KLISHDFSDF

joined 4 years ago
[–] KLISHDFSDF@lemmy.ml 4 points 2 years ago

I have an account on there and it seems to be nothing but crypto hype, reminiscent of various "get in now or lose out" kinda scams. Not a good look, and not a lot of good content - at least from what I can tell.

[–] KLISHDFSDF@lemmy.ml 0 points 2 years ago (2 children)

“Popular,” and even “ease of use,” are not relevant for the label of Gold Standard when we’re talking about security

First, ease of use is absolutely relevant when it comes to security. If it's too technical, difficult, or confusing, nobody will use it. Just look at how prevalent PGP is in emails - it basically doesn't exist outside of niche nerd circles. What percentage of Linux admins ever deal with SELinux before getting told to just use AppArmor because it's easier? So yes, ease of use is a factor.

Second, 'security' is too broad a topic. I don't see a point in debating what is "the best" if a threat model isn't outlined first.

I originally stated "Signal is the gold standard for encrypted private messaging", which stands true regardless of other security features because it defaults to end-to-end encryption for everything by default and works out of the box. At the end of the day your messages are guaranteed to be encrypted and private - anonymity is not in the equation.

That said, I did bring up the point about leaking metadata, but looking at SimpleX I see that even they claim [0]:

The protocol does not protect against attacks targeted at particular users with known identities - e.g., if the attacker wants to prove that two known users are communicating, they can achieve it. At the same time, it substantially complicates large-scale traffic correlation, making determining the real user identities much less effective.

So, without digging much into it, it seems there are some limitations to your claims about SimpleX's superiority to Signal in terms of even anonymity.

Jami

I tried it when it was called Ring, tried it again sometime after the name change. It's a P2P messenger that provides E2EE. The architecture means all metadata leaks to ISPs and the internet. So you should be using it with Tor (or some other layer), and because your contacts also need to do that, and one of them is bound to fuck up, it's better to use either something that's metadata-resistant by default (like Briar) or to stick to Signal. Also, because it's P2P, it requires both parties to be online to even work - at least last I tried it. This doesn't work in the modern world.

Tox

Without getting into the various security issues over the years (here are two recent ones [3] [4], one which allowed remote code execution!), the Android client is spartan to say the least, and there's no iOS client [1], making this unusable with half the people I'd like to communicate with in the US. Your regional mileage may vary [2].

Confide

Isn't even open source so completely out of the question - security through obscurity, as the story post about the Converso apps proves, cannot be trusted.

I'll skip the rest as I've already spent too much time on this, but I will say I do believe Threema might be as good if not better than Signal, but it's a paid app and it's hard enough to convince friends/family to get onboard with a free app, never mind something that requires payment.

[0] https://github.com/simplex-chat/simplexmq/blob/stable/protocol/overview-tjr.md#trust-in-servers

[1] https://tox.chat/clients.html

[2] https://www.statista.com/statistics/236550/percentage-of-us-population-that-own-a-iphone-smartphone/

[3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44847

[4] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-25022

[–] KLISHDFSDF@lemmy.ml 2 points 2 years ago (4 children)

I've read from SMEs that Signal is the gold standard for encrypted private messaging. I haven't seen that claim of any other messenger. What are the alternatives?

I've tried Briar and that seems like it may be good in 5+ years, but not something I'd ask non-techy people to use in its current form. Session dropped Perfect Forward Secrecy because it was too hard to make it work. I don't want security features dropped just because they're "hard" so that's an immediate no from me. What are viable alternatives that don't leak metadata?

[–] KLISHDFSDF@lemmy.ml 0 points 2 years ago* (last edited 2 years ago) (4 children)

I agree with the OP but I think to say:

people on Mastodon don’t do enough to advertise other Fediverse platforms

is the equivalent of saying, "people on reddit don't do enough to advertise lemmy." It's an illogical jump. People on mastodon aren't there to talk about mastodon or the fediverse (although some do). It would be best to say other fediverse platforms need to work on their marketing and spreading awareness. Every chance I get I'm posting on reddit about lemmy, without trying to look like a shill/spammer, because I want this platform to grow.

