In the past, zom was a XMPP client [0]. From what I can see on GitHub, the new version builds on Matrix [1], so there shouldn't be a separate answer for zom.
Telegram is a downgrade in terms of both security and privacy. Just leaving the comment for people who consider it. It's an excellent platform and a joy to use but I personally refuse to use it.
- Weird hand-rolled crypto protocol of questionable quality (MTProto). Probably fine in practice, but leaves a bad taste in your mouth, and their marketing to prove it made it worse. It has been through a few revisions since initial scrutiny.
- Only Secret Chats are E2EE. Normal use is just subject to transport encryption. However, this is true for any platform with server-side chat history.
Their e2e encryption only applies to 1-to-1 communication in the form of Secret Chats, which can be opened from a menu multiple clicks away. Default chats and group chats are not e2e encrypted and contents are fully visible to Telegram. This however enables lot of the features Telegram has that Whatsapp/Signal do not (seamless use with multiple clients, powerful search, history is retained after switching phones etc..)
... but still a company that you have to "trust". I'd rather have a protocol that will allow me to not trust anyone and still be secure/private by default.
I think they’re referring to the encryption. Group chats can’t be encrypted end-to-end, direct messages aren’t by default, and the direct messages that are encrypted (”secret chats”) aren’t available on the desktop client.
I'm referring to two things(although really just one) here
- WhatsApp claims to store messages only as long as they are undelivered, after which they are purged from their servers. Even if they are retained, they are e2e encrypted. Telegram on the other hand, from what I can see, store all messages in plaintext or in an encrypted-at-rest form where they control and have access to the keys. It comes down to whether I trust them, and I have no reason to.
- Tying back into the encryption point, in the event of a breach or an MITM, whoever intercepts or accesses WhatsApp messages will get encrypted dumps, while my Telegram messages are pretty much going to be in plaintext.
Also adding to this, there is certainly more nuance to it and WhatsApp is certainly far from perfect in that you still trust them to implement E2EE correctly without incompetence or malice, and then there's the whole other issue of their cloud backups being entirely unencrypted by design. Thankfully the latter can be turned off for now.
Also, the option to delete on a periodic basis is not an alternative to not having things stored in the first place. That said, there is no way you can verify that copies are not retained on the servers in either case (WhatsApp or Telegram) so there's not much to argue there.
Clients are open-source, so you can see the code for e2e encryption.
> That said, there is no way you can verify that copies are not retained on the servers in either case (WhatsApp or Telegram) so there's not much to argue there.
This is exactly true, so I actually prefer Matrix.
IMO Telegram is more similar to Facebook Messenger than WhatsApp from a security and privacy standpoint. Both do not use end-to-end encryption by default (but both have a separate end-to-end encrypted private chat mode).
Don't forget Apple pressured Telegram to remove rooms or be banned.
This type of pressure on centralized systems is exactly why it is unethical as technologists to suggest people centralize the internet.
When you choose to send friends to centralized systems you are voting for the internet to have all the problems and advantages of dictatorships.
When you support open decentralized protocols you get the problems and advantages of a democracy.
Dictatorships can move fast and make sweeping changes. Look at China.
Signal, Telegram, WhatsApp, iMessage are all examples of centralized walled gardens, aka dictatorships. They are all doomed to be co-opted into doing something you don't like at some point and you will have no recourse.
Meanwhile we have decentralized systems like like HTTP, SMTP, and Matrix. Yes they move slower, are more fragmented, need long periods of carefully discussed and rolled out protocol changes and many implementations and servers to all agree on those to function. Decentralized control is messy, and good UX takes longer to materialize, but that is how the internet was built, and how we kept it from being controlled by a single ISP/Browser like AOL.
If you want a modern e2e chat protocol that lets you use any client, server, operating system, or architecture you want and take your social graph with you when you change your mind on any of those things, where no one single entity can change the rules of the network
for profit or other reasons... you are looking for Matrix.
> Don't forget Apple pressured Telegram to remove rooms or be banned.
Apple pressured Telegram to remove specific posts. There was no way to stop spamming the posts, so they removed the whole channel because it was a lot easier.
It's not really "good enough" for them. Some criminals seem to use it but it's just a matter of reputation. It doesn't offer any extra privacy over whatsapp.
By default anyone at telegram can read your messages. By default, nobody at Facebook can read your WhatsApp messages. Telegram is a privacy downgrade here.
