Briar is a messaging app designed for high-security and censored environments. It uses peer-to-peer encryption, meaning messages are exchanged directly between devices rather than through a central server. This decentralized approach eliminates single points of failure and surveillance. Briar can connect directly via Bluetooth or Wi-Fi in proximity, or through the Tor network for more distant contacts, further enhancing privacy. Users add contacts by scanning a QR code or sharing a link. While Briar prioritizes security, it also supports blogs and forums, fostering community building in challenging situations.
Apple is reportedly planning to add support for encrypted Rich Communication Services (RCS) messaging between iPhones and Android devices. This means messages, photos, and videos sent between the two platforms will be end-to-end encrypted, providing significantly more privacy and security than the current SMS/MMS system. While no official timeline has been given, the implementation appears to be dependent on Google updating its Messages app to support encryption for group chats. This move would finally bring a modern, secure messaging experience to cross-platform communication, replacing the outdated SMS standard.
Hacker News commenters generally expressed skepticism about Apple's purported move towards supporting encrypted RCS messaging. Several doubted Apple's sincerity, suggesting it's a PR move to deflect criticism about iMessage lock-in, rather than a genuine commitment to interoperability. Some pointed out that Apple benefits from the "green bubble" effect, which pressures users to stay within the Apple ecosystem. Others questioned the technical details of Apple's implementation, highlighting the complexities of key management and potential vulnerabilities. A few commenters welcomed the move, though with reservations, hoping it's a genuine step toward better cross-platform messaging. Overall, the sentiment leaned towards cautious pessimism, with many anticipating further "Apple-style" limitations and caveats in their RCS implementation.
The UK's National Cyber Security Centre (NCSC), along with GCHQ, quietly removed official advice recommending the use of Apple's device encryption for protecting sensitive information. While no official explanation was given, the change coincides with the UK government's ongoing push for legislation enabling access to encrypted communications, suggesting a conflict between promoting security best practices and pursuing surveillance capabilities. This removal raises concerns about the government's commitment to strong encryption and the potential chilling effect on individuals and organizations relying on such advice for data protection.
HN commenters discuss the UK government's removal of advice recommending Apple's encryption, speculating on the reasons. Some suggest it's due to Apple's upcoming changes to client-side scanning (now abandoned), fearing it weakens end-to-end encryption. Others point to the Online Safety Bill, which could mandate scanning of encrypted messages, making previous recommendations untenable. A few posit the change is related to legal challenges or simply outdated advice, with Apple no longer being the sole provider of strong encryption. The overall sentiment expresses concern and distrust towards the government's motives, with many suspecting a push towards weakening encryption for surveillance purposes. Some also criticize the lack of transparency surrounding the change.
Delta Chat is a free and open-source messaging app that leverages existing email infrastructure for communication. Instead of relying on centralized servers, messages are sent and received as encrypted emails, ensuring end-to-end encryption through automatic PGP key management. This means users can communicate securely using their existing email addresses and providers, without needing to create new accounts or convince contacts to join a specific platform. Delta Chat offers a familiar chat interface with features like group chats, file sharing, and voice messages, all while maintaining the decentralized and private nature of email communication. Essentially, it transforms email into a modern messaging experience without compromising user control or security.
Hacker News commenters generally expressed interest in Delta Chat's approach to secure messaging by leveraging existing email infrastructure. Some praised its simplicity and ease of use, particularly for non-technical users, highlighting the lack of needing to manage separate accounts or convince contacts to join a new platform. Several users discussed potential downsides, including metadata leakage inherent in the email protocol and the potential for spam. The reliance on Autocrypt for key exchange was also a point of discussion, with some expressing concerns about its discoverability and broader adoption. A few commenters mentioned alternative projects with similar aims, like Briar and Status. Overall, the sentiment leaned towards cautious optimism, acknowledging Delta Chat's unique advantages while recognizing the challenges of building a secure messaging system on top of email.
