As a happy user of Signal (no bugs or incidents from my viewpoint), I regardless chime in to say a word for decentralization. :)
Signal is centralized:
- there is a single Signal implementation, with a single developing entity
- you have to install its mobile version before you may run the desktop version
There exist protocols like Tox which go a step beyond Signal and offer more freedom -> have multiple clients from diverse makers (some of them unstable), don’t have centralized registration, and don’t rely on servers to distribute messages - only to distribute contact information.
In the grand comparison table of protocols (not clients), Tox is among the few lines that’s all green (Signal has one red square).
Tox isn’t the most secure or private. I would go Simplex Chat
Removed by mod
Not anymore. They have made hostile changes are are screwing over there early adopters. It also lacks forward secrecy
And effectively cannot be selfhosted.
This is the same Meredith Whittaker doing interviews with US defense-department aligned sites like LawFare.
Why are all these big tech sites like wired so interested in pushing signal anyway?
Maybe the US government (or even “deep state” or something) has realized that making everyone use insecure devices for easier surveillance is as smart as forbidding fire exits so that people would be easier to arrest.
I haven’t heard too many bad things about Signal.
Various dictatorships want to simply read correspondence because the social graphs producing actual value and keeping stability in our world, and also protecting their embezzled value stored abroad, are all abroad too, and they won’t hurt these. Some politicians in the west want to invade privacy for the same reason - what they embezzle is stored in ways unaffected by insecure communications in their own countries.
But if you are part of some establishment, even if not well-meaning, you are interested to protect the system from outright erosion, meaning secure communications.
Other than that, WhatsApp and FB Messenger are owned by Zuck and he’s become too big to tolerate, Telegram is an African brothel with no protection and plenty of diseases, and in general it’s all corporate around.
Let’s please also remember that there are people of various views and interests in every organization and force.
I find it intriguing that the people will scrutinize messaging platforms such as Telegram, and explain in detail how one should not entrust their messages’ encryption keys to these services. Yet, these same people seem unable to comprehend the concerns regarding Signal server having access to phone numbers of its users. The fact that these people are able to perceive potential vulnerabilities in one platform while remaining oblivious to similar concerns on another highlights that their arguments are more ideological than rational.
For sure. I’m convinced signal is supported mainly for the same reason’s apple products are: it’s got a shiny user interface and it’s simple to use. That let’s them overlook all the privacy dangers behind the curtain.
A gigantic US-based service based on phone-number(meaning real identity) identifiers.
Exactly, it takes a lot of credulity to believe that the US government would just altruistically develop and fund a messaging platform that genuinely respects privacy. I recall somebody was talking about how collecting metadata is basically equivalent to having a private investigator follow you around, and I think that’s a great analogy. People tend to fixate on the content of the conversations, but the reality is that knowing who talks to whom is just as valuable.
This is a very rude question, but on this subject of being lean, I looked up your 990, and you pay yourself less than … well, you pay yourself half or a third as much as some of your engineers.
Yes, and our goal is to pay people as close to Silicon Valley’s salaries as possible, so we can recruit very senior people, knowing that we don’t have equity to offer them. We pay engineers very well. [Leans in performatively toward the phone recording the interview.] If anyone’s looking for a job, we pay very, very well.
But you pay yourself pretty modestly in the scheme of things.
I make a very good salary that I’m very happy with.
That’s pretty cool. But knowing the number would matter.
IIRC She earns around 400+k per year. Which is a nice salary, but rather low compared to other execs.
Signal’s hostility to third party clients is a huge red flag.
They also refuse to distance themselves from Google’s app store.
That’s outdated information:
- Molly ~5 years in development
- gurk-rs ~4 years in development
- signal-cli ~9 years in development
- Flare
- Beeper
Go forth and contribute, fork, or create your own.
They also refuse to distance themselves from Google’s app store.
This link has existed forever at this point if we count in internet years: https://signal.org/android/apk/ - getting an app directly from the developer with no middleman is about as distant as you can get from Google’s app store.
Signal actually has a rule on not using third party clients on its servers. These clients existing do not prove the point you intend.
can you post a link to this rule?
