I hope someone corrects me if I am wrong, but around two years ago he backed out of any responsibilities (ceo) after he bundled mobilecoin into the app.
That that was his intention is the impression he left, with people like me at least - a quick glance shows its price only went down after he stepped down. Who knows how much he has invested/made ¯ \ _ ( ツ ) _ / ¯ I don't hold it against him if he is a true believer. I feel like integrating it makes as much sense as Twitter becoming a payment processor, but hey.
Would signing into Signal on a work device not negate most of the security benefits of using Signal? Genuine question; I am only vaguely familiar with Signal.
The interesting thing is that it is possible to share the account on multiple devices, as long as only one of those is a phone. You can sign in to and chat from that account just fine on the desktop app, even if your phone is off.
(I guess theoretically you could run something like PostmarketOS on a phone to run the desktop app, but you know what I mean.)
My current work-around is just to use a group chat and have both work and personal accounts part of the chat. Fortunately, I only need to be able to chat with a few people (family) while off with the work phone so this isn't that big of a hassle, but it's something I wish I didn't have to do.
Yeah, this is still my top requested feature. I have two phones, one is data only sim. I just want to be able to signal from both of them just like how I can on my mac and PC.
Unfortunately I don't. If I were to guess, I'd expect it's just a matter of the engineering hours that would need to be invested not being worth it at this time, given how few people they expect to need it.
That's useful but not quite sufficient for this use case, though. The different devices currently have no way to sync chat history, so you'd lose all your old chats.
What I'd love to have is the ability to connect my phone and my laptop to the same Signal account, have them automatically sync chat history between each other, and then in the future if I add a new phone (e.g. because I've upgraded) my phone can sync from my laptop and get all of my message history.
Whatsapp added this recently and it is very convenient. You can link a companion device in the same manner you sign into WhatsApp web.
A kind of hacky workaround (that I used to use for both signal, WhatsApp and others) is to set up a server with matrix bridges running and bridge your signal, WhatsApp etc. so then you can install the one matrix client on all your devices.
But as most apps do support multiple devices these days, bar signal, it doesn't feel like it's worth the effort. And I seem to remember the signal bridge in particular being a little buggy.
I'm sure it will become possible soon. The code is already there on iOS, as the app also work on iPad, but hidden behind the internal feature flag [0]. Same with Android [1]. If your second device in an Android, you can already use it now with [Molly](https://github.com/mollyim/mollyim-android).
Also, WhatsApp recently added this feature, so the expectations from potential new users who switched is now there.
> Note that even once these features reach everyone, both you and the people you are chatting with on Signal will need to be using the most updated version of the app to take advantage of them.
> Each version of the Signal app expires after about 90 days, after which people on the older version will need to update to the latest version of Signal. This means that in about 90 days, your phone number privacy settings will be honored by everyone using an official Signal app.
Which is also an example of a challenge for open ecosystems where everyone can create apps.
I understand that it doesn't outweigh the benefits to everyone, but it is a valid reason.
The way they say "privacy settings will be honored by everyone using an official Signal app." kinda suggests they're gonna let third parties keep getting this info...
They won't. It'll be similar to message timers or delete for everyone. You can revoke sharing your number and it will be hidden in official apps but third party apps won't magically forget the number that was previously shared. However if you choose not to share your number from the start, no one will be able to see your number.
Yup, I was on an international trip with hardly any data allowance when all of a sudden my messages stopped sending, and I couldn't receive any new ones... That'll never happen with SMS. I love Signal, but some of their product decisions have been questionable.
Their decisions seem right for the use case of a secure messaging app, but I don't care about that use case and would rather use a non-e2ee app that'll be reliable, not lock me out, and work seamlessly across devices. Also, for those who truly care about e2ee, it's pointless if you aren't checking all the safety numbers out-of-band.
Yes, this is a compromise on the CIA triad. It prefers integrity and confidentiality over availability.
That is a fine decision to make for a security-minded app, but signal has always presented themselves as a full alternative to SMS and other messaging systems where availability is prioritized over confidentiality and integrity. It should really be made more clear so that users are making an informed decision. They could also do wonders for the user experience by having the app inform the user of the problem and how to remedy it.