Signal's cryptography is generally well-regarded, using established and vetted protocols like X3DH and Double Ratchet for secure messaging. The blog post author reviewed Signal's implementation and found it largely sound, praising the clarity of the documentation and the overall design. While some minor theoretical improvements were suggested, like using a more modern key derivation function (HKDF over SHA-256) and potentially exploring post-quantum cryptography for future-proofing, the author concludes that Signal's current cryptographic choices are robust and secure, offering strong confidentiality and integrity protections for users.
Hacker News users discussed the Signal cryptography review, mostly agreeing with the author's points. Several highlighted the importance of Signal's Double Ratchet algorithm and the trade-offs involved in achieving strong security while maintaining usability. Some questioned the practicality of certain theoretical attacks, emphasizing the difficulty of exploiting them in the real world. Others discussed the value of formal verification efforts and the overall robustness of Signal's protocol design despite minor potential vulnerabilities. The conversation also touched upon the importance of accessible security audits and the challenges of maintaining privacy in messaging apps.
Ricochet is a peer-to-peer encrypted instant messaging application that uses Tor hidden services for communication. Each user generates a unique hidden service address, eliminating the need for servers and providing strong anonymity. Contacts are added by sharing these addresses, and all messages are encrypted end-to-end. This decentralized architecture makes it resistant to surveillance and censorship, as there's no central point to monitor or control. Ricochet prioritizes privacy and security by minimizing metadata leakage and requiring no personal information for account creation. While the project is no longer actively maintained, its source code remains available.
HN commenters discuss Ricochet's reliance on Tor hidden services for its peer-to-peer architecture. Several express concern over its discoverability, suggesting contact discovery is a significant hurdle for wider adoption. Some praised its strong privacy features, while others questioned its scalability and the potential for network congestion with increased usage. The single developer model and lack of recent updates also drew attention, raising questions about the project's long-term viability and security. A few commenters shared positive experiences using Ricochet, highlighting its ease of setup and reliable performance. Others compared it to other secure messaging platforms, debating the trade-offs between usability and anonymity. The discussion also touches on the inherent limitations of relying solely on Tor, including speed and potential vulnerabilities.
The UK government is pushing for a new law, the Investigatory Powers Act, that would compel tech companies like Apple to remove security features, including end-to-end encryption, if deemed necessary for national security investigations. This would effectively create a backdoor, allowing government access to user data without their knowledge or consent. Apple argues that this undermines user privacy and security, making everyone more vulnerable to hackers and authoritarian regimes. The law faces strong opposition from privacy advocates and tech experts who warn of its potential for abuse and chilling effects on free speech.
HN commenters express skepticism about the UK government's claims regarding the necessity of this order for national security, with several pointing out the hypocrisy of demanding backdoors while simultaneously promoting end-to-end encryption for their own communications. Some suggest this move is a dangerous precedent that could embolden other authoritarian regimes. Technical feasibility is also questioned, with some arguing that creating such a backdoor is impossible without compromising security for everyone. Others discuss the potential legal challenges Apple might pursue and the broader implications for user privacy globally. A few commenters raise concerns about the chilling effect this could have on whistleblowers and journalists.
Earthstar is a novel database designed for private, distributed, and offline-first applications. It syncs data directly between devices using any transport method, eliminating the need for a central server. Data is organized into "workspaces" controlled by cryptographic keys, ensuring data ownership and privacy. Each device maintains a complete copy of the workspace's data, enabling seamless offline functionality. Conflict resolution is handled automatically using a last-writer-wins strategy based on logical timestamps. Earthstar prioritizes simplicity and ease of use, featuring a lightweight core and adaptable document format. It aims to empower developers to build robust, privacy-respecting apps that function reliably even without internet connectivity.
Hacker News users discuss Earthstar's novel approach to data storage, expressing interest in its potential for P2P applications and offline functionality. Several commenters compare it to existing technologies like CRDTs and IPFS, questioning its performance and scalability compared to more established solutions. Some raise concerns about the project's apparent lack of activity and slow development, while others appreciate its unique data structure and the possibilities it presents for decentralized, user-controlled data management. The conversation also touches on potential use cases, including collaborative document editing and encrypted messaging. There's a general sense of cautious optimism, with many acknowledging the project's early stage and hoping to see further development and real-world applications.