I wish they had Signal on F-droid but at the end of the day at least it is possible to use Molly Foss.
Those clients exist despite Signal Foundation, not because they encourage community development. They are doing everything they can to discourage third party app development.
They are doing everything they can to discourage third party app development.
I’d say you’re moving the goalpost. Other than the hostility the founder showed towards LibreSignal nearly 10 years ago now, can you source any evidence to support your claim?
Lots of red flags here in Github: https://github.com/signalapp/Signal-Android/issues/9044
That link, and I could be missing it, has nothing to do with what I claimed. Mind editing your post and quoting a red flag linked at the source you provided?
Some of my favourite red flags:
Signal’s dependence on Google libraries: https://github.com/signalapp/Signal-Android/issues/9044#issuecomment-535194837
Signal dev bullshitting a non-answer and then hilariously refuting his non-answer: https://github.com/signalapp/Signal-Android/issues/9044#issuecomment-534340623
Signal hiding its serverside source code for many months: https://github.com/signalapp/Signal-Android/issues/11101
You can find many more examples.
The last one about server side code, together with Signal’s funding sources and their obsession with phone numbers code leads me to suspect that Signal is just a honeypot by US intelligence.
Those clients exist despite Signal Foundation, not because they encourage community development. They are doing everything they can to discourage third party app development.
That was your original claim. None of the sources you provided back up your original claim. We can talk about Google libraries or the delay in server side code if you want to go down that path, but that’s a completely different discussion. Why are you pivoting to other topics? Will you concede your original point or do you have evidence to back it up?
Yeah, I would like to use it from f-droid instead of google store or apk
https://molly.im/ Especially the FOSS version. Need to manually add the repository though.
This is the way.
Do you hate Signal or do you hate the west? There legitimate reasons to not like Signal but calling them hostile toward third party clients is untrue. Last time I checked Signal wasn’t proprietary.
They have demonstrated history of asking third party clients to not use the signal name, and not use the signal network. The client that currently exists that do this do it against the wishes of the signal foundation
They have demonstrated history of asking third party clients to not use the signal name, and not use the signal network.
The lead developer, nearly 10 years ago now, specifically asked LibreSignal to stop. A single event does not make a demonstrated history.
- Molly ~5 years in development
- gurk-rs ~4 years in development
- signal-cli ~9 years in development
- Flare ~2 years in development
- Beeper
The client that currently exists that do this do it against the wishes of the signal foundation
If you have evidence to back this claim, I would like to see it so I can stop spreading misinformation.
In the Libra signal issue that you linked to, they made it clear they don’t want third-party clients talking to signal servers
You’re free to use our source code for whatever you would like under the terms of the license, but you’re not entitled to use our name or the service that we run.
If you think running servers is difficult and expensive (you’re right), ask yourself why you feel entitled for us to run them for your product.
He was specifically talking to that developer. The “You” and “You’re” in that quote was specifically targeted at the LibreSignal developer.
I recall the gurk-rs developer specifically mentioned that his client reports to Signal’s servers as a non-official app. The Signal admins can see the client name and version - just like websites can tell what browser you’re using - and could easily block third party clients if they wanted to but they don’t.
If Signal wanted to block third party clients, they would have blocked them already.
Moxie made it incredibly clear, he does not want third party is talking to the signal servers.
Libra signal took him at his word and turn themselves off
The other developers, like Molly, take a stronger road.
Is signal currently banning third party clients? No. But they’ve made it clear they don’t like them. They didn’t actually ban Libra signal, they just asked them to stop. Could they ban the clients in the future? Yes
I’ll reiterate my statement as you didn’t address it.
If Signal wanted to block third party clients, they would have blocked them already.
If you have a backdoored client, then you would naturally object to third party clients :)
What? How is this a red flag? Having third party clients is not good for security.
I hope they don’t arrest them too.
