
chemicalwonka ,
@chemicalwonka@discuss.tchncs.de avatar

I use Signal as my main daily messenger; the two major problems in my opinion are:

  1. Centralized server (AWS)
  2. Requires a phone number to register

quantenzitrone ,

Signal is currently the best middle ground between security, simplicity and widespread adoption.

marcie ,
@marcie@lemmy.ml avatar

how has no one discussed matrix here

dessalines ,
@dessalines@lemmy.ml avatar

I don't get it at all. There are plenty of platforms like matrix, xmpp, simplex that don't require phone numbers tied to your identity. Signal has somehow managed to convince people that it's a private platform, despite it being a US hosted service that requires phone numbers.

drwho ,
@drwho@beehaw.org avatar

It's a Google hosted service, which is arguably worse because they may as well be a nation-state unto themselves.

EngineerGaming ,
@EngineerGaming@feddit.nl avatar

Wasn't Amazon involved here as well? It is another "nation-state".

drwho ,
@drwho@beehaw.org avatar

I do not think so, no. However, Amazon is certainly big enough to be un-humorously compared to nation-states as well.

EngineerGaming ,
@EngineerGaming@feddit.nl avatar

I remembered it as being AWS. Checked their blog, and the article about their spending mentions renting space in AWS and Azure too, indeed.

refalo ,

And the largest homeserver, matrix.org, is MITM'd by Crimeflare.

msage ,

Fuck matrix.org, just selfhost.

refalo ,

Any homeserver that federates (even indirectly) with matrix.org will still have practically all the same data shared with it, just not your password.

msage ,

What passwords where?

refalo ,

The password used to log in to the homeserver.

drwho ,
@drwho@beehaw.org avatar

Doable, but a huge pain in the ass because of conflicts in the protocol. I spent about a year trying to suss them out and come up with a fix but never figured it out.

refalo ,

Who have they convinced that it is private? I think it has more to do with the overall purpose of the platform. Signal is not made for large group chatting with strangers like Matrix.

msage ,

I use Matrix for my personal 1 on 1 chats with family and friends, so dunno

to55 ,

Say the US government, in a worst-case scenario in which it constantly monitors all traffic that goes through Signal’s data centers, can ‘only’ see phone numbers, IP addresses and timestamps, right? Or am I forgetting something here?

dessalines ,
@dessalines@lemmy.ml avatar

Metadata and social graphs are more important than message content, esp since not many people have the time to read through individual messages to build meaning.

Signal stores phone numbers (meaning your identity, and home address), and message timestamps: who texted who and when, and who's in chats with who else. More than enough to build social graphs and connections, and also figure out where people are through their IP addresses.

to55 ,

Right. So arguably better than WhatsApp, where each user’s contact books, profile photos, bios, and each group chat name, picture and description are not E2E. But to call it ‘private’ is not logical, looking at the alternatives, of which some are much more private.

brayd ,
@brayd@discuss.tchncs.de avatar

Signal can't see who is texting who. They can't see which groups you are part of. That information is end-to-end encrypted, same as your chats themselves, your profile picture, your stories, etc.

Signal doesn't store message timestamps either.

What Signal itself knows of you is your phone number, the timestamp of your registration, the timestamp of your last connection to the server. That's it.

Yes, metadata is critical, but Signal handles metadata very well. Indeed, even though I'm a fan of Matrix, better than Matrix. Matrix is a metadata nightmare due to its centralized structure and the way the protocol works.

dessalines ,
@dessalines@lemmy.ml avatar

Signal can't see who is texting who. They can't see which groups you are part of. That information is end-to-end encrypted, same as your chats themselves, your profile picture, your stories, etc.

This is completely false. They can absolutely see who is texting who, in fact they need it to be able to route messages. They have message timestamps, and phone numbers stored in their database.

Question, why do you "trust" signal? You can't see what code their centralized server is running, unlike matrix which you can self-host and build from source. You don't have to "trust" matrix, you can verify it for yourself.

brayd ,
@brayd@discuss.tchncs.de avatar

Signal's server is open source. You can run a server. You just can't connect to the main net because each server is its own thing, so it doesn't make sense besides for development purposes.

