Let's recommend the Quicksy chatting app for newbies to get into free software and privacy. Quicksy has an easy sign-up using a phone number, which gives the same convenience as WhatsApp, Telegram, Signal and further it is free software, decentralized, federated and interoperable. I am able to use free software without being alienated from the society because of this option.

@ravi that actually looks like something I may push to my family

@stampirl Quicksy is a brilliant hack and is at the intersection of convenience, privacy and freedom.

@stampirl Family members who don't want to set up anything on xmpp are the target users of Quicksy.


I'm not sure what this means on their page

"We hand your Jabber ID or Quicksy username out to any Quicksy user who knows your full phone number."

It's a shame that your username *is* your phone number.

I appreciate the easy signup, but there are better ways to do this on a new app, such as using petnames, or heck, even just using a roster.

Also it's not clear to me if their query works across servers, and if it does, if it preserves any privacy.


I want to elaborate a bit...

Let's say that quicksy server has a list of user phone numbers[1]. Why does it need to make usernames match that? Why can't it simply map the phone # to a more secure username (an unguessable string)?


[1] Ugg, phone numbers as IDs is both wonderful and awful...


Then what about autocontacts?

Alice signs up with her server, and she wants to look for others who have her contact.

That's something the server could do, as it has this mapping.

Doing this mapping across servers without a trust relationship I think would be harder, and require some additional work, perhaps a zero knowledge proof, or perhaps something easier like simple hashing, such as "If you hash the number with [long string] you get this. Anyone got it?"

@emacsen For this, people can voluntarily add their phone number to Quicksy directory which is mapped to their xmpp address. Or they can manually add Alice. Or Alice can manually add them in their contacts.


We say to people "We can be as good as the proprietary apps." but then gloss over obvious problems.

Quicksy makes signup easy, is distributed, and does contact discovery.

"But make contact discovery non-distributed"- that just leads to centralization and a poor user experience.

If someone is building a service in order to be self-hosted, it should handle basic functionality.



Moreover, it's not like this is hard stuff. I just laid out how to do secure contact discovery, based on phone number or email, and it took me what? <10 minutes of thinking the problem through. All you need to do is add a capability token with a time based expiration to make it even more secure!

I think Quicksy may be a good answer for some people, but c'mon, when it's this easy to add security and distribution, there's no excuse not to do so.

@emacsen @ravi you can certainly find fault in Quicksy, it is not perfect. It solves one problem well, that is convenience with interoperability for communications. If you like you can focus on what is missing. If you feel strongly, you can even implement what you proposed.

@praveen @ravi

When someone makes a claim, security, privacy, and distributed, we should hold them to it.

If not, and we gloss over the problems, then we end up with PGP, which no one uses, or Signal, which is great, but centralized.

Quicksy is just another centralized service, with even more problems than Signal- but it interoperates with XMPP.

@emacsen @ravi you clearly did not get the point of Quicksy or refuse to accept it. Interoperability with xmpp is in itself a great step compared to Signal. I'm not forced to use Quicksy and I don't use Quicksy, but I can recommend Quicksy to people who find plain xmpp confusing or inconvenient. It serves both requirements.

@emacsen @praveen @ravi Quicksy is WhatsApp but FOSS and with s2s left on. Unlike WhatsApp, I should be able to chat with people on Quicksy via my own XMPP server. It kind of bridges the great divide.

For a variety of threat models, phone numbers are an out of the gate fail. But this is the state of things in mainstream IM. A lot of people claim that phone numbers are "easy", but I can never remember them and they might as well be a hash or a QR code.

@bob well, I don't use Quicksy myself. If people are willing to take a bit more extra steps, we tell them to use plain xmpp. It is just an extra option for people who insist on exact same experience as WhatsApp.

@praveen @ravi


We *could* do better. It wouldn't even be all that hard. Make secure identifiers, then attenuate them. That's what I think AP should do too and wrote about.

Now for discoverability- again, simple problem. Server sends a message to its known peers asking about a phone number (or email or anything else) in a secure way, and sending along a "friend" capability, where the identifier is the phone #/email.

Voila, secure IM and contact discovery.
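An added sketch of the design discussed in the posts above (opaque usernames, a keyed-hash "anyone got it?" query between servers, and a time-limited capability as the reply). It is not part of the thread and not Quicksy's code; `DirectoryServer`, its methods, the token layout and the 600-second lifetime are hypothetical, and the shared query key is assumed to be distributed to peers out of band.

```python
import hashlib
import hmac
import secrets
import time


class DirectoryServer:
    """Hypothetical server: phone numbers map to unguessable usernames."""

    def __init__(self, domain, query_key):
        self.domain = domain
        self.query_key = query_key              # the shared "[long string]" (assumption)
        self.cap_key = secrets.token_bytes(32)  # private key signing our capabilities
        self.by_digest = {}                     # HMAC(phone) -> opaque JID

    def digest(self, phone):
        return hmac.new(self.query_key, phone.encode(), hashlib.sha256).hexdigest()

    def _tag(self, body):
        return hmac.new(self.cap_key, body.encode(), hashlib.sha256).hexdigest()

    def register(self, phone):
        # The username is random, so knowing the number does not reveal it.
        jid = f"{secrets.token_urlsafe(16)}@{self.domain}"
        self.by_digest[self.digest(phone)] = jid
        return jid

    def answer_query(self, digest, ttl=600, now=None):
        """Peer asks "anyone got this digest?"; reply with an expiring capability."""
        if digest not in self.by_digest:
            return None
        now = time.time() if now is None else now
        body = f"{digest}|{int(now) + ttl}"
        return f"{body}|{self._tag(body)}"

    def redeem(self, token, now=None):
        """Return the JID only for an untampered, unexpired capability."""
        now = time.time() if now is None else now
        body, _, tag = token.rpartition("|")
        digest, _, expires = body.partition("|")
        if not hmac.compare_digest(tag, self._tag(body)) or now >= int(expires):
            return None
        return self.by_digest.get(digest)


if __name__ == "__main__":
    key = b"constructed-shared-key"             # constructed sample value
    home, peer = (DirectoryServer(d, key) for d in ("home.example", "peer.example"))
    jid = home.register("+15550100")            # constructed sample number
    cap = home.answer_query(peer.digest("+15550100"))
    print(jid, home.redeem(cap) == jid)
```

Phone numbers come from a small, enumerable space, so the keyed hash hides numbers only from parties that do not hold the query key; any peer that has the key can still test numbers one by one.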

@emacsen @ravi it is not centralized, because you can talk to Quicksy users without being forced to sign up to Quicksy unlike Signal. I don't use Signal or Quicksy, but I talk to Quicksy users and I don't need the directory functionality. It is not an essential feature.

@emacsen We recommend Quicksy to those who are not comfortable with XMPP/matrix. Whatever you are suggesting can be implemented too. Are you interested in talking to the Quicksy developer? Or maybe implementing these things on a different server? Interoperability gives possibilities like these too which centralized things like Telegram or Signal don't (WhatsApp being nonfree software is out of the question). @praveen

@ravi @praveen

I'd be happy to talk about it; I don't have spare cycles, but I'd be happy to offer help where I can.

But if you want a hint at it, look at the suggestions for ActivityPub I've made.

Or look at Spritely's design- It's basically me suggesting major parts of that.

And maybe that's why Christine is right and we need a new social network- designed right from the start...

But if someone is not comfortable with XMPP, why advertise interop?

@emacsen I think you are confused. The advertisement of interoperability is because we are comfortable with XMPP and we can sign up on servers where we don't have to give our phone numbers. We are not forced to use Quicksy because of them. Such an option does not exist in centralized services.

@ravi @praveen

Ugg, the "No one is forced" argument.

No one is forced is the same argument Microsoft made in their anti-trust trial, the same argument Google makes today.

It's like "Patches welcome"- it's not actually resolving anything, it's borderline snarky.

If the attitude of the project is "You don't have to use it or advocate for it." which is what I've heard from several of you- then message received loud and clear.

@emacsen I assume malicious intent now. It is a waste of time to argue with you further and pointless too. @praveen

@emacsen @ravi it is not anyway official, none of us are officially linked to Quicksy project. These are our personal outsider views, far from what Microsoft or Google's arguments that you suggest. Let's agree to disagree and move on.

@emacsen @ravi everyone has two options, they don't have to take both. It is either Quicksy or another XMPP service. Everyone chooses what they are comfortable with and still talking to each other. We advertize XMPP as another option in case they or their contacts don't like Quicksy.

@emacsen Then the people need to give usernames to other people which would be inconvenient for them. People who can do this don't need to use Quicksy. The point of recommending it was that those users do not want to go to that much "inconvenience" to remember username and stuff.

@emacsen The phone numbers are stored on Quicksy's servers. I suppose that the problem with your phone number being the username is that you will have to give your phone number even to strangers for chat, even if you trust Quicksy with your number, right? Not sure how much of the problem is that because people can use plain xmpp too and nobody is forced to use Quicksy.

Quicksy is not suitable for every use case.


There are volumes written on the issues of using a phone number as an identifier- you can read all about it on the criticisms of Signal.

The argument you and @debacle made about "no one is forced to use" is a weak argument when an application is being advertised as secure.

Applications which focus on security should not leak so much information about users, nor should something sold as distributed tie a user to an external ID this way that it can't even get re-used.

@ravi Yeah...the phone numbers are gonna leave a mark. Just host your own service if you can.

@james Not exactly! There are lots of donation supported community-run services which won't identify you. You can run a service but that means a community, company can run a service too. And therefore take care of people who don't have skills or time to run/maintain a service.

sahilister's Mastodon server