She has her hand in too many strategic places, unlike Telegram.
employed at Google for 13 years
speaker at the 2018 World Summit
written for the American Civil Liberties Union
advised the White House, the FCC, the FTC, the City of New York, the European Parliament, and many other governments and civil society organizations
The very fact that there have never been any attempts in the west to stop Signal from operating says volumes in my opinion.
Not that the action against Telegram is right, but there’s a big difference between what Signal and Telegram is doing.
Would you have more info on the differences? I was wondering the same thing, but I don’t know enough about Telegram to compare
I’m no authority on it but from what I’ve read it seems to have more to do with the social features of telegram where lots of content is being shared, both legal and illegal. Signal doesn’t have channels that support hundreds of thousands of people at once, nor media hosting to match.
Right, the French authorities are going to present evidence that this dude was aware of specific illegal activity and refuse to comply with a legal warrant involving said actively, making him guilty of obstruction at best, and possibly conspiracy. Signal complies with warrants, they just don’t have anyone’s keys. Telegram has everyone’s keys, and theoretically could turn them over but they refuse. That’s a huge difference from a legal perspective.
Thank you. I’m going to restate your explanation to be sure I’ve got it:
- authorities want platforms to comply with legal requests
- when Signal gets a subpoena, they open the key locker and show that it’s empty. They provide the metadata they can (sign up date and last seen date, full stop) and tell authorities they can’t do better.
- when Telegram gets a subpoena, they open the key locker and show all the keys, then slam it shut in the face of the investigator, telling them to get bent.
- conclusion: it’s easier to never have the keys in the first place than to tease the government with them
Signal always responds to authorities when they ask for data, and they give them all they have: the day they registered, their phone number and the timestamp they last used the app.
Telegram has unencrypted channels of drug dealing, and what I heard is a lot of illegal porn too. The authorities want information on certain users there and Telegram doesn’t comply. This is directly against the law Signal is not breaking, because they always send all the data they have to the law enforcement.
Is it time stamp of last usage, or time stamp of all messages?
while not wrong context matters, US social media companies also enable human, weapons, and drug trafficking. they play a role in a few genocides too.
but the western regime does not care.
But they give their data when the officials ask. That is all that matters. And I seriously hope none of us uses Telegram or WhatsApp to any discussions. Use Signal because that is so far pretty unbreakable.
Telegram is already in the hands of that tiny Russian old man and WhatsApp is owned by a lizard.
Telegram is a propaganda weapon in some sense, between two worldviews - one is “a good service doesn’t require trust, because they physically can’t sell you”, another is “a good service you can trust because they won’t sell you”. And Telegram helps the latter.
So frankly - kill it with fire. Sadly I’m in Russia and everybody uses it here.
Telegram is available on F-Droid. Signal is not. Whatever is Signal doing, it’s pretty bad.
The folks at F-Droid have said that Signal would certainly qualify, but Signal doesn’t want multiple channels out there. F-Droid is just honoring their wishes.
Are you developing your opinions based on vibes or have you actually audited their software yourself (you are free to do so both client and federation server code)?
If you audited it, have you produced an actual report with metrics and points of reference for your data points?
Doesn’t take away the fact that not being on F-droid is a huge issue and says a lot about how much they care about privacy and security.
This person has been running around spreading FUD in every post about this
It’s what Ive come to expect from the lemmy.ml instance and I finally blocked the entire instance.
It’s actually sad, even though I’m a libertarian, tankies and in general marxists could have made a good input into our future. But if they can believe in Telegram being secure because of vibes and not even doing basic research, they’ve already lost.
Heeey I am also a libertarian, I just tend towards left libertarian. Back to the point of discussion, I find it difficult to ha e a meaningful conversation with the tankies or in general anyone from lemmy.ml . The discussions tend to lack any real data and feel entirely vibe based OR it’s apologist bullshit for Russia.
Like it’s cool if you like communism and have a philosophy based around why you think it’ll help humanity. I can politely disagree but still listen and discuss. It’s quite another to just be a complete dipshit and say “Ukraine had the invasion coming” (actual quote I’ve seen).
Assuming you’ve audited Signal, can you tell us what your findings were and why you think Signal must be up to something pretty bad? I’m very curious and would love to be enlightened by someone as knowledgeable as you.
