The Secure Messaging Stack: Private Chat, Calls, and Numbers
A threat-tiered messaging stack — from mainstream Signal to metadata-resistant Briar — plus the virtual-number layer that lets you sign up for anything without your real phone number.
The Secure Messaging Stack: Private Chat, Calls, and Numbers
Messaging that isn't logged, profiled, or tied to your real phone number — matched to how much metadata you actually need to shed.
End-to-end encryption is now table stakes; even mainstream apps have it. The real exposure has moved to two places most "best messenger" lists ignore. First, metadata — who you talk to, when, and from where — which is often more revealing than message content and which encryption alone doesn't hide. Second, the phone number, which ties your "private" chats straight back to your legal identity. This stack tiers your options by how much of that you need to shed, then adds the number layer to break the identity link.
Who this is for / Threat model
You want messaging that isn't logged, profiled, or bound to your real number. This stack defends against metadata collection, phone-number identity linkage, message interception, and centralized-server compromise.
What it does not do: make you untraceable to someone who already controls your device, or protect content you voluntarily hand to a contact who screenshots it. Encryption secures the pipe, not the person on the other end. Pick the tier that matches your adversary — over-provisioning security you don't need just adds friction that makes you abandon it.
Tier 1 — Mainstream, strong by default
The right starting point for almost everyone.
Signal — E2E messaging, minimal metadata open-source GitHub
Why it's here: best-in-class end-to-end encryption with deliberate engineering to hold as little metadata as possible. It's the pragmatic default: strong protection your contacts will actually install. Tradeoff: requires a phone number to register (see Tier 4 to decouple that), and routes through centralized servers.
Tier 2 — No phone number, no central identity
When tying an account to your number is itself the risk.
Session — messaging without metadata or a phone number open-source GitHub
Why it's here: no phone number or email to sign up, and it routes messages over a decentralized network to minimize metadata. Removes the identity-linkage problem at the root. Tradeoff: smaller network, and onion-style routing can add latency.
Tier 3 — Federated, no single server to compromise
When you don't want one company holding the whole network.
Matrix / Element — decentralized E2E chat open-source GitHub
Why it's here: an open, federated protocol — no single server owns your account, and you can self-host. Element is the mainstream client. Good for communities that want control without going fully peer-to-peer. Tradeoff: metadata is spread across servers rather than eliminated; setup is heavier.
XMPP — federated messaging standard open-source GitHub
Why it's here: a mature, open federation standard with many clients and self-hosting options for those who want a lightweight, long-lived protocol. Tradeoff: encryption and features vary by client; you assemble your own experience.
Tier 4 — Metadata-resistant, no infrastructure at all
The high end: when even "which server" is too much exposure.
Briar — offline / Tor peer-to-peer messaging open-source
Why it's here: connects devices directly over Tor — or even Wi-Fi/Bluetooth when there's no internet — with no central server to log, subpoena, or seize. This is the metadata-resistant end of the stack. Tradeoff: both parties must be online to sync; deliberately spartan, and not for casual group chat.
The voice layer
Linphone — open-source encrypted VoIP open-source GitHub
Why it's here: encrypted voice and video over open SIP standards for calls that aren't routed through a mainstream telecom. Tradeoff: call quality depends on your SIP setup and network.
Mumble — low-latency private voice chat GitHub
Why it's here: self-hostable, low-latency group voice — a private alternative to consumer voice-chat platforms. Tradeoff: you run or trust a server; text features are minimal.
Tier 5 — Break the number link (signup layer)
Most "best messenger" lists stop before this — the reason your private apps still trace back to you. A virtual number lets you register for services (including Signal) without exposing your real one.
MoneroSMS — crypto-paid private SMS numbers
Why it's here: receive verification texts on a number you paid for with private crypto, decoupling the signup from both your real number and your card. Tradeoff: per-number cost; numbers may be short-lived.
Crypton.sh — private cloud physical number GitHub
Why it's here: a real, cloud-hosted physical number you control, useful where a genuine (not disposable) line is required. Tradeoff: ongoing cost.
Hushed — disposable private phone numbers
Why it's here: on-demand disposable numbers for one-off signups you don't want tied to your identity. Tradeoff: a mainstream provider, so it fits lighter threat models, not adversarial ones.
Which tier is the call?
| Your need | Pick | Cost of going higher |
|---|---|---|
| Strong default, easy to adopt | Signal | — |
| No number / no account | Session | Smaller network |
| Community-owned network | Matrix | Heavier setup |
| No server at all | Briar | Both must be online |
The call: put everyone you can on Signal — the security-per-friction is unbeatable and network effects matter. Add Session or Briar only for conversations where the fact that you talked is the sensitive part. And pair Tier 1 with a Tier 5 virtual number so your default messenger isn't quietly stamped with your real identity.
FAQ
(Questions answered below; see the CTA to take the full checklist with you.)
Run a tool in this stack? Claim this listing.
Tags
Build your stack
Browse the vetted directory to compare every tool, or run a free check on your own exposure.