Please don't spread misinformation.

dessalines ,
@dessalines@lemmy.ml avatar

They went over a year without publishing their server updates. And how do you know signal is running the code they say they are? Do you trust them?

brayd ,
@brayd@discuss.tchncs.de avatar

The good thing here is that you don't need to trust the server in order to have a secure communication since your clients decrypt and encrypt and not the server.

Yes they can optimize with things like this but that doesn't make it insecure. It's still the most secure solution that the average person can use.

Threema doesn't even have the server open sourced at all, are for profit and their encryption has been compromised.

Session is shady.

Matrix is a metadata nightmare due to its federated aspects.

SimpleX is the only thing that is secure, anonymous and good in this regard, but it has some small details left that prevent people from switching. I.e. simple things like the fact that you can't see an overview of your images and videos sent in a chat without scrolling up all those messages. It seems trivial, but for the average user stuff like that is important since they know it and use it every day in other messengers.

marcie ,
@marcie@lemmy.ml avatar

Do you happen to know what metadata matrix stores? I assume matrix.org specifically stores email and username, right

dessalines ,
@dessalines@lemmy.ml avatar

Yes, but I don't think user metadata outside of your apub url, name, icon, display name, leaves your homeserver. Email or passwords don't leave iirc.

drwho ,
@drwho@beehaw.org avatar

Unable to decrypt message

Unable to decrypt message

Unable to decrypt message

Unable to decrypt message

Unable to decrypt message

Unable to decrypt message

...

Tenkard ,

That must mean it's working! :D

autonomoususer , (edited )
  • Discord/WhatsApp
    • Anti-Libre Software (fails to include AGPL license file: bans us from removing malicious source code) 🚩🚩🚩
  • Telegram/Threema
    • Libre Software ✅
    • Service as a Software Substitute (app needs service and we are missing server software for it: broken app) 🚩🚩
  • Signal
    • Libre Software ✅
    • Self-Hosting (still needs service from us) ☑️
    • Centralised 🚩

  • Needs phone number: Centralised
  • Suspicious funding: Which lines of its libre software source code are malicious?

NGC2346 ,

[Thread, post or comment was deleted by the author]

    autonomoususer , (edited )

    Yes, app does not work without service and we are missing server software to serve this service it needs: broken app. Threema is SaaSS.

    brayd ,
    @brayd@discuss.tchncs.de avatar

    The server / backend is not open source. Even though it's audited that's a red flag.

    autonomoususer , (edited )

    'Open source' misses the point of libre software.

    Scolding0513 ,

    both suck when it comes to real hardcore privacy! Signal is surely a bit more private/secure/whatever, unless maybe you count in the US jurisdiction.

    if you want hardcore privacy and security, use SimpleX. it's cutting edge.

    refalo ,

    Also Tox, Briar, Session etc.

    possiblylinux127 ,
    @possiblylinux127@lemmy.zip avatar

    I can't believe people are saying Telegram and Threema might be better than Signal. Signal isn't perfect but Telegram and Threema are worse.

    boerbiet ,

    It really depends on your use case. Most of my simple chat messages are the same as I would have in any public space. I have no need for encryption, I have need for convenience in that regard. With Telegram I have my chat history on all devices and don't need to use my phone to connect which are two must-haves for me. For my use case, Signal is the worse option. That doesn't make Signal bad, just not suitable for me.

    As a privacy-conscious person I am very much aware of the non-secure nature of my chats, but that is not a factor of consideration to me when it comes to casual chats with a few friends and family members. The worst thing Telegram could do is analyse my chats and ... then what?

    rdri ,

    Signal is not applicable when you need a public space for people to just have a discussion, like in discord. Signal clients are clunky and rely on cross sync from what I see, while telegram clients are well made and convenient to use. Even Whatsapp went away from electron so I'd choose it over signal any day.

    kilgore_trout ,
    @kilgore_trout@feddit.it avatar

    Have you tried Signal recently? On Android it's very well polished.

