Speek! Secure Messenger

wfoex · 2022-04-09T00:51:06+00:00

What do you think of Speek!? https://speek.network/ https://github.com/Speek-App/Speek

Speek! Secure Messenger

PrivacyTools

Hi wfoex, I actually can't believe how many great open source, decentralised, encrypted instant messengers are out there already. First time I hear of "Speek!" today, but it a great first impression for sure.

All messages are end-to-end encrypted. The Speek client is creating a Tor hidden service on the client PC. The message is then routed via the Tor onion network to the receiver. This makes it possible that the IP addresses are never public and the users can stay anonymous. The users are identified with public keys. Each user can share their public key with others to add them to the contacts list.

A messenger with a great set of features like that usually suffers from a bad user interface. But Speek! looks like Telegram basically and it's easy to use.

The only annoying thing I've seen so far is the fact that they direct users to the Microsoft & Mac Store in order to download it. GitHub downloads are available as well, to be fair, just a bit hidden coming from their main website:
https://github.com/Speek-App/Speek/releases

Give me and our community some time to discuss and test this messenger. Thanks for your suggestion.

SpeekSecure

PrivacyTools Regarding the Mac and Windows Store: We think it is important that the application can be also installed easily by the average Joe user. We want that Speek! is a privacy messenger that we can also share with our family and friends, therefore we also focus on UI. If you are a privacy geek, the best option of course is always to use the Linux version, or to even compile on your own.

SpeekSecure

Hi everyone!

Great that you look into Speek! If you have any questions please feel free to reach out to me 🙂

Also here is my Speek ID: speek:jhnmerlfyarytkzqrmjp2umjknwhs7u5g4rst5nnggevktippx2lriqd

SpeekSecure

[unknown] I just added you Speek ID

PrivacyTools

SpeekSecure Hey mate, thanks for reaching out and joining us here. I think your approach is spot on to reach the average Joe. Most privacy minded people forget that average Joe is the main target group while trying to promote their software or service. Your UI is great, good job.

Are you a developer or community manager?

Regarding the GitHub link: It was just a bit hidden, maybe another link could be included next or near the other download buttons?

Keep up the great work, this is amazing. Thank you for releasing open source software.

coolhead If you think about it.. It's a good marketing strategy to join a popular competitor and reach your target audience with ease.

coolhead

I find it funny that they have Telegram chat group on their website

SpeekSecure

coolhead At the moment we do not support public groups in Speek unfortunately. We use the Telegram group as a support channel and a way to reach out to new users. I think it is important to be an open and welcoming community to new users, therefore I want to make it easy for them to reach out. I know that Telegram is not opensource or secure, but it is a place where many communities have formed. I think the privacy community has to go, where the users are at the moment, because the users will not find out about us otherwise.

SpeekSecure

PrivacyTools Wow thank you very much 😀 I am a developer, but I also do community work. Yes it makes sense to add another button to the website. We did it this way, because the design looks very clean this way. We will think about ways to position the Github releases more prominently.

We love opensource and FOSS and decentralization is the way to go imho

pospeselr

wfoex

Hi sorry, don't mean to shit up your thread with dev/open-source drama but here we go:

I'm Richard, the lead developer/maintainer of Ricochet-Refresh with Blueprint for Free Speech and the dev lead for Tor Browser with the Tor Project ( reddit thread w/ proof: https://www.reddit.com/r/TOR/comments/tqk6g3/ricochetrefresh_3011_prerelease/ ). This forum account is linked w/ my Github (https://github.cm/pospeselr) so hopefully that's visible to end users here.

tldr: Speek.App is literally just reskinned Ricochet-Refresh w/ some sketchily implemented patches on top and the Ricochet-Refresh git history removed. Please don't be fooled by slick marketing and purple websites. If your safety is a real concern (ie you are an activist or a whistleblower or something), don't use Speek.App. To everyone else, sure YOLO.

long version: Speek.App is a fork of a dev version of Ricochet-Refresh from sometime around October 2021. They have updated the style (dark mode skin, tweaked toolbars, backgrounds, etc) and added some quite badly implemented features (bad in the sense that the code changes are amateurish and buggy, not that the usability enhancements are themselves a bad idea). I performed a light audit on their changes a few weeks ago, and while there isn't anything that stands out as a backdoor, or cryptography fuckery, or anything like that, the changes are very badly implemented (like around first-year of uni if I'm being generous). They have also stripped out nearly all references to Ricochet-Refresh and the Blueprint for Free Speech organization (the non-profit which maintains Ricochet-Refresh through grants).

