[HN Gopher] Cwtch: Decentralized, privacy-preserving, multi-part...
___________________________________________________________________
Cwtch: Decentralized, privacy-preserving, multi-party messaging protocol
Author : homarp
Score  : 67 points
Date   : 2021-06-26 16:19 UTC (6 hours ago)
(HTM) web link (cwtch.im)
(TXT) w3m dump (cwtch.im)
| anotheryou wrote:
| Can it handle multiple devices of the same account?
| detaro wrote:
| According to the FAQ on the linked page, not yet.
| julienreszka wrote:
| damn I can't even imagine the level of autism of those who
| decided that cwtch is an ok name, interesting product tho
| udia wrote:
| How does this compare with something like Matrix, which also does
| decentralized encrypted communications? https://matrix.org/
| sarahjamielewis wrote:
| Hi Sarah from Open Privacy / Cwtch team here - the main major
| difference is that Cwtch servers are completely untrusted under
| the risk model - they don't learn anything about the groups
| they are hosting, who is a member of which group, or who each
| message is for.
|
| The design for groups is still in flux, and they are marked
| experimental but there are a few more details in our Secure
| Development Handbook
| https://docs.openprivacy.ca/cwtch-security-handbook/groups.h...
|
| Metadata resistant group comms is still a fairly large open
| research problem, and we are also working on the research side
| to reduce some of the bandwidth requirements that are currently
| required by our group protocol:
| https://git.openprivacy.ca/openprivacy/niwl
| bjt2n3904 wrote:
| Interesting project! I've been looking for something to
| replace Signal, and this scratches an itch.
|
| I see that you're using Tor to route messages? How would
| mobile devices fare with Tor connections when they go to
| sleep?
| sarahjamielewis wrote:
| On Android we implement a background service that will wake
| up periodically and either use the active tor connection or
| start a new one if the kernel has stopped it for any reason
| - and also reconnects the UI. This makes Cwtch connections
| fairly stable on android devices - even for p2p.
|
| However, it also means that Cwtch on Android is fairly
| battery intensive. We provide a way to easily shut down
| Cwtch completely for this reason - and we are researching
| ways to minimize power consumption (both through tor
| optimizations and alternative anonymous communication
| networks)
| kitkat_new wrote:
| how will it compare to P2P Matrix?
| dane-pgp wrote:
| I'm wondering that too, or specifically how it compares to
| Matrix run as a Tor hidden service, which is apparently
| possible:
|
| https://github.com/matrix-org/synapse/issues/2111#issuecomme...
| remram wrote:
| I'm not sure if Cootch is federated, like Matrix, or peer-to-peer.
| I assume the first, if Tor is being used?
|
| Berty also sounds similar, although it is not released yet:
| https://berty.tech/
| celticninja wrote:
| It's Cwtch, pronounced more like Cutch than Cootch
|
| Edit. Cutch was supposed to be more of a phonetic way to
| pronounce it as opposed to a word with a similar sound.
| some_furry wrote:
| Like "clutch" without the "L"?
| celticninja wrote:
| Close. This is from the homepage:
|
| How do I pronounce Cwtch? Like "kutch", to rhyme with
| "butch".
|
| In common use you might say "Cwtch in" to mean "snuggle
| in" or "cuddle in close"
| some_furry wrote:
| That is a really damn cute name
| [deleted]
| remram wrote:
| I don't know how either "butch" or "cutch" is pronounced.
| You might want to offer a common word for people who did
| not grow up in America...
|
| edit: butcher?
| celticninja wrote:
| This may help, although I would have thought butch was
| common enough. E.g.
| Butch Cassidy and the Sundance Kid
|
| https://www.google.com/search?q=define+butch&oq=define+butch...
| celticninja wrote:
| Yes, butch is like butcher but without the "er"
| sneak wrote:
| Android and desktop only, so most people I know won't be able to
| use it on the only device they message on.
| mindstab wrote:
| Maybe talk to Apple, who have made it increasingly hard to
| theoretically impossible for our type of privacy preserving app
| to run on iOS. We aren't the first, and Briar has been around a
| bit longer and has run into the same problem.
|
| https://briarproject.org/news/2018-1.0-released-new-funding/
|
| https://code.briarproject.org/briar/briar/-/issues/445
|
| As an even smaller team with less funding, we have so far
| decided it would be irresponsible to risk sinking a sizable
| portion of our limited funds into trying to port to iOS when it
| may be impossible.
|
| But if you really want it, please, donate, we need iphones,
| macs, dev accounts and budget for the research and work!
| sneak wrote:
| Talking to Apple won't change the circumstance that I am
| alluding to, which is that most people willingly opt for
| closed, centrally censored platforms.
|
| You can't solve this problem at the application layer.
| some_furry wrote:
| If you're speaking about iOS, the dev just tweeted this:
| https://twitter.com/SarahJamieLewis/status/14088573160870584...
|
| > The answer to why is there no Mac/iOS version of Cwtch / why
| does Cwtch not have feature X is that last year we raised only
| a fraction of our donation target. You can help change that!
|
| > @OpenPriv is powered by hundreds of individual donors just
| like you!
|
| > https://openprivacy.ca/donate/
| sneak wrote:
| They are competing with Signal (and also every other insecure
| messenger like WhatsApp and Telegram), and Signal already
| exists.
|
| Cross-platform support is table stakes for a messenger. This
| will likely go the way of Ricochet.
| brutal_chaos_ wrote:
| Decentralized vs Centralized is the competition. Cross
| platform is a goal, but, I believe, user privacy comes
| first for Cwtch.
| lucb1e wrote:
| A bit tangential but I'd be honestly curious how many people
| use iOS _and_ explicitly value their privacy. Everyone has
| something to hide so we all care implicitly to a certain extent
| obviously, but for the real nuts (that includes myself),
| Android is the only OS where you get to both have the freedom
| to turn things off as you please (at the flip of a setting for
| most manufacturers, at least) as well as install regular
| applications. A Linux phone is fun and all, but much less
| practical.
|
| With iOS you have to either be a leading expert in
| vulnerability research or hope that someone else finds a
| serious security issue in your operating system, leave it
| unpatched, and then exploit it yourself to get proper access
| and control your device.
|
| I'd trust Apple more than Google to do the right thing any day
| of the week, but they're not some foundation with a mission.
| Cutting Apple out of your data is a lot harder on an Apple than
| it is to cut Google out on Google's platform.
| some_furry wrote:
| First impression: I created an account on desktop and on mobile.
| I used the same display name and password in both cases. I got
| two different addresses. Good.
|
| I don't see any means to copy an identity across the boundary
| (e.g. with Telegram, I can participate in the same conversation
| as the same identity from multiple devices).
|
| Which means one of two things happens:
|
| 1. Users are encouraged to use one dedicated device for all
| private communications.
|
| 2. If users want multi-device, they have to leak facts about
| their setup (one public key per device) to the people they're
| talking to.
|
| (This isn't a criticism; I'm just observing the user experience.)
| geoah wrote:
| Really like the idea behind this.
| The basic premise is really
| interesting: Conversation between two people is direct p2p
| through tor, while groups require a server that people need to
| host. It's a really interesting middle ground between having to
| trust a single party with all your conversations and making
| everything truly p2p.
| kodablah wrote:
| Easy to get around residential ISP NAT issues too. It's really
| easy for any software to start a local ephemeral onion service
| on Tor on their local machine and have it reachable worldwide
| in a couple seconds.
|
| I'm a fan of this project and have been watching it for a
| while. It is my hope that more self-at-home-hosted options pop
| up in this space around Tor onion services.
| ignoramous wrote:
| > _...self-at-home-hosted options pop
| up in this space around
| Tor onion services._
|
| See also: https://github.com/agl/pond
|
| With Snowflake bridges, apps can now connect to the Tor
| network from within a browser.
|
| Ref: https://snowflake.torproject.org/
| kodablah wrote:
| Shameless plug, I also wrote a simple lib that makes onion
| services easy: https://github.com/cretz/bine (OP's project
| uses a fork of it and I plan on putting more time into it
| soon)
| sanity31415 wrote:
| Tor isn't really P2P since messages need to go through Tor's
| network of routers.
| bastawhiz wrote:
| The whole internet requires that any connection traverses
| numerous switches and routers. Unless you're pointing a
| microwave antenna at the destination to deliver your packets,
| the distinction here is pointless.
| generalizations wrote:
| My first thought as well, since tor is built around the idea
| of bouncing connections around the network.
|
| But "p2p" still makes sense, if we just consider tor a black
| box.
| cortesoft wrote:
| So nothing on the internet is peer to peer, since you have to
| go through ISP's network of routers?
| SavantIdiot wrote:
| Wait, why do we dislike Signal?
|
| I'm always late to the secure comm party...
|
| EDIT: Got it, Cwtch is decentralized p2p, Signal ain't. Thanks!
| lucb1e wrote:
| Not merely centralized, but also openly hostile to
| decentralization. Going so far as to hold talks about why
| decentralization is a bad thing for a chat app. I also never
| heard a rebuttal to this claim of Wire's:
|
| > Moxie et al have publicly stated that they want wide adoption
| of the Axolotl [Signal] protocol -- but if you do an
| independent implementation, using the published reference
| documentation and background knowledge from having seen their
| code online, you can be accused of copyright infringement and
| asked to pay a "license fee."
|
| Or that fiasco with integrating a shitcoin in the application:
| https://www.stephendiehl.com/blog/signal.html
|
| I'm on Signal because of the network effect and its
| reliability, and I actively invite people to use it over things
| like Telegram, but I do wish we had a better alternative.
| Matrix (Element) is buggy, Threema people need to pay for, Jami
| and this Tor-based chat app (I forget the name) don't have the
| features people expect, Wire is a good contestant but also not
| decentralized (nor does it have fancy things like sealed
| sender), and of course nobody has the network effect that
| Signal has... no good alternatives.
| thaumasiotes wrote:
| DeltaChat?
| MarcelProust wrote:
| Signal requires a phone number for contact discovery, which
| many people have given out about because it's tied to your
| meatspace identity, so it's harder to be anonymous with Signal.
| ludamad wrote:
| Signal is encrypted and likes to show off how little they
| store, but it is not decentralized. Not being decentralized has
| many advantages, but a paranoid enough approach does see it as
| a point of failure for security (I use and love Signal, fyi)
| drdaeman wrote:
| My understanding is that Signal is centralized, and this is
| not. That's an important difference.
| otabdeveloper4 wrote:
| "Cootch"?
|
| Really?
| vr46 wrote:
| No, not really. It's Welsh for "Hug".
| remram wrote:
| The competitors found that "Riot" was too controversial a name
| for popular adoption... good luck to "Cootch"...
| celticninja wrote:
| No, not really. It's more like Kutch.
|
| They have a section as follows:
|
| How do I pronounce Cwtch? Like "kutch", to rhyme with "butch".
|
| Just scroll down the homepage
| sschueller wrote:
| Many words have some not ideal meaning in another language. We
| (Switzerland) have cities with names that in other languages
| mean male genitalia yet we are not going to rename them.
| giantrobot wrote:
| The township of Dickcocknbahls is not going to abandon their
| proud heritage due to prudish Anglophones!
| retube wrote:
| No. It's Welsh
| noxer wrote:
| Crashed with no message within the first 30 seconds clicking
| around on the UI (windows build)
|
| I'll try again in a year or so if it still exists.
| kgraves wrote:
| Why do we need decentralisation in a chat app?
| max1cc wrote:
| Haven't looked into this properly yet but already in love with
| the name!
| geoah wrote:
| From their faq.
|
| > How do I pronounce Cwtch? Like "kutch", to rhyme with "butch".
|
| > Cwtch (/kʊtʃ/ - a Welsh word roughly translating to "a hug that
| creates a safe place") is a decentralized, privacy-preserving,
| multi-party messaging protocol that can be used to build metadata
| resistant applications
| canadaduane wrote:
| Such an odd word. My 1-second judgment of it sent me in an
| entirely different direction: cthulhu, witch, crotch. I wonder
| if the emotional gap between cover and contents will be a
| problem.
| Mizza wrote:
| Cwtch is an important word in Welsh, like hyggelig in Danish
| or koselig in Norwegian, etc. It's kind of a "national
| identity" word, you see it on tourist souvenirs.
| ljm wrote:
| It's a word from another language, what purpose would a 1
| second judgment like that serve when the post you're replying
| to already explains that it's Welsh?
| celticninja wrote:
| It is a word from the Welsh language, so it may seem weird to
| someone unfamiliar with the language.
| hkt wrote:
| Your name couldn't be more appropriate unless it was
| "brythonicninja"
| r721 wrote:
| Twitter thread from a dev:
| https://twitter.com/SarahJamieLewis/status/14085012588523110...
___________________________________________________________________
(page generated 2021-06-26 23:00 UTC)
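
Added example, not part of the thread and not Cwtch's own code: the comments by some_furry (two installs, two addresses) and kodablah (onion services) both turn on how a Tor v3 onion address is built. The address is the service's ed25519 public key plus a 2-byte checksum and a version byte, so a separate key per device necessarily means a separate address. That Cwtch addresses are v3 onion addresses is an assumption here, and the two keys below are constructed stand-ins.

```python
import base64
import hashlib

ONION_VERSION = b"\x03"
CHECKSUM_PREFIX = b".onion checksum"


def onion_checksum(pubkey: bytes) -> bytes:
    # First two bytes of SHA3-256(".onion checksum" || pubkey || version).
    digest = hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + ONION_VERSION)
    return digest.digest()[:2]


def encode_onion_v3(pubkey: bytes) -> str:
    """Build the address a client displays for a 32-byte ed25519 public key."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = pubkey + onion_checksum(pubkey) + ONION_VERSION  # 35 bytes
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def decode_onion_v3(address: str) -> bytes:
    """Validate an address and return the public key it commits to."""
    label = address.strip().lower()
    if label.endswith(".onion"):
        label = label[: -len(".onion")]
    if len(label) != 56:
        raise ValueError("v3 onion label must be 56 base32 characters")
    # b32decode raises binascii.Error (a ValueError) on invalid characters.
    raw = base64.b32decode(label.upper())
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:35]
    if version != ONION_VERSION:
        raise ValueError("unsupported onion address version")
    if checksum != onion_checksum(pubkey):
        raise ValueError("checksum mismatch: mistyped or altered address")
    return pubkey


# Constructed 32-byte stand-ins for two per-device keys. They are not real
# ed25519 points; only the address encoding is demonstrated here.
DESKTOP_KEY = hashlib.sha256(b"constructed desktop identity").digest()
MOBILE_KEY = hashlib.sha256(b"constructed mobile identity").digest()

if __name__ == "__main__":
    for name, key in (("desktop", DESKTOP_KEY), ("mobile", MOBILE_KEY)):
        addr = encode_onion_v3(key)
        assert decode_onion_v3(addr) == key
        print(name, addr)
```

Because the address commits to the key, a contact who compares addresses out of band is comparing public keys; the checksum only catches typos and is not an authenticity check.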