Facebook could push an update tomorrow that subtly modifies the RNG in a very difficult to detect way that allows them to easily brute force all messages.
No published source code or alternative implementations so it may take months of RE to notice if it is ever noticed at all.
If only a single party with no accountability controls your encryption keys with binaries they compiled from code they wrote that no one else can practically review with an undocumented protocol they can silently change or backdoor at any time, it is not end to end encryption. It is marketing.
I hate and refuse to use Telegram like all centralized chat services and feel it is hostile to freedom, privacy, and security but unlike Signal, WhatsApp, iMessage and others Telegram at -least- lets independent third parties like F-droid compile and distribute binaries offering accountability for their E2E claims.
I've tried many, many times to figure out how to use Matrix, and every time I can't make headway. I haven't included it in the options because after trying every six months or so to figure out how to talk one of my colleagues through it I've just given up.
Maybe it's time to try again, but all the docs seem to be written by people who assume the wrong things about their readers.
What do you mean? What kind of problems are you running into? Elements has a trivial 2 taps flow to get to "new direct message", so I'm curious what could go wrong.
Moxie doesn't care about sellout money. As I understand it he wants to run signal as a lifestyle business, and he has private donors keeping everything afloat. I'm not sure if it'll stay independant if Moxie ever leaves, but hopefully there's a stable org structure. Source: The JRE podcast he did a couple months back.
Also if they ever sell out, the server & clients are completely opensource. It wouldn't take much for someone else to fork the whole thing and run a competing service if we ever need to.
Brian Acton, WhatsApp co-founder, one who left Facebook post-acquisition, infused 50M USD into Signal. And, Signal is community-supported through donations. I hope that Signal remains here for a long time.
It is strange he moved from seeing a centralized messenger project he founded be morphed into a monster, only to double down and invest in yet another privacy hostile centralized messaging system hoping for a different result.
Anything not decentralized is going to get abused eventually.
The US government could seize the client signing keys, release s backdoored client, and dump the SGX keys and gag order everything in the name of national security. We have seen similar play out in China. Even the mighty Apple gave up HSM keys and caved to CCP censorship demands. It is only a matter of time.
I fear they are well meaning but woefully naive.
We need censorship resistant standard protocols anyone can implement and help host so there is no SPOF.
There are many things that can happen to a non-profit that can change the way they provide software or a service. Apart from a sale being possible (albeit with regulator approval), a non-profit could split (see MozillaCorp), or simply act against its own stated interest due to internal politics (see PIR).
Or the change could be smaller such as the non-profit changing focus and transferring one of it's products to another entity. e.g. Signal could hypothetically pivot to focus on crypto lib dev/maintenance and transfer the messaging service maintenance to another org.
Discord doesn’t need to be bought by Google to be a huge privacy concern. No end-to-end encryption or even claims to not read direct messages, closed source, third-party clients are banned…
Sadly the inertia of WhatsApp is something hard to escape.
I would/do choose Signal with a few of my tech savvy friends. But the majority of people I know use WhatsApp, and consequently so do I.
That's been like that for a long time, several times a month I receive a notification that someone I know comes into Telegram, and even my close family is going into Signal bit by bit.
But yeah, here whatsapp is the biggest one still and too many people are using it.
I know various people who are not tech savvy, and use Signal. It doesn't require a lot of skill to use Signal; on the contrary. IMO, if you can use WhatsApp, you can use Signal. Some features like Axolotl and 2FA even overlap. That's why I decided to switch away from WhatsApp to Signal. Whoever doesn't follow can send me SMS or e-mail.
I have been using matrix mostly as an IRC/Gitter client but also for a small number of non-technical friends. It is making excellent progress but has a long way to come. However I do think it is the right investment due to the direction and funding it has.
Some weak points (based on using element.io clients which has some features that aren't core matrix):
- Cross-session signing is not natural to set up for users, however this likely isn't much of an issue as most of these will just use it on their phone. However this can also be an issue if they want to switch device but lost their keys.
- e2e verification is a bit awkward. No great TOFU option which makes initial setup a bit awkward, you can do it but the UI doesn't encourage it. It would also be interesting to have the option to "share" your verification. So if friend X says they trust these keys for friend Y I can import Y without further verification.
- Occasionally new devices don't want to send messages to the remote user's session. So the user just gets a "Message encrypted" notification with no indication to me that I sent a message not encrypted to all of the user's sessions.
