Remove Threema from explicit non-recommendation, alphabetize list, add WhatsApp EFF article link, add SMS messages mention #997
Conversation
Deploy preview for privacytools-io ready! Built with commit a70a689
Without transparency we have no way to verify the encryption standards. Privacy is impossible without Free Software.
Threema has been very transparent about its encryption. In fact you can take saved Threema message ciphertext and your private Threema key and use the NaCl library outside of Threema to decrypt your messages and verify them. See https://threema.ch/validation/
Yes you can, it's called network packet inspection. There's this cool tool called WireShark. If you can capture any tracking communications back to Threema, let us know.
These blanket statements aren't adding anything to the discussion. PTIO is not an extension of the FSF. I have told you before to go look at the PTIO contribution guidelines.
I disagree with this PR due to Threema not being open source.
There are a lot of messengers that are not completely open source. Why single out Threema and not mention others such as BBM, Confide, Eleet, FireChat, Hoccer, Keybase, SafeSwiss, Sid, StealthChat, TwinMe, Zangi, Google Hangouts/Chat, Discord, Yahoo, iMessage, Facetime, Slack or WeChat? And this is only a small list of the most widely known apps.
How don't you know that they don't simply send your key to their servers? :)
Threema will always connect to Threema's server to send messages, so how do you see the difference between normal Threema network traffic and tracking?
These are not blanket statements, they are valid concerns, and I agree with them.
Threema has about 55k Play Store reviews, making it roughly a hundredfold smaller than iMessage+Facetime, which are more closed than Threema. But I think the biggest reason that it is a little jarring to see Threema in the yellow area is because it is lumped in with the likes of Facebook apps. If Threema "must" be kept in the list of avoid-for-sure (but e.g. WickrMe and iMessage not listed), we should at least have two sentences. One for products that we don't have a special reason to believe are privacy-violating, such as Threema, which has partially-libre e2e crypto on by default, and another for projects where there IS a special reason to believe they are risky (closed-source crypto that is off by default in particular would be a red flag of a completely more severe nature). I think the purpose of privacyToolsIO is to list good recommended tools, and the listing of tools-to-avoid is far less crucial. Either a tool is top3, or WorthMentioning, or implicitly NOT worth mentioning ... but being listed in the yellow warning bar should be for things that regular end users often ignorantly or mistakenly believe are private. If it is supposed to be just a "list of things that are not perfect" then we need to have a MUCH longer list :-)
I don't know the history of how Threema ended up on that list, but I guess it's the only one of those that advertises being E2EE but isn't open source. I didn't start researching that list, so it's possible that some of those are fine. Keybase is open source and E2EE, Discord and Slack aren't E2EE and have their own issues, WeChat is controlled by the Chinese government, and iMessage is iOS-only and I guess most people using it may not even realize they are using it, as it's integrated into the SMS app?
LGTM. I don't think Threema is good enough to be recommended by us (closed source) but I don't think it needs to be specifically called out like WhatsApp etc.
The point (IMO) of the warning is to list some examples of popular apps that aren't as nice as you might think, and Threema doesn't even seem big enough to get that point across anyhow.
I agree with @five-c-d and @jonaharagon. LGTM.
Per commentary on another thread, it looks like the Keybase client is libre, but their server-side code is closed/proprietary. This is not a dealbreaker to them being WorthMentioning perhaps, but the current listings (signalapp + wireapp + riot&matrix + linphone) are all libre-licensed for 99% of their codebases -- i.e. including server-side. Not that that has much to do with whether Threema ought to be mentioned :-) But figured I would say that here, before the thread got too stale ;-) Thanks for merging, nitrohorse
…add WhatsApp EFF article link, add SMS messages mention
Description
Resolves: #948
- Remove Threema from explicit non-recommendation
I don't think Threema should be categorized along with WhatsApp, Line, etc. as being explicitly not recommended. The only reasons I have encountered in discussions for others not liking it are that it is not fully open source and costs money (the price of a coffee). Threema uses the open source NaCl box encryption model using elliptic curve DH 25519 key exchange and XSalsa20 encryption, with all messages encrypted end to end.
- Alphabetize the remaining list of not recommended apps.
- Add a link for WhatsApp to an EFF article expressing their concerns with it.
- Add regular SMS messages to the list. This may not really fit, as it is almost impossible to completely eliminate using SMS.