I'm working on a list of secure and insecure Chat Apps and Email Hosts for the OpSec Wiki. Your feedback would be appreciated. : OpSec | Torhoo darknet markets

Please don't send me random, unchecked lists of email hosts. Check to see if they're on my lists already and if you can register and send an email from them.

Very useful.
Add morke.org under the disposable email section.

VERY USEFUL! I WANT TO GIVE YOU AWARD WITH HEAVEN!

Why is session messenger considered unsecure?

Thank you father.

Briar which is similar to session but supports p2p over bluetooth and wifi for offline communications.

I need to sleep for a while. I'll get back to sorting this out tomorrow.

Every single chat app that uses servers that are not under your control. Are not safe. Especially if it's a public company offering the app. No matter how "private" they are, they will bow before closing to LE.

Fact of life.

So.. never assume any 'anonymous chat app' is secure.

awesome list thx!
Is signal on the X list due 2 needing a phone number to reg?
or u saying LE has access?

Tuta? Is that one good? I use pgp always anyways, and what about cock.li?

Oh and I think a big thing would be to designate which require java and not

What about Tox? I read that some users might have been de-anonymized while using it, but I can’t find the source of that information.

Just nitpicking, I like the guide a lot, but maybe include 'why' Telegram, Signal, Discord, and Session are insecure and shouldn't be used? Because you just say they are bad, same as 'drugs are bad' phrase, but in reality, sometimes it just depends, is weed bad? Maybe, depends on the person, amount taken, how you use it, etc. like maybe signal and session, is fentanyl bad? Well, in this case yeah of course unless in hospital environment with responsible use eg. discord for gaming and fun chat with friends is okay

Because in the case of Signal and Session it might be more about the tradeoff between sacrificing X and Y, since I have seen on opsec both arguments pro both and con both.

Signal con soft-kyc solved by /post/3fd976b3a033bad6c6ef using temporary sms receiving services or maybe purchase a prepaid activated sim from a vendor on a market or maybe one service I have seen mentioned here but I cannot remember the name, or because it is closed source, whatever reasons it may be, also

Signal is obviously linked directly with a phone number which isn't a huge issue since you can just use SMS registration services then set a pin and do a registration lock. Set a username. There you go. Obviously doesn't do much for the anonymity of connecting to signal servers.

/post/81e801938ee9975acc04/#c-2111ce1d90076ee584

Session, more of the same, I have seen both 'you can use it, just take x y z into account' and 'stay away if you wish to keep living'.

SimpleX, you also have

No. Do not use fucking simplex.

https://github.com/simplex-chat/simplexmq/blob/stable/protocol/overview-tjr.md#simplex-messaging-protocol-server

There is nothing close to anonymous about it. And the server itself can straight up lie to a client without much detection.

I took my examples from this post or this comment thread: /post/81e801938ee9975acc04/#c-6e86174dc03af9748c
Also, most apps can be routed through Orbot, and it might be nice to mention that as well, and if there is some post in opsec mentioning why it would be good to do or not and bad for opsec, also nice to include like 'you can also do this, BUT know the risks <link to post>', like good in this case for the connecting to Signal servers maybe like mentioned in the signal cons comment?

Or maybe instead of being in a guide, there could be a detailed post in /d/Opsec pinned or not that will be also linked in the guide youre doing, answering once and for all all questions about chat apps why yes, why no, etc., tradeoffs, and including links to guides like http://blog.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/opsec/anonsimplex/index.html from /u/nihilist1 where a guide for a better use is available, because there is so much information, and also contradictory information on these chat stuff that it sometimes confuses.

Adding: /post/af7a081a3211c24b0908/#c-4c8e2a007ff8230b59 and /post/f12b38fc9337bce6ae34 are interesting as well.

Btw nice list, at least you guys are officially recommending the right tools, keep it up.
personal recommendation: i like to justify the choice of technology by categorizing them by their uses

for chat apps:
private use: FOSS software, and you can compile it yourself
anonymous use: supports .onion servers and clientside socks5 routing through tor
sensitive use: supports disappearing messages

imo by stating the opsec requirements for each intended use, people will immediately understand that signal / telegram and the other options are not suitable

for emails it's a bit different because of the clearnet requirement, but clientside anonymity is possible with it regardless

