@inference I saw where you previously critiqued Matrix and said Signal is good enough. I agree that security could have been implemented better with Matrix. I remember using Riot years before Element. While the service implemented more and more advanced encryption, it was implemented worse than previous attempts.
I agree about Signal. It's a solid service and open enough.

What are your thoughts on Briar? I've found it quite usable and it seems secure enough. If you haven't tried it, I hope you have two working phones to use.

@AmpBenzScientist Briar has no verification system and possibly lacks authentication. Session and Tox are the same.

You do hide metadata with those services, but it's not worth the security risks of talking to someone who has compromised an account and makes you believe you're talking to your real contact. There are no per-session keys like what Signal, XMPP, Matrix, and even WhatsApp have; you are blindly trusting that you're talking to the real contact and their account has not been compromised.

Signal does the best job at hiding metadata without an onion service, and its security/encryption is what almost every other messenger today is based on, including XMPP, Matrix, and WhatsApp; you can't get any better.

@inference That's a fair assessment.

I will point out that Briar omits certain features but it does this to allow for deniability. Outside of a war zone, this can indeed cause problems. It is surprisingly feature rich for what it is and not difficult to use.

Signal is the best for now. It has the best encryption I've seen implemented and ease of use. There's not much reason to not use the service, even from a FLOSS viewpoint. (I.e., hypocritical to criticize a non-Libre service that almost entirely relies on non-free infrastructure.)

@AmpBenzScientist You can't know if open source (for the sake of pedanticism, I use that term for all OSS, FOSS, FLOSS, etc.) servers really are running the code they say they are; it's more like source-available, at best.

Metadata can cause issues in some situations and threat models, but most people won't need that level of metadata stripping, especially at the cost of authentication/verification of their contacts.

I do think Briar's local connections via same network or Bluetooth are quite good, but it certainly doesn't impress me in any security or privacy aspect over Signal or other Signal protocol-based messengers (I'm an advocate for per-session keys, which allow you to see if an app has been tampered with or an account has been logged into from a different device or device state, such as after a factory reset or app reinstall; things which are impossible with Briar, Session, and Tox).

It does have its use cases, along with Session and Tox, but it's more of a when-needed service for me, not a go-to daily driver for everyday use.