- Voice + Video is super basic for 1:1 calls. For >2 users it uses Jitsi which is fantastic but this different UX between the two is also confusing. I'm hoping that when Jitsi launches e2e encrypted calls it can just be used for everything.
- Visually the app is cluttered and not perfectly clear. For 1:1 calls "bubbles" such as used by most chat apps are super clear. Matrix uses a design better for many user chats but can be less clear. Especially replies look a bit odd in Element.
- URL previews are only supported on web and need to be turned on per-chat (if encrypted). This is for legitimate privacy reasons but is a sacrifice of UX.
Overall once you get it set up it just works and has all of the features that a user would expect. However I'm looking forward to a lot of the polish landing which will make it compelling on UX grounds alone, whereas now it just seems like the best compromise when you consider the privacy and decentralization features.
I'm gonna stay on WhatsApp. Can't beat convenience. Also good luck getting granny and grandpa to move to some weird ass app that barely works or has weird onboarding or unintuitive UX.
I have been using Signal since before it was even called Signal (TextSecure and RedPhone), and I must say it has really refined itself over the years. It's pretty easy to set up these days, and I have more non tech oriented friends switching over seamlessly. I use Signal's voice and video calling features as well without any issues.
Why not came back to plain old email? The email delivery system is decentralized and can support p2p encryption. You can have "chat-like" user experience with apps like Mailtime (https://mailtime.com/)
The same features are just not available. And messages may arrive sometime between 2 second and 2 days with no indication what happened. (Yes, highly skewed towards 2s, until you get graylisted)
People keep saying email has encryption, but in the rare cases when email is encrypted with pgp, only the contents of the messages get encrypted. Not the metadata. And apparently the metadata is the most valuable data for government snoops. They don't care as much what you've been saying, but knowing that you've been emailing back and forth weekly with some person of interest over the last 5 years is what they're really after.
Also pgp doesn't support any of signal's key ratcheting or deniability. And the web of trust leaks information publicly about who your contacts are! (And its vulnerable to Sybil attacks.)
Don't get be wrong, I love email and think its great. But it doesn't hold a candle to Signal when it comes to secure communication.
Been using Telegram for a long time. I don't trust it any more than I do with WhatsApp (therefore, Facebook), however it is well done and thought out, has a real desktop client with a real desktop UI toolkit and enough of my contacts are on it already, therefore it's the best compromise to me. I greatly dislike Signal's UI when I tried it out and I've read about some weird decisions lately (that "using a PIN? uploading to cloud" debacle some time ago). I also believe it shouldn't require a phone number if its focus is privacy and security. Matrix would be my go to in concept, but its userbase is even smaller. At the same time, alas, I am forced to keep using WhatsApp because "everyone" is on it, and if you aren't, you're going to miss out, be it parents school chats, work groups, less tech-savvy friends, parents..
Signal requires phone number in order not to store your contact list on their servers. Instead of id's/email addresses/nicknames they are using your phone contact list. IMHO that's better for privacy.
That depends on what you want with privacy. If you'd want to chat anonymously, having to use your real phone number is a bummer. At least in my country, it's getting harder and harder to get a SIM-card that is not tied to your name.
The alternative is getting a burner SIM-card. Though, that will become harder once more prepaid providers require your ID.
That's very reasonable then. It's not a deal breaking issue especially so moving from or compared to less trustworthy entities already having your phone number (e.g. WhatsApp), but it had left me wondering, I thought it was used in the most part for authentication.
Signal appear to have been making efforts to switch unique identifier to an arbitrary ID, I believe this is a move towards removing the phone number requirement. I can't say for sure.
I know their infra codebase pretty well as I've worked on it for projects unrelated to Signal/Open Whisper Systems. Unfortunately their public Github is usually ~3 months behind their running infra and often released much later than the equivalent functionality in the clients hits the public.
> Signal appear to have been making efforts to switch unique identifier to an arbitrary ID, I believe this is a move towards removing the phone number requirement. I can't say for sure.
> Our goal with PINs is to enable non-phone # based addressing. Since that will mean your Signal contacts can't live in your address book anymore, they're Signal's responsibility. Every other messenger does this by storing them in plaintext, but that's not private, so we built SVR.
Thanks for that. I had a quick look through their blog but couldn't find anything to reference.
It's been a few months since I worked with their codebase but at the time it relied on Intel SGX for the contact storage Enclave, which is now considered compromised[0]. Additionally, if you wanted to run your own, the requirements to get licensed to use the Enclave are non-trivial.
