
>How much more secure is that?

It's much more secure wrt metadata. There is no third party server that's able to amass metadata about the two users conversing. SimpleX doesn't hide your IP-address from the server, and given that there's exactly two parent companies hosting ALL of the official servers, it's not too hard for Akamai or https://runonflux.com/ or anyone who compromises their OOBM systems to perform end-to-end correlation between two users.

https://discuss.privacyguides.net/t/simplex-vs-cwtch-who-is-... has a lot of discussion about Simplex vs Cwtch.



Agree with your post, but do want to point out that using private message routing on SimpleX theoretically hides your IP address from the server[1].

Similarly, built-in routing over Tor can make performing correlation attacks difficult for some adversaries, and if you elect to use your own .onion servers instead of the official ones, it adds another layer of obfuscation.

[1] https://github.com/simplex-chat/simplexmq/blob/stable/protoc...


What do you mean by "own .onion servers" here specifically? It is ambiguous for me. Your own hidden service? Your own bridge? As for hidden services, that would be up to SimpleX to do so (just like how Ricochet does it), otherwise I have no idea how one would do it with SimpleX or configure SimpleX to use "mine". You would need Orbot on Android to begin with to use SimpleX with Tor, and I do not know if there is such an option to "use own hidden service", as hidden services do not work this way at all.

How do you configure SimpleX on Android to use your own SMP servers BTW?


By "your" I mean your chosen 3rd party servers


Could you clarify with regard to .onion? How would I set this up for SimpleX and how would I configure SimpleX to use it, on, say, Android and Linux? I believe to use Tor with SimpleX, you would have to use Orbot, for example. What would I have to set up and how, on Linux? Genuine question. I would much prefer to self-host it.

I would also like to know how I would configure SimpleX on Android to use my own SMP servers.

Edit: I found this: https://simplex.chat/docs/server.html.

And I found:

  # `socks_mode` can be 'onion' for SOCKS proxy to be used for .onion destination hosts only (default)
  # or 'always' to be used for all destination hosts (can be used if it is an .onion server).
  # socks_mode: onion

In any case, I believe what I was looking for is https://simplex.chat/docs/server.html.


Yeah, I figured it out. I think I am supposed to do this: run a hidden service and a SimpleX server that uses the hidden service's port, and then use the hidden service's hostname as my SMP server that I set within the app.

On Android, however, this is not as easy or straightforward and I cannot think of a way to do this, to be honest. That is why I prefer these programs to have Tor bundled and run the hidden service by themselves with a hardened-enough torrc. Ricochet does this on desktop, which I think is the right way to go about this. SimpleX's server (https://github.com/simplex-chat/simplexmq) should do this.
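
Added example, not part of the thread and not SimpleX's or Tor's own code: a small check for the self-hosted setup described in the comment above, confirming that each onion service in a torrc forwards only to a listener on the same host. The sample torrc, its paths and port 5223 are constructed assumptions.

```python
import ipaddress

# Constructed torrc for a host fronting an SMP server with an onion service.
# Paths, addresses and port 5223 are assumptions for illustration.
SAMPLE_TORRC = """\
SocksPort 127.0.0.1:9050
HiddenServiceDir /var/lib/tor/simplex-smp/
HiddenServicePort 5223 127.0.0.1:5223
HiddenServiceDir /var/lib/tor/other/
HiddenServicePort 443 192.0.2.10:5223
HiddenServicePort 80 unix:/run/web.sock
"""

def target_is_local(target: str) -> bool:
    """True if a HiddenServicePort target stays on this host."""
    if target.startswith("unix:") or target.isdigit():
        return True  # unix socket, or bare port (Tor then uses 127.0.0.1)
    if target.startswith("["):          # bracketed IPv6, e.g. [::1]:5223
        host = target[1:].split("]", 1)[0]
    else:                                # IPv4 with or without :port
        host = target.split(":", 1)[0]
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False                     # not an IP literal: flag for review

def audit_onion_services(torrc_text: str) -> list[tuple[int, str]]:
    """Return (line number, finding) pairs for risky HiddenServicePort lines."""
    findings, current_dir = [], None
    for lineno, raw in enumerate(torrc_text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        key = parts[0].lower()
        if key == "hiddenservicedir" and len(parts) > 1:
            current_dir = parts[1]
        elif key == "hiddenserviceport" and len(parts) > 1:
            if current_dir is None:
                findings.append((lineno, "HiddenServicePort before any HiddenServiceDir"))
            # With no explicit target, Tor forwards to 127.0.0.1:VIRTPORT.
            target = parts[2] if len(parts) > 2 else parts[1]
            if not target_is_local(target):
                findings.append((lineno, f"{current_dir}: target {target} is not loopback"))
    return findings

if __name__ == "__main__":
    for lineno, finding in audit_onion_services(SAMPLE_TORRC):
        print(f"line {lineno}: {finding}")
```

A non-loopback target means the hop between Tor and the backend server crosses the network outside Tor, so it is worth reviewing before publishing the .onion hostname as an SMP server address.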


> On Android, however, this is not as easy or straightforward and I cannot think of a way to do this, to be honest. That is why I prefer these programs to have Tor bundled and run the hidden service by themselves with a hardened-enough torrc. Ricochet does this on desktop, which I think is the right way to go about this. SimpleX's server (https://github.com/simplex-chat/simplexmq) should do this.

What I do is run WireGuard on my server with a Tor daemon, connect to the WG network on my phone and then access the SOCKS and DNS proxies the Tor daemon exposes.

That way there is no need for Orbot or running Tor on Android at all.


From the SimpleX doc you linked

"To mitigate this problem SimpleX Messaging Protocol servers support 2-hop onion message routing when the SMP server chosen by the sender forwards the messages to the servers chosen by the recipients, thus protecting both the senders IP addresses and sessions, even if connection isolation and Tor are not used."

The thing is, like I said, there are only two main companies running all the servers. Akamai and RunOnFlux. So unless Tor is used, it's a 50-50 chance that both users are connecting to servers run by Akamai. Doesn't matter if the two servers don't share with each other the information about the IP-address of the user's peer. It's enough the parent VPS company has access to all traffic coming into the infrastructure. There's nothing "onion" about that routing. It's much closer to just traffic between two nodes of a server farm. Which is what practically any scalable IM server does.



