i’ve just seen a comment in a post, in this very community, saying people trust signal because of misinformation (from what i could understand).

if this is true, then i have a few questions:

-what messaging app should i use for secure communications? i need an app that balances simplicity and security.

-how to explain it to my friends who use signal because i recommended?

-what this means for other apps in general?

  • communism@lemmy.ml
    2 months ago

    Signal is fine for normal/social chatting. It is centralised which makes it much harder to obscure identifying conversation metadata, and I wouldn’t recommend it for comms with a state threat model. I like SimpleX for addressing those issues.

    If you just want to chat to friends and nothing else, I probably would recommend Signal for the most polished experience and most widely adopted open-source private messenger.

  • davel@lemmy.ml
    2 months ago

    This is long, but answers your questions: Why Not Signal?

    -how to explain it to my friends who use signal because i recommended?

    Okay it doesn’t answer that one. But also, whether they should use Signal or not depends on their threat models. Many people don’t see the US police state as a threat.

  • ozoned@piefed.social
    2 months ago

    They don’t allow third party clients.

    They are open source, and you can run your own, but it won’t ever be allowed to connect to the standard signal server.

    Signal has a piece they say is for fighting spam so they can’t release the code to it. So you just have to trust them.

    https://signal.org/blog/keeping-spam-off-signal/

    “We build Signal in the open, with publicly available source code for our applications and servers. To keep Signal a free global communication service without spam, we must depart from our totally-open posture and develop one piece of the server in private: a system for detecting and disrupting spam campaigns”

    Signal is not perfect. It’s better than most.

    I personally use Matrix as I can go to another server or run my own. I run multiple clients. It is NOT perfect and has its own issues.

    • Schlemmy@lemmy.ml
      2 months ago

      Your mom uses Matrix? You could set up something with random people you just met? Because we’re at that stage with Signal. It’s private and convenient. If I want to have some sort of anonymity I’ll use different platforms, indeed.

      • ozoned@piefed.social
        2 months ago

        Yes. My whole family uses Matrix. Including my parents. And no, they’re not technical at all. Father, step mother, sister, wife.

        And yes I can give someone a link to join me on matrix.

        Installing Element has become super easy IMO.

        • Schlemmy@lemmy.ml
          2 months ago

          And are you selfhosting and have them join you or how and where do they get their accounts? When the encryption keys don’t sync, who’s doing tech support?

          I mean, my mother is 78. It’s all kind of challenging.

          • ozoned@piefed.social
            2 months ago

            At the moment I’m happily on matrix.org and donating monthly to them. Most of my community is on their own Matrix servers. Outages happen, but most of the time it’s matrix.org that has an issue and the self-hosters are still able to chat and make fun of me. :) In a friendly way.

            Encryption keys not syncing also happens. But it seems to be getting less and less. There are different steps for different devices and platforms. Normally leaving a room and rejoining works to resolve. Sucks, but the Matrix group are ACTIVELY trying to hunt these down.

            My father is 71. The Element phone install basically walks you through the process. Including which server to connect to. You’d give them yours if you want them on just yours.

            Everyone’s situation is different. if you’re interested, try it. See if it works. Maybe it doesn’t. Then stick with Signal. Signal is awesome, but it is far from perfect.

            Matrix is awesome, and it’s nowhere near perfect.

            Use the tool that works best for you. Some security and encryption is worth it than 0 security and encryption.

      • ozoned@piefed.social
        2 months ago

        That’s a third party software list created by someone not Signal and basically tells you it’s a work around to Signal:

        “Signal does not have an official API, and the published code requires additional effort to be used outside of the official signal clients.”

        So I’m not certain the point of the link. There are still clients for Reddit and YouTube and others that are third party and aren’t official. Signal doesn’t support those.

        • Feyd@programming.dev
          2 months ago

          They don’t allow third party clients.

          The point is this statement is pointless because they exist anyway.

          • ozoned@piefed.social
            2 months ago

            And signal can decide to break them if they want. You think it’s pointless, but yet you’re spending energy fighting a point that is pointless to you?

            • Feyd@programming.dev
              2 months ago

              Was providing additional information because other people could read what you wrote and misunderstand it as being blocked via technical means rather than merely unsupported. What is with people in this community being upset when people challenge their misinformation??? It’s a really alarming attribute for something like a privacy community tbh

              • ozoned@piefed.social
                2 months ago

                I’m not upset. So maybe a good question to ask yourself?

                And I didn’t give misinformation. Signal doesn’t allow it. Yes, they exist, and can break at any time.

                I personally have Signal. I use Matrix more, but I wouldn’t turn away Signal.

