Matrix: An open network for secure, decentralized communication

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  • sydent

    Sydent: Reference Matrix Identity Server

  • bbs

    Forum for discussing Internet censorship circumvention

  • So disclaiming this with the warning that I haven't really kept myself too up to date the last year or two with the latest in private communications so please correct me if I'm wrong or outdated about any of this.

    Also remember that privacy and security are never a silver bullet, and anyone claiming that something is, is probably not being genuine about their intentions. Privacy and security are about making things harder, not impossible - how difficult is entirely based on what you're trying to protect, and from who or whom you're trying to protect it.

    Right, with that out of the way.

    In this case, tapping is less of a concern with anything E2EE encrypted and using proper cryptography suites - which is usually a given these days with most privacy-focused applications. Signal, Matrix, and Briar come to mind. But "censorship resistance" being the key term here, means that the infrastructure used to actually send the messages cannot be tampered with or otherwise taken offline.

    You want to make sure that automatic updates can't be pushed to the app by a third party. App signing helps, but making sure that automatic updates are off and that you update frequently enough and ensuring that each release is properly released by the author is important. There are other modes where this still isn't bulletproof (system OTA update with a backdoor, app author is compromised, etc.) but these are typically not within your model.

    Telegram is not censorship resistant[0], and while it's E2EE in secret chats, it's not E2EE by default. This is a common misconception by a lot of people.

    Signal by design isn't censorship resistant but they do a lot of work to make it effectively so - when they're not fighting amongst themselves[1]. Signal is also quite aggressive when it comes to antiestablishment sentiments historically, which depending on where you are can work against you or be in conflict with your goals[2].

    Matrix is a decent enough protocol at a higher level, though admittedly I'm not super acquainted with its internals. I do use it quite a bit, however, and generally like it, but it's very unapproachable to all but the savvier tech enthusiasts, and has a pretty young ecosystem when it comes to clients, phones, etc. It's also wildly underused compared to other platforms. I myself am a long-time IRC user and get very confused with Matrix at times.

    Finally there's Briar[3], which I've not used but it was mentioned not too long ago here on HN. It can use other means of communication on phones to send messages securely.

    As always, Tor can be a great way to obfuscate your internet usage and in some cases even bypass state-enacted blockages of certain sites, but it's not foolproof and can actually make things worse[4] if you don't understand how it works and when not to use it. Make sure to research first.

    By the way, threat modeling[5] can be fun and is applicable to a lot of situations, including your own personal safety. The five functions[6] are a fun place to start. Read up on it if you want!

    Hope this is a decent enough overview!

    [0] https://en.wikipedia.org/wiki/Government_censorship_of_Teleg...

    [1] https://github.com/net4people/bbs/issues/63

    [2] https://cyberlaw.stanford.edu/blog/2021/05/i-have-lot-say-ab...

    [3] https://briarproject.org/how-it-works/

    [4] https://support.torproject.org/faq/staying-anonymous/

    [5] https://en.wikipedia.org/wiki/Threat_model

    [6] https://www.nist.gov/cyberframework/online-learning/five-fun...

NOTE: The number of mentions on this list indicates mentions on common posts plus user suggested alternatives. Hence, a higher number means a more popular project.
