuals and organizations. It positions the business not as a controller but as a supporter of the community growth, resilience and sustainability.</p>
<p>By leveraging access to investment resources, its ability to provide stock-based incentives beyond salaries, operating as a business will satisfy users' and community needs more effectively, ensuring the long-term viability and growth of the network, while remaining true to the mission. A purely nonprofit model with no avenue to sustain this growth is simply not possible. Sustainability requires profits, that is simply spending less than earning, as every responsible individual and organization should aim for, and these profits must be based on users' payments, and not on some other sources of revenue or funds. And building the software product that customers are willing to pay for requires substantial business investments. We will accomplish it while maintaining transparency and the commitment to keep SimpleX network and its protocols open and free to use.</p>
<h3 id="the-journey-to-the-decentralized-non-profit-protocol-governance" tabindex="-1">The journey to the decentralized non-profit protocol governance</h3>
<p>At the current early stage of network growth the protocols will benefit most from the rapid evolution and centralized design. Many protocols that decentralized their evolution too early failed to evolve and to adapt to the product requirements of the majority of users, causing them to stall in growth. Even the open web became possible only thanks to Netscape, a venture funded company, that developed browsers and web server software taking it upon themselves to rapidly evolve web specification to make it into a robust application platform as we now know it. It is very unlikely that it would have happened if it was managed by a nonprofit or community, in a decentralized way.</p>
<p>Once SimpleX network protocols stabilize and reach the required maturity, we plan to transition its governance to several new nonprofit entities, ensuring its continued evolution aligns more closely with our vision of community-driven, independent and transparent governance. We and our investors believe that this is a win-win strategy. It both maximizes the business value, by creating a product built on protecting privacy and users' trust - a model that we see as the only viable path forward. It also maximizes the value created for the user community.</p>
<p>To help us deliver these goals, Esra’a Al Shafei joined SimpleX Chat team - we are excited to welcome her!</p>
<p>Esra'a is a longtime privacy and human rights advocate from Bahrain. She is the founder of <a href="http://majal.org/">Majal.org</a>, a network of platforms that amplify under-reported and marginalized voices in the Middle East and North Africa. She is also the co-founder of the <a href="https://numun.fund/">Numun Fund</a>, the first dedicated fund for women-led tech in the Global South. Esra’a is currently the Vice Chair of the Board at the <a href="https://wikimediafoundation.org/">Wikimedia Foundation</a>, the nonprofit which hosts Wikipedia. She is also on the Board of the <a href="https://www.torproject.org/">Tor Project</a>, developers of one of the world’s strongest tools for privacy and freedom online. Previously, she served on the Board of <a href="https://www.accessnow.org/">Access Now</a>, an international nonprofit dedicated to an open and free Internet.</p>
<p>In her own words: <em>&quot;Privacy and security have been the center of my work as a human rights advocate for the last 20 years in one of the most surveilled countries in the world where staying safe remains a burden. Our privacy is our dignity. It is something that belongs to us and something we should treasure - as people, as companies, as governments. Despite messaging being the most intimate aspect of our digital lives, the leading protocols in this space are centralized and we deserve a web that operates on the core principles of genuine privacy and security in a fully decentralized framework. SimpleX network will play a critical role towards that vision.&quot;</em></p>
<p>Executing the plan towards decentralized nonprofit protocol governance will be Esra’a’s primary responsibility. Our primary objective with this plan is to ensure that no single entity can control or have unrestricted ownership of the protocols, so it can maintain its integrity.</p>
<h2 id="whats-new-in-v56" tabindex="-1">What's new in v5.6</h2>
<p>Adding post-quantum resistance to the double ratchet end-to-end encryption algorithm in SimpleX Chat is a major upgrade to messaging protocols, and it creates the security against the future quantum computers.</p>
<p>I wrote in detail in the previous post about various properties of end-to-end encryption and how exactly quantum resistance is implemented in SimpleX Chat - currently SimpleX Chat has <a href="https://simplex.chat/blog/20240314-simplex-chat-v5-6-quantum-resistance-signal-double-ratchet-algorithm.html#how-secure-is-end-to-end-encryption-in-different-messengers">the most secure end-to-end encryption design</a> against the present and future attacks.</p>
<p>We plan to perform a security audit of this design and implementation later this year.</p>
<p>Post-quantum encryption is currently added as opt-in and has to be separately enabled to be active for the new contacts, and, additionally, can be enabled for the existing contacts.</p>
<li>now you will see <em>Post-quantum E2EE</em> toggle - enable it as well.</li>
</ul>
<p>Now all new contacts you add to the app will use quantum resistant Signal double ratchet algorithm.</p>
<p>Once you have enabled it for the new contacts, you can also <strong>enable it for some of the existing contacts</strong>:</p>
<ul>
<li>open the chat with the contact you want to upgrade to be quantum resistant.</li>
<li>tap contact name above the chat.</li>
<li>tap Allow PQ encryption.</li>
<li>exchange several messages back and forth with that contact - the quantum resistant double ratchet will kick in after 3-5 messages (depending on how many messages you send in each direction), and you will see the notice in the chat once it enables.</li>
</ul>
<p>We will be making quantum resistance default for all direct chats in v5.7, and we plan that all existing direct chats will be automatically upgraded when both contacts install v5.7.</p>
<h3 id="use-the-app-during-the-audio-and-video-calls" tabindex="-1">Use the app during the audio and video calls</h3>
<p>Since we added the audio and video calls in 2022 a lot of work was done to improve the stability of calls. One of the usability downsides until this release was that it was impossible to use the app during the call.</p>
<p>This version solved this problem - now you can return back to the app without interrupting the call and use any of the app functions - for example, you can send the messages or files to the person you are in the call with. If this is a video call, you will continue seeing your contact in a small picture-in-picture view.</p>
<h3 id="migrate-all-app-data-to-another-device-via-qr-code" tabindex="-1">Migrate all app data to another device via QR code</h3>
<p>We always believed that cross-platform data portability is very important for any software. Users own their data, and they should have a way to export it from any software they use. So from the version of SimpleX Chat <a href="https://simplex.chat/blog/20220711-simplex-chat-v3-released-ios-notifications-audio-video-calls-database-export-import-protocol-improvements.html#database-export-and-import">released in July 2022</a> it was possible to export the database as a self-contained file, including all contacts, messages and files, and import it on a new device.</p>
<p><em>&quot;How can I migrate my data to another device?&quot;</em> was one of the most frequent user questions, but until this release this process was <a href="https://simplex.chat/blog/20240323-simplex-network-privacy-non-profit-v5-6-quantum-resistant-e2e-encryption-simple-migration.html">quite complex</a>, requiring too many steps, and most non-technical users were not willing to try it, as even though it was reliable, it appeared risky.</p>
<p>On the device you migrate your app data from, follow these steps:</p>
<ul>
<li>choose <em>Migrate to another device</em>,</li>
<li>if necessary, set the database passphrase (initially, the database is encrypted with a random passphrase), or, if it's already set, verify it - for security and to ensure that the archive will be usable on the new device,</li>
<li>tap <em>Archive and upload</em> to and upload the app data in chunks to the XFTP servers configured in the app,</li>
<li>the app will show the QR code that should be scanned from the new device.</li>
</ul>
<p><strong>Migrate data to the target device</strong></p>
<p>When the chat starts on the target device, make sure to tap <em>Finalize migration</em> and then <em>Delete database</em> on the source device.</p>
<p>The database cannot be used on two devices at the same time, doing so would make it impossible to decrypt the received messages. This is a security measure - the break-in recovery property of double ratchet algorithm.</p>
<p><a href="https://simplex.chat/blog/20220511-simplex-chat-v2-images-files.html#the-first-messaging-platform-without-user-identifiers">How can SimpleX deliver messages without user identifiers</a>.</p>
<p><a href="https://simplex.chat/blog/20220711-simplex-chat-v3-released-ios-notifications-audio-video-calls-database-export-import-protocol-improvements.html#why-having-users-identifiers-is-bad-for-the-users">What are the risks to have identifiers assigned to the users</a>.</p>
<p><a href="https://github.com/simplex-chat/simplex-chat#privacy-and-security-technical-details-and-limitations">Technical details and limitations</a>.</p>
<p><a href="https://github.com/simplex-chat/simplex-chat/blob/stable/README.md#frequently-asked-questions">How SimpleX is different from Session, Matrix, Signal, etc.</a>.</p>
<p>Please also see our <a href="https://simplex.chat/">website</a>.</p>
<h2 id="help-us-with-donations" tabindex="-1">Help us with donations</h2>
<p>Huge thank you to everybody who donates to SimpleX Chat!</p>
<p>As I wrote, we are planning a 3rd party security audit for the protocols and cryptography design, and also for an app implementation, and it would hugely help us if some part of this $50,000+ expense is covered with donations.</p>
<p>We are prioritizing users privacy and security - it would be impossible without your support.</p>
<p>Our pledge to our users is that SimpleX protocols are and will remain open, and in public domain, - so anybody can build the future implementations of the clients and the servers. We are building SimpleX network based on the same principles as email and web, but much more private and secure.</p>
<p>Your donations help us raise more funds – any amount, even the price of the cup of coffee, makes a big difference for us.</p>
<p>See <a href="https://github.com/simplex-chat/simplex-chat/tree/master#help-us-with-donations">this section</a> for the ways to donate.</p>
<p><em>By <a href="https://mastodon.social/@alshafei">Esra'a al Shafei</a></em></p>
<p>Transitioning from a lifelong career dedicated to nonprofits, including Board roles at organizations like the Wikimedia Foundation, Access Now and Tor, my decision to join SimpleX Chat may come as a surprise to some. But, as I step into this new chapter, I want to share the insights and convictions that have guided me here, shedding light on what I think sets SimpleX Chat apart and why this move feels like an essential learning opportunity.</p>
<p>The nonprofit world has been my primary focus for decades. My team and I ran the platforms at <a href="http://majal.org/">Majal.org</a> with an extremely limited budget. We had to navigate many complexities and challenges that shadow the nonprofit model. And because we worked primarily in creating applications and tools, a recurring theme has been financial sustainability. Being a Bahrain-based entity for most of these years meant that the many communities we served were not in a position to provide contributions and we were not eligible for most foundation grants. This drastically limited our growth and the reliability of our apps. When we failed to raise sufficient funds or meet our target budgets, we often had to shutter certain applications, sometimes after spending more than 10 years building them.</p>
<p>With secure and private messaging, the stakes are even graver. Any failure to commit and resource/fund ongoing development, security patches, etc means lives can be at risk. I still believe in nonprofit models, and it’s why I continue to serve them through various volunteer roles. I do also believe that there is room for a mixture of models that, in the case of something as unique as SimpleX Chat, can serve as a fully open and transparent public interest technology while also having a profitable values-aligned company that can keep the lights on to continue developing, expanding, and improving the protocol, network and their reach.</p>
<p>I’m no stranger to writing about some VC models being <a href="https://mastodon.social/@alshafei/112125959080515656">corrupt</a>. Frankly, I also hold the view that some tech VCs are amongst the <a href="https://responsiblestatecraft.org/defense-tech/">most complicit</a> in egregious war crimes worldwide, or enabling the <a href="https://mastodon.social/@alshafei/112140566088322925">intrusive surveillance</a> we’re fighting against. So being part of a VC-funded venture is not a decision I take lightly. However, I have been following SimpleX Chat’s growth since early 2022 when I first met Evgeny at the Mozilla Festival. I appreciated the drive and Evgeny’s firm refusal to settle for the current models of private messaging. We share the belief that messaging is something we need to keep improving and that we must continue pushing its boundaries to make it even more private, secure, usable for groups, and, most importantly - fully decentralized. This is a major undertaking, and it requires funding to achieve. Candidly, I did worry about funding and sustainability because, at the time, SimpleX was still primarily funded by user contributions.</p>
<p>But even knowing this, I scrutinized SimpleX Chat for taking VC funding ($350K) from Village Global and questioned the individuals featured on its frontpage. I had to speak with Evgeny directly to learn who exactly from this fund was involved, how much power they wielded, if any, and if this changes the ethos of the company - all of which he is already making public. It was only after these discussions that I was comfortable to take a leap of faith and continue to use the app and vouch for its current and future offerings. It required me to question my own views on whether a VC-funded company can actually have major positive contributions to privacy as well as the open ecosystem.</p>
<p>The web has a long history of <a href="https://www.engadget.com/from-its-start-gmail-conditioned-us-to-trade-privacy-for-free-services-120009741.html">trading privacy</a> for “free” services. Traditionally, these services have also been centralized, closed-source, non-transparent, and profit-oriented. The companies behind these apps and services became prolific because of their disregard of privacy rights, which normalized lucrative surveillance capitalism. There is such an extensive global monopoly that in Africa, only 1 of the 5 biggest messaging apps in Africa isn't owned by Meta, notoriously known for spying not just through its own apps but even through <a href="https://qz.com/project-ghostbusters-facebook-meta-wiretap-snapchat-1851366814">its competitors</a>, – relentless, massive data harvesting that stretches far beyond its own walled gardens:</p>
<p>Some of the world’s top engineers often go to these companies because of the benefits and financial opportunities. We can question their ethics all day long, but we also need to question if the web would look significantly different if there were as many opportunities at privacy-first companies with purpose and strong, proven moral boundaries, set up in a way that can guarantee operational independence from any shareholders and VCs.</p>
<p>SimpleX could have taken the route of other companies in the privacy space, whether it’s Skiff which rushed to take a large amount of <a href="https://techcrunch.com/2022/03/30/skiff-series-a-encrypted-workspaces/">VC money</a> only to <a href="https://www.techradar.com/computing/cyber-security/skiff-gets-bought-by-notion-raising-privacy-concerns">shutter its doors</a> after an acquisition, leaving its users hanging with many unanswered questions, or giving up control of the company, which would puts its future solely in the hands of VCs with majority ownership. SimpleX aims to prevent this, and in fact has left money on the table to ensure that it does not occur. Had it not been for this information, I would not have joined, and I would have remained a user of the product, albeit a very cautious one, constantly wondering whether it will be sold or corrupted.</p>
<p>It’s worth noting that some private foundations operate on the VC model in supporting nonprofits, either by requiring Board seats or requesting that their funding be used towards very specific objectives not always in alignment with the organization’s values and mission. It’s also worth noting that <a href="https://www.engadget.com/2019-05-31-sex-lies-and-surveillance-fosta-privacy.html">some nonprofits</a> actually operate on the models of surveillance and censorship. Therefore, whether an organization or company is VC-backed or a nonprofit should not be the sole factor in deciding whether or not it is trustworthy. Actions are important, with full transparency being one of the most critical factors, and being fully open source being another to attract valid criticisms and audits to ensure any product or protocol lives up to its privacy and security promise. SimpleX Chat prides itself on being both transparent and open, on top of also being fully decentralized. If you’re new to it and eager to know more, you can start with <a href="https://github.com/simplex-chat/simplexmq/blob/stable/protocol/overview-tjr.md">this overview</a>.</p>
<p>Another important consideration is that the SimpleX network does have a plan that would rely on users' payments for specific or tailored services, and not on some other sources of revenue or funds (ads, etc.). Building anything that users would be willing to pay for requires substantially more time and resources, hence the VC route to establish a business model that doesn’t translate to the user being the product. But any business services need to be separate from SimpleX as a public interest technology. As outlined in this <a href="https://simplex.chat/blog/20240323-simplex-network-privacy-non-profit-v5-6-quantum-resistant-e2e-encryption-simple-migration.html">recent post</a>, I’ll be using my background in nonprofit governance structures to ensure that the SimpleX network protocols evolve under the stewardship of nonprofit entities in various jurisdictions, so that its continued evolution aligns more closely with the vision of community-driven, independent and decentralized governance. This would help create a necessary balance between different structures, in the same way many tech nonprofits also have for-profit subsidiaries to attract fee-for-service agreements to sustain their operations.</p>
<p>In summary: My decision to join Simplex Chat, despite my deep-rooted beliefs and skepticism towards VC funding, reflects a broader realization: that the fight for privacy, security, and decentralization in today’s web is multifaceted and sometimes requires us to depart from our comfort zones to explore sustainable paths for continuous growth and impact so that open source privacy tools and protocols are no longer “niche”, but universally accessible standards. As long as nothing in this journey compromises our moral principles and integrity, this will remain a very worthwhile goal to pursue.</p>
<title>The dangers of metadata in messengers</title>
<content type="html"><h1 id="the-dangers-of-metadata-in-messengers" tabindex="-1">The dangers of metadata in messengers</h1>
<p><em>By <a href="https://mastodon.social/@alshafei">Esra'a al Shafei</a></em></p>
<p>In many countries around the world, phone numbers are attached to biometrics data and personal IDs. Telecommunications companies are either government owned or are heavily regulated, privately owned monopolies who comply with most government requests for backdoors or user data. The idea that today, we still need to give out our phone numbers as primary identifiers to be able to use the leading messaging apps should be frowned upon and actively challenged. It’s necessary to advocate for private alternatives in messaging that do not rely on user IDs of any kind - and yes, it’s possible.</p>
<p>Messaging is still not where it needs to be. Privacy is confused with security, when both are not synonymous, and there are major gaps in helping users understand the fundamental differences.</p>
<p>For example, while WhatsApp messages are <a href="https://faq.whatsapp.com/820124435853543">end-to-end encrypted</a>, let’s consider what you give up when you use it, per its own listings in app stores:</p>
<ul>
<li>App activity (app interactions, in-app search history, and other user-generated content)</li>
<li>Location</li>
<li>Financial information (user payment info and payment history)</li>
<li>Contacts and their phone numbers</li>
<li>Groups you’re a member of</li>
<li>When you use the app and how often you use it</li>
<li>Device and other IDs</li>
<li>Personal info (email address, user IDs, phone number)</li>
</ul>