I’ll leave it up to you to decide if that is bad or not, but one of the reasons the Signal app can’t be put unaltered on F-droid is because it loads in external dependencies from Google at run-time, which can also be altered by Google at will with any Android update.
How significant is it that the server code is open-source or not? It’s possible for Signal to publish their server code while running completely different software on their servers. The point of the client is being open source and audited on a regular basis by the community, which is why it doesn’t make sense to trust the server-side software.
The entire point is that we don’t have to trust the sever at all. The client is open source and regularly audited by the community. As long as the client stays fully open source, everything’s fine. Also, the closed source dependencies are part of a spam reduction effort which IMO is well worth it. Prior to this, Signal had a spam problem and the client itself remains fully open source.
Signal could have very well not even told people that they added a closed source dependency on Google to its servers and just lied by publishing fake server code that omits the closed source dependency., but instead they were very transparent about the spam problem. In terms of they “why?” regarding the closed source dependencies, their argument is that making it open source would almost immediately result in all anti-spam measures being thwarted. Frankly I’m inclined to agree and again, as long as the client is fully open source and regularly audited, the server code is irrelevant to user privacy/security.
https://community.signalusers.org/t/spam-scam-on-signal/26665
The external Google dependencies I am talking about are loaded into the client not the server, so that’s an entirely different issue.
Every app from the Play store requires GCM though, and Signal functions even if a user disables GCM. It pertains to a phone’s ability to notify a user of a new message. But again, users can disable GCM and the app itself will continue to work just fine.
For what it’s work, the APK on Signal’s website (obviously) doesn’t have the external Google dependencies. Personally, I really don’t see this as an issue at all.
They won’t there’s no need. Their clients are garbage and they’re most likely backdoored anyways. This action against Telegram is only happening because they can’t get inside it, they can’t backdoor it nor corrupt anyone. If they were able to do that they wouldn’t be doing this.
No matter how good the protocol or client encryption, your privacy is only as good as your own physical security for the device in question.
Given that if you lose your private key, there is no recovery, I would be surprised if there were real back doors in the clients. Maybe unintentional ways to leak data, but you can go look for yourself: https://github.com/signalapp/Signal-Android
They have one for each client.
Maybe unintentional ways to leak data,
Yeah, that’s what I think it may be. Just like Apple reporting on all apps you open on un-encrypted HTTP calls and a few other things.
are you talking about phone notification bullshit and google got caught reporting to government with no warrants.
Not only that, https://sneak.berlin/20201112/your-computer-isnt-yours/
Telegram isn’t even E2EE
If you don’t turn on the secret chat feature it wont be, yes. However if E2EE was the only deciding factor for a gov to go against an App then they woudln’t be going after Telegram. The fact that govts are going so hard at telegram simply proves that even when the company has access to all our chats they don’t actually provide them to said govts.
I’m not saying telegram is good from a security perspective, I’m just saying that event without E2EE and all the modern wonders govts can’t still get in because the company doesn’t indulge their requests.
Yeah, Signal is more than encrypted messaging it’s a metadata harvesting platform. It collects phone numbers of its users, which can be used to identify people making it a data collection tool that resides on a central server in the US. By cross-referencing these identities with data from other companies like Google or Meta, the government can create a comprehensive picture of people’s connections and affiliations.
This allows identifying people of interest and building detailed graphs of their relationships. Signal may seem like an innocuous messaging app on the surface, but it cold easily play a crucial role in government data collection efforts.
Also worth of note that it was originally funded by CIA cutout Open Technology Fund, part of Radio Free Asia. Its Chairwoman is Katherine Maher, who worked for NDI/NED: regime-change groups, and a member of Atlantic Council, WEF, US State Department Foreign Affairs Policy Board etc.
Cross referenced you on the sister thread.
People there positing that this is no correct. Granted their info appears to be signal “disclosed” to the feds as part of a court proceed what it collects, which is only apparently when you connect to the server.