    In fact I believe it's a shame that not more people use such a beautiful app, regardless of privacy and security implications.

    rdri ,

    I have no use for it for now and as long as it's still electron on desktop I don't want to have it running.

    possiblylinux127 ,
    @possiblylinux127@lemmy.zip avatar

    Matrix would work for that and would avoid proprietary software and sketchy companies

    rdri ,

    Does it sync automatically between desktop and mobile? Can I share an image into it on mobile and have it a few seconds later on laptop?

    possiblylinux127 ,
    @possiblylinux127@lemmy.zip avatar

    Yes, just keep in mind the encryption is flaky if you use a browser that clears browsing data. Best option is to use a client

    refalo ,

    sketchy companies

    I would argue that the standard federation fragmentation issues still apply. Many instances end up defederating from each other and you have no idea which wind you're pissing into.

    refalo ,

    Signal clients are clunky

    Obviously you have never used Element for matrix. Signal is like a Ferrari in comparison.

    rdri ,

    Yeah I've never used matrix really.

    autonomoususer , (edited )

    Because we keep saying Signal, Telegram, Threema instead of Anti-Libre Software, Service as a Software Substitute and Centralised.

    hruzgar ,

    Signal is much worse than Telegram (in terms of privacy)

    refalo ,

    Please give several reasons why

    emptiestplace ,

    wtf, one would be fine

    refalo ,

    it's a futurama joke

    emptiestplace ,

    sometimes my brain's just a can opener

    hruzgar , (edited )

    1. The Encryption algorithm of Signal is basically the same algorithms proposed by the US gov in 2000. There is no way they would release these encryption algorithms if they couldn't break them themselves
    2. If you would see which organisations are supporting Signal (look at where Signal gets all the money), you would also agree with me. There is no way these organisations are supporting them for your privacy. Why would they? The same people who are trying their best to get all your data. Believing this is just pure naivety imo but call me what you want

    refalo ,

    Please stop spreading FUD.

    1. The encryption used by Signal would not be used if it could be easily broken. It's fully open source and is regularly audited. People would not recommend it if it were so broken like you say; this is just fearmongering.

    2. lol, lmao even

    hruzgar ,

    I'm not forcing you to believe anything. Also this is a free platform where I can say what I think. I won't hold myself back from expressing my view only because the majority has a different opinion (looking at the downvotes). I personally just wouldn't trust it. And it also doesn't have any difference to Whatsapp and co. (encryption algos are the same) which completely removes the purpose of it even existing (ik open source is still an argument. But they don't have reproducible builds so even that falls apart) so there really isn't any reason for me to switch to it or promote it to anybody at all.

    JustMarkov , (edited )

    Let's be honest, Signal is not perfect either:

    • It requires your phone number
    • It has had some suspicious funding sources
      (UPD: It was funded by CIA)
      (UPD2: Here I will quote www.securemessagingapps.com:

    This matters because “money talks”, as the saying goes. If the company or person behind the money is likely to have reason not to protect customers’ privacy, it’s important to know. This could be indicative of the company not doing as they say (Google, Whatsapp, for example) or changing their mind once they’ve onboarded enough customers from whom they can make money.

    (I'm gonna find sources for the last two statements a bit later to not be unsubstantiated)
    Done.

    Although, we all can agree, that Signal is still better than Telegram, or WhatsApp, or Threema, or whatever.
    Still, we probably want to look at the better alternatives, like Simplex or Session.

    Prunebutt ,

    • It requires your phone number

    Not anymore, right? Or does it still need your number for signing up?

    possiblylinux127 ,
    @possiblylinux127@lemmy.zip avatar

    Just to sign up

    EngineerGaming , (edited )
    @EngineerGaming@feddit.nl avatar

    Session is also sus because you effectively cannot host a node, last I have seen. They claim it is "against a Sybil attack" but all it does is make sure only people with large disposable funds can have nodes, and the effect might be the exact opposite.

    Simplex is more interesting in this regard because while I am concerned with initial centralization (the default servers), they made hosting your own easy. But I personally stick with imperfect yet trusty XMPP.

    brayd ,
    @brayd@discuss.tchncs.de avatar

    SimpleX is great. BUT it's not user friendly. Thus general adoption for the average user will be hard. Don't get me wrong, using the app itself is easy, but as soon as someone who doesn't have technical knowledge switches their phone they will lose their chats because they won't understand the concept of moving their DB. Since you don't have an identifier like a phone number with SimpleX those people could even lose contacts as a whole since they generate a new DB, hurting their social connections.

    That's the reason I personally never recommend SimpleX to anyone who doesn't have the technical knowledge to understand stuff like that.

    autonomoususer ,

    suspicious funding

    Which lines of its libre software source code are malicious?

    requires your phone number

    It's centralised

    JustMarkov ,

    Which lines of its libre software source code are malicious?