<p>This is called <a href="https://en.wikipedia.org/wiki/Metadata">metadata</a>. It reveals a wealth of information about you and your connections, and in the hands of a centralized monopoly, this can and does get misused in incredibly dangerous ways. Once such metadata is logged, it can create very detailed profiles about who you are, everywhere you’ve been, and everyone you’ve ever spoken to. In settling for apps that normalize this while giving you the illusion of privacy in their marketing, we are doing ourselves a disservice by accepting this as the default. Collectively, we aren’t doing enough to protect ourselves and our social graph from this invasive overreach.</p>
<p>When stored, aggregated and analyzed, this metadata provides ample information that could potentially incriminate someone or be submitted to authorities. When WhatsApp and Facebook Messenger enabled end-to-end encryption for messages, of course it was a welcome and widely celebrated change. But it’s important to remember that not all end-to-end encryption utilizes the same standards, <a href="https://simplex.chat/blog/20240314-simplex-chat-v5-6-quantum-resistance-signal-double-ratchet-algorithm.html#how-secure-is-end-to-end-encryption-in-different-messengers">some implementations are more secure</a> than others, so it’s something that shouldn’t necessarily be accepted at face value. More importantly: collecting and storing an obscene amount of metadata should invite global scrutiny, considering this data is often combined with whatever other information companies like Meta harvest about your identity (which is <a href="https://www.vox.com/recode/23172691/meta-tracking-privacy-hospitals">a lot</a>.)</p>
<p>This is one of the many reasons why we need to resist giving out our phone numbers just to access an app, especially to do something as personal and intimate as private messaging. Even though users can sometimes mask their numbers with a username, their identity on the app is still fundamentally tied to their phone number. App operators have access to this, as well as user contacts. Additionally, with a simple modification to the app's source code, the contacts may also gain access in some cases. This should raise more concerns about privacy, and it makes the need for anonymity difficult to achieve.</p>
<p>Everyone has a different threat model (and if you don’t yet, now is a good time to <a href="https://www.privacyguides.org/en/basics/threat-modeling/#creating-your-threat-model">create one</a>). For many users today, WhatsApp and other apps may be sufficient for their specific needs, especially in connecting with families and friends who are already on the app and unlikely to migrate elsewhere. If that suits your life and needs, and if you’re aware and consciously accept the risks, great.</p>
<p>But we also need to acknowledge that the world is becoming increasingly dangerous in the way AI is being used to <a href="https://www.forbes.com/sites/forbestechcouncil/2024/02/02/artificial-intelligence-the-new-eyes-of-surveillance/?sh=cd57bc214f27">supercharge surveillance</a>, and we need to be educated and aware of the risks this is already having on our lives and what it subjects others in your network to when you choose metadata-heavy apps as your primary form of communication. Having alternatives will always be important, even if it’s not what you default to for everyday messaging. Recognize who in your social circles might require the extra privacy, anonymity and security, so that you can play a role in protecting vulnerable individuals who need it most. The messaging app you choose implicates others as well, not just yourself, and while you personally may not require complete privacy, others might have their lives depend on it.</p>
<p>End-to-end encryption is a solid start, but it's just the beginning of our pursuit for true privacy and security. True privacy means that even when legal demands come knocking, there's no useful metadata to hand over. It's not enough to just protect the content of messages; we need consistent innovation in protecting metadata too.</p>
<p>Changing ingrained habits is tough, but your privacy is always worth the fight. Although giants like WhatsApp and Telegram may dominate global messaging for now, increasing concerns about data harvesting and AI-driven surveillance are fueling demand for alternatives. SimpleX Chat aims to be one of those strong alternatives, hence its radical focus on a decentralized framework with no user identifiers (in other words, nothing that uniquely identifies users on the protocol level to their contacts or to the relays) and extra optionality (self-hosting an <a href="https://simplex.chat/docs/server.html">SMP server</a> or <a href="https://simplex.chat/docs/xftp-server.html">XFTP server</a>, access via Tor, <a href="https://simplex.chat/docs/guide/chat-profiles.html">chat profiles</a> with incognito mode, etc.)</p>
<p>As of today, most messaging alternatives, including SimpleX, will have some limitations. But with the limited resources we have, we are committed to daily progress towards creating a truly private messenger that anyone can use while maintaining the features that users have come to know and love in messaging interfaces. We want to be the prime example of a messenger that achieves genuine privacy without compromising it for convenience. We need to be able to reliably move away from small and niche use cases to endorsing and enforcing global standards for privacy and making it accessible for all users regardless of their technical expertise.</p>
<p>We’re grateful for the users and <a href="https://github.com/simplex-chat/simplex-chat#help-us-with-donations">donors</a> who have been following along on this journey thus far and helping with feedback, anything from bug reports to identifying potential risks. Building in the open has always been a necessity for transparency and ongoing <a href="https://simplex.chat/blog/20221108-simplex-chat-v4.2-security-audit-new-website.html">auditability</a>, because we don’t want anyone to just take our word for it. <a href="https://github.com/simplex-chat">See for yourself</a> and engage in the discussions. We fully expect you to hold us accountable to our word.</p>
<title>SimpleX network: legally binding transparency, v5.7 released with better calls and messages</title>
<content type="html"><h1 id="simplex-network-legally-binding-transparency-v57-released-with-better-calls-and-messages" tabindex="-1">SimpleX network: legally binding transparency, v5.7 released with better calls and messages</h1>
<li><a href="https://simplex.chat/blog/20240426-simplex-legally-binding-transparency-v5-7-better-user-experience.html#quantum-resistant-end-to-end-encryption">quantum resistant end-to-end encryption</a> with all contacts.</li>
<li><a href="https://simplex.chat/blog/20240426-simplex-legally-binding-transparency-v5-7-better-user-experience.html#forward-and-save-messages">forward and save messages</a> without revealing the source.</li>
<li><a href="https://simplex.chat/blog/20240426-simplex-legally-binding-transparency-v5-7-better-user-experience.html#in-call-sounds-and-switching-sound-sources">in-call sounds and switching sound sources</a>.</li>
<p>Also, we added Lithuanian interface language to the Android and desktop apps, thanks to <a href="https://github.com/simplex-chat/simplex-chat#help-translating-simplex-chat">our users and Weblate</a>.</p>
<li>We updated our <a href="https://simplex.chat/blog/https%3A//github.com/simplex-chat/simplex-chat/blob/stable/simplex-chat/PRIVACY.md">Privacy Policy</a> to remove undefined terms &quot;impermissible&quot; and &quot;acceptable&quot;, which would allow us to remove anything we don't like, without any clarity on what that is. You can see the edits <a href="https://github.com/simplex-chat/simplex-chat/pull/4076/files">here</a>.</li>
<li>We published a new page with <a href="https://simplex.chat/faq/index.html">Frequently Asked Questions</a>, thanks to the guidance from users.</li>
<li>We also have a new <a href="https://simplex.chat/security/index.html">Security Policy</a> – we welcome your feedback on it.</li>
<p>What do we mean by “legally binding transparency?”. It includes these principles:</p>
<ul>
<li>Accountability: an empty promise or commitment to transparency that is not legally binding is just marketing, and can provide opportunities for the organizations to be misleading or not disclose important information that can affect their users privacy and security.</li>
<li>Consistency: often, there's a disconnect between marketing claims and legally binding policies. Our approach is to ensure that promises made in marketing materials or any external communications align with our legally binding documents, so that users can rely on our promises, and know exactly what to expect from us.</li>
</ul>
<p>For example:</p>
<ul>
<li>we use open-source code, and we made a legally binding commitment to use the published code in all released apps and deployed preset servers.</li>
<li>we use precise and technical language in the Privacy Policy defining what data and metadata can be accessed via the preset relays.</li>
</ul>
<p>If you see any inconsistency between technical parameters of SimpleX Network and what is promised in our Privacy Policy please raise it with us.</p>
<h2 id="whats-new-in-v57" tabindex="-1">What's new in v5.7</h2>
<p>This release focus is improving the app usability, and preparing the foundation for v5.8 that will provide an in-built protection of user IP addresses when connecting to unknown file and messaging servers, reducing the need to use Tor (which would still remain supported via SOCKS proxy, for additional privacy).</p>
<p>We <a href="https://simplex.chat/blog/20240314-simplex-chat-v5-6-quantum-resistance-signal-double-ratchet-algorithm.html">wrote before</a> about how quantum resistant encryption was added to SimpleX Chat and also about other properties of end-to-end encryption, possible attacks on its security and known mitigations.</p>
<p>Quantum resistant encryption will now be enabled by default in all direct chats. For the new conversations it will be enabled from the beginning, and for the existing conversations it will be agreed after you exchange several messages with your contacts - you will see a notice in the conversation when it happens.</p>
<p>You can still safely downgrade the app to an earlier version if needed, as v5.6 already supports quantum resistant encryption.</p>
<p>With the users who have an earlier version, the app will work using the conventional encryption, which is still very secure. It's important that we augmented the conventional encryption with post-quantum cryptographic algorithm rather than replaced it, using a hybrid construction as recommended by the cryptography experts.</p>
<p>The groups currently do not support quantum resistant encryption yet - we plan to add it in the future to small groups.</p>
<h3 id="forward-and-save-messages" tabindex="-1">Forward and save messages</h3>
<p>You can now save received messages to private notes and forward them to your contacts and groups. This is both more convenient than copy-pasting the messages, and also more private - you can forward files and preserve a disappearing file in your private notes without saving them outside of the app.</p>
<p>You can see and navigate to the original source of the message via the message information, but the recipient of the message can only see that it was forwarded, but not from which conversation - in this way you can show that the message was quoted from another source without revealing the source (<a href="https://en.wikipedia.org/wiki/Chatham_House_rule">Chatham House Rule</a>).</p>
<h3 id="in-call-sounds-and-switching-sound-sources" tabindex="-1">In-call sounds and switching sound sources</h3>
<p>This was the most frequent request of the users who use SimpleX Chat for audio and video calls - to add sound indication to the connection progress, as happens in all other apps. This release added these sounds and also vibration when call connects and disconnects.</p>
<p>You can also switch between bluetooth headphones, speakerphone and earpiece via the new button in the call.</p>
<p>To reduce traffic and battery usage, this release made connection timeouts dependent on which network your device uses - timeouts will be larger when you are on mobile connection and smaller when on WiFi. It also makes connection attempts very infrequent when the device is not connected to network.</p>
<h3 id="customizable-shape-of-profile-images" tabindex="-1">Customizable shape of profile images</h3>
<p>To customizable the interface, you can now change the shapes of profile images to anything from squares with sharp corners to circles, as before, via the Appearance menu in the app Settings. The default shape of profile images is changed to squares with rounded corners.</p>
<p><a href="https://simplex.chat/blog/20220511-simplex-chat-v2-images-files.html#the-first-messaging-platform-without-user-identifiers">How can SimpleX deliver messages without user identifiers</a>.</p>
<p><a href="https://simplex.chat/blog/20220711-simplex-chat-v3-released-ios-notifications-audio-video-calls-database-export-import-protocol-improvements.html#why-having-users-identifiers-is-bad-for-the-users">What are the risks to have identifiers assigned to the users</a>.</p>
<p><a href="https://github.com/simplex-chat/simplex-chat#privacy-and-security-technical-details-and-limitations">Technical details and limitations</a>.</p>
<p>Please also see our <a href="https://simplex.chat/">website</a>.</p>
<h2 id="help-us-with-donations" tabindex="-1">Help us with donations</h2>
<p>Huge thank you to everybody who donates to SimpleX Chat!</p>
<p>We are planning a 3rd party security audit for the protocols and cryptography design in July 2024, and also the security audit for an implementation in December 2024/January 2025, and it would hugely help us if some part of this $50,000+ expense is covered with donations.</p>
<p>We are prioritizing users privacy and security - it would be impossible without your support.</p>
<p>Our pledge to our users is that SimpleX protocols are and will remain open, and in public domain, - so anybody can build the future implementations of the clients and the servers. We are building SimpleX network based on the same principles as email and web, but much more private and secure.</p>
<p>Your donations help us raise more funds – any amount, even the price of the cup of coffee, makes a big difference for us.</p>
<p>See <a href="https://github.com/simplex-chat/simplex-chat/tree/master#help-us-with-donations">this section</a> for the ways to donate.</p>
<title>SimpleX: Redefining Privacy by Making Hard Choices</title>
<content type="html"><h1 id="simplex-redefining-privacy-by-making-hard-choices" tabindex="-1">SimpleX: Redefining Privacy by Making Hard Choices</h1>
<p><strong>Published:</strong> May 16, 2024</p>
<p>When it comes to open source privacy tools, the status quo often dictates the limitations of existing protocols and structures. However, these norms need to be challenged to radically shift how we approach genuinely private communication. This requires doing some uncomfortable things, like making hard choices as it relates to funding, alternative decentralization models, doubling down on privacy over convenience, and more.</p>
<p>There will always be questions on why the SimpleX Chat and network makes the choices it makes, and that’s good! It’s important to question us and to understand the reasoning behind each decision, whether it’s technical, structural, financial or any other.</p>
<p>In this post we explain a bit more about why SimpleX operates and makes decisions the way it does.</p>
<h2 id="no-user-accounts" tabindex="-1">No user accounts</h2>
<p>Within SimpleX network there are no user accounts, and more importantly, no user profile identifiers whatsoever at the protocol level, not even random numbers or cryptographic keys used to identify the users. This means there is absolutely nothing that uniquely links users to their contacts or to the network relays. While it's accurate to say, &quot;You need an address to send something,&quot; it's crucial to understand that this &quot;address&quot; serves merely as a transient delivery destination, and not as a user profile identifier in any sense.</p>
<p>You can read more about how SimpleX works <a href="https://simplex.chat/#how-simplex-works">here</a>.</p>
<h2 id="privacy-over-convenience" tabindex="-1">Privacy over convenience</h2>
<p>One of the main considerations often ignored in security and privacy comparisons between messaging applications is multi-device access. For example, in Signal’s case, the Sesame protocol used to support multi-device access has the vulnerability that is <a href="https://eprint.iacr.org/2021/626.pdf">explained in detail here</a>:</p>
<p><em>&quot;We present an attack on the post-compromise security of the Signal messenger that allows to stealthily register a new device via the Sesame protocol. [...] This new device can send and receive messages without raising any ‘Bad encrypted message’ errors. Our attack thus shows that the Signal messenger does not guarantee post-compromise security at all in the multi-device setting&quot;</em>.</p>
<p>Solutions are possible, and even the quoted paper proposes improvements, but they are not implemented in any existing communication solutions. Unfortunately this results in most communication systems, even those in the privacy space, having compromised security in multi-device settings due to these limitations. That's the reason we are not rushing a full multi-device support, and currently only provide <a href="https://simplex.chat/blog/20231125-simplex-chat-v5-4-link-mobile-desktop-quantum-resistant-better-groups.html#link-mobile-and-desktop-apps-via-secure-quantum-resistant-protocol">the ability to use mobile app profiles via the desktop app</a>, while they are on the same network.</p>
<p>Another choice that compromises privacy for convenience and usability is 3rd party push notifications. At SimpleX, we take a slow path of optimizing the network and battery consumption in the app, rather than simply hiding inefficiencies behind the quick fix solution of 3rd party push notifications that <a href="https://www.wired.com/story/apple-google-push-notification-surveillance/">increases vulnerability</a>, a path Signal and others chose. Like other choices, it has usability and optimization trade offs, but ultimately it’s the right thing to continue progressing towards a better solution as we explain <a href="https://simplex.chat/blog/20220404-simplex-chat-instant-notifications.html">here</a>.</p>
<p>Whenever possible, we strive to achieve significantly higher levels of privacy and security. For example, unlike most, if not all, applications (including Signal), <a href="https://simplex.chat/blog/20230925-simplex-chat-v5-3-desktop-app-local-file-encryption-directory-service.html#encrypted-local-files-and-media-with-forward-secrecy">we encrypt application files with per-file unique key</a>. Consequently, once a message is deleted, there's no means to open a file that someone may have stolen in hopes of acquiring the key later. Similarly, apps like Session have done away with forward secrecy, a decision which caused them <a href="https://www.privacyguides.org/en/real-time-communication/#additional-options">not to be recommended</a> for &quot;long-term or sensitive communications&quot;. And <a href="https://simplifiedprivacy.com/spain-has-banned-telegram-defending-session/">misinformation</a> around this makes it dangerous and irresponsible to recommend without such necessary disclosures for people’s awareness.</p>
<p>Session’s decision was based on <a href="https://getsession.org/blog/session-protocol-explained">the incorrect statements</a> about double ratchet being impossible in decentralized networks, and underplayed importance of forward secrecy, break-in recovery and deniability - the absence of these crucial qualities makes Session a much weaker choice for private messaging. For transparency, this was something that was debated with their team <a href="https://twitter.com/SimpleXChat/status/1755216356159414602">here</a>. We also made <a href="https://simplex.chat/blog/20240314-simplex-chat-v5-6-quantum-resistance-signal-double-ratchet-algorithm.html#end-to-end-encryption-security-attacks-and-defense">a separate post</a> about these qualities of end-to-end encryption and their presence in different messengers, to show that not all end-to-end encrypted apps offer the same level of protections.</p>
<p>It's important to recognize that a model of decentralization where all servers are openly known and accessible to all clients, that some users ask for, actually results in a less decentralized network, and as the network grows it often requires an introduction of a central authority to protect from bad actors with malicious intent. Therefore, we've deliberately opted for a slower path towards achieving a higher degree of decentralization where there is no central server registry or network authority. For example, p2p designs may offer higher initial decentralization but often compromise on privacy and eventual decentralization. In essence, our approach prioritizes a balance between initial decentralization, privacy, and higher degree of decentralization down the line.</p>
<p>Additionally, while it's true that we haven't yet established a model to incentivize other network operators, it's certainly on the roadmap. We see the decentralization of network operators offered within the app as a top priority.</p>
<p>Where it stands today, users have the freedom to select their preferred servers within the SimpleX network by configuring the app, with thousands of self-hosted servers in operation. Moreover, numerous third-party applications rely on our code for their in-app communications, operating independently of our servers, many of which we may not even be aware of.</p>
<p>Decentralization is an ongoing journey, and we strive to proceed at a measured pace to ensure its proper implementation. While the immediate results may not always appear ideal, prioritizing a careful approach ensures that in the long run, the decisions made in this area align with our ultimate objectives of a private, efficient, reliable and fully decentralized network.</p>