Yeah, but I wouldn't call SMS super available either since it relies a lot on the ends too. Had a lot of those drop when I traveled. Something like Facebook Messenger has a whole server storing messages, so it's solid, you'll receive them later even if your phone breaks.
This is a common, but terrible argument. Anyone can (mis)use, make, or weaponise technology given enough time and funding. Following this reasoning to its logical extreme, nobody should ever do anything.
The problem something like this solves is to raise the bar somewhat and discourage a fraction of those who would.
It's not a big expensive task to look at what data an app is sending/receiving. Anyone with minimal reverse-engineering skill will know how to intercept HTTPS to/from their own phone in 5 minutes. Signal uses some other protocol, but it's also doable, also it's open source anyway.
The conclusion isn't that Signal should be closed-source, it's that Signal's servers should not trust the clients not to be tampered with. So after 90 days, they will remove phone numbers from the protocol for users who have hidden them, breaking old clients, which is fine. What is the alternative solution you're thinking of?
I mean, if WhatsApp said this about the privacy of messages, Signal would be running billboard ads about how they don't care about privacy and look at how much better Signal is, right? This is the company that goes out of their way to pile on advanced encryption and insists on using dangerous secure enclaves to get this kind of thing right... until they are asked the hide phone numbers, at which point they are selling people a false bill of goods that WILL confuse someone into giving their phone number to someone who they really shouldn't have. It isn't as if it is somehow impossible to hide anyone's number at the protocol level: hell... even Snapchat does this, right?
I wish it were more obvious that Signal expires its apps every 90 days.
My mom couldn't receive signal calls on the backup phone I gave her. I had disabled auto-updates since apps break UI sometimes and she gets confused by things moving around.
When I visited, I opened the signal app and was told I had to update.
It's patently unforgivable that a message would not be delivered because the client is out of date.
The Signal team is incredibly clueless and arrogant toward its userbase. It seems to simply not have occurred to them that many people rarely/never have wifi, may not be on AC power when they are on wifi which means the phone may not check for / apply updates, etc.
In the US, cellular is often expensive and slow.
In underdeveloped countries where software like Signal could be really important, all this is even more true.
We get shit crammed down our throats to protect the most obscure edge cases for the smallest percentage of the most vulnerable users - such as not being able to sync messages between devices - but then they pull shit like this which has a huge impact for people in rural areas and underdeveloped countries?
> Delivering a message to a client which is known to be less secure than the sender expected it to be is unforgivable.
That is inconsistent with the threat model of a messaging system!
Inherently, a messaging system will deliver a plaintext copy of the message to the recipient(s). Wouldn't be much of a messaging system otherwise.
Once you sent something and it was delivered in plaintext to the recipient, the information disclosure risk is completely out of your control (and out of control of the application in use). The recipient is free to leak it however they wish.
If you don't trust the recipient to keep it private, don't send it.
Just curious, since I'm not really active in this space, but wouldn't the threat model of most concern be that an external actor breaks (maybe an outdated version of) the app or protocol? This would leak data without you or the recipient being any the wiser. It seems like that's the threat the app-expiry policy is intended to address.
You could update the protocol version if and when a protocol weakness is discovered and then stop talking the previous protocol version after a transition period.
No need to continuously expire apps in the absence of a protocol breach.
What if there's a vulnerability in the app itself?
I have no idea if that's what they're concerned about - they may just be being arseholes in this case - but from the outside it seems like a legit reason to build in the capability for app expiration.
But you don't know, at the time of sending, which version of the client will show up to retrieve it. Otherwise both clients would need to be connected at the same time before you were allowed to send.
> That is inconsistent with the threat model of a messaging system!
I disagree, the worst thing that a messaging system that aims to be "private" can do is to actually not be private. Sending to a known-insecure client is a violation of, like, the one thing signal claims to do.
> If you don't trust the recipient to keep it private, don't send it.