Opinions are my own, I represent no one, etc, etc.
Yeah I think that's still true. That said, as I understand it, the enclave is used as "proof" that they're running the server-side code they say they do (which should be protecting the data), not the data itself. I could definitely be wrong there though.
> Signal requires phone number in order not to store your contact list on their servers.
That does not make sense. There is no relation between 'using phone number as id' and 'storing contact list on servers'. E-mail and same other communication protocols also do not use phone numbers and do not store contact list on servers.
Yes but do they offer the same experience? Signal figured out that you probably have a list of contacts that you want to talk to. If they use mobile numbers as identifiers then they don't have to keep the contact list - it's already there on your phone. IMHO it's a good compromise.
I'm not an advocate for Signal, but I totally get this approach.
For people that are not aware: There's a Telegram FOSS [1] fork which contains all kinds of fixes; and additionally is Google Services and tracking free, which means it will run on AOSP and LineageOS without any burden of push services.
> being FOSS just in the client side, IMO changes little in comparsion with WhatsApp.
There are efforts implementing mtproto servers that are compatible with the Telegram codebase like telegramd [1] or madelineproto [2] in case you want to host your own server.
But, if decentralization is your main focus (interpreting your statement); you probably want to switch to a Matrix-based client anyways.
I like Telegram FOSS because it doesn't rely on google's infrastructure to run. That's good enough for me given I already made the questionable decision to run a chat client with a home-baked security protocol ;)
On Telegram, login on a new device and you can see your all messages automatically. On Signal, you seems to need to perform it manually, and your history will lost forever if you phone are lost or broken.
I think the first kind of "backup" is what most people would expect, because it is convenient. But to provide this convenience, it can't be full E2E, so Telegram supports secret chat when you need max security if you are willing to sacrifice convenience.
You can get the same convenience with the Signal/Whatsapp E2E type of app. All you need additionally is to keep a passphrase stored somewhere. As long as you do that you can have automatic backups that allow you to setup a new device without access to the old one and get all your history back, without losing the E2E encryption benefits by having unencrypted backups on a server somewhere. Signal UX for this is poor though.
Nothing prevents Telegram from not implementing that architecture and reading every single group message and non-secret chat. Telegram is sketchy in many ways, I wouldn't trust that easily.
Because the founder is Russian and Russophobia is very strong in the USA and Western Europe.
People find other reasons for this (“they made their own crypto”, “marketing says secure but it isn’t by default”) but the core of the argument is that Pavel Durov is Russian and he’s not trusted. If it had been Elon Musk who had created it- I have little doubt that it would be the hottest thing on the market.
I'm facing the same problems. All the people in my (real life) social circle are using WhatsApp. All of my friends are calling me crazy that I don't have Instagram, so talking about alternative messaging apps is probably not going to work. I think this is true for most people in the western culture. I value my privacy, but the struggle is to big for me.
Maybe an open-source protocol, like how e-mail works, could be a solution for this problem. That you can choose your messaging apps and that they can interfere with each other, like email clients.
I'm really shocked that people these days don't even ask for phone numbers. They ask for Instagram. I don't have it and do feel like I'm "missing out" on updates from friends. But then it reminds me how much I hated Facebook before I quit. These days my WhatsApp bio says "text me on Telegram" and usually my WhatsApp is not running on the background.
There already are IM protocols. The problem is that companies prefer to create walled gardens. Even if a protocol were to take off, what usually happens is that one company leverages the protocol to gain traction, spends enough resources to build a really great user experience, and once they’ve amassed a big enough percentage of users, they toss the protocol and use something proprietary. You’d need the protocol to have at least two popular clients so that the user base is split between them. That might prevent one from dropping support for the protocol.
Thanks for your comment. I quickly searched for the IM protocols and there are plenty of open-source projects with promising functionalities.
I think that the mindset of the majority of the people is the source of this problem. Most of the people I speak to don't care about their privacy. They say that they have nothing to hide and that's a valid statement. The problem is that we don't get to choose. If someone wants to share all of their personal information it's their choice, but to not share your personal information seems almost impossible. Social standards expect that you have WhatsApp and LinkedIn and such.
