i’ve just seen a comment in a post, in this very community, saying people trust signal because of misinformation (from what i could understand).
if this is true, then i have a few questions:
-what messaging app should i use for secure communications? i need an app that balances simplicity and security.
-how to explain it to my friends who use signal because i recommended it?
-what does this mean for other apps in general?
Requires you to use a phone number, your phone app needs to be online 24/7 to be connected, and hosted in a questionable jurisdiction with questionable human rights. Try Matrix. It’s selfhostable, doesn’t need a phone number to sign up and the foundation is British, which while this country from what I know has gone down the water, they still have some niceties from the time they were in the EU, like GDPR.
Among other problems, Matrix is not a replacement for a messaging app. It’s more of a community message board with 1:1 private messages with the possibility of encryption. It is way more than most want or need.
I’ve also run a Matrix server in the past, and it’s not simple. The vast majority of people do not have the technical acumen, hardware infrastructure, or time necessary to even begin this endeavor.
Joining a public server where they don’t have control of the data requires a lot of trust in that instance and their owners. To expect them to vet those owners first, verify the servers are in a trusted country, … 10 more steps, before they begin is asinine.
Matrix is not an alternative to any messaging apps mainly intended for 1:1 communication.
I don’t know what the current reputation is but Matrix wasn’t always perfectly trustworthy either: https://hackea.org/notas/matrix.html
The 5 eyes CCTV GCHQ British? The rabid USSA, Shitrael bootlickers?
No thanks
PRODUCT PITCH: Hey everyone, I have a great idea for a secure / private messaging service.
It’s hosted in the US, subject to its pervasive spying laws including national security letters.
Also I need all your phone numbers.
Also no you can’t host this yourself, I run the only server.
Everyone who uses signal and supports it, is falling for this pitch.
I am under the impression that Signal encrypts metadata so that is useless to sell. The only thing they can turn over to law enforcement after a lawful warrant is the phone number an account was opened with (and maybe the date that happened) and the date of the last time the account was used. That is all.
not to shit on you specifically but I see this over and over, folks asking how to be “secure”. secure against what?
if you’re into this, you need to set up a “threat model” i.e. what are your threat vectors and then you build your defenses against that model. a defense against blanket surveillance doesn’t handle targeted threats. a successful defense against your government doesn’t preclude other nation-state actors getting at you.
like, if your threat vector is e.g. your SO “inspecting” your phone, you set up a passcode and you’re safe against that threat. but, if there’s a toddler going around smashing stuff, your defense isn’t valid. defense against that vector is placing your phone high up. but that defense isn’t effective against SO.
I am sure any messenger recommended here can be successfully red-teamed, be it design flaws, operator error, the famous wrench comic, or what have you. but that doesn’t mean it’s ineffective in your specific case.
It’s fine as long as you don’t do something silly like invite a journalist to your top secret government group chat.
Or use a third party client that doesn’t have as much scrutiny on the source code and will leak your messages
man imagine trusting in an israeli signal fork lmao
There is none. There’s like 0.1% of people who complain about it who have a valid point.
And those points are always meaningless in light of the alternative’s drawbacks.
Even the alternatives like Briar acknowledge on their FAQ that Signal has pros
Being tied to US infrastructure isn’t a valid concern?
What then is the difference between it and Whatsapp? Both claim to use the Signal secure protocol but you can never confirm that since their codebases are closed source and proprietary.
Signal is great, but it is centralized. Session messenger is a great example of decentralized e2ee messaging.
I used Session for a couple of years, but switched back to Signal because it did a poor job with media sharing.
It’s been a while since I switched back, so maybe it’s fixed now?
Signal is closest to WhatsApp but in an open source format.
Is there anything else as close?
Given what you’ve said, Signal is still what you want and is good for it.
There are two main issues people have with Signal:
First is that it requires a phone number to sign up. That makes some people who want it to be truly anonymous unhappy. It’s not meant to be anonymous, though. It’s meant to be private. Those aren’t the same thing.
Second is that it runs on AWS. This isn’t a problem in the sense that it’s possible for it to still retain privacy while running on AWS. Some people don’t like it because they view the dependence on the infrastructure of an American company to be a risk to availability. They also believe that it would exacerbate a security flaw if one were found.
Personally, I know these risks and still find it to be the best balance between privacy, security, and ease of use.
Did you ask the commenter what the issue was? Seems like the logical place to start.
You’d think so, but sometimes they just angrily rant with no clear point or references.
But that would mean that you shouldn’t accept their claim, regardless of how conceivable the claim might appear to be. Otherwise, we lose our minds to common sense.
i agree with everything you said about signal, but i’m uncomfortable with a lot of the alternatives. a cryptographer i follow has written about a couple of these: xmpp, matrix three or four times (linked in the introduction to the post), others
Look at Delta chat.
I checked out the SimpleX website and the web design looks like “crypto rugpull”

Signal does have your phone number, which is a problem.
On the other hand, the only information linked to that phone number is, “the person with this phone number uses signal”. AFAIK your phone number is not linked to your contacts, your message content, etc.
So in practice, the fact that Signal has your phone number is probably only a problem insofar as you don’t want anybody to know that you use Signal.
But to be fair, why have that issue if you don’t have to. Signal is actually good, still, but there are even better alternatives.
Well, it’s 100% linked to your contacts in one way or another because when you install it Signal will happily alert you to which ones of your contacts are already using Signal. I can’t see how they could manage that without slurping up your contact information.
AFAIK the client slurps up your contacts, but the E2E encryption ensures that the Signal server cannot actually see those.
Signal is the best “easy” alternative. And DIY leaves many holes for rookie errors.
Do explain what makes it better than SimpleX Chat?
Would love to use SimpleX too, but the plan fell apart while trying to use it with family. Surprisingly many people fail to grasp the concept of anything other than a phone number, social media profile, or email address. It fell apart among my more tech-savvy friends because we missed calls and had delayed notifications despite SimpleX eating through the battery like no other messaging app.
No doubt, SimpleX is the concept of a messaging app done right and could be better than any other. It’s just the implementation that needs work. But I’d be happy to hear if there are any optimizations I could try and revisit it.
My contacts could find me by phone number. I changed my status on WhatsApp and half of the regular contacts decided to use Signal. If I want to use SimpleX I would have to invite them all and just hope they’ll adopt.
I don’t need my phone number to be private. I want my communication to be private.
You deciding to invite your contacts to Signal isn’t really Signal being better though.
Better at connecting with the people in my life, the people that I want to stay in touch with on a regular basis.
There is no problem
Signal is fine for normal/social chatting. It is centralised which makes it much harder to obscure identifying conversation metadata, and I wouldn’t recommend it for comms with a state threat model. I like SimpleX for addressing those issues.
If you just want to chat to friends and nothing else, I probably would recommend Signal for the most polished experience and most widely adopted open-source private messenger.
Using phone numbers is the only real criticism imo. Any service that uses phone numbers is fundamentally compromised.
They offer encrypted messaging, not anonymity. They offer a way to keep your conversations private. It’s not an opsec tool, it’s not a tool to be used by the military. It’s a platform for regular people that don’t want to get spied on or don’t want their conversations to be used against them when legislation changes.
“Nullum crimen sine lege, nulla poena sine lege”
Still phone numbers are just really really bad. Like the worst thing you could possibly choose when it comes to verification.
Why?