Here's my comment in their original Reddit thread with the relevant details and a somewhat deep dive/investigation into the source:

https://www.reddit.com/r/TOR/comments/tkgk41/ricochet_reborn_a_user_friendly_torchat_for/i2hnq35/?context=3

Anyway, Ricochet-Refresh is being actively developed and maintained by BPFS which is a non-profit who funds Ricochet-Refresh with the goal of protecting whistleblowers and journalists and helping them communicate securely+privately+anonymously.

If you want to try it out, you can get Ricochet-Refresh from either our GitHub releases page:

https://github.com/blueprint-freespeech/ricochet-refresh

or from our website:

https://www.ricochetrefresh.net/

SpeekSecure

pospeselr Hi Richard, yes Speek! is based on Ricochet. As you can see by the reddit posts, we even called it "Ricochet Reborn". Ricochet is a great messenger, but I think that the UI is not attractive for new users and we want to implement much more features in the future like group chats and versions for iOS and Android. Ricochet has been stagnant since years in that regard and we want to bring new life.

It would be great if we could work together, but it seems like you are not interested in working together. If you find any specific bugs we would be very happy if you could create constructive issues for them on github so we can fix them (as we already fixed some bugs of ricochet). We believe in free and opensource software and I dont think that infighting helps our common cause.

pospeselr

SpeekSecure

Oy vey, to those unfamiliar, beware the weasel-words in the above post.

Ricochet-Refresh ( https://github.com/blueprint-freespeech/ricochet-refresh ) is itself a fork of Ricochet ( https://github.com/ricochet-im/ricochet ). Speek.App ( https://github.com/Speek-App/Speek ) is a fork of Ricochet-Refresh, though you wouldn't know it from their marketing or their github w/o some digging as they purged the commit history and nearly all mentions of BPFS (y'all forgot to remove us from the LICENSE and a few source files).

Ricochet is no longer maintained or supported (ie 'stagnant since years'). Ricochet-Refresh is the already existing project that is not stagnant and is under active development.

SpeekSecure

pospeselr I am not sure, why you are always so unwelcoming and aggressive. Of course I also meant Ricochet-Refresh, as Ricochet is not working properly anymore. Also, the development imho of Ricochet-Refresh is stagnant, because many feature requests have not been implemented (multiple identities, mobile Versions, etc.) and the UI is still the same as Ricochet. We want to implement (and already implemented some) many of these features and I am not sure why you have a problem with that.

Again, I think that there is still lots of work to do and I would be happy to cooperate if possible

PrivacyTools

Hi @pospeselr welcome to the forum. Thank you for releasing open source software and working on Tor.

You two are basically doing the same thing with different approaches:

Speek: More work on the frontend, good marketing ideas to promote open source privacy software.
Richochet Refresh: More work on the backend, from an experienced dev to make sure things work safely.

To me that sounds like the both of you care about privacy, ricochet and are moving in a small privacy niche that could be become more popular with the right marketing.

The perfect opportunity to join forces and work together on a messenger? Think about it.

Currently @pospeselr is using a lot of time to discredit "Speek" in public: reddit, GitHub and here. I'm not saying you are wrong, Richard. Would just love to see you guys cooperate since the different skill sets and approaches could go well together.

SpeekSecure

PrivacyTools Very well said! I am in opensource, because i love cooperating and building things together. I am not interested in fighting my fellow opensource developers - imho this is just a waste of time and energy.

This is a clear win-win situation so lets join forces and build something great.

pospeselr

PrivacyTools

There is good reason to be incredibly suspicious of Speek. This company has popped up out of nowhere taking credit for Blueprint's work in this space, made inaccurate claims about their app's capabilities, and it's history. To the average user this looks like some revolutionary new thing that's going to change everything, when in reality it's Ricochet-Refresh with a paint-job.

So, if you're an expert in this space you already know all of this. They are going around advertising to users (here, reddit, etc) who don't know any better, which is irresponsible and dangerous. Rule #1 in privacy/anonymity/security tech is don't over promise because this gets people imprisoned or killed.

If the Speek devs had come in and made issues on our issue tracker, submitted patches, etc we wouldn't be here and would welcome the help. Blueprint is a non-profit and could use all the help it can get.