<h2 id="funding-and-profitability" tabindex="-1">Funding and profitability</h2>
<p>We explain our rationale for funding <a href="https://simplex.chat/faq/index.html#funding-and-business-model">here</a>. Funding sources is always one of the most difficult choices to make, and it’s important to underline that VC models don’t necessarily translate to a quest for control, interference of any kind, or overall influence on product roadmap and strategy. The vast majority of investors seek profitability. Irrespective of the organization type profitability is essential for a sustainable operation, and it can and should be done while adhering to the highest possible standards for privacy. For-profit vs. nonprofit is also not an accurate metric to measure a commitment towards privacy and open standards, which is further explained <a href="https://simplex.chat/blog/20240404-why-i-joined-simplex-chat-esraa-al-shafei.html">here</a>.</p>
<p>To make a profit, satisfying customers is the key. Unlike the many companies that profit from selling customer data, we put user privacy first. Doing this at scale requires investments. If the investors don’t own or control a company, their participation becomes merely about profit for them, and not about how this profit is obtained. With the investors we have, we are completely aligned on this - they are betting on the future where privacy is the norm. They do not dictate on anything related to our model. We build SimpleX chat, protocols and network the way Internet should have been built if we as developers always put the privacy and empowerment of users first.</p>
<p>With regards to jurisdictions, nowhere is perfect. For that reason we plan to establish the foundations for protocol governance in <a href="https://simplex.chat/blog/20240323-simplex-network-privacy-non-profit-v5-6-quantum-resistant-e2e-encryption-simple-migration.html#the-journey-to-the-decentralized-non-profit-protocol-governance">various jurisdictions</a>.</p>
<p>But we’d like to clarify some misconceptions about the UK, where SimpleX Chat Ltd. is registered, and the UK legislation.</p>
<p>For example, the Online Safety Act (OSA). Some people believe that it applies only to UK companies. But the OSA applicability isn’t determined by the company’s jurisdiction - it applies based on the nature and characteristics of the business and its services, as well as the number of its users in the UK. In case of SimpleX network, the OSA doesn’t apply for both of these reasons.</p>
<p>The UK’s position on communication encryption, and more specifically, on end-to-end encrypted messaging, remains the subject of political debates. But with the OSA, the legislative intent was to propose technical measures to block CSAM, and it was trying to explore ways to do this via client-side scanning, which of course would undermine the encryption. However, and thanks to the hard work of privacy experts, researchers, academics and rights organizations throughout the UK and the rest of the world, the Online Safety Bill did not prohibit end-to-end encrypted apps without such scanners. It is an open question whether such technology will ever be possible, and the UK government made a public commitment that client-side scanning won't be required until it is.</p>
<p>For now, strong end-to-end encryption remains permissible and protected, and we hope to also add to the privacy advocacy and debates as a UK-based company to keep it legally protected.</p>
<p>Overall, we view the UK as being better jurisdiction for privacy than many alternatives - there are some trade-offs everywhere.</p>
<p>The future of the Internet should be based on decentralized infrastructure operated by commercially viable organizations. These operators need to possess minimal user data, so that users have genuine control over their identities, and free from lock-in by the operators, to support fair competition. This requires a drastic re-imagining of the current norms and newer, more privacy-minded protocols. All in all, private messaging is surrounded by very difficult challenges but it’s worth it to keep pushing the industry forward and not settle for the status quo and current trade offs, protocol limitations and vulnerabilities. The Internet deserves better standards, and so do users.</p>
<p>As lawmakers grapple with the serious issue of child exploitation online, some proposed solutions would fuel the very problem they aim to solve. Despite expert warnings, the Belgian Presidency persists in pushing for the implementation of client-side scanning on encrypted messaging services, rebranding the effort as &quot;upload moderation&quot;. Their <a href="https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=COM%3A2022%3A209%3AFIN&amp;qid=1652451192472">latest proposal</a> mandates that providers of private communication services obtain user consent for AI-based scanning of their private chats. If users do not consent, they will be prohibited from sharing images, videos, and URLs.</p>
<p>Privacy critics have long pushed for measures like centralized scanning of private photos and messaging data, arguing it could detect illicit content. However, invasive monitoring of private communications would create detrimental risks that far outweigh any perceived benefits.</p>
<p>SimpleX Chat signed a <a href="https://www.globalencryption.org/2024/05/joint-statement-on-the-dangers-of-the-may-2024-council-of-the-eu-compromise-proposal-on-eu-csam/">joint statement</a> about the dangers of the EU compromise proposal on EU CSAM because maintaining end-to-end encryption is crucial for protecting privacy and security for everyone, including and especially children.</p>
<p>We urge the Ministers in the Council of the EU to stand firm against any scanning proposals that undermine end-to-end encryption, which would enable mass surveillance and misuse by bad actors, whether framed as client-side scanning, upload moderation, or any other terminology. Compromising this basic principle opens the door to devastating privacy violations. We also urge any organizations or individuals reading this to write to their representatives and voice their concerns. European Digital Rights has <a href="https://edri.org/our-work/be-scanned-or-get-banned/">outlined these issues</a> in greater detail for anyone seeking more information.</p>
<p>The core issue is that compromising encryption and privacy makes innocent people vulnerable to malicious hackers and criminals seeking to exploit users data. Centralized scanning systems become a tempting target, potentially exposing millions of private family photos when breached. This would easily open up avenues for blackmail, abuse, and victimization of children. A case in point is the recent <a href="https://techcrunch.com/2024/01/17/unredacted-meta-documents-reveal-historical-reluctance-to-protect-children-new-mexico-lawsuit/">criminal charges</a> against Meta in New Mexico, which highlights how the tech giant's algorithms enabled child exploitation by encouraging connections between minors and sexual predators. Privacy-eroding initiatives like client-side scanning would play into the hands of malicious actors by making more sensitive information accessible and weaponized in the same way that it has been on Meta platforms.</p>
<h2 id="what-should-be-done" tabindex="-1">What should be done</h2>
<p>Rather than undermining privacy, to achieve child safety online users should be empowered with high standards for encryption and data control. For example, adopting a model where children (and users in general) cannot be discovered or approached on networks unless they or their parents permit it, similar to the SimpleX network privacy model. Intelligent multi-device synchronization could enable this oversight without compromising end-to-end encryption overall. It’s always possible to protect children without opening everyone, especially children themselves, to greater vulnerabilities due to such proposals.</p>
<p>However, some recent legislative efforts have bizarrely moved in the opposite direction by seeking to limit parental access. The chilling truth is that the least private platforms have been major enablers of child exploitation. Eroding privacy protections on other services will only aid criminals further, not protect children. Preserving strong encryption and user privacy must be the foundation for any credible effort to combat online child exploitation. Initiatives trading privacy for supposed safety are not just technically flawed, but would achieve the exact opposite of their stated intent. We must avoid being gaslighted by narratives that defy logic, and instead provide users with the highest possible standards for privacy protections as a core principle.</p>
<p>Protecting end-to-end encryption without carving out backdoors or vulnerabilities should be non-negotiable for children's and everyone’s safety. It is critical to redirect the discourse to focus on taking genuine privacy further by protecting against <a href="https://simplex.chat/blog/20240416-dangers-of-metadata-in-messengers.html">metadata hoarding</a> and other means by which people’s data can be abused or subjected to surveillance.</p>
<title>SimpleX network: private message routing, v5.8 released with IP address protection and chat themes</title>
<content type="html"><h1 id="simplex-network-private-message-routing-v58-released-with-ip-address-protection-and-chat-themes" tabindex="-1">SimpleX network: private message routing, v5.8 released with IP address protection and chat themes</h1>
<li><a href="https://simplex.chat/blog/20240604-simplex-chat-v5.8-private-message-routing-chat-themes.html#protect-ip-address-when-downloading-files--media">protect IP address when downloading files &amp; media</a>.</li>
<li><a href="https://simplex.chat/blog/20240604-simplex-chat-v5.8-private-message-routing-chat-themes.html#chat-themes">chat themes</a> for better conversation privacy - in Android and desktop apps.</li>
<li><a href="https://simplex.chat/blog/20240604-simplex-chat-v5.8-private-message-routing-chat-themes.html#group-improvements">group improvements</a> - reduced traffic and additional preferences.</li>
<li>improved networking, message and file delivery.</li>
</ul>
<p>Also, we added Persian interface language to the Android and desktop apps, thanks to <a href="https://github.com/simplex-chat/simplex-chat#help-translating-simplex-chat">our users and Weblate</a>.</p>
<p>SimpleX network design has always been focussed on protecting user identity on the messaging protocol level - there is no user profile identifiers of any kind in the protocol design, not even random numbers or cryptographic keys.</p>
<p>Until this release though, SimpleX network had no built-in protection of user transport identities - IP addresses. As previously the users could only choose which messaging relays to use to receive messages, these relays could observe the IP addresses of the senders, and if these relays were controlled by the recipients, the recipients themselves could observe them too - either by modifying server code or simply by tracking all connecting IP addresses.</p>
<p>To work around this limitation, many users connected to SimpleX network relays via Tor or VPN - so that the recipients' relays could not observe IP addresses of the users when they send messages. Still, it was the most important and the most criticized limitation of SimpleX network for the users.</p>
<h3 id="why-didnt-we-just-embed-tor-in-the-app" tabindex="-1">Why didn't we just embed Tor in the app?</h3>
<p>Tor is the best transport overlay network in existence, and it provides network anonymity for millions of Internet users.</p>
<p>SimpleX Chat has many integration points with Tor:</p>
<li>it allows <a href="https://simplex.chat/blog/20220901-simplex-chat-v3.2-incognito-mode.html#using-onion-server-addresses-with-tor">dual server addresses</a>, when the same messaging relay can be reached both via Tor and via clearnet.</li>
<li>it utilises Tor's SOCKS proxy &quot;isolate-by-auth&quot; feature to create a new Tor circuit for each user profile, and with an additional option - for each contact. Per-contact <a href="https://simplex.chat/blog/20230204-simplex-chat-v4-5-user-chat-profiles.html#transport-isolation">transport isolation</a> is still experimental, as it doesn't work if you connect to groups with many members, and it's only available if you enable developer tools.</li>
<li>mitigation of <a href="https://simplex.chat/docs/glossary.html#man-in-the-middle-attack">MITM attack</a> on client-server connection is done in the same way as Tor relays do it - the fingerprint of offline certificate is included in server address and validated by the client.</li>
<li>the private routing itself uses the approach similar to onion routing, by adding encryption layers on each hop.</li>
<li>we are also considering to implement Tor's <a href="https://blog.torproject.org/introducing-proof-of-work-defense-for-onion-services/">Proof-of-work DoS defence</a> mechanism.</li>
</ul>
<p>So why didn't we just embed Tor into the messaging clients to provide IP address protection?</p>
<p>We believe that Tor may be the wrong solution for some users for one of the reasons:</p>
<ul>
<li>much higher latency, error rate and resource usage.</li>
<li>people who want to use Tor are better served by specialized apps, such as <a href="https://guardianproject.info/apps/org.torproject.android/">Orbot</a>.</li>
<li>Tor usage is restricted in some networks, so it would require complex configuration in the app UI.</li>
<li>some countries have legislative restrictions on Tor usage, so embedding Tor would require supporting multiple app versions, and it would leave the original problem unsolved in these countries.</li>
</ul>
<p>Also, while Tor solves the problem of IP address protection, it doesn't solve the problem of meta-data correlation by user's transport session. When the client connects to the messaging relays via Tor, the relays can still observe which messaging queues a user sends messages to via a single TCP connection. The client can mitigate it with per-contact transport isolation, but it uses too much traffic and battery for most users.</p>
<p>So we believed we would create more value to the users of SimpleX network with private message routing. This new message routing protocol provides IP address and transport session protection out of the box, once released. It can also be extended to support delayed delivery and other functions, improving both usability and transport privacy in the future.</p>
<p>At the same time, we plan to continue supporting Tor and other overlay networks. Any overlay network that supports SOCKS proxy with &quot;isolate-by-auth&quot; feature will work with SimpleX Chat app.</p>
<h3 id="what-is-private-message-routing-and-how-does-it-work" tabindex="-1">What is private message routing and how does it work?</h3>
<p>Private message routing is a major milestone for SimpleX network evolution. It is a new message routing protocol that protects both users' IP addresses and transport sessions from the messaging relays chosen by their contacts. Private message routing is, effectively, a 2-hop onion routing protocol inspired by Tor design, but with one important difference - the first (forwarding) relay is always chosen by message sender and the second (destination) - by the message recipient. In this way, neither side of the conversation can observe IP address or transport session of another.</p>
<p>At the same time, the relays chosen by the sending clients to forward the messages cannot observe to which connections (messaging queues) the messages are sent, because of the additional layer of end-to-end encryption between the sender and the destination relay, similar to how onion routing works in Tor network, and also thanks to the protocol design that avoids any repeated or non-random identifiers associated with the messages, that would otherwise allow correlating the messages sent to different connections as sent by the same user. Each message forwarded to the destination relay is additionally encrypted with one-time ephemeral key, to be independent of messages sent to different connections.</p>
<p>The routing protocol also prevents the possibility of MITM attack by the forwarding relay, which provides the certificate the session keys of the destination server to the sending client that are cryptographically signed by the same certificate that is included in destination server address, so the client can verify that the messages are sent to the intended destination, and not intercepted.</p>
<p>The diagram below shows all the encryption layers used in private message routing:</p>
<p><strong>e2e</strong> - two end-to-end encryption layers between <strong>sending</strong> and <strong>receiving</strong> clients, one of which uses double ratchet algorithm. These encryption layers are present in the previous version of message routing protocol too.</p>
<p><strong>s2d</strong> - encryption between the <strong>sending</strong> client and recipient's <strong>destination</strong> relay. This new encryption layer hides the message metadata (destination connection address and message notification flag) from the forwarding relay.</p>
<p><strong>f2d</strong> - additional new encryption layer between <strong>forwarding</strong> and <strong>destination</strong> relays, protecting from traffic correlation in case TLS is compromised - there are no identifiers or cyphertext in common between incoming and outgoing traffic of both relays inside TLS connection.</p>
<p><strong>d2r</strong> - additional encryption layer between destination relay and the recipient, also protecting from traffic correlation in case TLS is compromised.</p>
<p><strong>TLS</strong> - TLS 1.3 transport encryption.</p>
<p>For private routing to work, both the forwardig and the destination relays should support the updated messaging protocol - it is supported from v5.8 of the messaging relays. It is already released to all relays preset in the app, and available as a self-hosted server. We updated <a href="https://simplex.chat/docs/server.html">the guide</a> about how to host your own messaging relays.</p>
<p>Because many self-hosted relays did not upgrade yet, private routing is not enabled by default. To enable it, you can open <em>Network &amp; servers</em> settings in the app and change the settings in <em>Private message routing</em> section. We recommend setting <em>Private routing</em> option to <em>Unprotected</em> (to use it only with unknown relays and when not connecting via Tor) and <em>Allow downgrade</em> to <em>Yes</em> (so messages can still be delivered to the messaging relays that didn't upgrade yet) or to <em>When IP hidden</em> (in which case the messages will fail to deliver to unknown relays that didn't upgrade yet unless you connect to them via Tor).<br />
See <a href="https://simplex.chat/faq/index.html#does-simplex-protect-my-ip-address">F.A.Q. section</a> for answers about private message routing.</p>
<p>Read more about the technical design of the private message routing in <a href="https://github.com/simplex-chat/simplexmq/blob/stable/rfcs/done/2023-09-12-second-relays.md">this document</a> and in <a href="https://github.com/simplex-chat/simplexmq/blob/stable/protocol/simplex-messaging.md#proxying-sender-commands">the messaging protocol specification</a>.</p>
<p>Even with very limited information available to the messaging relays, there are <a href="https://github.com/simplex-chat/simplexmq/blob/stable/protocol/overview-tjr.md#simplex-messaging-protocol-server">several things</a> that would reduce users' privacy that a compromised relay can do.</p>
<p>We <a href="https://github.com/simplex-chat/simplexmq/blob/master/rfcs/2024-03-20-server-metadata.md">wrote previously</a> that it is important that server operators commit to running unmodified server code or disclose any code modifications, and also disclose server ownership and any other relevant information.</p>
<p>While we cannot require the operators of self-hosted and private servers to disclose any information about them (apart from which server code they use - this is the requirement of the AGPLv3 license to share this information with users connecting to the server), as we add other server operators to the app, it is important for the users to have all important information about these operators and servers location.</p>
<p>This server release adds server information page where all this information can be made available to the users. For example, this is <a href="https://smp8.simplex.im/" target="_blank">the information</a> about one of the servers preset in the app.</p>
<p>The updated server guide also includes <a href="https://simplex.chat/docs/server.html#">the instruction</a> about how to host this page for your server. It is generated as a static page when the server starts. We recommend using Caddy webserver to serve it.</p>
<h2 id="more-new-things-in-v58" tabindex="-1">More new things in v5.8</h2>
<h3 id="protect-ip-address-when-downloading-files-and-media" tabindex="-1">Protect IP address when downloading files &amp; media</h3>
<p>This version added the protection of your IP address when receiving files from unknown file servers without Tor. Images and voice messages won't automatically download from unknown servers too until you tap them, and confirm that you trust the file server where they were uploaded.</p>
<p>In Android and desktop app you can now customize how the app looks by choosing wallpapers with one of the preset themes or choose your own image as a wallpaper.</p>
<p>But this feature is not only about customization - it allows to set different colors and wallpaper for different user profiles and even specific conversations. You can also choose different themes for different chat profiles.</p>
<p>In case you use different identities for different conversations, it helps avoiding mistakes.</p>
