[trust problem] I can not trust simplex.chat when it send traffic to servers that is not deploy by myself.

[bronze1man]

I am a user in a team that care about privacy of logs of chat messages history and contracts .
I do not trust what simplex.chat said in the first place, so I did a test:

I deploy two servers, ip a and ip b.
I config ip a to ios device c.
I config ip b to ios device d.
I put ios device c and device d into different nat , so it can not direct connect in ip .it must need some servers to relay.
I find that device c can send message to device d successfully.
So I am sure that are it send traffic to some hidden servers that is not deploy by myself.
So I will not trust simplex.chat only base on those tests, I can not sure the servers that is not deploy myself can not read/log my message.
I may trust simplex.chat by reading and verified all source code myself.

Suggestion:

• Add a option that allow me connect to servers that deploy by myself only. (I will use wireshark/tcpdump on router to verify it)

[bronze1man]

I know that ios push notifications stuff must use a server that is not deploy by myself.
So I need options to disable it and document it (the domain or ip list) and document that code that do that stuff, so I can verify that code is not send my chat content to apple.

[epoberezkin]

So I am sure that are it send traffic to some hidden servers that is not deploy by myself.

That is 100% not the case, it may use other servers, but they are not hidden :)
What seems likely to be happening is that the servers you configure only used for the new contacts you create, the contacts created before changing configuration continue using the servers they did.

You can check which servers are used to send and receive messages for each contact in the contact page (tap contact avatar on top of the chat). If it has one of simplex.im servers that would explain what you observe. If you have your servers there and you are certain that they are unreachable I'd love to investigate it further. I wasn't quite clear what is in different networks - for the test you describe it should be devices and servers, the devices would never communicate directly.

We will be adding a feature allowing to manually and automatically migrate to other servers - it is coming soon.

Add a option that allow me connect to servers that deploy by myself only.

What you are asking is an option for "trusted servers" - we are considering it. We were thinking to only constrain the new connections though, not to prevent the existing contacts to work (as you seem to want), but it can be extended to be more restrictive and inform users that there are X contacts using non-trusted servers and that they would stop working.

[serrq]

I am not an expert in IT networks but I use logic.
It seems correct to me that changes to servers also affect backwards those contacts who have established connections on public (or untrusted, I think you call them) servers. This is because if I had even a single doubt about the continuity line of my telecommunication (MitM) I must be able with one click to replace all past, present, and future servers without standing there bargaining. An alert message will ask if you agree to migrate to trusted servers, after which if the contact does not agree, peace in the world. He chooses, I choose.

[bronze1man]

What seems likely to be happening is that the servers you configure only used for the new contacts you create, the contacts created before changing configuration continue using the servers they did.

No, in my tests, it looks like the configure of smp and webrtc address can not stop new contacts to use the default(hidden) servers . It may be a bug? (First configure to differents address, than add the contacts, then talks to eath others.)

[epoberezkin]

@serrq: It seems correct to me that changes to servers also affect backwards those contacts who have established connections on public (or untrusted, I think you call them) servers.

You decide which message queue (think, like a mailbox) to use for each contact. If you want to move this mailbox to another server it requires some communication and agreement with that contact. Right now, it can only be done manually, by creating a new contact. v4.2 or maybe 4.3 will have experimental feature allowing you to switch contact to another server manually, by clicking a button. Later this year we will adding automatic migration of the contacts, and optionally it will be happening regularly too, but it cannot be instant - it will be happening over some short period of time. And if the current server is broken then the automatic change won't be possible - you would have to send the new address out of band, in the same way the initial connection was made.

The expectation that changing the server should instantly change how you communicate with your contacts is based on the idea that each user has some global address and the servers are used to route messages between these addresses. But it's not how SimpleX is designed - users do not have any global addresses, and a server is part of the pair-wise address used to send or receive messages to one contact only, so changing this address requires some communication.

@bronze1man: No, in my tests, it looks like the configure of smp and webrtc address can not stop new contacts to use the default(hidden) servers . It may be a bug? (First configure to differents address, than add the contacts, then talks to eath others.)

Have you changed the configuration on both clients before creating the connection? Your client only determines which servers will be used to receive messages, your contact's client determines which server is used by you to send messages (that is, both clients define the servers where they receive messages).

