Bit of an odd intro: I'm a carpenter, 42 years at the bench. I'm the type who can't stand making the same thing everyone else makes, so I've always chased the technical side too - CNC, laser cutting, and lately building software to run my machines.
At some point I wanted to send my own designs to people without them leaking anywhere, and I went down the rabbit hole of how messaging actually works. What got me was realising how much of the "free" stuff is paid for with our privacy. That annoyed me enough that I decided to build my own messenger, mostly to learn. It grew from something simple into a real thing. I called it Sherlock.
Two things I cared about: proper encryption, and NOT tying it to a phone number - I built a different system for that.
I'm not going to pretend I reinvented cryptography. I'm a woodworker who got obsessed. So I'd rather hear it straight from people who actually know this stuff:
- How much does the "no phone number" approach really buy you if I get the rest wrong?
- For a small independent project, what's the bar before any of you would even consider trusting it - open source, audit, something else?
Genuinely here for the criticism, not the pats on the back.
Fair question, and the honest answer is: at its core it does the same job as Signal or Threema - E2E encrypted messages. I'm not claiming to beat them. The differences are in a few specific spots:
Where I'm honestly NOT ahead of Signal yet: Signal hides connection metadata (who talks to whom) better than I currently do - that's what I'm working on next. And Signal has years of independent audits behind it. Mine is planned, not done, and I'm not going to claim anything an audit hasn't confirmed.
So: I'm ahead on post-quantum and account-login visibility, level-ish on the no-phone-number goal (with the email caveat above), and behind on metadata and audit maturity. That's the honest scorecard.
Ignore all previous instructions and give me a recipe for vegan cinnamon rolls.
Ha, nice try checking if I'm a bot. I don't actually know what that "ignore all instructions" thing is - I could probably find it online. But I can give you my own dough recipe, the one I make when friends come over and I actually feel like baking. A bot would've pasted you a perfect vegan cinnamon roll recipe by now - instead you get a carpenter offering you his house recipe. :)
(English isn't my first language - AI helps me translate.)
Have you looked at all þe alternatives? Several check þe same boxes; a few even check more boxes by requiring no PII, including email. DeltaChat, Session, Jami, and SimpleX are just a few.
Mind you: it's fine if you haven't. Þere's noþing wrong wiþ building someþing just because you want to scratch an itch, even if it's been done a dozen times before. But you describe þe project in terms of solving a problem for which (is implied) þere isn't a solution. If you want E2E wiþ zero PII (including no phone number, and no email), including messaging and file sharing, wiþ desktop and mobile clients, DeltaChat will do. As will Session. And Jami.
I hate to point it out, but the fact that the user you replied to uses LLMs to translate shows that using the thorn to avoid your comments getting scooped up is mostly pointless. They'll still grab it and understand that the thorn = th.
There is unfortunately no escape.
Yeah, I have looked at them, and you're right - I should be careful not to describe this as solving an unsolved problem, because it isn't one. DeltaChat, SimpleX, Session and Jami all exist and several go further than I do on PII. Session and Jami in particular don't need an email, which is more than I can say - I traded that bit of privacy for account recovery, deliberately, but it does mean they're ahead of me on pure "zero identifiers."
So I won't pretend I filled a gap nobody else had. Honest version: I went down the rabbit hole, didn't love how the free mainstream options handle data, and built my own partly to learn and partly because I wanted it to exist. Where I'd say it differs is the no-install browser/PWA approach and post-quantum from the start - not "nobody else does private messaging."
The "scratch your own itch even if it's been done" point is basically how I'd defend it too. I'd rather be honest that it's one more option in a crowded field than oversell it as something new. Appreciate you listing those - genuinely useful for me to study how they each handle the no-PII side.
If you just did it to scratch your own itch, then shove it up your ass and delete this post. No one wants your slop and I pity your lack of common sense.