                OP asked for information on what gives people pause about Signal. I have given it. Where is my misinformation? I’d like to know so I can learn as well.

                What you personally view as pointless, matters to some people.

                That’s for each to decide. If this is a community focused on privacy, as you said, shouldn’t we give everyone the information they asked and not make decisions on what is or is not pointless to them?

                It is a fact that Signal is a centralized service. They do not allow federation. They do not allow third party clients. They could decide in the future to turn people’s accounts off for using third party clients.

                I have lived through this numerous times. I don’t trust a centralized service as much as one I can run myself. That’s for each to decide.

  • als@lemmy.blahaj.zone
    2 months ago

    I have managed to get all my friendship group on signal and we use it daily. While it does have its flaws (mainly being centralised and US based), I try in life to not let perfect be the enemy of good. Until there’s a stable and easy to use alternative I can point my friends to, I imagine we’ll stay on Signal.

  • Law Abiding VPN User@feddit.org
    2 months ago

    No one can break the encryption, so even though it routes through AWS sometimes it’s still completely E2EE with quantum resistant encryption that not even the feds could break

    the only way it can be “hacked” is with phishing

  • Matt@lemmy.ml
    2 months ago

    Requires you to use a phone number, your phone app needs to be online 24/7 to be connected, and hosted in a questionable jurisdiction with questionable human rights. Try Matrix. It’s selfhostable, doesn’t need a phone number to sign up and the foundation is British, which while this country from what I know has gone down the water, they still have some niceties from the time they were in the EU, like GDPR.

    • ImitationLimitation@lemmy.ml
      2 months ago

      Among other problems, Matrix is not a replacement for a messaging app. It’s more of a community message board with 1:1 private messages with the possibility of encryption. It is way more than most want or need.

      I’ve also run a Matrix server in the past, and it’s not simple. The vast majority of people do not have the technical acumen, hardware infrastructure, or time necessary to even begin this endeavor.

      Joining a public server where they don’t have control of the data requires a lot of trust in that instance and their owners. To expect them to vet those owners first, verify the servers are in a trusted country, … 10 more steps, before they begin is asinine.

      Matrix is not an alternative to any messaging apps mainly intended for 1:1 communication.

  • CactusEcho@piefed.social
    2 months ago

    I’ll start by saying that i don’t use signal.

    if this is true

    There are some concerns that other people in the comments explained. It’s up to you to decide if the trade off is good enough for you. There’s no silver bullet for this.

    -what messaging app should i use for secure communications? i need an app that balances simplicity and security.

    Signal is ok. Same as matrix, delta chat, xmpp, simplex. Avoid telegram, messenger, whatsapp, instagram, snapchat, max…

    -how to explain it to my friends who use signal because i recommended?

    Most people mess up the concepts of anonymity with privacy.

    -what this means for other apps in general?

    There’s no silver bullet. All the apps have ups and downs. Most people don’t realize that if a state actor (I’m not talking about police but for example NSA, CIA, mossad, mi6) is after you, they will get you. Usually from a side channel, or from some stupid mistake you made years ago.

      • monovergent@lemmy.ml
        2 months ago

        Would love to use SimpleX too, but the plan fell apart while trying to use it with family. Surprisingly many people fail to grasp the concept of anything other than a phone number, social media profile, or email address. It fell apart among my more tech-savvy friends because we missed calls and had delayed notifications despite SimpleX eating through the battery like no other messaging app.

        No doubt, SimpleX is the concept of a messaging app done right and could be better than any other. It’s just the implementation that needs work. But I’d be happy to hear if there’s any optimizations I could try and revisit it.

      • Schlemmy@lemmy.ml
        2 months ago

        My contacts could find me by phone number. I changed my status on WhatsApp and half of the regular contacts decided to use Signal. If I want to use SimpleX I would have to invite them all and just hope they’ll adopt.

        I don’t need my phone number to be private. I want my communication to be private.

  • Hominine@lemmy.world
    2 months ago

    The problem is it isn’t Telegram, Whatsapp, or some other insecure platform that nefarious actors would rather privacy minded individuals use.

      • f3nyx@lemmy.ml
        2 months ago

        I got around it by registering a new number with phreeli.

        granted, this is not something most people can go and do, phone numbers are hard to separate from. however, you might agree that privacy minded individuals are more likely to find that workaround acceptable.

        I do like Dessalines post regarding alternatives, I’ll have to do more research.

      • DJ Putler@lemmy.mlB
        2 months ago

        I saw a good response to the XMPP thing he wrote about; I’ll get back to you, Rizzler. The “encryption isn’t enabled by default” thing just isn’t true for the clients people actually use, for one.