<p>This version adds additional group configuration options to allow sending images, files and media, and also SimpleX links only to group administrators and owners. So with this release group owners can have more control over content shared in the groups.</p>
<p>We also stopped unnecessary traffic caused by the members who became inactive without leaving the groups - it should substantially reduce traffic and battery consumption to the users who send messages in large groups.</p>
<p><a href="https://simplex.chat/blog/20220511-simplex-chat-v2-images-files.html#the-first-messaging-platform-without-user-identifiers">How can SimpleX deliver messages without user identifiers</a>.</p>
<p><a href="https://simplex.chat/blog/20220711-simplex-chat-v3-released-ios-notifications-audio-video-calls-database-export-import-protocol-improvements.html#why-having-users-identifiers-is-bad-for-the-users">What are the risks to have identifiers assigned to the users</a>.</p>
<p><a href="https://github.com/simplex-chat/simplex-chat#privacy-and-security-technical-details-and-limitations">Technical details and limitations</a>.</p>
<p>Please also see our <a href="https://simplex.chat/">website</a>.</p>
<h2 id="help-us-with-donations" tabindex="-1">Help us with donations</h2>
<p>Huge thank you to everybody who donates to SimpleX Chat!</p>
<p>We are planning a 3rd party security audit for the protocols and cryptography design in July 2024, and also the security audit for an implementation in December 2024/January 2025, and it would hugely help us if some part of this $50,000+ expense is covered with donations.</p>
<p>We are prioritizing users privacy and security - it would be impossible without your support.</p>
<p>Our pledge to our users is that SimpleX protocols are and will remain open, and in public domain, - so anybody can build the future implementations of the clients and the servers. We are building SimpleX network based on the same principles as email and web, but much more private and secure.</p>
<p>Your donations help us raise more funds – any amount, even the price of the cup of coffee, makes a big difference for us.</p>
<p>See <a href="https://github.com/simplex-chat/simplex-chat/tree/master#help-us-with-donations">this section</a> for the ways to donate.</p>
<p>Recent anti-privacy legislations and proposals in <a href="https://www.theverge.com/2024/6/19/24181214/eu-chat-control-law-propose-scanning-encrypted-messages-csam">Europe</a>, <a href="https://theconversation.com/section-702-foreign-surveillance-law-lives-on-but-privacy-fight-continues-229253">the US</a> and <a href="https://www.theguardian.com/technology/article/2024/jun/20/meredith-walker-signal-boss-government-encryption-laws">Australia</a> threaten to infringe our fundamental right to privacy and to create grave risks to the <a href="https://simplex.chat/blog/20240601-protecting-children-safety-requires-e2e-encryption.html">safety</a> of children and vulnerable people. It's time we shift the focus: privacy should be a non-negotiable duty of technology providers, not just a right users must constantly fight to protect, and not something that users can be asked to consent away as a condition of access to a service.</p>
<p>Tech giants are trying to normalize surveillance capitalism, often with little to no consequences globally. These companies are contributing to a growing ecosystem where opting out of invasive data hoarding practices is becoming increasingly challenging, if not outright impossible. We are being gaslit by the technology executives who try to justify profiteering from AI theft, from <a href="https://www.computing.co.uk/news/4330395/microsoft-ai-chief-makes-questionable-claims-about-copyright-online-content">Microsoft</a> claiming all our content is fair game for their exploitation to unethical startups like <a href="https://www.theverge.com/2024/6/27/24187405/perplexity-ai-twitter-lie-plagiarism">Perplexity</a> turning the word “<a href="https://x.com/perplexity_ai/status/1789007907092066559">privacy</a>” into a marketable farce.</p>
<h2 id="the-ai-hypes-impact-on-privacy" tabindex="-1">The AI Hype’s Impact on Privacy</h2>
<p>The exaggeration of AI’s actual capabilities and the continuous promotion of its “intelligence” is creating a rat race where tech companies and well-funded startups are evading accountability, as they eagerly collect and exploit more data than ever.</p>
<p>They're prioritizing AI development over user privacy and rights, setting a dangerous precedent for current and future online engagements. They've already normalized the use of AI to scan and analyze supposedly private communications - from emails to instant messages - repackaging this intrusion as &quot;productivity tools”. Meanwhile, most consumers actually want <a href="https://iapp.org/news/a/most-consumers-want-data-privacy-and-will-act-to-defend-it">more data privacy</a>, not less, and are increasingly concerned by the lack of it.</p>
<p>The legal push towards “client-side scanning”, attacks on end-to-end encryption and the support for pro-surveillance legislation gives credibility to these highly intrusive practices that literally endanger lives. And we know that moral obligations mean nothing to corporations benefiting from these exploitative models, so we have to ensure that our demands for privacy are legally enforceable and non-negotiable.</p>
<p>We are encouraged to see more legal pressure on companies that exploit user data on a daily basis. For example, the European Center for Digital Rights’ (Noyb) <a href="https://noyb.eu/en/noyb-urges-11-dpas-immediately-stop-metas-abuse-personal-data-ai">complaints</a> against Meta’s abuse of personal data to train their AI and, and the demands from the Norwegian Consumer Council to data protection authority to ensure that applicable laws are enforced against Meta considering there is “<a href="https://www.forbrukerradet.no/side/legal-complaint-against-metas-use-of-personal-content-for-ai-training/">no way to remove personal data from AI models once Meta has begun the training</a>”.</p>
<p>Noyb is taking a strong stance against <a href="https://noyb.eu/en/project/cases">other companies</a> with similar exploitative models, including facial recognition surveillance tools often misused by law enforcement agencies. Consider <a href="https://noyb.eu/en/support">supporting</a> their ongoing efforts — we strongly believe legal action is one of the most effective means to hold these companies accountable for their persistent abuses, which are otherwise shielded by heavily funded self-serving lobby groups.</p>
<h2 id="privacy-as-a-legal-obligation" tabindex="-1">Privacy as a Legal Obligation</h2>
<p>We must shift from a defensive stance to a proactive one by proposing privacy legislation that puts users in direct control of their private data.</p>
<p>This legislation should:</p>
<ol>
<li>Establish non-negotiable provider duties for protecting user privacy, with hefty fines and consequences for service operators who do not comply.</li>
<li>Prevent providers from circumventing these duties through user consent clauses — it should be legally prohibited to ask for a consent to share user data or to use it for anything other than providing a service.</li>
<li>Prevent providers from asking for any more personal information from the users than technically necessary and legally required. For example, asking for a phone number as a condition of access to a service should be made illegal in most cases — it does not provide a sufficient security, exposes users' private information and allows simple aggregation of users' data across multiple services.</li>
<li>Create a strong legal framework that cannot be resisted or modified</li>
</ol>
<p>By codifying these principles into law, we can establish a strong technological framework that is built to create more value for end users, while protecting their privacy against data exploitation, criminal use and identity theft. We will continue the fight against illogical legislative proposals designed to normalize mass surveillance, but our efforts should equally gear towards creating and supporting new models and technological foundations that bring us far closer to the reality we urgently need.</p>
<p>There is great work being done by advocacy organizations, and service providers need to contribute to this fight as well by shifting the narrative and reclaiming the term “privacy” from the tech giants who co-opted and corrupted it. We must play a bigger role in supporting users in setting stronger boundaries, making demands, and refusing anything less than genuine privacy and data ownership, while getting comfortable with holding providers accountable for any violations.</p>
<p>Privacy should be seen as a fundamental obligation of technology providers, and legislators must actively enforce this expectation. The more consumers make this demand, the more pressure we put on anti-privacy lobbyists with rogue motives, the easier it will be to hold abusers accountable, and the more likely we can collectively ensure that a privacy-first web becomes a reality.</p>
<p>You can support privacy today by signing <a href="https://www.globalencryption.org/2024/05/joint-statement-on-the-dangers-of-the-may-2024-council-of-the-eu-compromise-proposal-on-eu-csam/">the petition</a> prepared by Global Encryption Coalition in support of communication privacy. You can also write to your elected representatives, explaining them how data privacy and encrypted communications protect children safety and reduce crime.</p>
<title>SimpleX network: the investment from Jack Dorsey and Asymmetric, v6.0 released with the new user experience and private message routing.</title>
<content type="html"><h1 id="simplex-network-the-investment-from-jack-dorsey-and-asymmetric-v60-released-with-the-new-user-experience-and-private-message-routing" tabindex="-1">SimpleX network: the investment from Jack Dorsey and Asymmetric, v6.0 released with the new user experience and private message routing.</h1>
<p><strong>Published:</strong> Aug 14, 2024</p>
<p><a href="https://simplex.chat/blog/20240814-simplex-chat-vision-funding-v6-private-routing-new-user-experience.html#simplex-chat-vision-and-funding-20">SimpleX Chat: vision and funding 2.0</a>:</p>
<ul>
<li><a href="https://simplex.chat/blog/20240814-simplex-chat-vision-funding-v6-private-routing-new-user-experience.html#the-past-investment-from-village-global">The past</a>: investment from Village Global.</li>
<li><a href="https://simplex.chat/blog/20240814-simplex-chat-vision-funding-v6-private-routing-new-user-experience.html#the-present-announcing-the-investment-from-jack-dorsey-and-asymmetric">The present</a>: announcing the investment from Jack Dorsey and Asymmetric Capital Partners.</li>
<li><a href="https://simplex.chat/blog/20240814-simplex-chat-vision-funding-v6-private-routing-new-user-experience.html#the-future-faster-development-and-transition-to-non-profit-governance">The future</a>: faster development and the path to non-profit governance.</li>
</ul>
<p><a href="https://simplex.chat/blog/20240814-simplex-chat-vision-funding-v6-private-routing-new-user-experience.html#whats-new-in-v60">What's new in v6.0</a>:</p>
<ul>
<li>Private message routing — now enabled by default.</li>
<li>archive contacts to chat later.</li>
<li>new way to start chat.</li>
<li><a href="https://simplex.chat/blog/20240814-simplex-chat-vision-funding-v6-private-routing-new-user-experience.html#moderate-like-a-pro">moderate like a pro</a>: delete many messages at once.</li>
<li>increase font size<sup>**</sup>.</li>
</ul>
</li>
<li><a href="https://simplex.chat/blog/20240814-simplex-chat-vision-funding-v6-private-routing-new-user-experience.html#new-media-options">New media options</a>:
<ul>
<li>play from the chat list.</li>
<li>blur for better privacy.</li>
<li><a href="https://simplex.chat/blog/20240814-simplex-chat-vision-funding-v6-private-routing-new-user-experience.html#share-from-other-apps">share from other apps</a><sup>*</sup>.</li>
</ul>
</li>
<li><a href="https://simplex.chat/blog/20240814-simplex-chat-vision-funding-v6-private-routing-new-user-experience.html#improved-networking-and-reduced-battery-usage">Improved networking and reduced battery usage</a></li>
</ul>
<p>* New for iOS app.</p>
<p>** Android and desktop apps.</p>
<h2 id="simplex-chat-vision-and-funding-20" tabindex="-1">SimpleX Chat: vision and funding 2.0</h2>
<h3 id="the-past-investment-from-village-global" tabindex="-1">The past: investment from Village Global</h3>
<p>Last year <a href="https://simplex.chat/blog/20230422-simplex-chat-vision-funding-v5-videos-files-passcode.html#how-is-it-funded-and-what-is-the-business-model">we announced</a> pre-seed funding from several angel investors and Village Global. Some of our users were very excited that we have funds to continue developing SimpleX network. But as some of Village Global LPs (Limited Partners) are <a href="https://www.villageglobal.vc/">the founders of very large technology companies</a>, some of our users were worried about any negative influence this investment might have on the project.</p>
<p><a href="https://www.villageglobal.vc/team/ben-casnocha">Ben Casnocha</a>, the founder and general partner of Village Global, commented on their investment:</p>
<blockquote>
<p>I believe in SimpleX Chat vision and team’s ability to execute it. The growing number of Internet users who demand privacy of their data and contacts will make SimpleX Chat profitable, which is critically important for any sustainable organization.</p>
<p>We are fortunate to have LPs who founded many iconic Internet ventures. But they don’t have any influence on the 400+ companies we invested in. They are financial investors in our fund and exert no control or influence on any of the underlying portfolio companies.</p>
<p>What's more, we believe that founders should lead their ventures, as it yields better results – our investment in SimpleX Chat has no control provisions. We are happy to help, but we don’t control any decisions nor have a board seat. Evgeny runs the company independently.</p>
</blockquote>
<p>Ben, thank you for believing in our vision – without it SimpleX Chat would simply not exist, as most other investors at the time did not believe that privacy could ever escape the niche of privacy enthusiasts – and we already see the first signs of it happening.</p>
<h3 id="the-present-announcing-the-investment-from-jack-dorsey-and-asymmetric" tabindex="-1">The present: announcing the investment from Jack Dorsey and Asymmetric</h3>
<p>The Android app recently hit <a href="https://play.google.com/store/apps/details?id=chat.simplex.app">100,000 downloads on Google Play Store</a>, and our users naturally ask for improved reliability, privacy, security, better user experience and design – all at the same time, and as soon as possible. This requires more funding.</p>
<p>We are very happy to announce that we now have funds to move faster – we raised a $1.3 million pre-seed round led by <a href="https://en.wikipedia.org/wiki/Jack_Dorsey">Jack Dorsey</a>, with participation of <a href="https://www.acp.vc/">Asymmetric Capital Partners</a> (ACP) VC fund.</p>
<p>When Jack discovered SimpleX Chat last year, he <a href="https://x.com/jack/status/1661681076983529479">posted on Twitter</a>:</p>
<blockquote>
<p>Better than Signal? Looks promising.<br />
A few bugs and UX issues but great foundation. Love that it’s public domain.</p>
<p>A full day with @SimpleX Chat. Solid overall. TestFlight is not recommended. There are some scaling issues today. And not the most intuitive onboarding for everyone. Name still reminds everyone of herpes. All fixable. It’s fast and doesn’t require a phone number or email and I do believe people will eventually see the value of that. Finally, some competition for Signal, and in a permissionless way. And def a solid path so apps don’t have to build their own DM experiences.</p>
</blockquote>
<p>Jack, we are super lucky to have your support and investment – thank you for believing in our ability to build a better messaging network! It is a hard work, and we’ve made a lot of progress since your note was written, and a lot of work is ongoing!</p>
<p>The ACP investment is strategically important – it is a fund that only invests in B2B startups, and SimpleX Chat currently is mostly used by individual users. Making a private communication network sustainable requires its adoption by businesses, and we already see a growing usage by the small teams.</p>
<p><a href="https://www.acp.vc/team/rob-biederman">Rob Biederman</a> and <a href="https://www.acp.vc/team/sam">Sam Clayman</a>, the partners of ACP, commented:</p>
<blockquote>
<p>We believe that SimpleX Chat network can grow into a de facto Internet standard for private and secure communications for both businesses and individual users, unifying instant and email-like messaging into a single product.</p>
<p>Emails no longer provide privacy and security that businesses require, particularly given the emerging threat of AI-led phishing and social engineering attacks. We look forward to SimpleX network providing a secure alternative.</p>
</blockquote>
<p>I was lucky to have met Rob, Sam and the ACP team when I was presenting SimpleX Chat in London – thank you all for your support and believing that the future of communication requires a single product, both for businesses and individual users.</p>
<h3 id="the-future-faster-development-and-the-path-to-non-profit-governance" tabindex="-1">The future: faster development and the path to non-profit governance</h3>
<p>Jack Dorsey and ACP support enable us to make huge product improvements, thanks to a bigger team, and provide us with medium-term funding to get to the next stage of product and business evolution. Like with Village Global, this is a financial investment, without control or board seat provisions – so the users can be certain that SimpleX remains true to our vision of privacy first communication network.</p>
<p>We already added two great engineers to the team and are about to hire a UX/UI designer.</p>
<p><a href="https://www.trailofbits.com/about/">Trail of Bits</a> has just completed the protocols design security review and will be doing implementation security review in the end of the year. We will publish the first report soon.</p>
<p>This year we will launch group improvements that we presented in the <a href="https://www.youtube.com/watch?v=7yjQFmhAftE">live-stream last year</a>. While the main problem explained in this video was solved with the current design, the issue of group scalability remains – to send a message to a group your client needs to send it to each member, creating substantial traffic.</p>
<p>We will also launch long-form email-like messaging over SimpleX network this year, together with optional short public addresses that show profile you are connecting to before the connection – this is important for any public users and businesses.</p>
<p>The last but not the least, we started the work with <a href="https://www.techlawpartners.com/heather">Heather Meeker</a>, a great legal expert on intellectual property matters and one of the earliest advocates of the open-source software development in businesses, to setup open-source governance model, to some extent similar to how Matrix did it. We believe, and our investors agree, that it would both increase the company value and also create more value for the users community.</p>
<h2 id="whats-new-in-v60" tabindex="-1">What's new in v6.0</h2>
<p>v6.0 is one of our biggest releases ever, with a lot of focus on UX and stability improvements, and the new features the users asked for.</p>
<p>The private message routing <a href="https://simplex.chat/blog/20240604-simplex-chat-v5.8-private-message-routing-chat-themes.html">we announced before</a> is now enabled for all users by default – it protects users IP addresses and sessions from the destination servers.</p>
<h4 id="connect-to-your-friends-faster" tabindex="-1">Connect to your friends faster</h4>
<p>This version includes messaging protocol improvements that reduce twice the number of messages required for two users to connect. Not only it means connecting faster and using less traffic, this change allows to start sending messages sooner, so you would see &quot;connecting&quot; in the list of the chats for a much shorter time than before.</p>
<p>It will be improved further in the next version: you will be able to send messages straight after using the invitation link, without waiting for your contact to be online.</p>
<p>Like with the most innovative mobile browsers (e.g., Safari and Firefox), SimpleX Chat users now can use the app with one hand by moving the toolbar and search bar to the bottom of the screen, and ordering the chats with the most recent conversations in the bottom too, where they can be more easily reached on a mobile screen.</p>
<p>This layout is enabled by default, and you can disable it right from the list of chats when you install the new version if you prefer to use conventional UI.</p>
<p>Give it a try – our experience is that that after less than a day of using it, it starts feeling as the only right way. You can always toggle it in the Appearance settings.</p>
<h4 id="archive-contacts-to-chat-later" tabindex="-1">Archive contacts to chat later</h4>
<p>Now you have two new options when deleting a conversation:</p>
<ul>
<li>only delete conversation, and archive contact. We will add archiving conversation without clearing it in the next version, as some users of our beta version asked.</li>
<li>delete contact but keep the conversation.</li>
</ul>
<p>Also, deleting a contact now requires double confirmation, so you are less likely to delete the contact accidentally. This deletion is irreversible, and the only way to re-connect would be using a new link.</p>
<h4 id="new-way-to-start-chat" tabindex="-1">New way to start chat</h4>