Is Matrix a good alternative to Signal? I'm currently using Signal, but I'm not entirely satisfied. My major issues are that I don't like their stance on a couple of issues: third party clients are not allowed, mobile first and desktop is only synced, phone number required, and distribution only over the app stores. Also we frequently get "encryption errors" and everybody ignores them, this is worse than with SSH key errors :-).
There is more metadata with Matrix but the privacy and security of message content is good. I find the UX a bit clunky because it's kind of trying to combine bits of a instant messenger with something like slack.
matrix-synapse(server) suffers from performance issues[1], dendrite[2], the replacement should be resolving that but is currently in beta.
Apart from that it integrates fairly well with other networks through bridges.[3]
It can be self hosted and it federates, which is a pro.
Not too sure about audits and security, it has improved much, when I started using it (2019) they didn't have login throttling[4] and shortly after that were breached.[5]
Much has improved since.
Speaking as a Matrix user: it definitely still has performance issues. I'm regularly running into sudden lag spikes that have no clear justifiable reason to exist.
I'm sure this will eventually be fixed, and honestly the performance is probably good enough for most people, but Synapse is definitely not as performant yet as a homeserver should be.
I like matrix, and the chat feature is pretty rock solid. However for calls and sending files it's currently not as good as Signal. I quite often have an issue with calls connecting (need several tries) while I hardly ever see this with signal. Similarly, sometimes I get failed sending of files (especially if they are big) and they somehow stay as a failed message in your chat afterwards, which is really annoying.
Yeah. I'd love to love Matrix but the clients are getting in the way.
I did find a native macOS Matrix client and quite honestly I'd love to be able to use a native client since all platforms really only have Electron apps. But the macOS client only gets me so far since I also want to use it on my phone.
To a certain degree I'd say this is apples vs oranges.
Before you shoot me down, let me explain. The reason I say that is because of the core focus of the different platforms.
Signal's priority-one use-case is clearly person-to-person IM and communication. The UI, setup-process and entire architecture is optimized for this one use-case, with all other use-cases being shoehorned in to fit whatever was built for that.
I'd say Matrix (for the moment disregarding a key feature, bridging) has as its primary use-case to be a discord/slack/IRC alternative, to handle "channels", long term group chats and basically persistent online collaboration workspaces.
Sure. Technically speaking, Matrix has a full support for E2E encrypted person-to-person IM and communications (even phone-calls and audio!), and you can use it for that. But this was clearly not the primary use-case Matrix was designed to solve.
Therefore IMO Matrix person-to-person chat has this slightly shoehorned-in feeling, so you may have a somewhat lesser user-experience when using Matrix to do these things than other platforms which had this as their primary goal.
Disclaimer: Happy Matrix-user, running own server, bridging both FB, WhatsApp and Signal into the matrix-verse.
I’m just saying that if you try to suggest Matrix as a “drop in” replacement for WhatsApp or other dedicated IM platforms, it may not immediately give you that “at home” feeling right now.
It’s much more capable, but different. For better and worse.
As far as I know, the Matrix protocol shouldn't be limiting when it comes to one-to-one chats.
There are already Matrix mobile clients focusing on this use case, aiming at being a WhatsApp replacement. Examples are: Ditto Chat[1], Nio[2], and FluffyChat[3].
Before trying to solve the network-effect issue (i.e. all people using WhatsApp), we should make one of the mentioned clients at least as good as WhatsApp, or else users won't switch.
Wire is pretty popular in my social circles, less so lately, unfortunately.
The "always on" encryption is great, and it's always been more stable, and had a more complete feature set than Signal, even at launch. Most importantly, migration between devices with Wire is super smooth.
971 comments
[ 3.0 ms ] story [ 386 ms ] threadhttps://duckduckgo.com/?q="zom"+messaging
[0]: https://chatsecure.org/blog/chatsecure-conversations-zom/
[1]: https://github.com/zom/zom-android-matrix
- Only Secret Chats are E2EE. Normal use is just subject to transport encryption. However, this is true for any platform with server-side chat history.
If the latter, well played.
- Tying back into the encryption point, in the event of a breach or an MITM, whoever intercepts or accesses WhatsApp messages will get encrypted dumps, while my Telegram messages are pretty much going to be in plaintext.
Only if you trust Facebook with their proprietary software.
And on Telegram you can easily export your history at any time and delete from the servers.
Isn't MTProto proprietary as well?
Also, the option to delete on a periodic basis is not an alternative to not having things stored in the first place. That said, there is no way you can verify that copies are not retained on the servers in either case (WhatsApp or Telegram) so there's not much to argue there.
