Overview
This document encodes a strict, adversarial scoring regime for privacy-first messengers. Scores are 0–100 per criterion, multiplied by weights (sum=100) to produce a composite. Links are embedded inline at the point of relevance.
Candidates: 16
Top tier: Briar • TFC • SimpleX
Primary differentiators: MTA • AUD • OSS
Structural caps: push seams • relay visibility • IP exposure
Interpretation tightening (applied in final scoring)
- AUD credits only public third-party reports/certs with meaningful scope; non-public claims do not score.
- MTA is measured as secure-by-default outcome, not best-case theory.
- OSS includes “source exists” plus verifiable release/supply-chain signals where documented (signing, reproducibility, transparent build chain).
- DEC is penalized by required chokepoints (notably iOS push delivery seams) even if self-hosting exists in principle.
Final perfected scoring rubric
Weights sum to 100. Each criterion is scored 0–100 per application.
| Criterion | Wt | Definition of 100 (maximal target) |
|---|---|---|
| MTA — Metadata / traffic-analysis resistance | 22 | Default posture minimizes IP/timing/social-graph leakage (Tor/mix/onion), avoids observability seams. |
| DEC — Decentralization / self-host / no trusted operator | 15 | No required chokepoint; relay/server roles are disposable and operator-controlled. |
| ID — Identity surface | 10 | No phone/email; minimal stable identifiers; ephemeral/rotatable keys where relevant. |
| OSS — FOSS + supply-chain verifiability | 15 | Public source + credible release verification story (signing, reproducibility, transparent build chain). |
| AUD — Assurance | 15 | Public third-party audit / certification / evaluation with meaningful scope. |
| END — Endpoint surface / opsec compatibility | 10 | Minimizes remote compromise blast-radius; avoids high-risk dependency sprawl where possible. |
| RES — Resilience | 10 | Operates under censorship/blackouts/offline; hard to takedown. |
| USE — Maturity/operational health | 3 | Stability, maintenance cadence, cross-platform practicality (intentionally low weight). |
Composite formula: Composite = Σ(score × weight) / 100
Final composite ranking
Highest composite score = strongest default posture under this scoring regime.
| Rank | App | Composite |
|---|---|---|
| 1 | Briar | 87.96 |
| 2 | Tinfoil Chat (TFC) | 84.95 |
| 3 | SimpleX Chat | 81.96 |
| 4 | Cwtch | 74.21 |
| 5 | Ricochet Refresh | 74.16 |
| 6 | Olvid | 71.20 |
| 7 | bitchat | 65.75 |
| 8 | Quiet | 61.40 |
| 9 | Jami | 60.55 |
| 10 | Vector | 58.45 |
| 11 | White Noise | 58.25 |
| 12 | Keychat | 57.65 |
| 13 | 0xchat | 56.35 |
| 14 | Wire | 55.00 |
| 15 | NYMCHAT (Nostr) | 54.50 |
| 16 | SphinxChat | 48.20 |
Final scorecard
Scores are 0–100 per criterion; composite is weight-adjusted.
| Rank | App | Composite | MTA | DEC | ID | OSS | AUD | END | RES | USE |
|---|---|---|---|---|---|---|---|---|---|---|
| 1 | Briar | 87.96 | 88 | 90 | 90 | 95 | 88 | 75 | 95 | 55 |
| 2 | Tinfoil Chat (TFC) | 84.95 | 95 | 95 | 95 | 95 | 55 | 100 | 75 | 10 |
| 3 | SimpleX Chat | 81.96 | 78 | 72 | 95 | 95 | 90 | 75 | 70 | 75 |
| 4 | Cwtch | 74.21 | 88 | 90 | 90 | 75 | 35 | 70 | 75 | 45 |
| 5 | Ricochet Refresh | 74.16 | 88 | 88 | 88 | 85 | 40 | 60 | 70 | 35 |
| 6 | Olvid | 71.20 | 65 | 50 | 80 | 85 | 95 | 70 | 50 | 80 |
| 7 | bitchat | 65.75 | 50 | 78 | 95 | 90 | 15 | 65 | 95 | 60 |
| 8 | Quiet | 61.40 | 65 | 80 | 85 | 90 | 5 | 45 | 65 | 45 |
| 9 | Jami | 60.55 | 30 | 70 | 70 | 95 | 35 | 70 | 80 | 65 |
| 10 | Vector | 58.45 | 60 | 65 | 80 | 75 | 15 | 60 | 65 | 50 |
| 11 | White Noise | 58.25 | 55 | 70 | 85 | 80 | 15 | 60 | 60 | 30 |
| 12 | Keychat | 57.65 | 55 | 65 | 75 | 80 | 20 | 50 | 65 | 60 |
| 13 | 0xchat | 56.35 | 60 | 65 | 80 | 70 | 15 | 45 | 65 | 55 |
| 14 | Wire | 55.00 | 35 | 55 | 30 | 80 | 70 | 65 | 45 | 85 |
| 15 | NYMCHAT (Nostr) | 54.50 | 45 | 70 | 90 | 65 | 10 | 55 | 70 | 45 |
| 16 | SphinxChat | 48.20 | 40 | 65 | 70 | 70 | 10 | 35 | 55 | 55 |
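To make the scorecard auditable, here is an added example (not part of the original document) that encodes the rubric's weights and the per-criterion scores above, recomputes Composite = Σ(score × weight) / 100, ranks the candidates, and lets you rerun the composite with a single criterion overridden to see how much one structural cap costs. The `what_if` helper and its sample override are hypothetical sensitivity checks, not scores from the page.

```python
# Added example: recompute the rubric's composites from the published weights and scores.
WEIGHTS = {"MTA": 22, "DEC": 15, "ID": 10, "OSS": 15, "AUD": 15, "END": 10, "RES": 10, "USE": 3}
CRITERIA = tuple(WEIGHTS)  # column order used for every score tuple below

# Per-criterion scores copied from the final scorecard, in CRITERIA order.
SCORECARD = {
    "Briar":              (88, 90, 90, 95, 88, 75, 95, 55),
    "Tinfoil Chat (TFC)": (95, 95, 95, 95, 55, 100, 75, 10),
    "SimpleX Chat":       (78, 72, 95, 95, 90, 75, 70, 75),
    "Cwtch":              (88, 90, 90, 75, 35, 70, 75, 45),
    "Ricochet Refresh":   (88, 88, 88, 85, 40, 60, 70, 35),
    "Olvid":              (65, 50, 80, 85, 95, 70, 50, 80),
    "bitchat":            (50, 78, 95, 90, 15, 65, 95, 60),
    "Quiet":              (65, 80, 85, 90, 5, 45, 65, 45),
    "Jami":               (30, 70, 70, 95, 35, 70, 80, 65),
    "Vector":             (60, 65, 80, 75, 15, 60, 65, 50),
    "White Noise":        (55, 70, 85, 80, 15, 60, 60, 30),
    "Keychat":            (55, 65, 75, 80, 20, 50, 65, 60),
    "0xchat":             (60, 65, 80, 70, 15, 45, 65, 55),
    "Wire":               (35, 55, 30, 80, 70, 65, 45, 85),
    "NYMCHAT (Nostr)":    (45, 70, 90, 65, 10, 55, 70, 45),
    "SphinxChat":         (40, 65, 70, 70, 10, 35, 55, 55),
}

def composite(scores):
    """Weight-adjusted composite on the 0-100 scale; rejects mis-sized or out-of-range input."""
    if sum(WEIGHTS.values()) != 100:
        raise ValueError("weights must sum to 100")
    if len(scores) != len(CRITERIA) or any(not 0 <= s <= 100 for s in scores):
        raise ValueError("expected %d scores in 0..100" % len(CRITERIA))
    # Sum in integer hundredths first so float rounding only enters at the final division.
    return sum(s * WEIGHTS[c] for s, c in zip(scores, CRITERIA)) / 100

def ranking(scorecard=SCORECARD):
    """(app, composite) pairs, highest composite first; ties keep scorecard order."""
    return sorted(((app, composite(s)) for app, s in scorecard.items()),
                  key=lambda pair: -pair[1])

def what_if(app, criterion, new_score, scorecard=SCORECARD):
    """Hypothetical sensitivity check: composite after overriding one criterion's score."""
    scores = list(scorecard[app])
    scores[CRITERIA.index(criterion)] = new_score
    return composite(scores)

if __name__ == "__main__":
    for rank, (app, value) in enumerate(ranking(), start=1):
        print("%2d  %-20s %6.2f" % (rank, app, value))
```

Because the composite is linear, a change of d points on a criterion with weight w moves the composite by exactly d × w / 100, which is what the sensitivity helper makes visible for any single cap.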
Why the ranks land where they land
1) Briar — resilience + real audits + Tor-by-design
- Offline/blackout resilience is native: Bluetooth/Wi-Fi direct when internet is down; Tor when internet is up. Quick Start
- Public audits exist across time: Cure53 report (PDF), plus newer assessment/retest context from the project’s security workstream. How it works
2) Tinfoil Chat (TFC) — endpoint-hardening taken to the extreme
- Architecture explicitly centers onion routing and hardware separation (relay + data-diode design pattern). Repository
- Audit maturity is the limiter under this rubric (no comparable public third-party report surfaced here).
3) SimpleX Chat — top assurance + strong supply-chain posture, with one central seam
- Apple push notifications currently require servers operated by SimpleX Chat Ltd (a constrained centralization/metadata seam). Privacy policy
- Public third-party security review is documented by the project (Trail of Bits engagement). Review announcement
- Reproducible/verifiable build posture is unusually explicit (strong OSS/supply-chain signal). Reproducible builds
4–5) Cwtch vs Ricochet Refresh — onion-native cores, missing different pillars
- Cwtch: the project’s own deployment notes explicitly flag missing public staff key records for signed releases and ongoing supply-chain maturity. Deployment
- Ricochet Refresh: the current development phase carries explicit alpha warnings covering protocol/Tor integration and a major code rewrite. Releases
- Primary project landing: ricochetrefresh.net
6) Olvid — assurance king, decentralization cap
- Open source status is explicitly stated for iOS/Android apps and the message distribution server. FAQ
- ANSSI CSPN certifications and Synacktiv evaluation reports are referenced and published by the project. Technology page
- DEC remains structurally capped under this rubric due to operator-shaped distribution infrastructure.
7) bitchat — extreme resilience, but geohash/location + low external assurance
- Internet mode includes geohash location channels, large relay fanout, and NIP-17 gift-wrapped private messages (tradeoffs between reach and observability). Repository
- No public third-party audit was linked in this review pass → AUD remains constrained.
8) Quiet — design ambition with a self-declared assurance floor
- Project explicitly states it is not audited and not suitable where security/privacy are critical (hard cap on AUD). Repository
9) Jami — decentralized core, but IP exposure is fundamental without Tor/VPN
- FAQ states Tor/VPN is mandatory to avoid IP address leaking in typical P2P scenarios. FAQ
10–13) Vector / White Noise / Keychat / 0xchat — relay-based Nostr stack (differentiated hardening)
- Vector: claims NIP-17 encrypted chat using NIP-44 encryption + NIP-59 seals/gift wraps. Vector repo • NIP-17
- White Noise: implements Marmot (MLS group messaging on Nostr), but release maturity is limited (“coming soon”). Repo • Marmot
- Keychat: explicit model: Nostr relays as “post offices,” ecash stamps as “postage.” Repo
- 0xchat: “secret chat” spec references NIP-101 key exchange for forward secrecy as an extension to gift-wrapped DMs. Spec doc
- Note on Nostr message protection primitives: NIP-44 • NIP-59
14) Wire — strong enterprise assurance posture, identity surface by default
- Privacy policy states registration requires username + email + password (default identity anchor). Privacy policy
- Wire server is open source and self-hostable (DEC uplift, but ID remains capped by default workflows). wire-server
- Anonymous registration exists at the API level (not assumed as consumer default posture). Developer docs
15) NYMCHAT (Nostr) — bridged geohash channels + weaker DM crypto baseline
- Bridge claim: geohash location channels bridged with bitchat. nymchat.app
- Web client flags: “Channels are bridged with Bitchat geohash.” web.nymchat.app
- Project home: nymchat.com
- Repository: Spl0itable/NYM
16) SphinxChat — Lightning-native messaging with hub gravity + high operational surface
- Core positioning: “End to end encrypted chat…using the bitcoin lightning network.” sphinx.chat
- Relay documentation explicitly recommends a direct channel to sphinx.chat for cheaper routing, with an explicit privacy/cost tradeoff statement (centralization/metadata gravity). sphinx-relay
- Umbrel app listing captures common deployment narrative. Umbrel app store
Dominant failure modes
These are the few variables that overwhelmingly decide outcomes under this rubric.
- Default transport observability (Tor/onion-native vs relay/DHT/IP-exposed).
- Supply-chain verifiability (signed + reproducible + transparent release chain vs “source exists”).
- Public assurance artifacts (real audits/certs vs none).
- Hidden identity anchors (email/username, push infrastructure seams, location/geohash participation).
Concrete examples (inline sources)
- Push seam: SimpleX iOS push delivery restriction via SimpleX Chat Ltd servers. simplex.chat/privacy
- Self-declared no-audit cap: Quiet “not audited” warning. TryQuiet/quiet
- IP exposure warning: Jami FAQ on P2P IP leakage and Tor/VPN necessity. docs.jami.net FAQ
- Release-chain gap: Cwtch deployment notes on signed releases and public staff key records. docs.cwtch.im/security/deployment
- Geohash coupling: nymchat bridge statement with bitchat. nymchat.app • bitchat repo
Core links (primary sources)
Key references used as anchors for the scoring regime; additional links are embedded inline above.
| Topic | Primary link |
|---|---|
| Briar offline + Tor behavior | briarproject.org/quick-start |
| Briar audit report (Cure53 PDF) | briarproject.org/raw/BRP-01-report.pdf |
| TFC architecture (onion + data diode) | github.com/maqp/tfc |
| SimpleX iOS push seam + privacy posture | simplex.chat/privacy |
| SimpleX reproducible build verification | simplex.chat/reproduce |
| Cwtch deployment / signing notes | docs.cwtch.im/security/deployment |
| Ricochet Refresh alpha warnings | github.com/blueprint-freespeech/ricochet-refresh/releases |
| Olvid open source statement | olvid.io/faq/is-olvid-open-source |
| Olvid ANSSI CSPN + Synacktiv reports | olvid.io/technology/en |
| Quiet “not audited” cap | github.com/TryQuiet/quiet |
| Jami IP exposure / Tor-VPN requirement | docs.jami.net/pt/user/faq.html |
| Nostr encrypted DM scheme (NIP-17) | github.com/nostr-protocol/nips/blob/master/17.md |
| Nostr seals / gift wraps (NIP-59) | github.com/nostr-protocol/nips/blob/master/59.md |
| Wire default registration identity anchor | wire.com/en/privacy-policy |
| Sphinx relay hub-gravity note | github.com/stakwork/sphinx-relay |
| NYMCHAT ↔ bitchat geohash bridge | nymchat.app |