If after you change configuration on both clients the new connection is still established via the default servers, we need to look into it, but let's make a test first:

1. two clients with the empty profiles (so there are no old contacts that might still have traffic with the other servers)2.
2. if you use iOS disable push notifications in the app settings (not in iOS settings), as otherwise you might be seeing the traffic to our notifications server that cannot be self-hosted, as it has the private key to send push notifications via APNS.
3. change server configuration on both clients
4. make connection
5. make screenshot of contact pages - it would show which server is used to receive and which to send messages (see below)
6. also please check chat console in both clients for hostConnected events - these events would have servers when they are connected (also see pics below).

We might have a bug if:

• if you see incorrect servers there, or,
• the servers are yours, but the traffic is still sent to our servers

I don't think either can be the case though, but I absolutely can be wrong :)

Thank you for testing it!

[bronze1man]

The expectation that changing the server should instantly change how you communicate with your contacts is based on the idea that each user has some global address and the servers are used to route messages between these addresses.

No , my expectation is that I will setup my server after I download the app , and do not change it when the server is normal. I do not need that changing the server should instantly change how you communicate with your contacts is based on right now. I may need it when the server is broken , but not now.(I may expect two servers may solve this problem when one is broken) When i change it , the old contacts are not important, i can always add my contact again face to face.

I will do the test again, later.

[serrq]

The expectation that changing the server should instantly change how you communicate with your contacts is based on the idea that each user has some global address and the servers are used to route messages between these addresses. But it's not how SimpleX is designed - users do not have any global addresses, and a server is part of the pair-wise address used to send or receive messages to one contact only, so changing this address requires some communication.

Understood. Since I don't have the IT background to contribute to security improvements, I fully rely on your expertise and that of your team, and I am sure you will do everything you can to protect our communications from potentially aggressive and oppressive governments.

Thank you for the explanations and for what you do.

[serrq]

Could you add a "make a donation to the collective" button within the app? I would like to be catapulted to the crypto donation page. I do not want to support the centralized FIAT (currency) system.

Even better if you directly include a Bitcoin address of yours to which I can send funds directly. And let's get the "middlemen" out of the way to whom you have to pay the fee...

[epoberezkin]

There are ways to donate here: https://github.com/simplex-chat/simplex-chat#help-us-pay-for-3rd-party-security-audit

thank you!

[sarsoftware]

Hello!
I want to create a chat application based on your source code. I managed to load
source to Intellij and compile it but with some unwanted modifications. I failed to download 2 libraries:
libsupport.so and libsimplex.so. I found them when I decompiled the apk, but the project still failed to compile
due to a bug in the C code, the line: jstring res = (*env)->NewStringUTF(env, chat_parse_server(_str));
I am getting error: undefined symbol: chat_parse_server. I found links:

https://ci.zw3rk.com/build/494539/download/1/pkg-aarch64-android-libsimplex.zip
https://ci.zw3rk.com/build/482524/download/1/pkg-aarch64-android-libsupport.zip

but on them I got http error 500. Can you help me get the required libraries?

[easthvan]

Suggestion:

• Add a option that allow me connect to servers that deploy by myself only. (I will use wireshark/tcpdump on router to verify it)

I'm second to the poster in the aspect that I cannot trust a 3rd party chat server directly connected to my phone when I have my own SMP servers and I would like to have full control on the sender server (my sovereignty and no need to put trust in 3rd party). So I cannot wait the coming SMP proxies (at least) to have them as shield but still, I'd want to use my own my servers for sending our my own messages from my phone and not someone else's. If I could pick, I'd chose the sending server instead of the receiving server.

suggestion: both, the sending and receiving servers to be chosen locally from the preset pool of SMPs (which can include only the client's self hosted ones).

[epoberezkin]

So I cannot wait the coming SMP proxies (at least) to have them as shield but still, I'd want to use my own my servers for sending our my own messages from my phone and not someone else's. If I could pick, I'd chose the sending server instead of the receiving server.

These two things are equivalent - sending proxies would allow you exactly that - choosing the servers you use to send the messages, and they will be chosen from the same servers you use to receive - sending proxies would not be a new kind of servers, but rather an extension of messaging protocol, that would make each message delivered via 2 hops, when both sides choose both sending and receiving servers - similar to how email operated, but without any user accounts or identities.

[easthvan]

🚀How can you add 10 🚀 rockets on this...?

It seems so I did not get the whole idea for the first time you outlined this in the group. This "both parties have 2 hops as a shield 🛡️" and both can work as a sovereign "self hosted islands" concept sounds fantastic compared to the conventional ways. Especially if the user tops it with a decent anon VPN... This could actually eliminate Tor for those who don't need >90% certainty level of anonymity or who are not in critical danger in any way.

Exciting times ahead.