Indeed.
P2P, E2EE, LoRa + HF + Inet bridge
Quote Tweet
We need an open source, multi-device, end-to-end encrypted messaging app that doesn't rely on phone numbers.
3
4
27
Conversation
It has a lot of issues. It uses long-term identity keys without automatic authorized key rotations, and even worse, it doesn't use session keys so there is no forward secrecy. It has a lot of bad cryptography including current generation keys still having SHA-1 fingerprints, etc.
1
It's not a good building block for anything else. It's massively overly complex and packed with weaknesses/vulnerabilities.
age is a proper standard and CLI tool for anonymous authenticated encryption. signify/minisign for simple signing or OpenSSH signing for more flexibility.
1
Shouldn't use those CLI tools for secure messaging which should have properties like forward secrecy and properly designed session verification.
Matrix E2EE is quite good for message data but metadata isn't encrypted and it's federated not P2P with most using enormous servers.
1
Briar has been perpetual alpha and has too many issues, along with not actually offering great privacy or security. Cwtch is another option and is also alpha quality, but advancing much faster and has much stronger privacy goals. Subjectively, Briar also has serious trust issues.
1
I personally won't ever use Briar since I don't trust it. I don't want to use software from people who have demonstrated they only care about themselves and will do anything to get EU/US grant money while harming other projects to promote themselves. Dead end for that reason.