It is an email provider but for encrypted email and optimized for speed and security, to use for chatting, the app looks like WhatsApp etc but every message is just an encrypted email
It has also been possible to run GUI desktops in Termux for ages, for example take a look at:
AnLinux (Run Linux On Android Without Root Access) https://f-droid.org/packages/exa.lnx.a/
It was also possible to run a “full Debian” using PRoot etc
If what you want is encrypted email, and see it in the form of a chat, take a look at ArcaneChat
thanks, I think I know that one, but yeah as you said it is not a real security audit and the person themselves said so
thanks!
could you provide some source/link to the SimpleX security audits? I would like to look into it, thanks in advance!
does Briar have security audits you could point to? thanks in advance
does that one have security audits? thanks in advance
yet the reason that “Signal is expensive” https://signal.org/blog/signal-is-expensive/ is because they didn’t go for a federated approach, they spend more money just to keep the servers running than resources spent on development
You can always look at their history of “complying” with government orders to hand over user data.
IIRC by US law they are not allowed to disclose requests from US gov itself
so live tests seem about as good as a security audit.
I would rather prefer real security audits
Not me, but someone on the Signal forums helpfully compiled many of them; there are a lot more than I thought! https://community.signalusers.org/t/wiki-overview-of-third-party-security-audits/13243
ok I read it, these are no real security audits but academic reviews of protocol properties etc.
Matrix isn’t ready for the general public and I’m doubtful it ever will be, so in the meantime Signal is the next best thing.
yeah, it is too complex etc. take a look at https://arcanechat.me/ and https://delta.chat/ (I contribute to these open source projects) they are probably the decentralized messengers that are more on par with WhatsApp etc. super easy to use, no phone numbers or any private data required
Not me, but someone on the Signal forums helpfully compiled many of them
thanks for sharing!
It’s serverless though, right?
no, and in fact the cost of running it is really high because of the server infrastructure they need to pay for, they even say it themselves “Signal is expensive” https://signal.org/blog/signal-is-expensive/
it would be possible just to fork and use a “European” version of it
in theory yes, in practice no one has done it, and then you should not use Signal but the European fork which will not be compatible/federated with Signal
It is a us based non profit that doesn’t store any information about you
still it runs in AWS, Microsoft, etc. servers, and as with any centralized service, policy and interests can change at any time in the future, which would be pretty bad when you have several countries fully depending on them, just look at the current situation with WhatsApp, you can not be resilient/sovereign like that
has been independently audited like four times.
could you provide source pointing to the security audits?
take a look at ArcaneChat https://arcanechat.me/
Maybe I’m confused, do the DeltaChat and ArcaneChat clients only work with DeltaChat/ArcaneChat servers?
The “ArcaneChat/DeltaChat servers” are just normal email servers with some default configurations and tweaks for privacy/security and speed
Edit: forgot to mention I can see the sender & recipient addresses (Signal uses sealed sender to minimize this metadata leak)
Signal needs to “seal sender” to be able to send messages anonymously since their service is not anonymous and you log in with your phone number. In ArcaneChat it is like you are “sealed sender” from the very beginning: you don’t register with a phone number or any private data, you always log in anonymously. Currently you have a static anonymous identity, and have to manually change it over time if you are the most paranoid person in town, but in the future the app might implement anonymous identity rotation
I can also see what time the message was sent; this is the kind of metadata Meta collects through WhatsApp even though they also encrypt message content.
Nothing that the server doesn’t know, the server knows the time at which you try to send a message because well you are asking it to do so at that time. But I agree this is a problem with stored messages if the server gets audited at a later point. By default with a single device messages are deleted immediately and otherwise after 20 days, so still it is limited what they could get, but this can be improved: the header doesn’t need to have a real date, it could be whatever fixed date while the real date is protected in the encrypted part. This needs to be done 👍
It doesn’t seem - although maybe it now does - that DeltaChat or ArcaneChat support key ratcheting, so if someone’s intercepting messages they can decrypt all future + past messages.
This is a pretty theoretical situation. First, the attacker needs to get control of your chatmail provider/server and start collecting your messages. Secondly, you need to happen to be using disappearing messages, since otherwise when they get access to your phone to get the key they can as well just get all your messages that are available already decrypted in the app. Since you need the messages to be ephemeral, in that case you can as well create a temporary profile, e.g. for some protest or activism, and delete it after the operation is finished, and you get the same results of “forward secrecy” without sacrificing the usability of the app. E.g. in ArcaneChat it is possible to have your account on as many devices as you want, all well synchronized, and every device is totally independent; if your phone dies you can keep using it on other devices or add it back to a new phone without losing a single message
Hey, how do you know she is named Nancy!? And that she smokes a bit too much! 😱
I didn’t want to advise/promote DeltaChat/ArcaneChat, they are not the only possible way of using email securely, just came here with the meme as a way of letting out a rant because I have seen a lot of people talking like that and it is by now an urban legend people just repeat like parrots, pointing to articles that basically are misleading. Had a recent discussion about that in the Privacy Guides forum and just came here with the meme to shake the frustration away ;-)
it is all about the sassy retro style and base64 MIME body
more seriously: Signal is centralized and based on phone numbers, and as said by Signal themselves: “Privacy is Priceless, but Signal is Expensive” https://signal.org/blog/signal-is-expensive/ while email infra is WAY more economic and decentralized
SimpleX maybe but it is not powerful/flexible nor as solid/mature as email server infra
If you use ArcaneChat (https://arcanechat.me/) or DeltaChat (https://delta.chat/) there is an in-chat mini-app for split bills, you can use it with groups of friends totally private end-to-end encrypted between chat members without the need of any online service for split bills