Clients are open-source, so you can see the code for e2e encryption.
> That said, there is no way you can verify that copies are not retained on the servers in either case (WhatsApp or Telegram) so there's not much to argue there.
This is exactly true, so I actually prefer Matrix.
Cool. Unfortunately the cases where it's applicable are too limited for my liking.
> Matrix.
Matrix is great, I just wish I had more luck onboarding my network onto it. I really enjoy using Element.
This type of pressure on centralized systems is exactly why it is unethical as technologists to suggest people centralize the internet.
When you choose to send friends to centralized systems you are voting for the internet to have all the problems and advantages of dictatorships.
When you support open decentralized protocols you get the problems and advantages of a democracy.
Dictatorships can move fast and make sweeping changes. Look at China.
Signal, Telegram, WhatsApp, iMessage are all examples of centralized walled gardens, aka dictatorships. They are all doomed to be co-opted into doing something you don't like at some point and you will have no recourse.
Meanwhile we have decentralized systems like like HTTP, SMTP, and Matrix. Yes they move slower, are more fragmented, need long periods of carefully discussed and rolled out protocol changes and many implementations and servers to all agree on those to function. Decentralized control is messy, and good UX takes longer to materialize, but that is how the internet was built, and how we kept it from being controlled by a single ISP/Browser like AOL.
If you want a modern e2e chat protocol that lets you use any client, server, operating system, or architecture you want and take your social graph with you when you change your mind on any of those things, where no one single entity can change the rules of the network for profit or other reasons... you are looking for Matrix.
Apple pressured Telegram to remove specific posts. There was no way to stop spamming the posts, so they removed the whole channel because it was a lot easier.
Care to elaborate? Haven't heard/read anything that points in that direction. Except for the "nearby people" feature but that its up to you to enable.
I agree its a downgrade in security. But I dont agree with it being a downgrade in privacy.
Another point is to compartmentalize information shared.
Id rather share my whole profile in parts to 100 different companies who all arent allowed to share it with each other, than all of it to one company.
No published source code or alternative implementations so it may take months of RE to notice if it is ever noticed at all.
If only a single party with no accountability controls your encryption keys with binaries they compiled from code they wrote that no one else can practically review with an undocumented protocol they can silently change or backdoor at any time, it is not end to end encryption. It is marketing.
I hate and refuse to use Telegram like all centralized chat services and feel it is hostile to freedom, privacy, and security but unlike Signal, WhatsApp, iMessage and others Telegram at -least- lets independent third parties like F-droid compile and distribute binaries offering accountability for their E2E claims.
Also in the comments on that "article" some people link against a cryptoanalysis of telegram, which can be found here: http://cs.au.dk/~jakjak/master-thesis.pdf
Someone else also mentions that telegram stores message logs on their server, if that's true it is definitely a big no no.
Seems like an okay compromise to me, but I'm no security expert.
a. It doesn't require a cellphone always on (most important point for me)
b. It's not run by Facebook, or any other FAANG
c. It's not based in the USA
d. It has a great UX.
Maybe it's time to try again, but all the docs seem to be written by people who assume the wrong things about their readers.
Edit: OK, I've added it.
Also if they ever sell out, the server & clients are completely opensource. It wouldn't take much for someone else to fork the whole thing and run a competing service if we ever need to.
Anything not decentralized is going to get abused eventually. The US government could seize the client signing keys, release s backdoored client, and dump the SGX keys and gag order everything in the name of national security. We have seen similar play out in China. Even the mighty Apple gave up HSM keys and caved to CCP censorship demands. It is only a matter of time.
I fear they are well meaning but woefully naive.
We need censorship resistant standard protocols anyone can implement and help host so there is no SPOF.
Or the change could be smaller such as the non-profit changing focus and transferring one of it's products to another entity. e.g. Signal could hypothetically pivot to focus on crypto lib dev/maintenance and transfer the messaging service maintenance to another org.
Please also mention if there are any client/servers FLOSS
Those are the only alternatives with enough penetration to rival WhatsApp (that I know of).
I know that they are not secure, but neither is WhatsApp.
Once RCS gets established though, text messaging may be a reasonable alternative. (As long as telcos don't try to use stupid pricing)
Android now has some compatibility with iMessage, and SMS is standard and supported on most mobile devices, even really old phones.
Why lock-in to WA or any of these options in the poll?