also, regarding email providers, i know of these from being listed on my lantern instance:
http://mail.danielas3rtn54uwmofdo3x2bsdifr47huasnmbgqzfrec5ubupvtpid.onion/
http://6n5nbusxgyw46juqo3nt5v4zuivdbc7mzm74wlhg7arggetaui4yp4id.onion/
http://vww6ybal4bd7szmgncyruucpgfkqahzddi37ktceo3ah7ngmcopnpyyd.onion/
http://vww6ybal4bd7szmgncyruucpgfkqahzddi37ktceo3ah7ngmcopnpyyd.onion/
http://torbox36ijlcevujx7mjb4oiusvwgvmue7jfn2cvutwa6kl6to3uyqad.onion/
mail2torjgmxgexntbrmhvgluavhj7ouul5yar6ylbvjkxwqf6ixkwyd.onion
mail2torjgmxgexntbrmhvgluavhj7ouul5yar6ylbvjkxwqf6ixkwyd.onion

i didnt test them however, so i cant vouch for any of them yet

I think this would be a good place to see some discussion I had that might be useful for this:

/post/81e801938ee9975acc04/#c-6e86174dc03af9748c

I really support this idea and think this is a good start beelze baby. my complain (I do this a lot) is that this is too simplified and not really clear. If I am a new user why do I give a shit about any of these features, what use cases are these for, it's too generic. I think you can add information on the wiki with maybe a separate place where more things are detailed as to the "Why". I am even willing to help write a guide if it is useful. If not I would like each one to clarify if its open-source, if its been audited, and if their git is active at minimum but that maybe is too much into it.

My recommends:

Telegram, Signal, Discord, and Session are insecure and shouldn't be used.

Discord, Telegram, agree. Obvious reasons maybe that should be explained as to why (centralized, not truly encrypted, no anonymity). Signal and Session if you look at my chat history I disagree with on usage. Signal you can probably include on that list but I do not feel that Session has been disproven enough. Yes they had flaws that were strange, and they reduced the ability of Perfect-Forward-Secrecy but I am still trying to find someone smarter than me who can say it is not still somewhat valuable. You have a random generated ID and it uses onion-like routing that can be combined with Tor to make you incredibly anonymous. But I digress.

XMPP + OMEMO/OTR

should be clear as to why someone should choose one or the other. OMEMO for group, message sync( offline messaging), OTR for off the record 1 to 1 chats right?

Briar

Why is this on here? I don't know enough about this project but this seems far more of a stretch for someone in our community to use. Seems more useful in situation of censorship by government and you are local to who you talk with. The project is very heavily updated however so I will give it a very strong support on this. This is not a great app to use if the other person is offline, I know Briar mailbox exists but has anyone used it with a lot of success.

Onionshare?

I love onionshare but I don't know if I would recommend as a chat. This starts a tor service on your machine (or your partners) which is only functional for as long as you run that chat so you and your contact both need to communicate at that moment in time. You can technically leave the application running but that is an incredibly bad idea to just keep a machine on with an onionshare chat running. I think onionshare should be recommended but I disagree with it as a recommended chat application.

for those that want to go the "host it yourself" route for the email server, i wrote this tutorial on how to setup your own mail server btw:
http://blog.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/opsec/mailprivate/index.html

the only issue of the email protocol is the dependency on the clearnet presence. but as long as you keep tor in between you, and the server you rent (as long as you rent it, access it, set it up and use it anonymously) you're maintaining your anonymity even if it requires a clearnet presence

the main drawback of doing it this way however, is that you have to spend some monero to get a VPS, and a domain, contrary to using a free mail service provided by someone else

All of you, when speaking about Signal, being focused on phone number for registration and not mentioning another bigger issue.

phone number problem can be surpassed by half an euro xmr smsactivate or smspva or something


is centralized App
and is usig
ta daaaam ta daaam
Amazon AWS servers

if some malicious update ever goes throgh Signal, and logically at some moment it will, it will be through Mr Bezos.


of course
matrix ( jabber but worse ) on it's default server ( matrix, which is used by 80% of users, and destroys the point of decentralization ) is also using Amazon AWS


and still
when considering all pluses and minuses I trust signal more then I trust threema or zangi or any of the "custom encrypted phones"

Where are you placing the messaging app Speek! I would like to know your opinion

Theema is a reliable chat app. Also, it come under swiss jurisdiction.

Threema is the safest chat app, anyone stating otherwise has no idea how the world post-1950s, and post-Covid works. Threema's keyservers, all their servers, are hosted on Mainland China. Have any of you ever been served a subpoena by the USDOC that had assistance from the PRC? Jesus christ.,...