Since 2016, decentralize.today has been covering messengers and looking for the most privacy-focussed and user-friendly messengers around.

Some of our team uses SchildiChat, which is a fork of Element, and really appreciate it as a self-hosted version of a federated messenger network.

However, there is no denying, that one of the best, when it comes to privacy (forget the use of a mobile number for a while), is Signal. It is also one of the most used messengers, and makes moving away from WhatsApp and the like as easy as possible. I am not a fan of many decisions Signal has made, but its E2EE (End-to-End-Encryption) is second to none!

We last reviewed Signal here:

The 2020 review of Messaging Service Providers: Signal
Since 2016 decentralize.today been runing reviews of many of the most privacyfriendly messengers around, asking (and attempting to answer) the question‘secure or not too secure?’. This year has been no exception and has allowed usto to feature a few messengers we’ve never looked into before. Th…

E2EE

The Signal Protocol (formerly known as the Axolotl-Protocol) was developed in 2013 by Trevor Perrin and Moxie Marlinspike and is pretty much the Gold Standard when it comes to encryption. I know some of my friends on Mastodon prefer Element or more decentralized applications but even if we all agree that self-hosted is better, we all need to give it up for Moxie as his encryption protocol is not just open-source but also second to none. It's Zero-Knowledge-Proof, which means that not only can Signal not see your messages but can not even see with whom you're communicating. Sealed Sender and Private-Contact-Discovery are unique to Signal and worth reading up on at both the links highlighted.

For further assurance, here is 'A Formal Security Analysis of the Signal Messaging Protocol - Extended Version, July 2019'.

https://eprint.iacr.org/2016/1013.pdf

All communications are E2EE (End-To-End-Encrypted), this is true for one-on-one as well as for group chats with Signal using the Forward Secrecy (PFS Perfect-forward-secrecy) .

So how come I am on about Signal, when the article clearly mentioned Molly.im? Well, that's because it is a Signal fork!

Molly has two different flavors

Molly, like Signal, uses Google’s proprietary code to support some features.

Molly-FOSS is the community effort to make it 100% free and open-source.

So let's get that directly out of the way! We're only looking at Molly-FOSS today!

Molly-FOSS is 100% free and open-source with zero property blobs, unlike Signal. Molly-FOSS also lets you protect the database with a passphrase-encryption. Yes, Signal offered that in the past, but dropped it for no good reason. You can lock the app at a set time to make it even more private and secure. Molly-FOSS also has RAM Shredding, which securely shreds sensitive data from RAM. Molly-FOSS also lets you back up on a daily or weekly basis. Finally, with Molly-FOSS, you can proxy your chats over Tor via Orbit.

We have talked about Signal in the past, and that is why I linked it earlier and while Molly-FOSS is Signal, it is truly open-source!

Molly has an F-Droid Repo:

Get Molly on F-Droid | Molly
Use F-Droid to install apps and ensure access to app updates.

And a Github release:

Release Molly Android v5.24.17-1 · mollyim/mollyim-android
This release merges latest Signal v5.24.17.For the complete list of changes see CHANGELOG.

A nice added bonus feature is that you can communicate with anyone who uses Signal - calling, texting, video calling - plus  the other end won't know you are not using the 'official' Signal app.

I, personally, would get myself an online number and set it up so truly no-one will know who you are!

Today's messenger review might not have been the 'in-depth' review that we normally do, but that is because everything that applies to Signal also applies to Molly-FOSS!, except for the features Signal is denying you and surely the aspect of being truly FOSS is a pleasant extra feeling, when using any app on your phone.

Stay safe!