    It's not about code, but about funding.

    It's centralised

    Yes, and it's the downside, no matter how you look at it.

    autonomoususer , (edited )

    So, which malicious lines of libre software source code have been funded? This is how we stop FUD. Don't let them derail us.

    JustMarkov ,

    Don't get me wrong. As far as we know, no malicious code has been funded. The very fact that Signal was sponsored by the CIA is suspicious (maybe I used some incorrect words, sorry if so). Of course, it's totally up to you whether you think that fact is sus or not.

    autonomoususer ,

    It's not. Our devices run software, not funding.

    Numberone , (edited )

    Signal no longer requires a phone number. You can now create an account. Not sure if that helps your outlook on it, but yeah. It was a fairly recent update that this was rolled out.

    Edit: being told we still do need numbers to register. I haven't gotten a new phone since well before the change was made, so I haven't actually created an account and gone through the process. It looks like I misinterpreted what was going on when I read the changelog.

    EngineerGaming ,
    @EngineerGaming@feddit.nl avatar

    Last I have seen, it still requires a number to register - it just doesn't have to be public.

    What gets me the most is the requirement of a smartphone to register. No way I am trusting my non-public chats to a phone, so that means either Waydroid/VM (which creates issues with copypasting) or signal-cli (which is fairly inconvenient).

    JustMarkov ,

    That's not true. A phone number is still required to register, you can just set it not to be public.

    Source: I just tried to register and it asked for my phone number.

    Breve ,

    Telegram requires a phone number too? I mean yeah there's the option to use that blockchain phone number service, but you can do the same for Signal. 🤷

    JustMarkov ,

    Yes, it does. And yes, it is equally bad in both cases.

    refalo ,

    It has had some suspicious funding sources

    Wait until you find out where computers, the Internet, GPS, weather satellites and Tor came from.

    catalog3115 ,

    I still stand with Signal App.

    • Telegram has no default E2EE.
    • Threema's encryption was compromised.
    • Threema & Telegram both are for profit companies.
    • Signal is non-profit & all their source code + finances are public. Even their server codes are publicly available

    FutileRecipe ,

    Even their server codes are publicly available

    Last I checked, their provided server code lags behind their production server, so you rarely get to see the current version. However, that's kinda the point of E2EE, is you don't have to trust the server.

    refalo ,

    And one can always self-host or use a different server.

    pineapplelover ,

    I gladly donate it month to Signal. Love my freedom of speech

    dukethorion ,
    @dukethorion@lemmy.world avatar

    Man, everyone is hopping on the Trash Signal Bandwagon, even though TG is less secure, and nobody (the 99%) uses Threema.

    catalog3115 ,

    Don't forget Threema encryption was broken. Threema is not free

    fl42v ,

    I'm wondering if something interesting will fall off the truck this time :D

    Context: before that blogpost, cellebrite claimed they can "hack" signal (or they were kinda closer to the truth, and that was media talking abt hacks without reading stuff)

    TheAnonymouseJoker Mod ,

    Somebody posted it and made it a worthwhile discussion about Signal. GrapheneOS lied about it in the same way on YouTube comment section last year.

    autonomoususer , (edited )

    It's called disinformation and psychological warfare. How else attack E2EE, libre software?

    Sunny ,
    @Sunny@slrpnk.net avatar

    Nicely written article and a good read! However I had not heard of Threema before. It looks like a promising messaging app itself, anyone use it?

    poVoq ,
    @poVoq@slrpnk.net avatar

    It's relatively popular in DACH countries.

    I use it sometimes. It has its fair share of issues, and the back end is not open-source, but it is OK for the most part. Main benefit is that you don't need a mobile number to sign up.

    But if you are looking for an alternative IM to use with friends and family, I would rather suggest XMPP, specifically Snikket.

    Sunny ,
    @Sunny@slrpnk.net avatar

    Cool thanks!

    glasgitarrewelt ,

    I am using it to communicate with 3 people (our common ground as I don't have an iPhone and don't use Whatsapp).

    A few years ago it felt a bit rough and awkward to use, but many updates later it is as fluent as any chat app.

    The security feels ok. Of course it would be a lot better, if they would open source their code.
