
Reminder of why is far from optimal:

- No (every account is connected to a phone number)
- Not (the git repo of the server hasn't been updated in a year)
- No
- No web client, and max. 1 mobile client per account
- No (your entire contact list is uploaded to the server. It's encrypted, but it's trivial to brute-force encrypted phone numbers. You can prevent it by disabling the PIN feature, but it's enabled by default without warning.)
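The claim above that encrypted or hashed phone numbers are trivial to brute-force rests on the size of the phone-number space, not on any weakness of the cipher. The following is an added example written for this page, not code from the thread or from Signal: it assumes a constructed worst case in which a server holds contacts as unsalted SHA-256 digests, shows that enumerating a known prefix range recovers every number, and contrasts that with a keyed HMAC whose key never reaches the server. The contact numbers, prefix and digit count are constructed for the demo.

```python
"""Why a deterministically hashed or encrypted phone number is not a secret.

Added example (not from the thread or from Signal). Assumption: the server
stores SHA-256(number) for each contact, the worst case an attacker could hope
for. A keyed digest is shown for contrast.
"""
import hashlib
import hmac
import os
from typing import Callable, Dict, Iterable, List, Set

# Constructed sample contact list in E.164 form (reserved 555 numbers).
CONSTRUCTED_CONTACTS: List[str] = ["+15550112345", "+15550190001", "+15550155555"]

# The attacker's search space: a known country/area prefix plus N free digits.
# A real national plan is ~10**9 to 10**10 numbers; a GPU computes billions of
# SHA-256 per second, so the whole plan is reachable in seconds to minutes.
PREFIX = "+155501"
FREE_DIGITS = 5  # 10**5 candidates keeps the demo fast


def sha256_hex(number: str) -> str:
    """Unkeyed digest: anyone can recompute it for any candidate number."""
    return hashlib.sha256(number.encode()).hexdigest()


def keyed_digest(key: bytes) -> Callable[[str], str]:
    """Keyed digest (HMAC-SHA256): cannot be brute-forced without the key."""
    def digest(number: str) -> str:
        return hmac.new(key, number.encode(), hashlib.sha256).hexdigest()
    return digest


def enumerate_numbers(prefix: str, free_digits: int) -> Iterable[str]:
    """Every number with the given prefix and free_digits trailing digits."""
    for i in range(10 ** free_digits):
        yield f"{prefix}{i:0{free_digits}d}"


def brute_force(stored: Set[str], digest: Callable[[str], str],
                prefix: str = PREFIX, free_digits: int = FREE_DIGITS) -> Dict[str, str]:
    """Map each stored digest back to its phone number by enumeration."""
    recovered: Dict[str, str] = {}
    for candidate in enumerate_numbers(prefix, free_digits):
        d = digest(candidate)
        if d in stored:
            recovered[d] = candidate
            if len(recovered) == len(stored):
                break
    return recovered


def unkeyed_demo() -> List[str]:
    """Server stores SHA-256(number); the attacker recovers every number."""
    stored = {sha256_hex(n) for n in CONSTRUCTED_CONTACTS}
    return sorted(brute_force(stored, sha256_hex).values())


def keyed_demo() -> int:
    """Server stores HMAC(key, number); without the key nothing is recovered."""
    user_key = os.urandom(32)                      # stays on the user's device
    stored = {keyed_digest(user_key)(n) for n in CONSTRUCTED_CONTACTS}
    attacker_guess = keyed_digest(os.urandom(32))  # attacker lacks user_key
    return len(brute_force(stored, attacker_guess))


if __name__ == "__main__":
    print("unkeyed, recovered:", unkeyed_demo())
    print("keyed, recovered count:", keyed_demo())
```

The same enumeration applies when the "key" is derived from a short PIN alone: the attacker then enumerates PINs times numbers, which is still small unless every guess has to go through a rate-limited oracle. Whether Signal's server provides such a limit is exactly what the thread below leaves open; the example only shows why a deterministic, unkeyed transformation of a phone number gives no protection on its own.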

@hut while I don't disagree with the gist of what you say, Signal does not know about the contents of your contacts list.

How that works is explained on their website: support.signal.org/hc/en-us/ar

@humanetech You refer to contact discovery, while I was referring to the social graph storage. See support.signal.org/hc/en-us/ar, under the heading "Why is there a PIN?", which mentions that if you enable PIN, the encrypted social graph is stored on their server.

Admittedly, I have no evidence that the social graph is stored in an unsafe way, like a simple list of encrypted phone numbers. Unfortunately, the signal server repo is outdated, so I can't check either. Any leads would be appreciated.

@hut @humanetech Re: web clients, you can use a matrix bridge with mautrix-signal (docs.mau.fi/bridges/python/sig). Then element is the desired web client.

Still, I do this /only/ as a stopgap with people who can't use @briar yet because they're on iPhones. I encourage everyone who cares about privacy to do the same.

If anyone wants to use my instance, which has this bridge, message me and I'll see if I can help (no promises, as it's pretty small-scale).

#privacy

@hut
Signal was designed for privacy, not for anonymity; for friends, family, coworkers, someone you know, to chat with the private payload msg. If one needed anonymity, what do you suggest? All you said was that Signal is bad for x reasons, yet no mention of an anonymous msgr alternative that meets your criteria and is simple to use without a steep learning curve. What you got? Hit me with a perfect msgr alternative.

@NatCor Signal totally has its use, no doubt about it.

For anonymity without a steep learning curve and a signal-like experience, there's Session (@session).

- Lacks some features but totally usable.
- I'm still not sure what to make of the fact that it's based on a blockchain & cryptocurrency.
- The protocol seems so bulky that I can't simply set up my own session server like I could do with Mastodon, XMPP or IRC. Can't select a server in the app either. So I wouldn't call it decentralized exactly.

@hut oh, come on. I finally switched to it and got a couple of people to switch to it as well and now...

@critical Whatever you switched away from was probably even worse, right? :)

@hut true, but I don't want to be the "distro hopper" equivalent for chat services.

@critical @hut Don't worry, Signal is a secure and easy drop-in WhatsApp replacement and it's good at that. Just stick with it for your family and friends, and in case you ever get curious you can check out Matrix and XMPP, but those aren't quite as easy, so it's probably best for most of your contacts to stay on Signal anyway.

@hut The people at Signal violate the GPL, the license they themselves chose, by not releasing their server sources. It's truly disgusting what this company does.

@Alexmitter Is it a violation of the Affero GPL if they are the original authors of the server software and don't disclose their own updates? I'm not sure.

@hut Yes, you need to disclose the code to people who connect to the service. Usually a website, but in this case the application's backend.

@Alexmitter I'm not a lawyer, please correct me if I'm wrong. But just like I can build a program, license it under Affero GPL, and then later decide that I license it under GPL3 instead, the 18 Signal Server authors can just agree to change the license of the server, right? Then the restrictions would not apply anymore.

@hut If all people who committed code to the project agree, then yes, they could switch to the GPL or whatever license they see fit.

@Alexmitter Although there's no doubt about it that it was totally shitty of them to hide the source, especially now that we know why they were hiding it :-/

@hut I do not really believe that this had to do with the cryptocurrency thing. Nothing speaks against developing the backend for it in private while continuing to release the rest of the server. But it's Moxie's company, so we can expect such things.

@Alexmitter I think it's highly likely that they hid the payment feature, since the last public commit was 3432529f9c018d75774ce89f3207b18051c26fe7 (I still have it checked out, from before they re-opened the source), and the first hidden commit was:

github.com/signalapp/Signal-Se

Guess what, this commit started implementing the payment feature.

@hut
@Alexmitter
No, it's not. If the copyright is assigned to the company or if the authors agree they can do whatever they want.

@federico3 @hut Sure, but who in their right mind (besides the KDE people) would sign such an i-give-all-my-rights letter.

@Alexmitter @federico3 Oh right, I forgot about the contributor license agreement :'D

signal.org/cla/

The Moxie can do anything he wants with it.

@Alexmitter @hut that is so they could implement this #shitcoin in secrecy without anyone knowing... Sounds shady to me

@hut
What about something like Delta.Chat or Session?

@xyfdi They all have their strengths and weaknesses. Session uses blockchain & cryptocurrency under the hood, so I'm not sure how it's better than Signal. I'd recommend trying out XMPP with OMEMO, it checks all the boxes, it only doesn't support Stickers. 😅

@hut Thank you, I try to push back on the Signal obsession whenever I can. I think it sucks, personally.

@eris @hut @dirtbag_anarchist chiming in to say XMPP+omemo is good! but the mac/ios clients suck (sad!). linux+android work great though

@eris @hut I like Threema. Some people don't like it because it costs money ($3 one time app purchase, at least when I bought it a year ago) and until recently wasn't open source (now it is). It should be at least as secure as Signal and also allows greater anonymity since it's not tied to a phone number. You can also delete your encryption keys and set up new ones as often as you like. My understanding is it also stores less data off-device than Signal. securitytech.org/secure-encryp

@dirtbag_anarchist @eris Threema was also one of my candidates but it's yet another centralized server that has power over us and we just have to trust them to do the right thing.

Screw that, I'm moving back to good old decentralized XMPP. With OMEMO, it now supports an equivalent level of encryption as Signal.

@M0YNG Those commits were not visible on the day I posted it; they uploaded them 1-2 days ago.

@hut I think you have to think about it a little differently. While for privacy and other reasons Matrix and XMPP are a better and more ethical option, Signal is by far the best for what it's supposed to do: a drop-in replacement for WhatsApp that everybody can use, with good privacy. I know more than enough people who wouldn't get along with Matrix, and for those people Signal is a big win :D

@gamey Now that Signal plans to include a pyramid scheme, I will not recommend it to anybody else, just like I don't forward any other pyramid scheme invitation.

@hut Could you send me some links about what exactly you are talking about? Signal is a non-profit...

@gamey Pardon, I thought you heard the news already: schneier.com/blog/archives/202

They designed a cryptocurrency to fund Signal and plan to include it in their app in the future.

Some more links:

- stephendiehl.com/blog/signal.h
- news.ycombinator.com/item?id=2 (Comments on the wired.com news post)
- news.ycombinator.com/item?id=2 (Comments by MobileCoin CEO)

@hut That's not a pyramid scheme, and as long as it's optional I don't really care that much tbh. Let's be honest, the Electron bloat the app was before won't get that much worse, and if they keep their privacy promises regarding the currency it could help a lot of people to discover decentralized payments. I don't really see how this opens up the potential for sketchy users even more, since whoever really does something bad usually uses Monero. Continue next post -->

@hut I do see how the US may try to use that as an excuse to violate some privacy, though, so we will have to see how that goes. On the other hand, Signal has shown in the past that they don't store anything useful and even fight non-disclosure shit from the US.

@gamey Are you aware that the creators of MobileCoin (Signal's crypto currency) own a decent amount of it, and will make a shit ton of money if MobileCoin becomes popularized by Signal and rises in value? The more you spread it, the more users there will be, the more demand there will be for MobileCoin, the more the value will rise, and the more money they made off you.

Fortunately, MobileCoin is privacy-centric, so they even have plausible deniability.

@hut I am not familiar with that coin and its exact mechanisms, but unless there was a pre-stake or it's a centralized coin there shouldn't really be that much money to gain for the creators of it, or? I feel like I have to add another thing here. I am highly critical of combining communications and payments, but the strength of Signal in my eyes is reaching a mainstream audience, and I think there the coin could have a positive effect :D

@hut Correction: the server code was updated just a few days ago.
github.com/signalapp/Signal-Se

The code wasn't updated for a while, probably to keep the payment feature secret.

@johannes Can't edit toots, unfortunately. But the "Not " label still fits, because they have shown that they have no problems with hiding source code when it suits them.

I wish I could add the item "Tries to be a bank" though. :)

@hut
Also no protection from timing correlation attacks and from network-level censorship. Perhaps #Briar is the answer.

@hut "max 1 mobile client per account" is wrong. I'm currently logged into the same Signal account with two mobile clients at the same time. I receive all messages on both and none of my communication partners can tell the difference.

All the other critique is valid, of course.

@cdonat Are you on iPhone? I heard that the iPhone app supports multiple clients, but most people use the Android app, which doesn't.

@hut my main device is a FairPhone, so Android. The secondary one is an iPad. As you see, it does work for both. Also I still have my old Android phone around and it works in parallel with the two other devices, if I switch it on. Just tried a few weeks ago.

@cdonat Oh, that's interesting. I heard that multiple mobile clients are supported with iOS before, but not with Android. I stand corrected.

It used to be different [reddit.com/r/signal/comments/7], nice to see that they fixed it.