Doesnt answer the issue if they could collect your call logs though
My reply from the other thread. People who claim this isn’t true aren’t being honest. The phone number is the key metadata. Meanwhile, nobody outside the people who are actually operating the server knows what it’s doing and what data it retains. Faith based approach to privacy is fundamentally wrong. Any data that the protocol leaks has to be assumed to be available to adversaries.
Furthermore, companies can’t disclose if they are sharing data under warrant. This is why the whole concept of warrant canary exists. Last I checked Signal does not have one.
This message is definitely giving all the vibes of a disinformation/misinformation attempt. There is no metadata to harvest from signal.
Here is an example of all the extent of data that signal has on any given user: https://signal.org/bigbrother/cd-california-grand-jury/
It involves phone number, account creation time and last connected time. That’s it. Nothing more.
The cross referencing of data is just nonsense. Google and meta already have your phone number. Adding signal info to it adds absolutely zero information to them. They have it all already. They know nothing of who you talk with, which groups you are part of.
The funding of Signal did involve public grants but that’s not anything bad. Many projects and nonprofits receive public money. It does not imply that there are backdoors or anything like that. And signal was purposefully designed so that no matter who owns and operates it, the messages stay hidden independently on the server infrastructure. They did the best possible to remove themselves from the chain of trust. Expert cryptographers and auditors trust signal. Don’t listen to this random ramble of an online stranger whose intentions are just to confuse you and make you doubt.
It’s fascinating that these kinds of trolls come out of the woodwork any time obvious problems with Signal are brought up.
Phone numbers very obvious are metadata. If you think that cross referencing data is nonsense then you have absolutely no clue what you’re talking about. It’s not about Google or Meta having your phone number, it’s about having a graph of people doing encrypted communication with each other over Signal. The graph of contacts is what’s valuable.
Don’t listen to this random ramble of an online stranger whose intentions are just to confuse you and make you doubt.
What you absolutely shouldn’t listen to are trolls who tell you to just trust that Signal is not abusing the data it’s collecting about you. The first rule of security is that it can’t be faith based.
What are you talking about? you get a phone number from signal, and what will you be able to derive from it? there is no graph. signal does not hold any “relationships” information.
Give me your phone number. I’ll quickly be able to find out where you live.
Its the tankies.
Honestly if they can recommend something better I’m all for it but I haven’t heard anything.
Take a look here for some alternatives:
https://dessalines.github.io/essays/why_not_signal.html#good-alternatives
- Matrix
- XMPP
- Briar
- SimpleX
Also just because there are no alternatives doesn’t mean your default position should be we just have to trust whatever exists now because it’s good enough. Or that we can’t criticize it ruthlessly, distrust it. Call it out and as a result of that build perhaps the desire for something better, a fix as it were.
The evidence and history clearly points towards Signal being very suspicious and likely in bed with the feds. This is not conspiracy thinking. Conspiracy thinking is thinking that the country/empire that gave away old German engima machines whose code they’d cracked to developing countries without telling them they’d cracked it in the late 40s/early 50s, that went on to establish a crypto company just to subvert its encryption. That’s done everything Snowden revealed has in fact changed suddenly for the first time in half a century for no particular reason and not to its own benefit. That’s fanciful thinking. That’s a leap of logic away from the proven trends, the pattern of behavior, and indeed the incentivizes to continue using their dominant position to maintain dominance and power. They didn’t back down on the clipper chip because they just gave up and decided to let people have privacy and rights. They gave up on it because they found better ways of achieving the same results with plausible deniability.
Also why is everything “tankies” with you people. Privacy advocates point out the obvious and suddenly it’s a communist conspiracy. LOL
-
Matrix and XMPP are not alternatives and are worse for privacy and security
-
Simplex Chat is actually is pretty sold but isn’t the most user friendly
-
Briar is very cool but its complexity makes it hard to use. It also has problems with real time communications
Matrix and XMPP are not alternatives and are worse for privacy and security
XMPP is exactly as good or bad for privacy as the servers and clients you choose. It’s a protocol, not a service. Unlike Signal, which is a brand/app/service package.
The protocol is worse for privacy
Is that better?
