Let me edit in one more relevant info:
I don’t use it, but my contacts may or may not use it.
For those who don’t know, Beeper is an app that aims to unite all your messaging apps into one. To do this, it makes use of Matrix, bridging all those services together. So far, so cool.
However, since different services often use different encryption protocols, messages between those services and Matrix have to be decrypted on Beepers’ servers, before being re-encrypted with the protocol of the recipient.
They are completely open and transparent about this (which I can very much respect), and state that chats on their servers are encrypted, so they can’t read them.
Still though, decrypting mid-transit kinda throws the whole end-to-end part out of the window.
Some might say that everyone needs to decide for themselves if that’s a problem. But the issue with that is that if you decide to use Beeper, you also decide that every person you chat with is okay with it. Not very cool in my book.
That’s where the question asking for independant audits comes in, because I certainly don’t have the expertise to look at their code. If everything is safe from attackers, then cool.
But me for example, I switched to Signal specifically for verifiable and proper End-to-End Encryption, so chatting with someone who uses Signal through Beeper kinda defeats the point.
Because, how does Beeper even get what they need to decrypt a message I send to a Beeper user?
I don’t consent to a third party decrypting my messages, simply because one of my contacts uses their service. That is fundamentally wrong in my opinion.
What are your thoughts on this?
So, I’m self hosting basically this. I have a matrix server that is publicly accessible but I’m the only user on it. I’m also self hosting a handful of bridges, signal being one of them. I’ve played with the WhatsApp bridge, and I’m using an SMS/MMS bridge.
It’s basically a man in the middle for all your chat apps. The Signal bridge software will login to your signal account and have full access to everything. The bridge works by watching all the decrypted messages and posting them to a matrix room. The matrix room may or may not be encrypted. This means you need to put a lot of faith into the bridge code and the people hosting the matrix server. The SMS/MMS bridge I use doesn’t even support encrypted matrix rooms.
I personally would never use beeper. Even if I couldn’t selfhost, I would not trust one person/company with centralized access to all my messages. I’m sure they have good intentions and would never do anything to abuse their position but I won’t put anyone there.
I mean, I love the idea behind it. And Matrix bridges aren’t anything new either, Beeper just aims to make it easier to set up.
And with the Digital Markets Act pushing for interoperability, big services will have to decide on one protocol to use, so messages between those services should be truly e2ee then.
But what really irks me is that someone can just set this up, and now there’s a gap in the encryption that’s supposed to be end-to-end, without me ever knowing or having given my consent.
Guy behind Beeper fucked Pebble smartwatch users and developers on his way out.
So when Beeper isn’t making enough money and he sells it… Will you trust who he sells it to to keep it secure instead of aiming to use data for ads or some shit?
I won’t.
Wait, what? What did he do? (Aside from selling the company, I mean.)
The sale of Pebble was supposed to include the developers jobs. They found out very late in the game that this wasn’t true. He screwed his devs on the way out. Basically said “fuck your job, good luck.”. Real shitty way to handle it, imo.
Coupled with the fact that it meant all real support for Pebble was gone as well, it really was about Micigovsky making out with a bunch of money and saying “good luck, I dont actually care what happens” to his devs and the people who bought a Pebble.
The way it shook out just doesn’t make me trust him. I think he would do the same thing again, sell to a more scummy third party who will strip Beeper for profit when he isn’t making enough money.
I honestly distrust their business model as a successful long term one, based on his past.
That tells you all you need to know about the new employer already. Pass.
I don’t trust the whole thing in the first place, for the reasons outlined in my maybe too elaborate rambling.
If I’d use this service, it’d have to be self-hosted.
I already don’t like how centralized signal is. Adding another service I’d need to trust in the middle doesn’t make it better.
Signal being centralized and based in the US are definitely two major pain points. It’s just the next best thing when trying to move people away from WhatsApp, so here we are.
But yeah, self-hosting Beeper is an option, since it’s just Matrix after all. You can even use different Matrix clients however you please, so that’s nice.
deleted by creator
Beeper is just a reskinned Element messenger. The devs behind it are also the ones who built all the bridges everyone uses.
Beeper users who message other Matrix/Beeper users it should be fully e2ee as it’d be no different from using Element or another Matrix client.
But, it would be nice to get more clarification at a high-level as to how they handle the message relaying.
