Cwtch – Privacy Preserving Messaging
28 comments
·March 14, 2025dang
I guess the current thread and this other ongoing one are duals:
Briar: Peer to Peer Encrypted Messaging - https://news.ycombinator.com/item?id=43363031 - March 2025 (48 comments)
sarahjamielewis
Hi! Sarah from the Open Privacy Research Society / Cwtch team here - happy to answer questions.
Gys
There is not any background on the website. Like who is that society, who is behind it, what is the goal of the app, where comes the funding from. Why for example did you not fund Signal? It has similar goals?
sarahjamielewis
There should be a link to the society website (https://openprivacy.ca/) on the Cwtch site, but I can see that there isn't - we will get that fixed.
Open Privacy Research Society is a Canadian non profit society, founded in 2018, you can find details of our members and operating structure on our website. Most of our funds come from individual donations.
Cwtch started as an extension to the Ricochet Tor messenger which I also contributed back in 2014/2015. Our main goal behind Cwtch was to establish that metadata resistant / p2p communication could be done in a similar form factor to traditional server based / non-metadata private protocols like Signal i.e. to try and push the privacy properties that people can wield beyond end to end encryption, in a way that is still usable.
jqpabc123
Looks interesting but the lack of an iOS client makes it a non-starter for me. I use Android but I have friends and family who don't.
sarahjamielewis
It's definitely one of the bigger challenges. Currently we don't see a viable way to deploy something like Cwtch on iOS (both in due to how locked down the platform is in general, and the requirement to run a backing onion service for each profile making mobile a hassle in the general case) - we are somewhat hopeful that advances on the Tor front might make it possible one day.
mrtesthah
would something like Orbot work?
sarahjamielewis
Cwtch requires setting up onion services, and the app currently does that automatically via establishing a control connection with a Tor process (either launched by Cwtch, or provided by the system).
Orbot can be configured to expose the same control port (or at least it could on Android when I last looked a few years back, I'm not sure about this capability on iOS), and Cwtch can be configured to use a custom control port connection - but that imposes much more work on the user, and is somewhat fragile.
That could likely be made to work on iOS in some factor, but the problem of the stability of the services themselves would remain. Its definitely something we'd like to explore.
dang
Related:
Cwtch: Decentralized, privacy-preserving, multi-party messaging protocol - https://news.ycombinator.com/item?id=27643171 - June 2021 (88 comments)
Prunkton
direct link to the repository: https://git.openprivacy.ca/cwtch.im/cwtch
nullc
Any thoughts about direct lan/vpn communications as an option? The use of tor makes a working high quality internet connection a requirement, and potentially makes it more attractive for attackers to DOS attack tor in order to make their targets move off Cwtch and onto less secure communications methods.
sarahjamielewis
It is something we get asked about fairly frequently, its not a high priority for us right now as it requires some thought as to not break or undermine any existing cryptographic/privacy properties that Cwtch does have (see: https://git.openprivacy.ca/cwtch.im/cwtch-ui/issues/461#issu...) - but it's also not something that we have ruled out if the right combination of design/effort is available.
some_furry
Tor is important for metadata resistance.
kitd
Lol, not often you find Welsh in the world of tech naming!
gizajob
Who named this, are the devs welsh?
It can be a bit of a bugbear of mine, when people who’ve never been to wales and certainly don’t siarad cymraeg appropriate welsh words as names, such as the sickmaking LA lifestyle brand Hiraeth. But then again the welsh did give the world the word penguin.
sarahjamielewis
Shwmae, Sarah ydw i. I co-founded the Cwtch project, and yes I was born in Wales, lived there for 20+ years, and as a result learned Welsh in school; and while I no longer live there, I still consider myself, at least in part, Welsh.
youngtaff
Dai iawn…
I’ve often wondered how the rest of the world will pronounce Cwtch and Blodeuwedd Labs
mac-mc
yes they are
gizajob
da iawn wedyn
thaumasiotes
Are they worried that their project is going to be called "cooch"? It seems likely to severely inhibit uptake.
opminion
cwm the n3logic interpreter
yamrzou
How does it compare to SimpleX Chat?
sarahjamielewis
SimpleX relies on out-of-band key material transfer between clients, in addition to the honesty of routing server to protect privacy and metadata.
Cwtch uses the existing infrastructure of Tor and v3 onion services to establish p2p chat sessions, thus relying on the underlying security of the Tor network. There is some nuances regarding how different kinds of groups work, we have a security handbook that goes into it a deeper: https://docs.cwtch.im/security/intro
yamrzou
I found this[1]:
Use end-to-end encrypted messaging applications for all your digital communications:
- Ideally, use peer-to-peer and metadata-resistant applications such as Cwtch or Briar. Otherwise, use metadata-resistant applications such as SimpleX or Signal.
- Email is not metadata-resistant and should be avoided if possible. If you must use email, use PGP encryption and register an address with a trusted service provider.
Do not use:
- Delta Chat or Matrix, as they are not sufficiently metadata-resistant.
- Telegram, as not all messages are end-to-end-encrypted.
Since SimpleX requires that users place some trust in the SimpleX servers, we recommend prioritizing Cwtch over SimpleX Chat for text communication with other anarchists, and using SimpleX Chat or Signal for voice and video calls. Unlike Signal, SimpleX Chat doesn't require a phone number or smartphone.
[1] https://www.notrace.how/threat-library/mitigations/digital-b...
pluto_modadic
<3 great work
Looks nice, but all my friends care about are stickers and gifs...