<p>When you tap pencil button, you will see a large <em>New message</em> sheet, that adds new functions to the options you had before.</p>
<p>Old options:</p>
<ul>
<li><em>Add contact</em> to create a new 1-time invitation link,</li>
<li><em>Scan / paste link</em>: to use the link you received. It can be 1-time invitation, a public SimpleX address, or a link to join the group.</li>
<p>We released the new themes <a href="https://simplex.chat/blog/20240604-simplex-chat-v5.8-private-message-routing-chat-themes.html">for Android and desktop apps</a> in the previous version, and now they are available for iOS too.</p>
<p>You can set different themes for different chat profiles you have, and for different conversations – it can help avoid mistakes about which conversation you are in.</p>
<p>Also, these themes are compatible between platforms, so you can import the theme created on Android into iOS app and vice versa.</p>
<h4 id="moderate-like-a-pro" tabindex="-1">Moderate like a pro</h4>
<p>As much as we disagree with the attacks on the freedom of speech on the society level – all people must be able to express their opinions – we also believe that the small community owners should have full control over which content is allowed and which is not. But as communities grow, bad actors begin to join in order to disrupt, subvert and troll the conversations. So, the moderation tools are critical for small public communities to thrive.</p>
<p>SimpleX Chat already has several moderation tools available for community owners:</p>
<li>Set the default role of the new members to &quot;observer&quot; — they won't be able to send messages until you allow it. In addition to that, by enabling default messages for admins and owners only you can reach out to the new members and ask some questions before allowing to send messages.</li>
<li>Block messages of a member for yourself only.</li>
<li>Block a member for all other members — only admins and group owners can do that.</li>
</ul>
<p>With this version you can now select multiple messages at once and delete or moderate them, depending on your role in the community. The current version limits the number of messages that can be deleted to 20 — this limit will be increased to 200 messages in the next version.</p>
<p>Also, this version makes profile images of the blocked members blurred, to prevent the abuse via inappropriate profile images.</p>
<h4 id="increase-font-size" tabindex="-1">Increase font size</h4>
<p>Android and desktop apps now allow to increase font size inside the app, without changing the system settings. Desktop app also allows to zoom the whole screen — it can be helpful on some systems with a limited support of high density displays.</p>
<p>These settings can be changed via Appearance settings.</p>
<h3 id="new-media-options" tabindex="-1">New media options</h3>
<h4 id="play-from-the-chat-list" tabindex="-1">Play from the chat list</h4>
<p>Now you can interact with the media directly from the list of the chats.</p>
<p>This is very convenient – when somebody sends you a voice message or a video, they can be played directly from the list of chats, without opening a conversation. Similarly, an image can be opened, a file can be saved, and the link with preview can be opened in the browser.</p>
<p>And, in some circumstances, this is also more private, as you can interact with the media, without opening the whole conversation.</p>
<p>We will add the option to return missed calls from the chat list in the next version.</p>
<h4 id="blur-for-better-privacy" tabindex="-1">Blur for better privacy</h4>
<p>You can set all images and videos to blur in your app, and unblur them on tap (or on hover in desktop app). The blur level can be set in Privacy and security settings.</p>
<h4 id="share-from-other-apps" tabindex="-1">Share from other apps</h4>
<p>Not much to brag about, as most iOS messaging apps allow it, and users expected it to be possible since the beginning.</p>
<p>But iOS makes it much harder to develop the capability to share into the app than Android, so it's only in this version you can share images, videos, files and links into SimpleX Chat from other apps.</p>
<h3 id="improved-networking-and-reduced-battery-usage" tabindex="-1">Improved networking and reduced battery usage</h3>
<p>This version includes the statistics of how your app communicates with all servers when sending and receiving messages and files. This information also includes the status of connection to all servers from which you receive messages — whether the connection is authorized to push messages from server to your device, and the share of these active connections.</p>
<p>Please note, that when you send a message to a group, your app has to send it to each member separately, so sent message statistics account for that — it may seem to be quite a large number if you actively participate in some large groups. Also, message counts not only include visible messages you receive and send, but also any service messages, reactions, message updates, message deletions, etc. — this is the correct reflection of how much traffic your app uses.</p>
<p>This information is only available to your device, we do NOT collect this information, even in the aggregate form.</p>
<p>While the main reason we added this information is to reduce traffic and battery usage, to be able to identify any cases of high traffic, this version already reduced a lot battery and traffic usage, as reported by several beta-version users.</p>
<p>Some links to answer the most common questions:</p>
<p><a href="https://simplex.chat/blog/20220511-simplex-chat-v2-images-files.html#the-first-messaging-platform-without-user-identifiers">How can SimpleX deliver messages without user identifiers</a>.</p>
<p><a href="https://simplex.chat/blog/20220711-simplex-chat-v3-released-ios-notifications-audio-video-calls-database-export-import-protocol-improvements.html#why-having-users-identifiers-is-bad-for-the-users">What are the risks to have identifiers assigned to the users</a>.</p>
<p><a href="https://github.com/simplex-chat/simplex-chat#privacy-and-security-technical-details-and-limitations">Technical details and limitations</a>.</p>
<p>Please also see our <a href="https://simplex.chat/">website</a>.</p>
<h2 id="please-support-us-with-your-donations" tabindex="-1">Please support us with your donations</h2>
<p>Huge thank you to everybody who donated to SimpleX Chat!</p>
<p>You might ask: <em>Why do you need donations if you've just raised the investment?</em></p>
<p>Prioritizing users privacy and security, and also raising the investment, would have been impossible without your support and donations.</p>
<p>Also, funding the work to transition the protocols to non-profit governance model would not have been possible without the donations we received from the users.</p>
<p>Our pledge to our users is that SimpleX protocols are and will remain open, and in public domain, so anybody can build the future implementations of the clients and the servers. We are building SimpleX platform based on the same principles as email and web, but much more private and secure.</p>
<p>Your donations help us raise more funds — any amount, even the price of the cup of coffee, makes a big difference for us.</p>
<p>See <a href="https://github.com/simplex-chat/simplex-chat/tree/master#help-us-with-donations">this section</a> for the ways to donate.</p>
<title>SimpleX network: cryptographic design review by Trail of Bits, v6.1 released with better calls and user experience.</title>
<content type="html"><h1 id="simplex-network-security-review-of-protocols-design-by-trail-of-bits-v61-released-with-better-calls-and-user-experience" tabindex="-1">SimpleX network: security review of protocols design by Trail of Bits, v6.1 released with better calls and user experience.</h1>
<p><strong>Published:</strong> Oct 14, 2024</p>
<li><a href="https://simplex.chat/blog/20241014-simplex-network-v6-1-security-review-better-calls-user-experience.html#review-findings-our-comments-and-improvements">review findings</a>, our comments and improvements.</li>
<li><a href="https://simplex.chat/blog/20241014-simplex-network-v6-1-security-review-better-calls-user-experience.html#next-security-audit-in-2025">next</a>: security audit in early 2025.</li>
</ul>
<p><a href="https://simplex.chat/blog/20241014-simplex-network-v6-1-security-review-better-calls-user-experience.html#whats-new-in-v61">What's new in v6.1</a>:</p>
<li><a href="https://simplex.chat/blog/20241014-simplex-network-v6-1-security-review-better-calls-user-experience.html#better-user-experience">better user experience</a>.</li>
</ul>
<h2 id="simplex-cryptographic-design-review-by-trail-of-bits" tabindex="-1">SimpleX cryptographic design review by Trail of Bits</h2>
<p>It's been almost two years since Trail of Bits did the first security assessment of SimpleX Chat.</p>
<p>Since then SimpleX Chat grew a lot, both in the number of users and in its functionality. We added XFTP — a protocol for sending files, — and XRCP — the protocol for using a mobile app profile from a desktop app. Messaging protocols also evolved a lot, adding private message routing and quantum resistant encryption.</p>
<p>Trail of Bits reviewed the design of protocols used in SimpleX network and applications in July 2024. Even though there are no critical issues, we made some security improvements based on this report.</p>
<p><a href="https://www.trailofbits.com/about">Trail of Bits</a> is a US based security and technology consultancy whose clients include big tech companies, governmental agencies and major blockchain projects. Its engineers reviewed the cryptographic design of the protocols used in SimpleX network and applications over a week:</p>
<ul>
<li>SimpleX Messaging Protocol (SMP), including a formal verification of currently used message queue negotiation protocol,</li>
<li>the file transfer protocol (XFTP),</li>
<li>the remote control protocol (XRCP),</li>
<li>and the chat protocol.</li>
</ul>
<p>There are 3 medium and 1 low severity findings, all of which require a high difficulty attack to exploit — the attacker would need to have a privileged access to the system, may need to know complex technical details, or must discover other weaknesses to exploit them. Additionally, there are 3 informational findings.</p>
<p>3 of these issues are improved in v6.1, and the remaining issues are accepted. Below we are commenting on these findings in detail, and also on the released improvements.</p>
<p>The full cryptographic design review is available <a href="https://github.com/simplex-chat/simplex-chat/blob/stable/docs/SimpleX_Design_Review_2024_Summary_Report_12_08_2024.pdf">here</a>.</p>
<p>We are very thankful to Trail of Bits and their engineers for their work identifying these issues and helping us make SimpleX Chat more secure.</p>
<h3 id="review-findings-our-comments-and-improvements" tabindex="-1">Review findings, our comments and improvements</h3>
<p>The review finding #1 is that the protocols specification is informal. We addressed <a href="https://github.com/simplex-chat/simplexmq/commit/7b6c86c6c1093cdae5ad2ee566655828076bc25c">reported</a> <a href="https://github.com/simplex-chat/simplex-chat/commit/1cb3c25478db0f2a42c943f7469f5f9f75752a27">inconsistencies</a>, and we accept that we need to improve specification beyond verbose descriptions and ABNF syntax specification, and add algebraic notations and sequence diagrams. Having said that, the current specification correctly describes the implemented protocol, without any contradictions.</p>
<h4 id="user-correlating-attacks-via-introduced-latency-or-via-get-command-of-messaging-protocol-medium-and-low-severity" tabindex="-1">User-correlating attacks via introduced latency or via GET command of messaging protocol (medium and low severity)</h4>
<p>These two findings #7 and #2 of the report relate to the attacks confirming that two known users communicate via observing their internet traffic.</p>
<p>The first attack is possible for a party that can introduce the latency in the network traffic. This attacker has to control some network node that passes the traffic of the sender — for example, it could be the sender's ISP, VPN provider, Tor entry node operator, the operator of the forwarding SMP server or a server hosting provider, etc. Such attacker can correlate delays in sender's traffic and the suspected recipient's traffic to confirm that they communicate.</p>
<p>The second attack relates to GET command used by iOS clients receiving notifications — depending on whether the server has the message, there will be a different number of packets sent, allowing the observer to determine if there was the message. While this comment is correct, in practice iOS clients only send GET commands when they receive notification, which also happens only when there is a message on the server, so in absolute majority of cases the number of packets will be the same.</p>
<p>These are not new findings — this type of attacks is covered in <a href="https://github.com/simplex-chat/simplexmq/blob/stable/protocol/overview-tjr.md#a-passive-adversary-able-to-monitor-a-set-of-senders-and-recipients">threat model</a>: <em>a passive adversary able to monitor a set of senders and recipients <strong>can</strong> perform traffic correlation attacks against senders and recipients and correlate senders and recipients within the monitored set, frustrated by the number of users on the servers</em>.</p>
<p>As threat model states, this attack is more likely to be successful with the less busy servers, and also for the users with few connections.</p>
<p>The recommendation of the review is to add optional randomized latency to message delivery that would reduce the opportunities for traffic correlation attacks — we consider adding it in the future.</p>
<h4 id="a-compromised-transport-protocol-allows-more-efficient-correlation-attacks-medium-severity" tabindex="-1">A compromised transport protocol allows more efficient correlation attacks (medium severity)</h4>
<p>The finding #3 is about the incorrect statement in threat model for SMP and XFTP protocols: <em>a passive adversary, able to monitor a set of senders and recipients, <strong>cannot</strong>, even in case of a compromised transport protocol perform traffic correlation attacks with any increase in efficiency over a non-compromised transport protocol</em>.</p>
<p>For protocols prior to v6.1 it is only partially correct, as responses to the commands that create a messaging queue or a file chunk include the identifiers both for senders and for the recipients, so if any observers were to compromise transport protocol (TLS) and record these identifiers, then they were able to correlate message senders with the recipients (and file recipients with the file senders).</p>
<p>The solution to make this correlation impossible even in case of compromised TLS is to encrypt these identifiers, as proposed in the review, or, better, encrypt the whole transmission inside TLS.</p>
<p>However unlikely is TLS being compromised, we added additional <a href="https://github.com/simplex-chat/simplexmq/pull/1317/files">transport encryption layer in SMP protocol</a>, where it can be more important, and we are going to add the same layer of encryption in XFTP protocol later, where we <a href="https://github.com/simplex-chat/simplexmq/commit/7b6c86c6c1093cdae5ad2ee566655828076bc25c">amended the threat model</a>.</p>
<p>XRCP protocol is used for connecting desktop and mobile. There are two findings in the review:</p>
<ul>
<li>SHA256 was used as a KDF in XRCP (#4).</li>
<li>there was no forward secrecy or break-in recovery between sessions (#5).</li>
</ul>
<p>SHA256 is now <a href="https://github.com/simplex-chat/simplexmq/pull/1302/files">replaced with SHA3-256</a>, as was <a href="https://www.ietf.org/archive/id/draft-josefsson-ntruprime-hybrid-01.html">recommended</a> by the internet draft about hybrid key agreement that XRCP uses.</p>
<p>Even though XRCP sessions are short lived, and usually the connection happens over local network, we added forward secrecy to XRCP sessions <a href="https://github.com/simplex-chat/simplexmq/pull/1328/files">here</a> and <a href="https://github.com/simplex-chat/simplex-chat/pull/4926/files">here</a> — each request from desktop app to mobile app is now encrypted with a new key derived from chain ratchets. This improves security of this connection.</p>
<p>We believe that it is unnecessary to have in-session break-in recovery in XRCP protocol, as there is break-in recovery between the sessions.</p>
<h4 id="device-compromise-can-be-hidden-in-some-scenarios-medium" tabindex="-1">Device compromise can be hidden in some scenarios (medium)</h4>
<p>The finding #6 in the report is about an attacker who was not only able to break into the device and get a copy of the database, which would be mitigated by break-in recovery in <a href="https://simplex.chat/docs/glossary.html#double-ratchet-algorithm">double ratchet protocol</a>, but also was able to modify the state of the app database and to substitute the addresses and cryptographic keys of the messaging queues used with some contact with other message queues that the attacker controls.</p>
<p>Even though this is a very hard attack, if successful, it would allow the attacker intercepting all messages with this contact.</p>
<p>Effectively, it is a <a href="https://simplex.chat/docs/glossary.html#man-in-the-middle-attack">man-in-the-middle attack</a>, where an intermediary is inserted via the app database modification. Such attack can be mitigated by periodic verification of security codes. Although, the attacker who was able to modify the state of the device, could have also modified the app itself, making it show the same security code as the compromised contact has, thus avoiding detection.</p>
<p>We accept that such an attack is possible, and we don't believe there is any viable defense against the attacker who can modify the device state. We may consider adding the measures to validate the database integrity, but they may be ineffective in case the app and/or operating system are compromised.</p>
<h3 id="next-security-audit-in-2025" tabindex="-1">Next: security audit in 2025</h3>
<p>We are planning the implementation security assessment with Trail of Bits in the beginning of 2025. It will be a twice bigger assessment than we did in 2022 — it will cover both the core of the app and the handling of cryptographic secrets in the mobile applications.</p>
<h2 id="whats-new-in-v61" tabindex="-1">What's new in v6.1</h2>
<p>This release has many user experience and stability improvements.</p>
<p>This release improves reliability and usability of the calls. Now you can enable the camera and share the screen from the desktop app even if the call started as a voice call. We've also fixed several issues that prevented calls from connecting.</p>
<p>This is a substantial change, and some issues may have been introduced - please report them.</p>
<p>We will be further improving the calls interface in the app in the next versions.</p>
<p>iOS notifications were added <a href="https://simplex.chat/blog/20220711-simplex-chat-v3-released-ios-notifications-audio-video-calls-database-export-import-protocol-improvements.html">more than 2 years ago</a>, based on this <a href="https://simplex.chat/blog/20220404-simplex-chat-instant-notifications.html">system design</a>. Until recently we made almost no improvements to them. As the number of iOS users is growing, their reliability is insufficient. In addition to that, once we started the work on improving them, we have found several important issues, one of which was introduced recently, when we improved the speed of creating new connections.</p>
<p>This release fixes many important issues with iOS notifications delivery in iOS app, improves app performance and reduces traffic required to manage notifications.</p>
<p>We also fixed several notification server issues, made change that almost completely prevents losing notifications when notification servers are restarted, and added real-time monitoring to diagnose any issues with iOS notifications delivery.</p>
<p>This work is not over – iOS notifications in a decentralized network are complex and require more work. We will be further improving both client apps and servers to make their delivery stable.</p>
<h3 id="better-user-experience" tabindex="-1">Better user experience</h3>
<h4 id="new-conversation-layout-and-customizable-messages" tabindex="-1">New conversation layout and customizable messages</h4>
<p>Messages are now grouped when they are sent sequentially, with less than 60 seconds between them. We also made message shapes configurable, and separated the messages in different days. When you scroll conversation quickly, there will be a floating date indication, allowing to find messages faster.</p>
<h4 id="improved-switching-between-user-profiles" tabindex="-1">Improved switching between user profiles</h4>
<p>Another improvement relates to switching between chat profiles. Previously, when you added multiple chat profiles to the app, there were two problems:</p>
<ul>
<li>you had to tap twice to get to some important functions in the app,</li>
<li>anybody who could see your screen, could also see all your chat profiles.</li>
</ul>
<p>We changed this design by making important functions available after tapping profile image once, and by only showing the previously used profile image to switch to it quickly, while switching to other profiles now requires scrolling to them or opening <em>Your chat profiles</em> screen.</p>
<p>You also can switch chat profile when creating a one-time invitation link.</p>
<h4 id="faster-deletion-moderation-and-forwarding-of-messages" tabindex="-1">Faster deletion, moderation and forwarding of messages</h4>
<p>You now can forward multiple messages at once - up to 20. If you are forwarding messages with files or media, and they were not received, the app will offer you to download them, and it will also allow forwarding messages without files. These messages will be &quot;packed&quot; into the smallest number of sent messages as possible. If there are no images and messages are not too large, it will be just one sent message containing all forwarded messages.</p>