They state that they open-sourced the privacy-critical portions of their codebase for people to look at.
But idk, I think the entire codebase is privacy-critical when it comes to private messaging.
deleted by creator
I’m just hearing about Beeper for the first time, but if what you say is true then OP’s concern is valid. Bridges have to decrypt to re-encrypt; what’s more, they have to ~hold your credentials~ hold a token to be able to act on your behalf.
I just did some reading about this, and you can self-host bridges and use end-to-bridge encryption, in which case Beeper will not have access to the unencrypted messages. But if you use Beeper-hosted bridges, then they have access to unencrypted messages.
Edit @tulir is the lead architect. Tulir wrote gomuks, and most of the existing bridges. It gives me more confidence in the endeavour; it bothers me that the sign-up requires a phone #. That’s going to be a non-starter for me, personally.
Interesting, when I signed up I didn’t need a phone number, just email. Lmk if you’d like an invite code (if that’s even necessary anymore?)
An audit wouldn’t really help with the core problem though.
I think bridges like beeper should inform other unsuspecting communication partners about their use.
Wouldn’t really help further than knowing how secure their servers are, that’s true.
Like so often, informed consent is very important, so informing contacts about using Beeper and what that means should be the default.
Why
As someone else said, selfhosting is the only real way to overcome this problem. When it’s all on your hardware it matters a lot less if the messaged at are decrypted server side or not. Everyone has a different threat level and at some point you have to put trust in some companies but if beeper makes you uncomfortable then buy a cheap second hand mini pc and learn to self host the service.
Sure, but the more important issue is that other people use Beeper, so messages I send to them still get the decryption treatment even though I never consented to that.
I don’t even know if one of my contacts uses Beeper unless they tell me, and that’s not okay.
I think this is an issue for any messenger, not just those tied to the beeper service. E2E encryption only covers transmittal of the message, and you can’t control what the recipient does once they get it… What if the recipient has no passcodes on their phone, no disappearing messages, and the phone gets stolen? Whoever stole the phone now has access to all of your messages even when using a fully E2E encrypted messenger like signal.
If you’re using any messenger for highly sensitive conversations you need to have trust in the recipient. Just have a conversation that they’re either not using a service like this, or like others said are choosing to self host it in a safe manner.
I fully agree with the sentiment. The recipient is the last, but most important link in the chain to trust with the contents of my message.
But that doesn’t mean we can devalue the other parts of the chain. I need to be able to trust them, too. So if messages are being decrypted by a third-party without my knowledge, that’s a problem.
I guess what I’m saying is that if the recipient chooses to use Beeper, the chain ends there though… Signal did its job and delivered an encrypted message, and you can’t control that the recipient gave decryption keys to Beeper.
Both Signal and Beeper aren’t doing anything inherently wrong, but if you don’t trust messages passing through beeper servers you need to have that conversation with the recipient.
It just seems very wrong that some random service can decrypt my messages. Like, what.
Beeper being able to do that without consent from both contacts is very wrong to me, at least.
Signal should be firmly against this, seeing how they already proclaimed being against interoperability, but what do I know.
That goes hand in hand with a level of trust with some companies/people and everyone has different threat tolerances. It also highlights the mindset that you have no idea what the person on the other end of the message is doing with it. End to end encryption helps keep in line eavesdropping down but if the recipient of the message has a compromised device or are screenshoting everything and posting it on facebook it’s out of your control.
Which is exactly why I’m raising concerns over it. The fact that this can just happen should not be as normal as it is.
A slightly different example would be WhatsApp having my name and phone number even though I don’t use it, but simply because someone else has me saved in their contacts.
Stuff like this is a problem, and I want to make more people aware of that, give them a better understanding of what can and does happen to their data.
If you’re using s service that bridges to a bunch of chat services that are evil fucks like Facebook and google then I think the last thing you should be worried about is beeper reading your messages.
I should’ve mentioned: I don’t use Beeper.
My problem is with the fact that other people use it and hand over encryption keys to my chats without my knowledge.
But other people are using WhatsApp and signal. What the concern over beeper reading your messages but not these bridged services?
Think of beeper, or any matrix bridges, as the client you use to connect to these non free black box chat services. Now do you think that if you use an alternative client for any of these bridged services would you expect the person you’re chatting with to be notified that you’re using a third party client?