    • pkjqpg1h@lemmy.zip
      2 months ago

      Don’t let the perfect be the enemy of the good. Signal is easy to use, and that is what really protects millions of people. Otherwise, they would never use a complex or decentralized alternative.

      • Dessalines@lemmy.ml
        2 months ago

        Something being easy to use has nothing to do with privacy or security. Apple, just like signal, also sold its products as secure, yet they also were forwarding all communications to the US government as part of the prism program.

        Signal is not a stepping stone, it’s a honey pot. Best to avoid US services that require your identity entirely.

        • mnemonicmonkeys@sh.itjust.works
          2 months ago

          The difference between Apple and Signal is that Signal is open source, making the code available for anyone to audit and verify its claims.

          • Dessalines@lemmy.ml
            2 months ago

            You have no idea what code their server is running, and it’s impossible to host your own signal since it’s a centralized service.

            They went a whole year without publishing server code updates also, until they got a lot of backlash for it. Still, even publishing those is moot since it’s a centralized service.

  • drayva@lemmy.ml
    2 months ago

    Signal does have your phone number, which is a problem.

    On the other hand, the only information linked to that phone number is, “the person with this phone number uses signal”. AFAIK your phone number is not linked to your contacts, your message content, etc.

    So in practice, the fact that Signal has your phone number is probably only a problem insofar as you don’t want anybody to know that you use Signal.

    But to be fair, why have that issue if you don’t have to. Signal is actually good, still, but there are even better alternatives.

    • xthexder@l.sw0.com
      2 months ago

      Signal is actually good, still, but there are even better alternatives.

      … Would you care to list some of these alternatives and how they are better?

      Every alternative I’ve looked at has some major drawbacks that would prevent me from getting any of my friends to move. Having to selfhost my own chat service isn’t really a positive in my mind due to the maintenance required and the higher possibility of outages.

      • drayva@lemmy.ml
        2 months ago

        list some of these alternatives

        Probably the ones you’re already thinking of (SimpleX, Session, XMPP).

        how they are better?

        They’re better in terms of privacy. When I said they’re better, I mean specifically in terms of privacy.

        Of course they’re less convenient, as you’re alluding to.

        • xthexder@l.sw0.com
          2 months ago

          Signal gets me all the privacy I need. I don’t care if they know my phone number uses Signal, I don’t use it as anonymous chat, I use it with friends and family.
          As others in this post have said, Signal handles privacy perfectly fine, it does not provide anonymity.

          Unlike several other users here, I actually view Signal’s contact discoverability as a feature, not a security flaw. All it means is if someone I know installs Signal, they can easily send me a message without a complicated back and forth through some other medium.

          • drayva@lemmy.ml
            2 months ago

            I myself said “Signal is actually good”, so there’s no need to argue with me about it.

            Nevertheless:

            I actually view Signal’s contact discoverability as a feature, not a security flaw

            Of course it can be both. Many things are both features in one domain, and flaws in another domain. Obviously it’s a feature or else they wouldn’t have purposely developed it.

    • CandleTiger@programming.dev
      2 months ago

      Well, it’s 100% linked to your contacts in one way or another because when you install it Signal will happily alert you to which ones of your contacts are already using Signal. I can’t see how they could manage that without slurping up your contact information.

      • ☆ Yσɠƚԋσʂ ☆@lemmy.ml
        2 months ago

        It’s open source, and it’s not tied to a single server the way Signal is. If the original people developing it started doing problematic things, it’s easy to fork. One of the worst parts about Signal is how it’s designed to lock you into using their official app and server making it effectively impossible to have a compatible fork.

  • Dessalines@lemmy.ml
    2 months ago

    PRODUCT PITCH: Hey everyone, I have a great idea for a secure / private messaging service.

    It’s hosted in the US, subject to its pervasive spying laws including national security letters.

    Also I need all your phone numbers.

    Also no you can’t host this yourself, I run the only server.


    Everyone who uses signal and supports it, is falling for this pitch.

  • Dr. Moose@lemmy.world
    2 months ago

    Using phone numbers is the only real criticism imo. Any service that uses phone numbers is fundamentally compromised.

    • Schlemmy@lemmy.ml
      2 months ago

      They offer encrypted messaging, not anonymity. They offer a way to keep your conversations private. It’s not an opsec tool, it’s not a tool to be used by the military. It’s a platform for regular people that don’t want to get spied on or don’t want their conversations to be used against them when legislation changes.

      “Nullum crimen sine lege, nulla poena sine lege”

      • Dr. Moose@lemmy.world
        2 months ago

        Still phone numbers are just really really bad. Like the worst thing you could possibly choose when it comes to verification.