<p>The previous version allowed deleting and moderating multiple messages. As most users now upgraded the app, we increased the maximum number of messages that can be deleted or moderated to 200 messages - in most cases all these deletions will be packed into one sent message.</p>
<p>Some links to answer the most common questions:</p>
<p><a href="https://simplex.chat/blog/20220511-simplex-chat-v2-images-files.html#the-first-messaging-platform-without-user-identifiers">How can SimpleX deliver messages without user identifiers</a>.</p>
<p><a href="https://simplex.chat/blog/20220711-simplex-chat-v3-released-ios-notifications-audio-video-calls-database-export-import-protocol-improvements.html#why-having-users-identifiers-is-bad-for-the-users">What are the risks to have identifiers assigned to the users</a>.</p>
<p><a href="https://github.com/simplex-chat/simplex-chat#privacy-and-security-technical-details-and-limitations">Technical details and limitations</a>.</p>
<p>Please also see our <a href="https://simplex.chat/">website</a>.</p>
<h2 id="please-support-us-with-your-donations" tabindex="-1">Please support us with your donations</h2>
<p>Huge <em>thank you</em> to everybody who donated to SimpleX Chat!</p>
<p>Prioritizing users privacy and security, and also raising the investment, would have been impossible without your support and donations.</p>
<p>Also, funding the work to transition the protocols to non-profit governance model would not have been possible without the donations we received from the users.</p>
<p>Our pledge to our users is that SimpleX protocols are and will remain open, and in public domain, so anybody can build the future implementations of the clients and the servers. We are building SimpleX platform based on the same principles as email and web, but much more private and secure.</p>
<p>Your donations help us raise more funds — any amount, even the price of the cup of coffee, makes a big difference for us.</p>
<p>See <a href="https://github.com/simplex-chat/simplex-chat/tree/master#help-us-with-donations">this section</a> for the ways to donate.</p>
<p>The <a href="https://www.wired.com/story/neo-nazis-flee-telegram-encrypted-app-simplex/">Wired article</a> by David Gilbert focusing on neo-Nazis moving to SimpleX Chat following the Telegram's changes in privacy policy is biased and misleading. By cherry-picking information from <a href="https://www.isdglobal.org/digital_dispatches/neo-nazi-accelerationists-seek-new-digital-refuge-amid-looming-telegram-crackdown/">the report</a> by the Institute for Strategic Dialogue (ISD), Wired fails to mention that SimpleX network design prioritizes privacy in order to protect human rights defenders, journalists, and everyday users who value their privacy — many people feel safer using SimpleX than non-private apps, being protected from strangers contacting them.</p>
<p>Yes, privacy-focused SimpleX network offers encryption and anonymity — that’s the point. To paint this as problematic solely because of who may use such apps misses the broader, critical context.</p>
<p>SimpleX’s true strength lies in protection of <a href="https://simplex.chat/blog/20240416-dangers-of-metadata-in-messengers.html">users' metadata</a>, which can reveal sensitive information about who is communicating, when, and how often. SimpleX protocols are designed to minimize metadata collection. For countless people, especially vulnerable groups, these features can be life-saving. Wired article ignores these essential protections, and overlooks the positive aspects of having such a unique design, as noted in the publication which <a href="https://www.maargentino.com/is-telegrams-privacy-shift-driving-extremists-toward-simplex/">they link to</a>:</p>
<blockquote>
<p><em>“SimpleX also has a significant advantage when it comes to protecting metadata — the information that can reveal who you’re talking to, when, and how often. SimpleX is designed with privacy at its core, minimizing the amount of metadata collected and ensuring that any temporary data necessary for functionality is not retained or linked to identifiable users.”</em></p>
</blockquote>
<p>Both publications referenced by Wired also explore how SimpleX design actually hinders extremist groups from spreading propaganda or building large networks. SimpleX design restricts message visibility and file retention, making it far from ideal for those looking to coordinate large networks. Yet these important qualities are ignored by Wired in favor of fear-mongering about encryption — an argument we've seen before when apps like Signal <a href="https://foreignpolicy.com/2021/03/13/telegram-signal-apps-right-wing-extremism-islamic-state-terrorism-violence-europol-encrypted/">faced similar treatment</a>. Ironically, Wired just a month earlier encouraged its readers to <a href="https://www.wired.com/story/gadget-lab-podcast-657/">adopt encrypted messaging apps</a>, making its current stance even more contradictory.</p>
<p>The vilification of apps that offer critically important privacy, anonymity, and encryption must stop. That a small share of users may abuse these tools doesn’t justify broad criticism. Additionally, the lobbying for client-side scanning, which Wired’s article seems to indirectly endorse, is not only dangerous but goes against fundamental principles of free speech and personal security. We strongly oppose the use of private communications for any kind of monitoring, including AI training, which would undermine the very trust encryption is designed to build.</p>
<p>It’s alarming to see Wired not only criticize SimpleX for its strong privacy protections but also subtly blame the European Court of Human Rights for <a href="https://www.theregister.com/2024/02/15/echr_backdoor_encryption/">upholding basic human rights</a> by rejecting laws that would force encrypted apps to scan and hand over private messages before encryption. Wired writes:</p>
<blockquote>
<p><em>…European Court of Human Rights decision in February of this year ruled that forcing encrypted messaging apps to provide a backdoor to law enforcement was illegal. This decision undermined the EU’s controversial proposal that would potentially force encrypted messaging apps to scan all user content for identifiers of child sexual abuse material.</em></p>
</blockquote>
<p>This commentary is both inappropriate and misguided — it plays into the hands of anti-privacy lobbyists attempting to criminalize access to private communications. Framing privacy and anonymity as tools for criminals ignores the reality that these protections are essential for millions of legitimate users, from activists to journalists, to ordinary citizens. Client-side scanning can't have any meaningful effect on reducing CSAM distribution, instead resulting in increase of crime and abuse when criminals get access to this data.</p>
<p>We need to correct this narrative. The real danger lies not in protecting communication, but in failing to do so. Privacy apps like SimpleX are crucial, not just for those resisting mass surveillance, but for everyone who values the right to communicate without fear of their conversations being monitored or misused. This is a right we must defend and incorporate into law, <a href="https://simplex.chat/blog/20240704-future-of-privacy-enforcing-privacy-standards.html">as we wrote before</a>.</p>
<p>Wired could have stood on the right side of this battle and helped normalize the demand for privacy, genuinely protecting people from criminals and from the exploitation of the increasingly AI-enabled mass surveillance. Instead they chose the path of spreading fear and uncertainty of encrypted messaging and tools that enable privacy and anonymity.</p>
<p>Spreading misinformation about privacy and security undermines trust in the tools that protect us, making it easier to justify more invasive surveillance measures that chip away at our civil liberties.</p>
<p>Wired did not respond to our request for comment.</p>
<title>Servers operated by Flux - true privacy and decentralization for all users</title>
<content type="html"><h1 id="servers-operated-by-flux-true-privacy-and-decentralization-for-all-users" tabindex="-1">Servers operated by Flux — true privacy and decentralization for all users</h1>
<p><strong>Published:</strong> Nov 25, 2024</p>
<ul>
<li><a href="https://simplex.chat/blog/20241125-servers-operated-by-flux-true-privacy-and-decentralization-for-all-users.html#welcome-flux--the-new-servers-in-v62-beta1">Welcome, Flux</a> — the new servers in v6.2-beta.1!</li>
<li><a href="https://simplex.chat/blog/20241125-servers-operated-by-flux-true-privacy-and-decentralization-for-all-users.html#whats-the-problem">What's the problem</a>?</li>
<li><a href="https://simplex.chat/blog/20241125-servers-operated-by-flux-true-privacy-and-decentralization-for-all-users.html#using-two-operators-improves-connection-privacy">Using two operators improves connection privacy</a>.</li>
<li><a href="https://simplex.chat/blog/20241125-servers-operated-by-flux-true-privacy-and-decentralization-for-all-users.html#simplex-decentralization-compared-with-matrix-session-and-tor">SimpleX decentralization</a> compared with Matrix, Session and Tor.</li>
<li><a href="https://simplex.chat/blog/20241125-servers-operated-by-flux-true-privacy-and-decentralization-for-all-users.html#whats-next-for-simplex-network-decentralization">What's next</a> for SimpleX network decentralization?</li>
</ul>
<h2 id="welcome-flux-the-new-servers-in-v62-beta1" tabindex="-1">Welcome, Flux – the new servers in v6.2-beta.1!</h2>
<p><a href="https://runonflux.com/">Flux</a> is a decentralized cloud infrastructure that consists of user-operated nodes [1]. With this beta release all SimpleX Chat users can use pre-configured Flux servers to improve metadata privacy and decentralization.</p>
<p>We are very grateful to <a href="https://x.com/dak_flux">Daniel Keller</a>, CEO and co-founder of Flux, for supporting SimpleX network, and betting on our vision of extreme decentralization of communication. Flux investing their infrastructure in our vision is a game changer for us and our users.</p>
<p>Download new mobile and desktop SimpleX apps from <a href="https://testflight.apple.com/join/DWuT2LQu">TestFlight</a> (iOS), <a href="https://play.google.com/store/apps/details?id=chat.simplex.app">Play Store</a>, our <a href="https://simplex.chat/fdroid/">F-Droid repo</a> or <a href="https://github.com/simplex-chat/simplex-chat/releases/tag/v6.2.0-beta.1">GitHub</a>.</p>
<p>Read on to learn why it is important and how using several operators improves metadata privacy.</p>
<h2 id="whats-the-problem" tabindex="-1">What's the problem?</h2>
<p>SimpleX network is fully decentralized, without any central component or bootstrap nodes — you could use your own servers from day one. While there is no full list of SimpleX network servers, we see many hundreds of servers in public groups.</p>
<p>But a large number of SimpleX app users use the servers pre-configured in the app. Even though the app randomly chooses 4 servers in each connection to improve privacy and security, prior to v6.2 for these users the servers were operated by the same company — ourselves.</p>
<p>Our open-source code that we are <a href="https://simplex.chat/blog/20240426-simplex-legally-binding-transparency-v5-7-better-user-experience.html#legally-binding-transparency">legally bound to use</a> doesn't provide any metadata that could be used to learn who connects to whom. But the privacy of users' connections still depends on us honouring our promises and <a href="https://simplex.chat/blog/https%3A//github.com/simplex-chat/simplex-chat/blob/stable/simplex-chat/PRIVACY.md">privacy policy</a>. Flux servers in the app improve that.</p>
<h2 id="using-two-operators-improves-connection-privacy" tabindex="-1">Using two operators improves connection privacy</h2>
<p>To ensure that the users' metadata from different servers cannot be combined to discover who talks to whom, the servers in each connection have to be operated by different independent organizations.</p>
<p>Before this version the app was choosing servers randomly. Now, when both SimpleX Chat and Flux servers are enabled it will always choose servers of different operators in each connection to receive messages and for <a href="https://simplex.chat/blog/20240604-simplex-chat-v5.8-private-message-routing-chat-themes.html">private message routing</a>, increasing metadata privacy for all users.</p>
<p>Flux servers are configured as opt-in, and the privacy policy and conditions of use that apply to Flux servers are the same as for SimpleX Chat servers, to make it simple for the users.</p>
<p>To improve connection privacy by using Flux servers all you have to do is to enable Flux once the app offers it, or later, via Network &amp; servers settings, and accept that the same conditions apply.</p>
<p>By default, if both Flux and SimpleX servers are enabled in this version, you will be using SimpleX Chat servers to receive messages, Flux servers to forward messages to SimpleX Chat servers, and the servers of both to forward messages to unknown servers. We will enable Flux to receive messages by default a bit later, or you can change it now via settings.</p>
<p>Any additional servers you add to app configuration are treated as belonging to another operator, so they will also be used to improve connection privacy, together with pre-configured servers, unless you disable them.</p>
<h2 id="simplex-decentralization-compared-with-matrix-session-and-tor" tabindex="-1">SimpleX decentralization compared with Matrix, Session and Tor</h2>
<p>SimpleX network decentralization model is different from other decentralized networks in several important aspects.</p>
<p>Fully decentralized networks do not have a central component, bootstrap nodes or any global shared state, like in cryptocurrency/blockchain-based communication networks. The presence of any central component or shared state introduces an attack vector that undermines privacy and security of the network.</p>
<p><strong>No user profile identity</strong></p>
<p>User profile identities, even if it is only a random number or a long-term key, undermine privacy of users connections, because in some cases they may allow network operators, observers and users to find out who talks to whom.</p>
<p>Most communication networks rely on fixed user profile identities. It includes Matrix and communication networks with onion routing.</p>
<p>SimpleX network design avoids the need for profile identities or keys, while still allowing optional long-term addresses for users and groups for convenience. It protects users from being discovered and approached by malicious parties, and many family users chose to use SimpleX with children because of it.</p>
<p>SimpleX network has <a href="https://simplex.chat/blog/20240604-simplex-chat-v5.8-private-message-routing-chat-themes.html">private message routing</a> (2-hop onion routing) — it prevents server operators from discovering who connects to whom via network traffic metadata. Onion routing used in Tor-based messengers and in Session also hides it. But because neither Tor nor Session users have knowledge about who operates servers, in some cases the clients may connect via the servers controlled by one entity, that may learn the IP addresses of both parties.</p>
<p>Statistically, if traffic metadata from 2% of onion network servers is available to an attacker, and the client chooses servers randomly, after about 1750 of such choices the probability of choosing attacker's servers as both entry and exit nodes, and connection privacy being compromised becomes over 50% [2].</p>
<p>Matrix network does not provide connection privacy, as not only user identity exists, it is tied to a specific server that knows all user connections and a part of user's contacts connections. What is worse, Element — the most widely used Matrix app — offers the servers of only one organization to create an account, resulting in some degree of network centralization.</p>
<p>Operator transparency means that network users know who operates the servers they use.</p>
<p>You may argue that when the operators are known, the servers data can be requested by the authorities. But such requests, in particular when multiple operators are used by all users, will follow a due legal process, and will not result in compromising the privacy of all users.</p>
<p>With Tor and Session networks such legal process becomes impossible, and some users may see it as advantage. But nothing prevents the attackers, both criminal and corporate- or state-funded, to compromise the privacy of Tor or Session users by running many servers, or by purchasing traffic metadata from the existing server owners — there are no legal conditions that prohibit server owners of these networks to share or sell traffic data.</p>
<p>Because of that, we see operator transparency in SimpleX network as a better trade-off for privacy of most users than operator anonymity provided by Session and Tor. You can see privacy of network participants as a zero sum game — for the end users to have it, server operators should be known.</p>
<h2 id="whats-next-for-simplex-network-decentralization" tabindex="-1">What's next for SimpleX network decentralization</h2>
<p>SimpleX network is designed for extreme decentralization — not only users are distributed across network operators, as happens with federated networks, but each conversation will be relying on servers of 4-6 independent operators, and these operators will be regularly and automatically changed in the near future.</p>
<p>We believe that the only viable commercial model is freemium — a small share of paying users, who have better service quality and additional features, sponsors free users. This model doesn't have downsides of exploitative &quot;provide service, sell data&quot; approaches, that technology monopolies practice, and it also doesn't have problems of cryptocurrency blockchains, that have shared and immutable state, and also have regulatory problems.</p>
<p>To provide this extreme decentralization with freemium model we will create the system of payments allowing server operators to receive money for infrastructure certificates that will be used with any other participating network operators without compromising privacy of the paying users. You can read about this model <a href="https://github.com/simplex-chat/simplex-chat/blob/stable/docs/rfcs/2024-04-26-commercial-model.md">here</a>. We will be writing more about it as this development progresses.</p>
<p>Some links to answer the most common questions:</p>
<p><a href="https://simplex.chat/blog/20220511-simplex-chat-v2-images-files.html#the-first-messaging-platform-without-user-identifiers">How can SimpleX deliver messages without user identifiers</a>.</p>
<p><a href="https://simplex.chat/blog/20220711-simplex-chat-v3-released-ios-notifications-audio-video-calls-database-export-import-protocol-improvements.html#why-having-users-identifiers-is-bad-for-the-users">What are the risks to have identifiers assigned to the users</a>.</p>
<p><a href="https://github.com/simplex-chat/simplex-chat#privacy-and-security-technical-details-and-limitations">Technical details and limitations</a>.</p>
<p>Please also see our <a href="https://simplex.chat/">website</a>.</p>
<h2 id="please-support-us-with-your-donations" tabindex="-1">Please support us with your donations</h2>
<p>Huge <em>thank you</em> to everybody who donated to SimpleX Chat!</p>
<p>Prioritizing users privacy and security, and also raising the investment, would have been impossible without your support and donations.</p>
<p>Also, funding the work to transition the protocols to non-profit governance model would not have been possible without the donations we received from the users.</p>
<p>Our pledge to our users is that SimpleX protocols are and will remain open, and in public domain, so anybody can build the future implementations of the clients and the servers. We are building SimpleX platform based on the same principles as email and web, but much more private and secure.</p>
<p>Your donations help us raise more funds — any amount, even the price of the cup of coffee, makes a big difference for us.</p>
<p>See <a href="https://github.com/simplex-chat/simplex-chat/#please-support-us-with-your-donations">this section</a> for the ways to donate.</p>
<p>Thank you,</p>
<p>Evgeny</p>
<p>SimpleX Chat founder</p>
<p>[1] You can also to self-host your own SimpleX servers on <a href="https://home.runonflux.io/apps/marketplace?q=simplex">Flux decentralized cloud</a>.</p>
<p>[2] The probability of connection being de-anonymized and the number of random server choices follow this equation: <code>(1 - s ^ 2) ^ n = 1 - p</code>, where <code>s</code> is the share of attacker-controlled servers in the network, <code>n</code> is the number of random choices of entry and exit nodes for the circuit, and <code>p</code> is the probability of both entry and exit nodes, and the connection privacy being compromised. Substituting <code>0.02</code> (2%) for <code>s</code>, <code>0.5</code> (50%) for <code>p</code>, and solving this equation for <code>n</code> we obtain that <code>1733</code> random circuits have 50% probability of privacy being compromised.</p>
<p>Also see <a href="https://ritter.vg/p/tor-v1.6.pdf">this presentation about Tor</a>, specifically the approximate calculations on page 76, and also <a href="https://blog.torproject.org/announcing-vanguards-add-onion-services/">Tor project post</a> about the changes that made attack on hidden service anonymity harder, but still viable in case the it is used for a long time.</p>
<title>SimpleX network: preset servers operated by Flux, business chats and more with v6.2 of the apps</title>
