What's the deal with Signal?
What's the deal with Signal?
I don't know if I'm opening a can of worms here, and I'm still trying to backtrack a lot of history where I was tuning everything out. I keep seeing random swipes at Signal (or the representatives (?)), and I was wondering whether they are founded or just lies.Is it another situation like Lemmy where we just "take the technology and move on"? Thanks!
my problem with signal is that they have a hard requirement to use a phone number for signup and that they don't want to do anything about federation or messenger intercompatibility.
Their resoning is that they only trust themself to keep the meta data safe and so need you. Leaves a little bit of a sour tast in my mouth that they don't even give their users the option to opt into federation.
they don’t want to do anything about federation or messenger intercompatibility.
Their reasoning is that they only trust themself to keep the meta data safe and so need you.
That's not their reasoning. Their reasoning is that it's much harder to evolve the protocol in a decentralized context than a centralized one. It's not that they only trust themselves with your metadata, it's that they can improve the protocol much faster in order to get rid of most metadata.
They have been able to deploy a ton of protocol updates with regards to minimizing the amount of metadata anyone has access to (including them), while other decentralized alternatives have essentially been stuck in limbo for a while:
- Secure Value recovery
- Groups V2
- Sealed sender
- Usernames
- Post quantum resistance
On the other hand, Matrix, XMPP and email are very leaky with regards to metadata. I'm not going into email because that's pretty documented, but here it is for matrix:
- Message reactions are not encrypted
- Group membership are not encrypted (which lead to attacks)
- Profile pic and Name are public (visible by everyone even people with whom you don't have any contact)
Different people don't like it for different reasons. Some people don't like it because they think it has CIA financial backing (nope), and some people don't like it because it requires your phone number, therefore it is not private (the privacy it provides is more than sufficient for anyone not actively being persecuted by a Five Eyes state), and some people don't like it because it feels corporate (it's a 501c3 nonprofit, and how corporate it feels is subjective).
Accurate. And if you are being targeted by 5 eyes, your phone is probably fucked, one app vs another probably won't make a difference
If you ARE targeted by 5 eyes, you'd probably want to not be using your phone for communications, but Signal sorta requires you to, even if there's a desktop client.
However, I don't presume to know what would be the best option. SimpleX maybe, as the servers don't keep messages? Otherwise, I use Matrix because it's a lot more common and very easy to set up your own homeserver. However, again, if I had to hide something from a 5 eyes threat actor, they'd just find some vulnerability in my server config or, hell, maybe they can somehow sneakily get root access through the VPS provider itself, as I'm not hosting on my own hardware.
Honestly, meeting in person might be the most private solution if you've got that kind of a threat model.
Signal likely does not have
CIA financial backing
But this is the kind of information that can be only dispositive.
That is, because we cannot prove a negative, and the only time you can be certain about whether an organization—especially one like the CIA—has provided funding for something, is after it has been proven.
And some people don’t like it because it used to handle SMS on Android, and they removed that feature for security reasons.
This was such a dumb decision
This might be offtopic but:
Fun Fact, you can use an open source app like Secure Space Encryptor (SSE) (on iOS its called "Paranoia Text Encryption") to convert any string of text into a encrypted ciphertext, and you can then copy-paste that ciphertext and send it over any medium, like SMS, without the internet. (Most encrypted messaging apps require you have to have internet AFIAK, so people without a data plan is fucked, but with SSE, you can just send ciphertext over SMS) Its not intergrated with SMS, so you'll have to type plaintext in the app then copy paste the ciphertext it spits out.
Or you can also PGP over SMS
I remember when Signal used to intergrate with SMS, and I kinda liked that more than the Signal today where you have to use the internet and go through their servers.
I don't think I've ever seen people say it has CIA financial backing. It did however until only a couple of years ago have strong ties to the State Department's Open Tech Fund (from the same financial envelope that brings you RFA/RFE/VOA).
The main developer of Lemmy seems to think there's a solid connection. I'm not jumping in that fight, I got no dog in that fight, I don't have that kind of threat model.
https://dessalines.github.io/essays/why_not_signal.html#cia-funding
However, considering he's openly Marxist, he may be just slightly biased.
I suspect OP of this post actually saw the recent /c/Privacy thread over at lemmy.ml where Dessalines was proselytizing against Signal while not seeming to have a problem with SimpleX chat being funded by a group of Venture Capital investors, including Jack Dorsey.
I understand why, but I get annoyed that I can't integrate it into ferdium with my other things like discord, e-mail and calendar.
Signal is an open-source privacy-focused end-to-end encrypted texting platform (so competing with SMS, WhatsApp, iMessage, Telegram, and similar). It’s developed by a donation-funded non-profit organization.
Signal is quite good compared to the competition, but it faces a lot of scrutiny because they make big promises about privacy and security so the people who care will really get into the details on that. Also IIRC there was a period when one of their competitors was trying to slander them more or less.
In general there’s nothing wrong with Signal and it’s quite a good option. If you really care about the privacy details you can always host your own instance (but that would require you to convince your friends to use your instance … it’s not federated).
The deal is that they run their program in a very transparent and wherever possible verifiable way.
More details here: https://lemmy.world/comment/14775870This is a good comparison of messengers here:
https://eylenburg.github.io/im_comparison.htm
Btw, an imprtant aspect of privacy is how metadata are handled/leaked. Signal trues to minimize metadata leak to near zero (there are some other messengers that do that, like simplex)
This comparison makes some questionnable choices. It puts the presence of a web client as green, when actually this breaks the thread model of end-to-end encryption.
It's mostly minor shit, it's better than the alternatives unless you self-host (which has a boatload of other issues).
The thing is I have yet to see any reasonable alternatives.
Threema is the closest but it’s not free-of-charge, so a non-starter for most of my friends.
The others are controlled by Russia (telegram) or Meta. What else even is viable?
Session, an Australian fork of Signal with onion routing and no phone number requirement, seems promising.
I'm trying to move my family to Matrix with a self hosted server. It's not easy though because of bugs in it.
How does simplex compare?