I'd understand if it were vendor-neutral and decentralized, but I don't see that.
One great advantage over WhatsApp is emoji reactions on messages like Slack does to avoid the dreaded “haha” taking up threads.
Signal seems to support all media I threw at it, and has an awesome MacOS desktop client.
Downsides were no web search for group icons (a great feature of WhatsApp) and live location sharing.
Overall I am happy to have nearly all of my conversations migrated to Signal over the preview few weeks.
Which one are you referring to? Signal Desktop is just an Electron application AFAICT.
But yeah, here whatsapp is the biggest one still and too many people are using it.
Some weak points (based on using element.io clients which has some features that aren't core matrix):
- Cross-session signing is not natural to set up for users, however this likely isn't much of an issue as most of these will just use it on their phone. However this can also be an issue if they want to switch device but lost their keys.
- e2e verification is a bit awkward. No great TOFU option which makes initial setup a bit awkward, you can do it but the UI doesn't encourage it. It would also be interesting to have the option to "share" your verification. So if friend X says they trust these keys for friend Y I can import Y without further verification.
- Occasionally new devices don't want to send messages to the remote user's session. So the user just gets a "Message encrypted" notification with no indication to me that I sent a message not encrypted to all of the user's sessions.
- Voice + Video is super basic for 1:1 calls. For >2 users it uses Jitsi which is fantastic but this different UX between the two is also confusing. I'm hoping that when Jitsi launches e2e encrypted calls it can just be used for everything.
- Visually the app is cluttered and not perfectly clear. For 1:1 calls "bubbles" such as used by most chat apps are super clear. Matrix uses a design better for many user chats but can be less clear. Especially replies look a bit odd in Element.
- URL previews are only supported on web and need to be turned on per-chat (if encrypted). This is for legitimate privacy reasons but is a sacrifice of UX.
Overall once you get it set up it just works and has all of the features that a user would expect. However I'm looking forward to a lot of the polish landing which will make it compelling on UX grounds alone, whereas now it just seems like the best compromise when you consider the privacy and decentralization features.
https://docs.google.com/spreadsheets/d/1-UlA4-tslROBDS9IqHal...
2-3 People are using other contact options like Discord or SMS. Which is fine with me.
But just explaining the concept of clients in 2021 is an undertaking.
Also pgp doesn't support any of signal's key ratcheting or deniability. And the web of trust leaks information publicly about who your contacts are! (And its vulnerable to Sybil attacks.)
Don't get be wrong, I love email and think its great. But it doesn't hold a candle to Signal when it comes to secure communication.
The alternative is getting a burner SIM-card. Though, that will become harder once more prepaid providers require your ID.
Or if you did mean Colombia, why would the average HNer have friends there?
I know their infra codebase pretty well as I've worked on it for projects unrelated to Signal/Open Whisper Systems. Unfortunately their public Github is usually ~3 months behind their running infra and often released much later than the equivalent functionality in the clients hits the public.
It is: https://mobile.twitter.com/moxie/status/1281353119369097217
> Our goal with PINs is to enable non-phone # based addressing. Since that will mean your Signal contacts can't live in your address book anymore, they're Signal's responsibility. Every other messenger does this by storing them in plaintext, but that's not private, so we built SVR.
It's been a few months since I worked with their codebase but at the time it relied on Intel SGX for the contact storage Enclave, which is now considered compromised[0]. Additionally, if you wanted to run your own, the requirements to get licensed to use the Enclave are non-trivial.
Opinions are my own, I represent no one, etc, etc.
[0]https://arstechnica.com/information-technology/2020/03/hacke...
That does not make sense. There is no relation between 'using phone number as id' and 'storing contact list on servers'. E-mail and same other communication protocols also do not use phone numbers and do not store contact list on servers.
I'm not an advocate for Signal, but I totally get this approach.
You can verify this yourself with AppWarden [2].
[1] https://github.com/Telegram-FOSS-Team/Telegram-FOSS
[2] https://gitlab.com/AuroraOSS/AppWarden
There are efforts implementing mtproto servers that are compatible with the Telegram codebase like telegramd [1] or madelineproto [2] in case you want to host your own server.
But, if decentralization is your main focus (interpreting your statement); you probably want to switch to a Matrix-based client anyways.
[1] https://github.com/nebula-chat/telegramd
[2] https://github.com/danog/MadelineProto
Definitely a better alternative to WhatsApp in any case.