Instead, they have been bombarding the internet with fancy marketing BS deliberately designed to trick people and obfuscate and hide what Speek.App actually is. If you dive into their own git history it's pretty clear their first priority was re-branding Ricochet-Refresh, not functionality improvements.

This whole Speek operation is sketchy AF. The most charitable/least paranoid explanation in my mind is that it's just another case of private capital coming in and trying to profit off of the backs of open source developers (which to be clear, one ought to think is shitty). If you're cool with that, fine you do you I guess.

PrivacyTools

pospeselr Thank you for taking time to share your point of view. Everyone is warned now and can take a closer look. Still hope you guys can work together in the future and leave this behind. The whole privacy community will benefit from such a partnership.

pospeselr If the Speek devs had come in and made issues on our issue tracker, submitted patches, etc we wouldn't be here and would welcome the help. Blueprint is a non-profit and could use all the help it can get.

Hope it's not too late.

SpeekSecure

PrivacyTools Of course we are always open for collaborations. At the moment we are working on an Android build. I think that might be also interesting for Ricochet-Refresh. I also understand some of your points pospeselr and we will improve upon them. Ricochet-Refresh has been an inspiration for me and I do not want to take any credit away from you. Ricochet-Refresh is still one of the best out there and with Speek we want to bring this privacy technology to the mainstream people.

PrivacyTools

Hey guys, I've just created a new category called "Anonymous Instant Messaging via Tor" and added both projects to the list. Thanks for your great work again.

https://www.privacytools.io/#messaging-tor

0xTheFather

If anyone wants to:

speek:ld3ut3iq225y5vgmtcvbuhmffyptn4p4uow6he7mkq765mvaulqru6yd

begipok689

I've searched both of the repos for these, but didn't find anything: have either of these been independently audited? I think this seems particularly important for Speek! due to the recent and comprehensive criticism it has received in its GitHub issues. Ricochet Refresh seems to have a substantial team backing it, including researchers specializing in encryption, privacy and human rights. I find no mention of who is behind Speek! neither on its website nor on GitHub. Looking at Speek!'s commit history, it is clear that the criticism mentioned previously in this thread is very valid - whoever is developing the code is not used to large scale software development. I would be very weary of recommending Speek! and I think that it should be removed from list of recommendations until these issues have been resolved.

EDIT: it is unclear to my why Speek! is (not) forking this project. How do development goals differ? Has Speek! had any communication with Ricochet Refresh? This just seems like a garbage fire.

pospeselr

begipok689 yeah pretty much, you can do some cyber-sleuthing to figure out some info on Speek!'s company's CEO (a former sales person, not a software person) but no one seems to have any idea who these people are, especially since there is a shared github account being used to push commits. Def not sketchy at all lol but I digress.

Ricochet-Refresh was most recently audited Spring of 2021, and much of the dev work since then has been focused on resolving main 'cyber-stalking' issue found there (some other issues such as crashes and shitty URL handling have been fixed and/or features entirely removed).

To summarize the problem: an onion service's online/offline status can be determined by anyone who knows its service id/onion address, so if you share your ricochet id publicly, anybody can just periodically try to open a TCP connection to it to determine your online/offline status. That sucks for hopefully obvious reasons.

See this issue for discussion: https://github.com/blueprint-freespeech/ricochet-refresh/issues/73

To fix this, we've developing something we call 'Gosling' which basically pulls out and generalizes the 'authentication' layer of Ricochet-Refresh and (mostly) fixes the above issue by enabling an 'offline' mode whereby you don't run your 'introduction' server. When in this mode other users would not be able to add you as a contact or see you as online, but your contacts would (as they have a separate 'endpoint' onion to connect to which is secret).

See https://github.com/blueprint-freespeech/gosling/blob/main/docs/protocol.md#cyber-stalking for more details 🙂

I say 'mostly' here because a malicious third party can still cyber-stalk you assuming:

you are using 'shared' endpoint servers (so multiple trusted contacts connect to a single endpoint, see Gosling spec for details)
they used to be a contact, but were removed (and their client auth revoked); the tor daemon (fortunately/unfortunately depending on you use case) informs you when it tries to connect to an onion service that is online but which requires client auth if you do not have the key

This scenario can be mitigated altogether if you use a unique onion service per contact, but I am somewhat hesitant to make that default behaviour to be kind to the tor network (one endpoint onion service per contact implies worst case n² onion services, ie every ricochet user having an onion for every other ricochet user assuming everyone is 'friends').