<content type="html"><h1 id="simplex-network-preset-servers-operated-by-flux-business-chats-and-more-with-v62-of-the-apps" tabindex="-1">SimpleX network: preset servers operated by Flux, business chats and more with v6.2 of the apps</h1>
<p><strong>Published:</strong> Dec 10, 2024</p>
<p>What's new in v6.2:</p>
<ul>
<li><a href="https://simplex.chat/blog/20241210-simplex-network-v6-2-servers-by-flux-business-chats.html#simplex-chat-and-flux-improve-metadata-privacy-in-simplex-network">SimpleX Chat and Flux</a> improve metadata privacy in SimpleX network.</li>
<li><a href="https://simplex.chat/blog/20241210-simplex-network-v6-2-servers-by-flux-business-chats.html#business-chats">Business chats</a> to provide support from your business to users of SimpleX network.</li>
<li><a href="https://simplex.chat/blog/20241210-simplex-network-v6-2-servers-by-flux-business-chats.html#better-user-experience">Better user experience</a>: open on the first unread, jump to quoted messages, see who reacted.</li>
<li><a href="https://simplex.chat/blog/20241210-simplex-network-v6-2-servers-by-flux-business-chats.html#improving-notifications-in-ios-app">Improving notifications in iOS app</a>.</li>
</ul>
<h2 id="whats-new-in-v62" tabindex="-1">What's new in v6.2</h2>
<h3 id="simplex-chat-and-flux-improve-metadata-privacy-in-simplex-network" tabindex="-1">SimpleX Chat and Flux improve metadata privacy in SimpleX network</h3>
<p>SimpleX Chat and <a href="https://runonflux.com/">Flux</a> (Influx Technology Limited) made an agreement to include messaging and file servers operated by Flux into the app.</p>
<p>SimpleX network is decentralized by design, but in the users of the previous app versions had to find other servers online or host servers themselves to use any other servers than operated by us.</p>
<p>Now all users can choose between servers of two companies, use both of them, and continue using any other servers they host or available online.</p>
<p>To use Flux servers enable them when the app offers it, or at any point later via Network &amp; servers settings in the app.</p>
<p>When both SimpleX Chat and Flux servers are enabled, the app will use servers of both operators in each connection to receive messages and for <a href="https://simplex.chat/blog/20240604-simplex-chat-v5.8-private-message-routing-chat-themes.html">private message routing</a>, increasing metadata privacy for all users.</p>
<p>Read more about why SimpleX network benefits from multiple operators in <a href="https://simplex.chat/blog/20241125-servers-operated-by-flux-true-privacy-and-decentralization-for-all-users.html">our previous post</a>.</p>
<p>You can also read about our plan <a href="https://github.com/simplex-chat/simplex-chat/blob/stable/docs/rfcs/2024-04-26-commercial-model.md">how network operators will make money</a>, while continuing to protect users privacy, based on network design rather than on trust to operators, and without any cryptocurrency emission.</p>
<p>We use SimpleX Chat to provide support to SimpleX Chat users, and we also see some other companies offering SimpleX Chat as a support channel.</p>
<p>One of the problem of providing support via general purpose messengers is that the customers don't see who they talk to, as they can in all dedicated support systems.</p>
<p>It is not possible in most messengers, including SimpleX Chat prior to v6.2 - every new customer joins a one-to-one conversation, where the customers see that they talk to a company, not knowing who they talk to, and if it's a bot or a human.</p>
<p>The new business chats in SimpleX Chat solve this problem: to use them enable the toggle under the contact address in your chat profile. It is safe to do, and you can always toggle it off, if needed - the address itself does not change.</p>
<p>Once you do it, the app will be creating a new business chat with each connecting customer where multiple people can participate. Business chat is a hybrid of one-to-one and group conversation. In the list of chats you will see customer names and avatars, and the customer will see your business name and avatar, like with one-to-one conversations. But inside it works as a group, allowing customer to see who sent the message, and allowing you to add other participants from the business side, for delegation and escalation of customer questions.</p>
<p>This can be done manually, or you can automate these conversations using bots that can answer some customer questions and then add a human to the conversation when appropriate or requested by the customer. We will be offering more bot-related features to the app and a simpler way to program bots very soon - watch our announcements.</p>
<h3 id="better-user-experience" tabindex="-1">Better user experience</h3>
<p>This has been a long-standing complaint from the users: <em>why does the app opens conversations on the last message, and not on the first unread message</em>?</p>
<p>Android and desktop apps now open the chat on the first unread message. It will soon be done in the iOS app too.</p>
<p>Also, the app can scroll to the replied message anywhere in the conversation (when you tap it), even if it was sent a very long time ago.</p>
<p><strong>See who reacted!</strong></p>
<p>This is a small but important change - you can now see who reacted to your messages!</p>
<h3 id="improving-notifications-in-ios-app" tabindex="-1">Improving notifications in iOS app</h3>
<p>iOS notifications in a decentralized network is a complex problem. We <a href="https://simplex.chat/blog/20220404-simplex-chat-instant-notifications.html#ios-notifications-require-a-server">support iOS notifications</a> from early versions of the app, focussing on preserving privacy as much as possible. But the reliability of notifications was not good enough.</p>
<p>We solved several problems of notification delivery in this release:</p>
<ul>
<li>messaging servers no longer lose notifications while notification servers are restarted.</li>
<li>Apple can drop notifications while your device is offline - about 15-20% of notifications are dropped because of it. The servers and the new version of the app work around this problem by delivering several last notifications, to show notifications correctly even when Apple drops them.</li>
</ul>
<p>With these changes the iOS notifications remained as private and secure as before. The notifications only contain metadata, without the actual messages, and even the metadata is end-to-end encrypted between SimpleX notification servers and the client device, inaccessible to Apple push notification servers.</p>
<p>There are two remaining problems we will solve soon:</p>
<ul>
<li>iOS only allows to use 25mb of device memory when processing notifications in the background. This limit didn't change for many years, and it is challenging for decentralized design. If the app uses more memory, iOS kills it and the notification is not shown – approximately 10% of notifications can be lost because of that.</li>
<li>for notifications to work, the app communicates with the notification server. If the user puts the app in background too quickly, the app may fail to enable notification for the new contacts. We plan to change clients and servers to delegate this task to messaging servers, to remove the need for this additional communication entirely, without any impact on privacy and security. This will happen early next year.</li>
<p>Some links to answer the most common questions:</p>
<p><a href="https://simplex.chat/blog/20220511-simplex-chat-v2-images-files.html#the-first-messaging-platform-without-user-identifiers">How can SimpleX deliver messages without user identifiers</a>.</p>
<p><a href="https://simplex.chat/blog/20220711-simplex-chat-v3-released-ios-notifications-audio-video-calls-database-export-import-protocol-improvements.html#why-having-users-identifiers-is-bad-for-the-users">What are the risks to have identifiers assigned to the users</a>.</p>
<p><a href="https://github.com/simplex-chat/simplex-chat#privacy-and-security-technical-details-and-limitations">Technical details and limitations</a>.</p>
<p>Please also see our <a href="https://simplex.chat/">website</a>.</p>
<h2 id="please-support-us-with-your-donations" tabindex="-1">Please support us with your donations</h2>
<p>Huge <em>thank you</em> to everybody who donated to SimpleX Chat!</p>
<p>Prioritizing users privacy and security, and also raising the investment, would have been impossible without your support and donations.</p>
<p>Also, funding the work to transition the protocols to non-profit governance model would not have been possible without the donations we received from the users.</p>
<p>Our pledge to our users is that SimpleX protocols are and will remain open, and in public domain, so anybody can build the future implementations of the clients and the servers. We are building SimpleX platform based on the same principles as email and web, but much more private and secure.</p>
<p>Your donations help us raise more funds — any amount, even the price of the cup of coffee, makes a big difference for us.</p>
<p>See <a href="https://github.com/simplex-chat/simplex-chat/#please-support-us-with-your-donations">this section</a> for the ways to donate.</p>
<title>Oppose digital IDs – they break the law and lead to mass scale surveillance</title>
<content type="html"><h1 id="oppose-digital-ids-they-break-the-law-and-lead-to-mass-scale-surveillance" tabindex="-1">Oppose digital IDs – they break the law and lead to mass scale surveillance</h1>
<p><strong>Published:</strong> Dec 18, 2024</p>
<p>Starting next year, the UK government plans to introduce <a href="https://www.telegraph.co.uk/politics/2024/12/08/digital-id-to-be-introduced-for-pubs-and-clubs/">digital ID cards</a> for the young people to prove their age when visiting pubs. While officials claim this system will remain optional, it's part of a broader government initiative to move more state functions online so that people can prove their identity for everything from paying taxes to opening a bank account using the government-backed app. This will be a step toward a society where every pub visit, purchase, and social interaction becomes a permanent digital record linked to a government-issued ID – a step to normalizing mass surveillance at scale.</p>
<p>Digital IDs are promoted as a way to fight law violations, and some politicians support them as <a href="https://www.telegraph.co.uk/politics/2024/07/10/id-cards-inevitable-tackle-immigration-lord-blunkett-labour/">a way to tackle illegal immigration</a>. But digital IDs themselves break the law. Article 8 of the European Convention of Human Rights says: “Everyone has the right to respect for his private and family life”. It means that not only our right to privacy is enshrined in the law, but the right to have our privacy respected is also part of the law. Asking to present a digital ID when visiting a pub, even if it is optional, disrespects our privacy, and is therefore illegal.</p>
<p>Digital IDs would not stop people who decide to break laws. Pubs already can refuse to serve alcohol to young people and require the ID in case the age is in doubt. And illegal immigration can also be reduced without any digital IDs. But introducing digital IDs and collecting our actions, names and locations in one government-controlled database will result in making this information easier to access for criminals, and being exploited for financial and identity crimes.</p>
<p>What starts as a &quot;convenient option&quot; is likely to end as a mandatory requirement. The digital ID systems being pushed by governments and corporations aren't about making our lives easier. They're about tracking, monitoring, and controlling every move we make. And we can see <a href="https://www.wired.com/story/china-social-credit-system-explained/">where this road leads in China</a>, when IDs and social scores created for convenience are used to prevent access to basic services and bank accounts as a punishment for legal social media posts that the government disagrees with. What started as a convenience, is now trialed <a href="https://www.thesun.ie/news/13154812/china-installs-toilet-timers-to-broadcast-time-spent/">to track the duration of public toilet visits</a>.</p>
<p>The United Kingdom is a democratic country, and the law protects our right to privacy and freedom of speech. If we accept digital IDs as something required for simple things, like buying a drink, it leaves the door wide open to a range of privacy violations.</p>
<p>We call on everyone to oppose the digital ID systems. Do not use them. Do not install these systems in your pub, for as long as it is not legally required. Support local businesses that don’t use them. Protect your privacy and freedom by using software that respects them. Demand that your privacy is respected, as required by law.</p>
<p>To make your voice heard, email your MP expressing your rejection of digital IDs as a violation of European Convention of Human Rights in three simple steps:</p>
<ol>
<li><strong>Copy the text below</strong> or <a href="mailto:?subject=Please%20oppose%20the%20plan%20for%20Digital%20IDs&amp;body=Dear%20%E2%80%A6%2C%0A%0AI%20object%20to%20the%20introduction%20of%20digital%20IDs%20in%20pubs%20or%20any%20other%20public%20places%20for%20these%20reasons%3A%0A%0A1.%20It%20violates%20the%20European%20Convention%20of%20Human%20Rights%2C%20article%208%3A%20%E2%80%9CEveryone%20has%20the%20right%20to%20respect%20for%20his%20private%20and%20family%20life%E2%80%9D%20(https%3A%2F%2Ffra.europa.eu%2Fen%2Flaw-reference%2Feuropean-convention-human-rights-article-8-0).%0AAsking%20to%20present%20digital%20IDs%20when%20proof%20of%20identity%20is%20not%20legally%20required%2C%20even%20if%20it%20is%20optional%2C%20disrespects%20our%20privacy%2C%20and%20is%20therefore%20illegal.%0A%0A2.%20It%20will%20not%20be%20an%20effective%20measure%20in%20reducing%20the%20violations%20of%20the%20law.%20People%20who%20want%20to%20circumvent%20it%2C%20will%20find%20a%20way.%0A%0A3.%20It%20will%20increase%20crime%2C%20because%20combining%20a%20large%20amount%20of%20private%20information%20in%20a%20single%20system%20increases%20the%20risks%20of%20this%20information%20becoming%20available%20to%20criminals%2C%20who%20will%20exploit%20it%20for%20financial%20crimes%20and%20identity%20theft.%0A%0AI%20kindly%20ask%20you%20to%20oppose%20this%20plan%2C%20both%20publicly%20and%20during%20any%20discussions%20in%20the%20UK%20Parliament.%0A%0ASincerely%20yours%2C%0A%E2%80%A6">click this link</a> to copy it into email app:</li>
</ol>
<p><em>Dear …,</em></p>
<p><em>I object to the introduction of digital IDs in pubs or any other public places for these reasons:</em></p>
<ol>
<li><em>It violates the European Convention of Human Rights, article 8: “Everyone has the right to respect for his private and family life” (<a href="https://fra.europa.eu/en/law-reference/european-convention-human-rights-article-8-0">https://fra.europa.eu/en/law-reference/european-convention-human-rights-article-8-0</a>).</em><br />
<em>Asking to present digital IDs when proof of identity is not legally required, even if it is optional, disrespects our privacy, and is therefore illegal.</em></li>
<li><em>It will not be an effective measure in reducing the violations of the law. People who want to circumvent it, will find a way.</em></li>
<li><em>It will increase crime, because combining a large amount of private information in a single system increases the risks of this information becoming available to criminals, who will exploit it for financial crimes and identity theft.</em></li>
</ol>
<p><em>I kindly ask you to oppose this plan, both publicly and during any discussions in the UK Parliament.</em></p>
<p><a href="https://members.parliament.uk/members/Commons"><strong>Find the email address of your MP</strong></a> and copy it to the email.</p>
</li>
<li>
<p>Fill in the blanks, edit the text if needed, and <strong>send it</strong>!</p>
</li>
</ol>
<p>Public opposition changed government decisions in many cases.</p>
<p>It is your opportunity to tell the government which country you want to live in — please use it!</p>
<title>SimpleX network: large groups and privacy-preserving content moderation</title>
<content type="html"><h1 id="simplex-network-large-groups-and-privacy-preserving-content-moderation" tabindex="-1">SimpleX network: large groups and privacy-preserving content moderation</h1>
<p>Many people believe that it is impossible to moderate and prevent abuse in end-to-end encrypted conversations. This belief is incorrect — there is a way to prevent abuse and distribution of illegal content without any compromises to users' privacy and security of end-to-end encryption.</p>
<p>Anti-privacy lobbyists use this incorrect belief to advocate for scanning of private communications, which not only would fail to prevent abuse, but would make it worse — because our private data will become available to criminals.</p>
<p>So it's very important to understand how privacy preserving content moderation works, and educate the politicians who you voted for, and who is currently in the office, that we do not need to compromise privacy and security in any way to substantially reduce online crime and abuse.</p>
<p>This post answers these questions:</p>
<ul>
<li>Why <a href="https://simplex.chat/blog/20250114-simplex-network-large-groups-privacy-preserving-content-moderation.html#large-groups-on-simplex-network">large groups on SimpleX network</a> don't work well?</li>
<li>How do we plan to <a href="https://simplex.chat/blog/20250114-simplex-network-large-groups-privacy-preserving-content-moderation.html#can-large-groups-scale">make them scale</a>?</li>
<li>How do <a href="https://simplex.chat/blog/20250114-simplex-network-large-groups-privacy-preserving-content-moderation.html#preventing-abuse-with-anonymous-participation">group owners prevent abuse</a> when people participate anonymously?</li>
<li>How do server operators <a href="https://simplex.chat/blog/20250114-simplex-network-large-groups-privacy-preserving-content-moderation.html#preventing-server-abuse-without-compromising-e2e-encryption">prevent abuse of their servers</a> and <a href="https://simplex.chat/blog/20250114-simplex-network-large-groups-privacy-preserving-content-moderation.html#privacy-preserving-content-moderation">how these measures will evolve</a> without any compromises to privacy and end-to-end encryption?</li>
<li>Which <a href="https://simplex.chat/blog/20250114-simplex-network-large-groups-privacy-preserving-content-moderation.html#privacy-and-security-improvements-we-plan-this-year">privacy and security improvements</a> we plan this year?</li>
</ul>
<h2 id="large-groups-on-simplex-network" tabindex="-1">Large groups on SimpleX network</h2>
<p>When we designed groups, we expected them to be used primarily for small groups where people know each other, with not more than 100 or so members.</p>
<p>But we learnt that people want to participate in public discussions remaining anonymous — it protects their freedom of speech. As an experiment, we are curating a small <a href="https://simplex.chat/docs/directory.html">directory of groups</a> that currently has almost 400 public groups, with the largest ones having thousands of members. You can connect to this experimental directory via <a href="https://simplex.chat/contact#/?v=2-4&amp;smp=smp%3A%2F%2Fu2dS9sG8nMNURyZwqASV4yROM28Er0luVTx5X1CsMrU%3D%40smp4.simplex.im%2FeXSPwqTkKyDO3px4fLf1wx3MvPdjdLW3%23%2F%3Fv%3D1-2%26dh%3DMCowBQYDK2VuAyEAaiv6MkMH44L2TcYrt_CsX3ZvM11WgbMEUn0hkIKTOho%253D%26srv%3Do5vmywmrnaxalvz6wi3zicyftgio6psuvyniis6gco6bp6ekl4cqj4id.onion">SimpleX chat address</a>.</p>
<h2 id="can-large-groups-scale" tabindex="-1">Can large groups scale?</h2>
<p>Currently the groups are fully decentralized, and every time you send the message to some group your client has to send it to each group member, which is very costly for traffic and battery in large groups.</p>
<p>We are currently working on the new group architecture when dedicated group members that run their clients on the server or on desktop with good internet connection will re-broadcast messages to all members — these members are &quot;super-peers&quot;.</p>
<p>We will be offering pre-configured super-peers via the app, and you will be able to use your own super-peers, in case you are hosting a large private group, and to have a better control and ownership of the group — e.g., if we decide to remove our super peer from the group, it will continue to function thanks to your super-peer re-broadcasting messages.</p>
<p>This new design improves both privacy of group participation and censorship resistance of the groups, and also makes abusing the group harder.</p>
<p>All public discussions are abused by spammers and trolls, whether anonymous or not. We have been evolving ability of group owners to moderate conversations by allowing to remove inappropriate and off-topic messages, to block members who send spam, and to make all new members who join their group unable to send messages until approved.</p>
<p>As support for large groups improves, we expect that the attempts to abuse may increase too, unless we add better moderation capabilities in advance.</p>
<p>v6.3 will add ability of the group members to send reports to the group owners and administrators — the beta version we just released adds ability to manage these reports, so group admins won't miss reports when members start sending them.</p>
<p>Other features that we plan to add this year to improve both usability and safety of the groups:</p>
<li>message comments — some groups may choose to allow only comments, when ability to send messages is restricted to group owners or admins.</li>
<h2 id="preventing-server-abuse-without-compromising-e2e-encryption" tabindex="-1">Preventing server abuse without compromising e2e encryption</h2>
<p>Some categories of content may be prohibited by servers operators. An extreme case would be child sexual abuse materials (CSAM).</p>