What the concern over beeper reading your messages but not these bridged services?
I don’t think WhatsApp can read my Signal messages, just because they are bridged to the same Matrix account of someone who uses both. Chats from different services are still isolated to themselves, as far as I understand it.
would you expect the person you’re chatting with to be notified that you’re using a third party client?
If that client changes how they expect my and their messages to be delivered, yes.
Lol OK if anyone is seriously concerned about beeper reading all their messages then they can just set up their own matrix instance. Beeper is more about convenience than explicitly privacy. If you’re really concerned about privacy than you shouldn’t be using any of these services that you dont host yourself.
Again, I don’t use Beeper.
@krolden @miss_brainfart the problem is that Beeper breaks the encryption chain. Not only for your messages but for everyone involved. So if you communicate with someone that uses Beeper, your messages are in the open too.
Is this about message content security or privacy?
I would love to have more insights on Beeper actual privacy. But one think to keep in mind is that they are subject to Cloud Act.
Specifically for OP: since you post on this privacy focused community but also are not very clear with your intent, I just want to remind that Signal is not the best messaging app when it comes to privacy, especially because of its close relation to CIA
Okay, you gotta explain that a bit further.
Yes, Signal is based in the US and as such, is subject to US laws. Not great, I don’t love that.
However, since they are fully open source, it was independently audited and verified several times that their encryption is solid, and the only data they can see is when an account was created, and when it was last online.
That’s all they can hand over to law enforcement.
For my intent with this post, I just want to raise the general issue I see with this app, and read what other people think of it.
Nope only the message content is encrypted. So what they have unencrypted is of course your personal information (phone number etc), all your contacts, and the list of all messages sent (datetime, and contact or contacts). This enable them to have a great social map that evolves after each message sent
And that is if the encryption remain unbroken. Don’t forget that the NSA has a history of placing backdors in cryptography schemes (like that mathematically flawed key based on a weak elliptic curve, standardized and approved by the NSA after they found their exploit)
As far as I know, even the user profiles are encrypted. They’ve been using Sealed Sender for a while now.
And don’t get me wrong, I’m not a fan of Signal being based in the US, but they go to great lenghts to limit what they know about their users. Private Contact Discovery being another great addition.
Signal isn’t the perfect, 100% secure, private and anonymous messenger that we’d love in our privacy bubble here, but it’s currently the best we have to reach the general public, and make private messaging as accessible as possible.
I think that’s a fair statement.
Thank you for that info and the link I’ll go into that. Just to summarize, if you have the knowledge and time: this is at-rest encryption? I’m not sure how it could be end-to-end encryption and at the same time enable to start new conversations with other Signal users / discovery based on name / phone number
I’m still fairly new to how all those things work, so I don’t have that knowledge, sadly. But since it’s all open source, their claims can be put to the test by people who do.
Though after some research, there actually haven’t been as many audits as I thought, so I think it’s important for me to mention that.
Ok thank you so much. What I would like to point at in the difference between having an end-to-end encryption between two recipients and at-rest encryption for information owned by Signal (in this example), is the purpose of those two different things. E2E encryption means only the two agents at each end have the mathematical possibility to decrypt the info: this is privacy by design. At-rest encryption on Signal servers of different things is a security layer meant to protect users’ privacy against attackers, but Signal have the means to decrypt it, and they would do it in the normal usage of the service. This would also mean they can (and have to) transmit decrypted information to whatever agency demand them to
Thank you for the explanation, that clarifies a few things for me.
If Signal was based in the EU, and finally moved away from phone numbers as the identifier like they talked about years ago, that would be just perfect.
Not sure about decentralization though. Being centralized means they have full control over the service and can ensure that everything runs exactly as securely and privately as they want for their users. (Which is also where my rant about Matrix bridges comes in)
It also means you have to trust them not to fuck around, though as long as the project is fully open-source, that alone should hold them to their proclaimed standards.
How do they have a close relationship with the CIA?
You can find this online easily. Some of the things are: they’ve been funded by the Open Technology Fund, created for Radio Free Asia, which is a program by the CIA. The fund is now financed by the US Congress
deleted by creator
Well this is not particular to Beeper, that’s always the case when using Matrix + Bridges for third parties right? Even though they are the main mainteners of a good part of the existing bridges
deleted by creator