The blog post "Let's talk about AI and end-to-end encryption" explores the perceived conflict between the benefits of end-to-end encryption (E2EE) and the potential of AI. While some argue that E2EE hinders AI's ability to analyze data for valuable insights or detect harmful content, the author contends this is a false dichotomy. They highlight that AI can still operate on encrypted data using techniques like homomorphic encryption, federated learning, and secure multi-party computation, albeit with performance trade-offs. The core argument is that preserving E2EE is crucial for privacy and security, and perceived limitations in AI functionality shouldn't compromise this fundamental protection. Instead of weakening encryption, the focus should be on developing privacy-preserving AI techniques that work with E2EE, ensuring both security and the responsible advancement of AI.
Hacker News users discussed the feasibility and implications of client-side scanning for CSAM in end-to-end encrypted systems. Some commenters expressed skepticism about the technical challenges and potential for false positives, highlighting the difficulty of distinguishing between illegal content and legitimate material like educational resources or artwork. Others debated the privacy implications and potential for abuse by governments or malicious actors. The "slippery slope" argument was raised, with concerns that seemingly narrow use cases for client-side scanning could expand to encompass other types of content. The discussion also touched on the limitations of hashing as a detection method and the possibility of adversarial attacks designed to circumvent these systems. Several commenters expressed strong opposition to client-side scanning, arguing that it fundamentally undermines the purpose of end-to-end encryption.
Summary of Comments ( 131 )
https://news.ycombinator.com/item?id=43363031
Hacker News users discussed Briar's reliance on Tor for peer discovery, expressing concerns about its speed and reliability. Some questioned the practicality of Bluetooth and Wi-Fi mesh networking as a fallback, doubting its range and usability. Others were interested in the technical details of Briar's implementation, particularly its use of SQLite and the lack of end-to-end encryption for blog posts. The closed-source nature of the Android app was also raised as a potential issue, despite the project being open source overall. Several commenters compared Briar to other secure messaging apps like Signal and Session, highlighting trade-offs between usability and security. Finally, there was some discussion of the project's funding and its potential use cases in high-risk environments.
The Hacker News post titled "Briar: Peer to Peer Encrypted Messaging" linking to Briar Project's "how it works" page generated a moderate amount of discussion, with several commenters expressing interest in the project and its technical aspects.
A recurring theme is Briar's unique approach to peer-to-peer communication, which avoids relying on central servers. Several comments delve into the specifics of this, comparing it to other messaging apps like Signal and Session. One commenter points out that Briar "uses Bluetooth and wifi-direct for local communication" when internet connectivity is unavailable, distinguishing it from apps that rely solely on internet access. Another commenter elaborates on this, explaining how this feature enables communication in "challenging network environments" like protests or areas with internet censorship.
The discussion also touches on the trade-offs of this decentralized approach. A commenter highlights the "higher barrier to entry" due to the need for direct connections or a trusted contact already on the network, contrasting it with the ease of joining centralized platforms. Another acknowledges the potential difficulty in discovering and adding contacts.
Security and privacy are also prominent in the discussion. Commenters discuss the encryption methods employed by Briar and its resistance to surveillance. One commenter inquires about metadata leaks, specifically regarding "Bluetooth broadcast device names," raising concerns about potential identification even with encrypted messages.
Furthermore, the conversation drifts towards the practical usability of Briar. Commenters discuss its interface and user experience, with some expressing a desire for a more polished design. The limited platform support (Android only at the time of the comments) is also mentioned. A commenter expresses interest in iOS and desktop support, indicating a demand for broader accessibility.
Finally, some comments provide additional context, mentioning related projects like Ricochet Refresh and the challenges of building truly decentralized and secure communication systems. One commenter mentions the historical precedent of "sneakernet" as a precursor to Briar's approach.
In summary, the comments section demonstrates a significant interest in Briar's decentralized approach to secure messaging, while also acknowledging the practical challenges and trade-offs involved. The discussion focuses heavily on the technical aspects, comparing Briar to existing solutions and exploring its potential use cases in situations where traditional communication channels are unavailable or compromised.