====== Messaging Candidates ======

This is a summary of candidates for a cross-platform, user-friendly text messaging platform for general use instead of Facebook Messenger, Google Hangouts/GTalk, etc. Mobile-friendly solutions take some precedence, as mobile texting seems to be the dominant use case at the moment.

===== Requirements =====

The starting point in candidate selection is the now obsolete [[https://www.eff.org/secure-messaging-scorecard|EFF's Secure Messaging Scorecard]] (as of 14 July 2015). From that list, only entries that have at most one red mark are considered. In addition, the ideal candidate will:

  * Be federated with an open source server.
  * Have open source clients.
  * Have clients for all major platforms:
    * iOS, Android, Windows, MacOS, Linux
  * Be easy to install and set up.
  * Provide something better than a miserable user experience once set up.
  * Offer privacy and security protections by default.
  * Feel like it's not going to be abandoned.
  * Not require a phone number to create an account.
  * Not require your phone number to be divulged to everyone with whom you communicate.

===== The candidates =====

The notes below shouldn't be considered complete; they just highlight known negatives.

==== ChatSecure + Orbot ====

  * //Have clients for all major platforms.// No clients for desktop platforms.
  * //Be easy to install and set up.// Setting up an XMPP account isn't tragic, but it's not as streamlined as a single-source (i.e., non-federated) system. The big fail here though is that public XMPP servers tend to be fickle. OTR is baked in, so that's good.

==== CryptoCat ====

  * //Have clients for all major platforms.// Android client is still betaware. No native Windows or Linux apps.
  * //Feel like it's not going to be abandoned.// Development is advancing at a slow pace. Also, the Facebook integration needs to be investigated to see whether there's a potential security compromise.
==== Jitsi + Ostel ====

  * //Have clients for all major platforms.// Jitsi isn't available for mobile platforms (although an Android app is in the works). Other Ostel-compatible apps exist for mobile, but Ostel supports calls only--no text.

==== Mailvelope ====

OpenPGP encryption for webmail. Not really what we are after.

==== XMPP clients with Off-The-Record Messaging (Pidgin, Adium, etc.) ====

  * //Be easy to install and set up.// Setting up an XMPP account isn't tragic, but it's not as streamlined as a single-source (non-federated) system. The big fails here though are that public XMPP servers tend to be fickle and configuring+engaging OTR messaging is an additional and cumbersome step.

==== RetroShare ====

  * //Have clients for all major platforms.// No mobile clients.
  * //Feel like it's not going to be abandoned.// It's unclear how many developers are involved and what the commitment is.

==== Signal / RedPhone ====

Open Whisper Systems' partnership with WhatsApp/Facebook renders any security and privacy provisions suspect. Whatever lives within WhatsApp/Facebook is effectively governed by WhatsApp/Facebook privacy and security. In the absence of additional information, this renders this option ineligible for further consideration.

==== Silent Phone ====

  * //Have clients for all major platforms.// iOS and Android only. Also, SilentCircle seem to have deprecated their standalone clients in deference to their turnkey payware systems.

==== Silent Text ====

  * //Have clients for all major platforms.// Android only. Also, SilentCircle seem to have deprecated their standalone clients in deference to their turnkey payware systems.

==== Subrosa ====

In-browser tool. Not really what we are after.

==== Telegram Messenger ====

[[https://telegram.org/|link]]

  * //Be federated with an open source server.// The server is currently closed source. Federated open source services appear to be planned.
From the [[https://telegram.org/faq#q-how-are-secret-chats-different|FAQ]]:

> Q: Why not open source everything?
>
> All code will be released eventually. We started with the most useful parts -- a well-documented API that allows developers to build new Telegram apps, and open source clients that can be verified by security specialists.

  * //Offer privacy and security protections by default.// For the highest security (i.e., full marks from EFF), secret chats can be used. See the [[https://telegram.org/faq#q-how-secure-is-telegram|FAQ]]. Also, the [[https://telegram.org/privacy|privacy policy]] is encouraging. Questions have also been raised regarding the solidity of its encryption.((See [[http://gizmodo.com/why-you-should-stop-using-telegram-right-now-1782557415|Why You Should Stop Using Telegram Right Now]], [[http://fortune.com/2016/08/02/telegram-hackers-iran/|Iranian Hackers Just Cracked This Super Secure Instant Messaging Service]], and [[https://www.theverge.com/2017/1/11/14237136/trump-leak-telegram-security-cracked-russia-encryption|Trump leak raises new questions about Telegram security]].))
  * //Not require a phone number to create an account.// The only way to open a Telegram account is by using an SMS-enabled phone number.
  * //Not require your phone number to be divulged to everyone with whom you communicate.// The path of least resistance for using Telegram is to use your phone number as your identifier; however, username identification is possible. See [[Telegram|Telegram use notes]] for more info.

Additional vetting of the founders' financial and other interests is required before a firm recommendation can be made. However, the founders seem not to be invested with [[http://vk.com/|VKontakte]] any longer, and the operation is based in Berlin.

==== TextSecure ====

Open Whisper Systems' partnership with WhatsApp/Facebook renders any security and privacy provisions suspect.
Whatever lives within WhatsApp/Facebook is effectively governed by WhatsApp/Facebook privacy and security. In the absence of additional information, this renders this option ineligible for further consideration.

==== Tox ====

Relative newcomer [[https://tox.chat/index.html|Tox]] doesn't appear on the EFF's list. A more complete evaluation is pending, but initially this looks like a winner.

===== Recommendation =====

Tox needs a more complete evaluation, but on the surface it is encouraging.

Telegram comes close to a recommendation, but the questions surrounding its encryption, its use of your phone number as the primary source for identification, and its clunky use of usernames make an enthusiastic recommendation difficult.