P2P Messaging

"I found a new p2p messaging app, got time to help me test it?"

I say these words far too often, and I'm probably close to burning out a few friendships because of it.

Over the past few years, I've been on a quest to find a secure and private messenger app.

The full list of apps I've researched and tested out: Wickr, Signal, Threema, Briar, Session, Manyverse, Berty, and Jami.

As I researched and tested out different ones, the scope of what I was looking for changed.

I started out looking for some sort of privacy and security, then learned the terminology of e2ee (end-to-end encryption) to keep messages secure, the ever-present danger of metadata, the major vulnerability in the use of centralized servers, and finally, the double-edged sword that is p2p (peer-to-peer).

Encryption is great, but if your messages are stored on any sort of centralized server, the metadata present in that string of messages (even if the messages themselves are encrypted) can be enough to destroy privacy.
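To make the metadata point concrete, here is an added example (not code from this post or from any of the apps it mentions) that parses a constructed relay log in which every message body is already opaque ciphertext. The log format, the user names and the timestamps are all made up for the example; the point is that the social graph, daily routine, conversation rhythm and probable attachments all fall out of the envelope data alone, which is why the post argues for keeping that data off servers in the first place.

```python
"""Added example: what a relay learns from ciphertext traffic it never decrypts."""
from collections import Counter
from datetime import datetime

# Constructed sample log (not from any real app). The relay sees only the
# envelope: when an opaque blob went from whom to whom, and how big it was.
SAMPLE_LOG = """\
2024-03-01T08:02:11Z relay from=alice to=bob bytes=312
2024-03-01T08:02:40Z relay from=bob to=alice bytes=298
2024-03-01T08:03:05Z relay from=alice to=bob bytes=1204
2024-03-01T12:15:00Z relay from=carol to=alice bytes=305
2024-03-01T12:16:22Z relay from=alice to=carol bytes=310
2024-03-02T08:01:50Z relay from=alice to=bob bytes=300
2024-03-02T08:02:31Z relay from=bob to=alice bytes=297
2024-03-02T23:40:09Z relay from=dave to=bob bytes=4096
"""


def parse_log(text):
    """Turn each 'timestamp relay k=v k=v ...' line into a record dict."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        records.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "from": kv["from"],
            "to": kv["to"],
            "bytes": int(kv["bytes"]),
        })
    return records


def contact_graph(records):
    """Undirected (user, user) pair -> message count: the social graph."""
    graph = Counter()
    for r in records:
        graph[tuple(sorted((r["from"], r["to"])))] += 1
    return graph


def active_hours(records, user):
    """Hour-of-day histogram for one user: daily routine and rough timezone."""
    hours = Counter()
    for r in records:
        if user in (r["from"], r["to"]):
            hours[r["time"].hour] += 1
    return hours


def reply_latencies(records, a, b):
    """Seconds between an a->b message and the next b->a message.

    Short, regular latencies mark a live conversation rather than a broadcast.
    """
    latencies = []
    pending = None
    for r in sorted(records, key=lambda r: r["time"]):
        if r["from"] == a and r["to"] == b:
            pending = r["time"]
        elif r["from"] == b and r["to"] == a and pending is not None:
            latencies.append(int((r["time"] - pending).total_seconds()))
            pending = None
    return latencies


def large_blobs(records, threshold=1024):
    """Ciphertext size is visible too: unusually large blobs suggest attachments."""
    return [(r["from"], r["to"], r["bytes"]) for r in records if r["bytes"] > threshold]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("who talks to whom:", dict(contact_graph(recs)))
    print("alice's active hours:", dict(active_hours(recs, "alice")))
    print("alice->bob reply latencies (s):", reply_latencies(recs, "alice", "bob"))
    print("probable attachments:", large_blobs(recs))
```

None of these functions needs a single byte of plaintext, which is the whole argument for minimizing what a server is allowed to see: the mitigation is to not collect the envelope at all (local storage, peer-to-peer delivery), and where a relay is unavoidable, to pad message sizes and avoid long-lived stable identifiers so the graph above cannot be built.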

So use of servers needs to be minimized, with as much as possible happening on the devices of the users themselves.

Thus, p2p.

Direct communication between peer devices (one phone connecting directly to another phone) brings with it a whole slew of technical problems. The Internet wasn't designed to do such a thing.

If pure p2p is going to happen, the only reliable way is to be on the same local network. Internet connectivity is possible in some cases, but both devices have to be running the program at the same time, and even then, a minor hiccup in connectivity and the connection can be completely lost for some time.

Not great for a messenger.

To combat this, every single one of the messenger apps I've tested uses some sort of server, at the very least to handle the connecting of peer devices. Here's a little bit about all the ones I've tested:

1. Wickr, Threema, and Signal: these were the most problematic; they all failed my first test: if I can restore my account without keeping a backup file or connecting to a peer, then my account is backed up somewhere that I can't control. I need to trust that they are keeping it safe, and that's a deal-breaker. Their encryption can be amazing, but the thing with encryption is that it's not if it can be broken, it's when it will be broken.

2. Briar: the first one that seemed to check all the boxes: messages are stored locally, server-esque clients are only used to facilitate connections between peers, it can easily work just over Bluetooth or Wi-Fi in case of emergency situations, and one of the coolest features: the app can be shared offline if needed in an emergency situation. There's no way to restore accounts, which is both good and bad. Good because there are no copies floating around out there, but bad, since I have no option to keep my own backup. All in all a good app; I had a few things I didn't like about it (no desktop app, not as many configurable options as I wanted), but I still keep it on my phone in case things get bad.

3. Session: intrigued me quite a bit, using a blockchain and nodes to replace the server component. It's the Oxen blockchain, and messages are relayed by nodes, HOWEVER, there does seem to be some replication process going on as well, since you can restore an account via a seed phrase. I really like the concept, and still use it from time to time, but there seem to be potential vulnerabilities, and I'm waiting for those to come to light before I rely on it.

4. Manyverse: I fell in love with this project when I first started reading up on it. Based on the SSB protocol, each device is essentially a node, building its own time-stamped append-only chain of messages and posts. A server is still needed for devices to connect to each other over the Internet, but Manyverse doesn't run any servers; you have to run your own. For the time being, it's the most p2p option out there. Due to this, onboarding friends is a chore, and you or one of your friends needs to be running a server (it's very lightweight though, and could be self-hosted on a Raspberry Pi) to facilitate connections. I've been running a server for a few months, and I'll keep it going for the foreseeable future; there's a lot of potential in this project.

5. Berty: still incredibly early in its development, this project leverages IPFS to replace the server component. My testing has shown it's a ways off from being reliable, but the potential is amazing. Even old PCs can run an IPFS node; if the team gets it right, I can see this being the most pure p2p option, and also the easiest to use and onboard. But again, it's got a ways to go.

6. Jami: just found this one a few days ago, and my initial testing has been flawless. It's using older protocols, which makes sense; the Internet was made for distributed comms, no need to reinvent the wheel. It makes use of servers for connecting peers over the Internet, but is highly customizable, and there's documentation on how to run your own server. My thought at this moment is to use it as my daily driver, until Manyverse or Berty get to the point where they can be a worthy replacement.
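Item 4 above describes the SSB model behind Manyverse: each device keeps its own time-stamped, append-only chain of messages, and peers replicate each other's chains. The following is an added example written for this page, not Manyverse or SSB code, of that data structure in pure Python. It assumes a simplified message layout (author, sequence number, previous-message hash, timestamp, content) and uses only a SHA-256 hash chain; real SSB additionally signs every message with the author's Ed25519 key, and the verifier below documents exactly which guarantee that signature adds.

```python
"""Added example: an SSB-style append-only, hash-chained feed (simplified)."""
import copy
import hashlib
import json


def message_id(msg):
    """Content address of a message: SHA-256 over its canonical JSON encoding."""
    canonical = json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


class Feed:
    """One author's log. Each message points at the id of the one before it."""

    def __init__(self, author):
        self.author = author
        self.messages = []

    def append(self, content, timestamp):
        previous = message_id(self.messages[-1]) if self.messages else None
        msg = {
            "author": self.author,
            "sequence": len(self.messages) + 1,
            "previous": previous,
            "timestamp": timestamp,
            "content": content,
        }
        self.messages.append(msg)
        return message_id(msg)


def verify_feed(author, messages):
    """Check author, consecutive sequence numbers, chain links and monotonic time.

    Returns (True, "ok") or (False, reason). Caveat: a hash chain only protects
    messages that a later message points at, so the final message could still be
    altered without breaking a link. Real SSB closes that gap by signing every
    message with the author's key; signatures are omitted in this example.
    """
    previous = None
    last_ts = None
    for i, msg in enumerate(messages, start=1):
        if msg.get("author") != author:
            return False, f"message {i}: wrong author"
        if msg.get("sequence") != i:
            return False, f"message {i}: sequence gap"
        if msg.get("previous") != previous:
            return False, f"message {i}: broken chain"
        if last_ts is not None and msg["timestamp"] < last_ts:
            return False, f"message {i}: timestamp went backwards"
        previous = message_id(msg)
        last_ts = msg["timestamp"]
    return True, "ok"


def merge_from_peer(local, remote_messages):
    """Replication step: adopt only messages that extend our verified prefix.

    Two different messages with the same sequence number mean the author forked
    their log (or someone is impersonating them); refuse rather than guess.
    """
    ok, reason = verify_feed(local.author, remote_messages)
    if not ok:
        raise ValueError(reason)
    shared = min(len(local.messages), len(remote_messages))
    for i in range(shared):
        if message_id(local.messages[i]) != message_id(remote_messages[i]):
            raise ValueError(f"fork at sequence {i + 1}")
    new = remote_messages[len(local.messages):]
    local.messages.extend(new)
    return len(new)


def demo():
    """Build a feed, replicate it, then show tamper and fork detection."""
    alice = Feed("alice")
    alice.append("hello", 1000)
    alice.append("second post", 1001)
    alice.append("third post", 1002)

    # A peer holding the first two messages catches up by exactly one.
    peer = Feed("alice")
    peer.messages = copy.deepcopy(alice.messages[:2])
    added = merge_from_peer(peer, copy.deepcopy(alice.messages))

    # Editing an old message breaks the link from its successor.
    tampered = copy.deepcopy(alice.messages)
    tampered[0]["content"] = "hello, edited"
    tamper_result = verify_feed("alice", tampered)

    # The same author publishing a different message 3 is a fork.
    forked = Feed("alice")
    forked.messages = copy.deepcopy(alice.messages[:2])
    forked.append("a different third post", 1002)
    try:
        merge_from_peer(peer, forked.messages)
        fork_result = "accepted"
    except ValueError as e:
        fork_result = str(e)
    return added, tamper_result, fork_result


if __name__ == "__main__":
    print(demo())
```

This is what lets a "server" in this model be nothing more than a dumb relay or a pub that stores copies: every device can verify a feed for itself, so there is no trusted party whose database holds the only authoritative record, and a device restored from a peer's copy gets exactly the chain the author published.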

In conclusion: through my research and testing, I've narrowed down what I was looking for to something that minimizes the need for servers to the absolute minimum, makes self-hosting a possibility, keeps as much data as possible stored on peer devices, and gives me control over backing up data. Manyverse does this best at the moment, Berty is the project I'll be following with the most interest, and Jami, after a little more research, is probably what I'll be using in the meantime until Manyverse or Berty is ready for my non-tech friends.