On Telegram, login on a new device and you can see your all messages automatically. On Signal, you seems to need to perform it manually, and your history will lost forever if you phone are lost or broken.
I think the first kind of "backup" is what most people would expect, because it is convenient. But to provide this convenience, it can't be full E2E, so Telegram supports secret chat when you need max security if you are willing to sacrifice convenience.
People find other reasons for this (“they made their own crypto”, “marketing says secure but it isn’t by default”) but the core of the argument is that Pavel Durov is Russian and he’s not trusted. If it had been Elon Musk who had created it- I have little doubt that it would be the hottest thing on the market.
Maybe an open-source protocol, like how e-mail works, could be a solution for this problem. That you can choose your messaging apps and that they can interfere with each other, like email clients.
I think that the mindset of the majority of the people is the source of this problem. Most of the people I speak to don't care about their privacy. They say that they have nothing to hide and that's a valid statement. The problem is that we don't get to choose. If someone wants to share all of their personal information it's their choice, but to not share your personal information seems almost impossible. Social standards expect that you have WhatsApp and LinkedIn and such.
Apart from that it integrates fairly well with other networks through bridges.[3]
It can be self hosted and it federates, which is a pro. Not too sure about audits and security, it has improved much, when I started using it (2019) they didn't have login throttling[4] and shortly after that were breached.[5] Much has improved since.
[1] https://github.com/matrix-org/synapse/issues?q=is%3Aissue+is...
[2] https://matrix.org/docs/projects/server/dendrite
[3] https://matrix.org/bridges/
[4] https://github.com/matrix-org/synapse/issues/1452
[5] https://securityaffairs.co/wordpress/83751/data-breach/matri...
Searching on an issue tracker for the word 'performance' is not a good source for claiming there are performance issues.
Synapse used to have scaling issues. Those are pretty much fixed.[1]
[1] https://matrix.org/blog/2020/11/03/how-we-fixed-synapses-sca...
More details about my specific case are found here: https://github.com/matrix-org/synapse/issues/8612 - and occasionally other performance issues pop up for other people too.
I'm sure this will eventually be fixed, and honestly the performance is probably good enough for most people, but Synapse is definitely not as performant yet as a homeserver should be.
Fluffy chat may be the best, but still needs lots of love.
I did find a native macOS Matrix client and quite honestly I'd love to be able to use a native client since all platforms really only have Electron apps. But the macOS client only gets me so far since I also want to use it on my phone.
To a certain degree I'd say this is apples vs oranges.
Before you shoot me down, let me explain. The reason I say that is because of the core focus of the different platforms.
Signal's priority-one use-case is clearly person-to-person IM and communication. The UI, setup-process and entire architecture is optimized for this one use-case, with all other use-cases being shoehorned in to fit whatever was built for that.
I'd say Matrix (for the moment disregarding a key feature, bridging) has as its primary use-case to be a discord/slack/IRC alternative, to handle "channels", long term group chats and basically persistent online collaboration workspaces.
Sure. Technically speaking, Matrix has a full support for E2E encrypted person-to-person IM and communications (even phone-calls and audio!), and you can use it for that. But this was clearly not the primary use-case Matrix was designed to solve.
Therefore IMO Matrix person-to-person chat has this slightly shoehorned-in feeling, so you may have a somewhat lesser user-experience when using Matrix to do these things than other platforms which had this as their primary goal.
Disclaimer: Happy Matrix-user, running own server, bridging both FB, WhatsApp and Signal into the matrix-verse.
I’m just saying that if you try to suggest Matrix as a “drop in” replacement for WhatsApp or other dedicated IM platforms, it may not immediately give you that “at home” feeling right now.
It’s much more capable, but different. For better and worse.
There are already Matrix mobile clients focusing on this use case, aiming at being a WhatsApp replacement. Examples are: Ditto Chat[1], Nio[2], and FluffyChat[3].
Before trying to solve the network-effect issue (i.e. all people using WhatsApp), we should make one of the mentioned clients at least as good as WhatsApp, or else users won't switch.
[1] https://dittochat.org
[2] https://nio.chat
[3] https://fluffychat.im
I like that they have published the server source code https://github.com/wireapp/wire-server
The "always on" encryption is great, and it's always been more stable, and had a more complete feature set than Signal, even at launch. Most importantly, migration between devices with Wire is super smooth.
It definitely should be in the poll.