The protocol is worse for privacy
‘Trust me bro’
The problem is, you’re comparing apples with orchards. Analogous would be: ‘email is worse for privacy than yahoomail’. Plus in this scenario yahoomail only lets you send emails to yahoomail addresses.
-
Ppl just gone use it to cheat smh
Isn’t Signal at least partially funded by the agency?
What part of non-profit and open-source do you not understand?
Review the source, build it yourself, be happy. It uses well-known assymetric encryption algorithms. Not much your agency could really do here even if they harvest all the traffic from the server.
Was my fucking question about the integrity of the algorithms they use, or was it about who’s been funding the product? Because a quick web search will show you that they did in fact fund it at one point.
And so what? You could be an oil dictatorship prince and donate a billion to Signal. It’s not going to compromise it in any way that is not directly auditable.
So, your fuckin question is misguided. You’re “only asking questions” while implying intent.
The thing I hate about signal is the UI. Everything looks way too big on my device. WhatsApp, for example, holds 2 more chats, and the messages themselves are tidier.
This may seem like it’s not a big deal, but UI is absolutely crucial on order to get people to actually use the app. I moved a few people to signal but they just hated the way it looks. “seems like an app for old people, font too big”. I can see that. They moved back to insta/WhatsApp.
I think some small and easy UI changes could make the app much better: just give us a “compact” mode.
Signal is compleletly compromised through spell check on 99% of OEM smart devices. Spell check can see what your typing word by word, and signal uses it. Feds are 100% using spell check to view your private messages. And by feds I mean every government on earth with a computer.
Removed by mod
Is this some
Network Allowed
problem that I’m tooNetwork Not Allowed
to understand?Are you using a custom rom? I don’t have this option on my oneplus 9 pro. but I have something else.
GrapheneOS! I’ve been using it for a few years. Never going back.
The problem is actually further - it’s that they push people to use Signal on mobile.
In the official desktop client, there is no option to register (even though it would likely be not that hard to add a box accepting a verification code), they tell you to use it in the mobile app instead. All while far from all phones can have privacy-respecting OSes installed on them at all.
Yes, there are ways around (Signal-cli or an Android VM - and even then you have to use Molly since the official client requires you to scan a QR rather than following a link). But arbitrarily directing people to a platform that is harder to make private is nonetheless weird.
Spell check? If you mean smartphone keyboards, then yes, the non-foss ones are keyloggers. One of my side-projects is a privacy-oriented keyboard, but there are many out there that don’t require network calls to google or apple.
Nah dude the red squiggly lines are actually CIA backdoors
0% chance that the feds don’t have Signal backdoors, otherwise Wired wouldn’t be promoting it. fyi everyone Proton is CIA. It’s modern cryptoAG.
https://community.signalusers.org/t/overview-of-third-party-security-audits/13243
https://freedom.press/newsletter/crossfire-over-messaging-security/
https://freedom.press/training/locking-down-signal/
You don’t have to take Signal’s word for it, because it’s been audited. The EFF, who are VERY privacy minded, and do extensive research into this type of thing, recommends Signal because it’s known to be secure.
Well, I disagree about Signal. Proton however, I agree is extremely shady and should be avoided at all costs.
That’s pretty strong and I’ve never seen or heard anything like it before. If it’s true I’m betting the rest of Lemmy would like some details, too.
No support for Monero despite it being requested on uservoice 6 years ago. A Bitcoin wallet (seriously?) which is easily traceable. Important email metadata is also not zero access encrypted (i.e., subject headers, from/to headers) which leaks a substantial amount of information even if the body is encrypted. Not to mention they had clearnet redirects from their onion service a while back, something a lot of honeypots usually do.
Even if it’s not a honeypot, you’re sure as hell not getting any privacy with Proton. That’s for sure.
You can’t e2e the to and from headers in an email. that’s a problem with the protocol, not with proton. I’d assume the subject line falls into a similar bucket, because mailservers probably want to use it to filter spam
Centralized service with servers in the US, requires a phone number to create an account, and tech bros like it. “0% chance” 100% confirmed.