<p>Many people believe that when conversation is end-to-end encrypted, the problem is unsolvable. This incorrect belief is used by unscrupulous lobbyists and politicians who attempt to mandate various types of content scanning under the guise of preventing CSAM distribution.</p>
<p>We <a href="https://simplex.chat/blog/20240601-protecting-children-safety-requires-e2e-encryption.html">wrote before</a> about how such measures not only would fail to solve the problem, but would make it worse. If our private photos become available to service providers, they will eventually become available to criminals too, and will be used to abuse and exploit the users and their children.</p>
<p>An absolute majority of CSAM distributed online is publicly accessible. Many large tech companies failed to act on it and to remove CSAM from their services before it became an epidemic. We see it as a very important objective to eliminate the possibility to distribute CSAM from publicly accessible groups, even if it hurts network growth.</p>
<p>When we receive a user complaint about CSAM shared in any group, we remove the files and, in some cases, the links to join the group from our servers. Our approach to moderation preserves user privacy and security of end-to-end encryption.</p>
<p>How does it work? Let's go over the process step by step.</p>
<ol>
<li>
<p>A user discovered the link to join the group that distributes CSAM and sent a complaint to our support email address or via the app to <a href="simplex:/contact#/?v=1&amp;smp=smp%3A%2F%2FPQUV2eL0t7OStZOoAsPEV2QYWt4-xilbakvGUGOItUo%3D%40smp6.simplex.im%2FK1rslx-m5bpXVIdMZg9NLUZ_8JBm8xTt%23MCowBQYDK2VuAyEALDeVe-sG8mRY22LsXlPgiwTNs9dbiLrNuA7f3ZMAJ2w%3D">SimpleX Chat team</a> contact.</p>
<p>Once we received the link to join the group, we instruct our automated bot to join it. If the complaint is confirmed as valid, the bot sends the information about the files sent in this group to the servers that store these files.</p>
<p>File servers cannot look inside end-to-end encrypted files, and they don't even know file sizes — they are securely locked, and sent in chunks, across multiple servers. But if the bot that joined the group provides the address of the particular file, the server can delete this file. It doesn't allow the servers to access any other files.</p>
<p>In this way, the moderation is possible without any content scanning, and it preserves privacy and security of end-to-end encryption.</p>
<p>Right now, when we act on user complaints, we delete uploaded files or the links to join the groups from our servers, and to the users it looks as if something stopped working.</p>
<p>We are currently rolling out the change to the servers that would mark these files and group links as blocked, so that users who try to download them or to join blocked groups can see that they were blocked for violating server operator conditions of use. This will improve transparency of moderation and reliability of the network.</p>
<p>Later this year we plan to do more than that — client-side restrictions on the clients that violated conditions of use by uploading prohibited content.</p>
<p>How would it work? When the client discovers that the uploaded file was blocked, it may, optionally, depending on the information in the blocking record, disable further uploads from the app to the servers of the operator that blocked the file. Also, when the client that tried to receive the file sees that the file is blocked, it may also refuse to receive further files from the same group member via the same servers.</p>
<p>In this way, the servers can restrict the future actions of the users who violate the conditions of use, while preserving privacy and security of the users and content – even of those users who violated the conditions.</p>
<p>We discussed this plan with the users, and we really appreciate their feedback. The current plan is quite different from our initial ideas, the users had a real impact. Users asked the questions below.</p>
<p>Yes, they can, but for this to work both sender and recipient would have to modify their clients. It's technically complex, so most users won't do it, and it is also hard to coordinate between users who don't know and don't trust each other.</p>
<p>Other services that identify users reduce abuse by blocking the user account. It is even easier to circumvent than changing the client code, and yet these measures reduce abuse.</p>
<p>Yes, they can. But in the same way as web browser is not responsible for the content you can access, SimpleX app should not restrict your communications with other servers based on blocking action from just one server.</p>
<p>That approach allows different server operators to have different content policies, depending on their jurisdiction and other factors. It also prevents the possibility of abuse by server operators.</p>
<p>With the proposed changes, server operators will only be able to prevent uploads to their own servers, which prevents any impact on other communications.</p>
<p>In the future we plan to increase the resilience to any server malfunction or abuse by using multiple different servers with each contact.</p>
<p>If servers were to apply any upload restrictions unreasonably, the users would simply stop using them.</p>
<p>At the same time, server operators need to have technical means to protect their servers from users' abuse, and the proposed client-side restrictions achieve it.</p>
<p>We published other technical ideas that could be used to prevent distribution of illegal content in <a href="https://github.com/simplex-chat/simplex-chat/blob/stable/docs/rfcs/2024-12-30-content-moderation.md">this document</a>. None of these measures compromise users' privacy or end-to-end encryption, and they can (and should) only be applied to publicly accessible content that other users complained about.</p>
<p>We technically cannot, and we won't scan all content. We actively <a href="https://simplex.chat/blog/20240704-future-of-privacy-enforcing-privacy-standards.html">campaign against any content-scanning proposals</a>, because it violates our right to privacy, and it would result in huge increase of online crime.</p>
<p>The belief that it is impossible to moderate conversations when they are e2e encrypted is incorrect. It is possible when users themselves share conversation contents with server operators, in which case the operators can identify and, if necessary, remove this content. It is also possible to moderate conversations that users made publicly accessible.</p>
<h2 id="send-us-comments-and-questions" tabindex="-1">Send us comments and questions</h2>
<p>Let us know any comments and feedback to the proposed measures. This is still an evolving design, and it won't be implemented until later this year.</p>
<p>Your comments will help to find the right balance between users' and server operators' requirements.</p>
<h2 id="privacy-and-security-improvements-we-plan-this-year" tabindex="-1">Privacy and security improvements we plan this year</h2>
<p>We see privacy and security as necessary for online safety, and prevention of abuse. If you don't already use SimpleX network, try it now, and let us know what you need to make it better.</p>
<title>SimpleX Chat v6.3: new user experience and safety in public groups</title>
<content type="html"><h1 id="simplex-chat-v63-new-user-experience-and-safety-in-public-groups" tabindex="-1">SimpleX Chat v6.3: new user experience and safety in public groups</h1>
<p><strong>Published:</strong> Mar 8, 2025</p>
<p><strong>What's new in v6.3</strong>:</p>
<ul>
<li><a href="https://simplex.chat/blog/20250308-simplex-chat-v6-3-new-user-experience-safety-in-public-groups.html#preventing-spam-and-abuse-in-public-groups">preventing spam and abuse in public groups</a>.</li>
<li><a href="https://simplex.chat/blog/20250308-simplex-chat-v6-3-new-user-experience-safety-in-public-groups.html#group-improvements">group improvements</a>: <a href="https://simplex.chat/blog/20250308-simplex-chat-v6-3-new-user-experience-safety-in-public-groups.html#mention-other-members-and-get-notified-when-mentioned">mention other members</a>, <a href="https://simplex.chat/blog/20250308-simplex-chat-v6-3-new-user-experience-safety-in-public-groups.html#better-group-performance">improved performance</a>.</li>
<li><a href="https://simplex.chat/blog/20250308-simplex-chat-v6-3-new-user-experience-safety-in-public-groups.html#better-chat-navigation">better chat navigation</a>: <a href="https://simplex.chat/blog/20250308-simplex-chat-v6-3-new-user-experience-safety-in-public-groups.html#organize-chats-into-lists">organize chats into lists</a> and <a href="https://simplex.chat/blog/20250308-simplex-chat-v6-3-new-user-experience-safety-in-public-groups.html#jump-to-found-and-forwarded-messages">jump to found and forwarded messages</a>.</li>
<li><a href="https://simplex.chat/blog/20250308-simplex-chat-v6-3-new-user-experience-safety-in-public-groups.html#privacy-and-security-improvements">privacy and security improvements</a>: <a href="https://simplex.chat/blog/20250308-simplex-chat-v6-3-new-user-experience-safety-in-public-groups.html#set-message-retention-period-in-chats">chat retention period</a> and <a href="https://simplex.chat/blog/20250308-simplex-chat-v6-3-new-user-experience-safety-in-public-groups.html#private-media-file-names">private media file names</a>.</li>
</ul>
<p>Also, we added Catalan interface language to Android and desktop apps, thanks to <a href="https://github.com/simplex-chat/simplex-chat#help-translating-simplex-chat">our users and Weblate</a>.</p>
<p>The last but not the least - <a href="https://simplex.chat/blog/20250308-simplex-chat-v6-3-new-user-experience-safety-in-public-groups.html#reproducible-server-builds">server builds are now reproducible</a>.</p>
<h2 id="whats-new-in-v63" tabindex="-1">What's new in v6.3</h2>
<h2 id="preventing-spam-and-abuse-in-public-groups" tabindex="-1">Preventing spam and abuse in public groups</h2>
<p><a href="https://simplex.chat/blog/20250114-simplex-network-large-groups-privacy-preserving-content-moderation.html">We wrote before</a>: as the network grows, it becomes more attractive to attackers. This release adds several features that reduce the possibility of attacks and abuse.</p>
<h3 id="spam-in-groups-that-are-listed-in-our-group-directory" tabindex="-1">Spam in groups that are listed in our group directory</h3>
<p>There is no built-in group discovery in SimpleX Chat apps. Instead, we offer an experimental chat bot that allows to submit and to discover public groups. Not so long ago, spammers started sending messages via bots attempting to disrupt these groups.</p>
<p>We released several changes to the groups directory to protect from spam attacks.</p>
<p>Group owners can enable the requirement to pass captcha challenge before joining the group. Captcha is generated in the directory bot itself, without any 3rd party servers, and is sent to the joining member. The new member must reply with the text in the image to be accepted to the group. While not a perfect protection, this basic measure complicates programming automatic bots to join public groups. It also provides a foundation to implement &quot;knocking&quot; - a conversation with dedicated group admins prior to joining the group. We plan to release support for knocking in March.</p>
<p><strong>Profanity filter for member names</strong></p>
<p>While group settings support giving all joining member an &quot;observer&quot; role - that is, without the right to send messages - the attackers tried spaming groups by joining and leaving. We added an optional filter for member names that group owners can enable for groups listed in directory - if a member name contains profanity, they will be rejected. Further improvements will be released in March as well.</p>
<p>The current SimpleX directory chatbot is a hybrid of <a href="https://simplex.chat/blog/20250114-simplex-network-large-groups-privacy-preserving-content-moderation.html#can-large-groups-scale">future chat relays</a> (a.k.a. super-peers) we are now developing to support large groups, and of a directory service that will be embedded in the app UI later this year, allowing to search and to discover public groups. Anybody is able to run their own directory bots now, and there will be possibility to use third party directories via the app UI in the future too.</p>
<p>Read more about <a href="https://simplex.chat/docs/directory.html">SimpleX group directory</a>, how to submit your groups, and which groups we now accept. Currently we accept groups related to a limited list of topics that will be expanded once we have better moderation functionality for the groups.</p>
<h3 id="more-power-to-group-owners-and-moderators" tabindex="-1">More power to group owners and moderators</h3>
<p>This release includes two new features to help group moderators.</p>
<p>Group members can privately bring to group moderators attention specific messages and members, even if the group does not allow direct messages. The simply need to choose report in the message context menu and choose the report reason. This report will be visible to all group owners and moderators, but not to other members.</p>
<p>Group moderators can see all member reports in a separate view, and quickly find the problematic messages, making moderation much easier in public groups. These reports are private to groups, they are not sent to server operators.</p>
<p>Please note: in the groups listed in our directory, the directory bot acts as admin, so it will receive all reports as well.</p>
<p><strong>Acting on multiple members at once</strong></p>
<p>When attackers come, they often use multiple profiles. This version allows selecting multiple members at once and perform these actions on all selected members:</p>
<ul>
<li>switch members role between &quot;observer&quot; and &quot;member&quot;.</li>
<li>block and unblock members - this is a &quot;shadow&quot; block, so when you block multiple members who you believe are attackers, their messages will be blocked for all other members but not for them.</li>
<li>remove members from the group.</li>
</ul>
<p>The next version will also allow to remove members together with all messages they sent - for example, if a spam bot joined and sent a lot of spam, but nothing of value.</p>
<h3 id="mention-other-members-and-get-notified-when-mentioned" tabindex="-1">Mention other members and get notified when mentioned</h3>
<p>This feature allows you to mention other members in the group in the usual way - type <code>@</code> character, and choose the member you want to mention from the menu. Even that there is no user accounts and persistent identities we made it work by referencing members by their random group ID that is also used for replies and all other interactions in the group.</p>
<p>You can also now switch message notifications in the group to &quot;mentions only&quot; mode. You will be notified only when you are mentioned in a message, or when somebody replies to your message. Simply choose &quot;Mute&quot; in the context menu of the group in the list of chats to switch group notifications to &quot;mentions only&quot; mode. After that you can choose &quot;Mute all&quot; to disable all notifications, including mentions.</p>
<h3 id="better-group-performance" tabindex="-1">Better group performance</h3>
<p>We didn't reduce the required network traffic to send messages to large groups yet - your client still has to send message to each member individually. But we redesigned the process of sending a message, reducing temporary storage required to schedule the message for delivery by about 100x. This creates a significant storage saving - e.g, to send one message to a group of 1,000 members previously required ~20Mb, and now it is reduced to ~200kb. It also reduces the time and battery used to send a message.</p>
<p><strong>Faster group deletion</strong></p>
<p>When you leave the group, the app preserves a copy of all your communications in the group. You can choose to keep it or to delete it completely. This final group deletion was very slow prior to this release - depending on the number of groups on your device it could sometimes take several minutes.</p>
<p>This release solved this problem – the time it takes to delete the group is reduced to seconds, and even in cases when the app is terminated half-way, it either rolls back or completes, but it cannot leave the group in a partially deleted state. It improves both user experience and privacy, as gives you better control over your data.</p>
<p>It is a common feature in many messengers – it helps organizing your conversations.</p>
<p>The lists also show a blue mark when any chat in the list has new messages.</p>
<p>There are several preset lists: contacts, groups, private notes, business chats, favourite chats and also groups with member reports - the last list is automatically shown if members of any groups where you are the moderator or the owner sent private reports, until these reports are acted on or archived.</p>
<h3 id="jump-to-found-and-forwarded-messages" tabindex="-1">Jump to found and forwarded messages</h3>
<p>This version allows to quickly navigate from message in the search results to the point in the conversation when it was sent.</p>
<p>You can also navigate from the forwarded message (or from the message saved to private notes) to the original message in the chat where it was forwarded or saved from.</p>
<h2 id="privacy-and-security-improvements" tabindex="-1">Privacy and security improvements</h2>
<h3 id="set-message-retention-period-in-chats" tabindex="-1">Set message retention period in chats</h3>
<p>Before this version, you could enable message retention period for all chats in your profile. While helpful in some cases, many of us have conversations that we want to keep for a long time, and some other conversations that we want to remove quicker.</p>
<p>This version allows it - you can set different retention periods in different conversations. It can be 1 day, 1 week, 1 month or 1 year. We may allow custom retention time in the future.</p>
<h3 id="private-media-file-names" tabindex="-1">Private media file names</h3>
<p>Previously there were scenarios when original media file names were preserved - e.g., when sending a video file or when forwarding any media file. The latter problem was worse, as media file name is generated automatically, and includes timestamp. So the same name could have been used to correlate files between conversations, as one of our users pointed out.</p>
<p>This version fixes this problem - media file name is now changed when forwarding it to match the time of forwarding, so no additional metadata is revealed.</p>
<p>Please also note:</p>
<ul>
<li>the apps remove metadata from all static images,</li>
<li>iOS app removes metadata from videos, but android and desktop apps do not do it yet,</li>
<li>animated images are sent as is,</li>
<li>other file types are sent as is, and their names are left unchanged - we believe that for ordinary files their name is part of their content.</li>
</ul>
<p>We plan further improvements to reduce metadata in files in the near future – please let us know what you believe is the most important to reduce first.</p>
<h2 id="reproducible-server-builds" tabindex="-1">Reproducible server builds</h2>
<p>Starting from v6.3 server releases are reproducible!</p>
<p><strong>Why it is important</strong></p>
<p>With reproducible builds anybody can build servers from our code following the same process, and the build would produce identical binaries.</p>
<p>This also allows us to sign releases, as we reproduce GitHub builds ourselves and by signing them we attest that our builds resulted in identical binaries.</p>
<p><strong>How to reproduce builds</strong></p>
<p>You can reproduce our builds on Linux with x86 CPU in docker container - please follow the instructions <a href="https://simplex.chat/docs/server.html#reproduce-builds">here</a>.</p>
<p>We are looking for support from open-source contributors or security researchers who would also reproduce and sign our releases.</p>
<p><strong>How to verify release signature</strong></p>
<p>Please see the instructions <a href="https://simplex.chat/docs/server.html#verifying-server-binaries">here</a>.</p>
<p>Some links to answer the most common questions:</p>
<p><a href="https://simplex.chat/blog/20220511-simplex-chat-v2-images-files.html#the-first-messaging-platform-without-user-identifiers">How can SimpleX deliver messages without user identifiers</a>.</p>
<p><a href="https://simplex.chat/blog/20220711-simplex-chat-v3-released-ios-notifications-audio-video-calls-database-export-import-protocol-improvements.html#why-having-users-identifiers-is-bad-for-the-users">What are the risks to have identifiers assigned to the users</a>.</p>
<p><a href="https://github.com/simplex-chat/simplex-chat#privacy-and-security-technical-details-and-limitations">Technical details and limitations</a>.</p>
<p>Please also see our <a href="https://simplex.chat/">website</a>.</p>
<h2 id="please-support-us-with-your-donations" tabindex="-1">Please support us with your donations</h2>
<p>Huge <em>thank you</em> to everybody who donated to SimpleX Chat!</p>
<p>Prioritizing users privacy and security, and also raising the investment, would have been impossible without your support and donations.</p>
<p>Also, funding the work to transition the protocols to non-profit governance model would not have been possible without the donations we received from the users.</p>
<p>Our pledge to our users is that SimpleX protocols are and will remain open, and in public domain, so anybody can build the future implementations of the clients and the servers. We are building SimpleX platform based on the same principles as email and web, but much more private and secure.</p>
<p>Your donations help us raise more funds — any amount, even the price of the cup of coffee, makes a big difference for us.</p>
<p>See <a href="https://github.com/simplex-chat/simplex-chat/#please-support-us-with-your-donations">this section</a> for the ways to donate.</p>
