[maqp]

Plus the company likes to advertise their product as more metadata-private than Tor Onion Service based messaging apps like Cwtch.

They lie by omission when they say that the service doesn't have any user IDs. What they really mean is, the application does not add its own long term identifiers. But by default, the application takes zero steps to anonymize your IP address from the server, meaning the server can very probably tell users apart.

It's also ridiculous that the entire public server infrastructure is hosted under two companies: Akamai and Runonflux. Roughly 50% of your conversations can be end-to-end correlated by a single VPS company.

[epoberezkin]

This is both incorrect and misleading.

Application is designed to: - always choose server from configuration to deliver messages via, and not the destination server that is chosen by the recipient. The protocol is designed to provide packet-level anonymity (not circuit-level anonymity, as in Tor) so that neither of the servers can see which IP address talks to which IP address. - always choose server operated by another operator, to mitigate collusion risks.

My problem with Tor is that after all these years it takes zero steps to prevent collusion and data sharing by Tor node operators - even though Tor has a centralized authority over server registry and could have deployed such mitigation. So the main assumption on which Tor security is based on - that independent parties run relays in the circuit - is simply untrue. We are designing the network and the app to ensure exactly that.

If people want to use Tor, it's their choice, and the app supports it. But we won't be integrating it.

[maqp]

Same guy, always pretending we've never had the same discussion over and over here, Reddit and privacyguides, for years. You're always running away.

>The protocol is designed to provide packet-level anonymity

Anything you do to harden SimpleX on server side does not matter to user. Unless the client protects the user it's not really helpful. The user only has your word that the server is stripping the IP address from the package.

> so that neither of the servers can see which IP address talks to which IP address

Two computers that could be run by the same entity. Also, the entire public infrastructure is again either Akamai or Runonflux. 50% of SimpleX chats' metadata is accessible by a single company, which is not even you so you have no control over it.

>always choose server operated by another operator, to mitigate collusion risks.

How does Alice, Bob and Charlie choose a third VPS provider when there's only two?

>My problem with Tor is that after all these years it takes zero steps to prevent collusion and data sharing by Tor node operators [...] that independent parties run relays in the circuit - is simply untrue

I don't know how to tell you this, but 10,000 Tor relays is absolutely more diverse than two VPS provider companies.

You're already supporting Tor. You're already running Onion Service servers.

How about you stop running to the mountains once again, go visit what I wrote to you in the PrivacyGuides threads on Cwtch vs SimpleX and actually consider that.

>If people want to use Tor, it's their choice, and the app supports it. But we won't be integrating it.

Then maybe it's time to strip the "no identifiers" bullshit from your marketing language. If you can't be open upfront about the client leaking the IP-address and you're not fixing the leak, I have zero problems referring to you as the snake oil you are.