I wouldn't blame redditors for not mentioning lemmy in an attempt to spread awareness.

[–] KLISHDFSDF@lemmy.ml 2 points 2 years ago

I personally don't really care for this change, but it would have been nice - although I understand it would have taken significant time/effort to develop that could be used in other areas with the limited resources - if there was some criteria to create a selection of instances that would be randomly selected based on something like:

  1. instance age - Your instance must be active for N months/(years?) to qualify to ensure rando spawns that may die a week later don't impact users, as well as being able to track the next rule:
  2. instance reliability - If there is a way to track this, only include instances that meet a specific number and maintained it for the last N months. It would suck to throw users into an unreliable instance, or one that started off great but started going south in the last 3 months.
  3. same server rules and privacy policy - To ensure a "family friendly" set of default instances that people could easily join without having to overthink it.

Not sure what else they could track, but those three would be a good start, though admittedly a lot of additional work.

[–] KLISHDFSDF@lemmy.ml 1 points 2 years ago* (last edited 2 years ago)

So we're trusting Tor but not Mullvad who collaborated with the Tor Project [0] to create this browser?

... developed in a collaboration between Mullvad VPN and the Tor Project

Who's behind Librewolf and Ungoogled Chromium that we should trust them over Mullvad?

Even Librewolf recommends you use Tor [1].

Can I use LibreWolf with Tor?

Please don't.

The Tor network is designed to give you complete anonymity, but it can be compromised if you use it with any browser other than the Tor Browser. If you want anonymity, download the Tor Browser.

They're all open source projects, how do you define who should/shouldn't be trusted? Seems rather reactionary to discredit Mullvad without any evidence when the alternatives provided suffer the same issue - who's behind the project and how do you establish trust?

Lastly, Ungoogled Chromium provides almost no privacy enhancing features by default [2], so how could this be a recommended as a privacy preserving browser?

ungoogled-chromium features tweaks to enhance privacy, control, and transparency. However, almost all of these features must be manually activated or enabled.

Let's discuss real alternatives and real issues, not jump to conclusions and throw everything out because it's not "perfect".

"Don't let perfect be the enemy of good" and all that.

[0] https://mullvad.net/en/browser

[1] https://librewolf.net/docs/faq/#can-i-use-librewolf-with-tor

[2] https://github.com/ungoogled-software/ungoogled-chromium#objectives

[–] KLISHDFSDF@lemmy.ml 3 points 2 years ago (2 children)

If not this browser, which one should we use if we want privacy?

[–] KLISHDFSDF@lemmy.ml 1 points 2 years ago (4 children)

Telegram has never been a secure option as you're granting the keys to your data to a third party beyond the intended recipients. Your data is basically leaked by default to Telegram's admins.

I would recommend Signal to replace SMS/MMS and Matrix for IRC/Discord/Telegram.

[–] KLISHDFSDF@lemmy.ml 1 points 3 years ago

What viable user-friendly (i.e. no account creation required) options are there? I just want my messages between friends and family to not be mined by greedy corporations.

[–] KLISHDFSDF@lemmy.ml 0 points 3 years ago (1 children)

I think the difference is that ultimately China (the government, not its people) is an enemy of the "western alliance" - "the west", if you will. You can work, and even cooperate, with an enemy to a degree, but you don't let them into your house. It's pretty basic at its core. TikTok, from a simplistic POV, is at the whims of the Chinese government - much like Facebook/Insta/Snap are to the US government, although to a much lesser extent. We don't worry about FB/Insta/Snap because they operate within the "western" jurisdiction and are "trusted" within their domain.

Being rational also requires you take real-life risks into consideration. This would be like saying "why don't you treat your friends the same way you treat the local crackhead when he walks through your store? He's just there to buy essentials" - yes, he may be there to actually buy things, but he's much more likely to do something nefarious than your known friends.