My threat model is some combination of "third party actors who I don't trust" and "second parties who I trust but who are non-experts"[1]. I would like Signal to protect me from the first (by not delivering things to known-insecure clients that can be middlemanned or otherwise discovered) and the second, by having privacy-respecting and mistake-preventing defaults. Things like disappearing messages and such. Keeping my trusted-but-nonexpert peers from making mistakes that can harm either of us in the future is a key part of my threat model.
For example, disappearing messages prevent me from being harmed by my friend, who I trust to discuss things with, not having a lockscreen password and getting warrented by the police. An outdated or third party client that lets you keep them forever, even if well intentioned, can break that aspect of the threat model. And yes, a peer who is actually nefarious can still do that, but that's not my threat model. I think my friends aren't privacy-experts, I don't think they're feds.
[1]: This is, for example, the reason that I think PGP is not a good tool. Even if I do everything right, a well meaning peer who is using the PGP application can unintentionally leak my plaintext when they don't mean to, because of the tool's sharp edges.
I think this is the tradeoff that Signal makes versus the messenger most similar to it, WhatsApp. Though of course everyone in a group chat must pick one or the other, so it's not much of a free choice. (My friend group in the bay area is entirely on Signal, for example, though I also have a WhatsApp account.)
If the app has to be updated on a 90 day schedule, then it's likely that most of those updates aren't making anything more secure. So it's not "known" that someone running last quarter's version is less secure than the sender expects.
> In the US, cellular is often expensive and slow.
Mint will sell you a plan for 5GB of data for $15/mo. Its not that expensive to have a basic cellular plan. And that's assuming you're not poor enough to have your cellular plan almost entirely subsidized. And also assuming you're pretty much never anywhere with wifi.
In the vast majority of markets in the US it'll take a minute or less to download, it'll probably take more time unpacking on your device and installing.
Sure, but the thing I was responding to was "in the US".
There's cheaper per-gig plans in the US. Visible has unlimited plans for $30/mo which is cheaper per-gig if you use a lot but more if you're using less than 5GB anyways. And if 200MB/yr currently seems like an expensive amount of data to you, you're probably already using less than 5GB a month.
I have been bitten by this in the past. At least now they give warnings in-app that the app will expire soon. But if you don't use the app regularly, you wouldn't even know. Also, I'm not aware of any other apps that die in this way, so it's not like people are in the habit of periodically checking the app to make sure they're still on a version that can receive incoming messages.
This has more sinister implications in some places. For example, Apple app store in Russia can get banned at any time. So if I understand this correctly, if that happens, Signal will stop working for all iPhone owners in Russia in 6 months. And guess where you really need something like Signal?
The apps and most of the backend are open source too, not just the protocol.
The important distinction is that it's not decentralized like XMPP or email, which is a conscious decision: it would become very difficult to change it to add new features and they'd be left behind by closed-source competitors (see: XMPP).
I see that it is a ton of wishful thinking and FUD on the side of Signal to claim that: XMPP is alive and kicking, has all the features one needs, runs everywhere, at scale, offers the same or better crypto, better privacy, better resilience and is more sustainable. When Signal will inevitably fail/turn against its users/enshittify itself or get acquired, all federated and P2P protocols will keep on going. For decades. That's the kind of communications systems we should be demanding in the present era, nothing less.
XMPP is underrated. A lot of people are imagining Pidgen in 2011, but the protocol has been extended, the actively developed clients are good, and it avoids the heavier parts of Matrix (both client and server side.) I wouldn't be surprised if Slack's replacement when Salesforce inevitably fucks it up will be XMPP based rather than Matrix.
"The protocol has been extended" has been XMPP's theme for decades, and also its problem. Name your favorite client, it probably won't have several extensions, and a lot of useful things require support on both ends plus the server. Lots of things that should be ubiquitous are not, including s2s auth. There needed to be more structure, like AIM back then or Signal now. Also the XML stuff is a nightmare.
Even if Google Talk kept XMPP, they weren't going to save it, cause nobody used Google Talk. Facebook was by far the biggest XMPP-supported platform (though it wasn't federated), and they stopped probably cause they didn't see enough clients. Even Slack supported XMPP for a while, did you use that?
Is it really a wish if it's already come true? I can't name a single person who uses XMPP. If a federated chat protocol ever wins, it'll probably be something more modern like Matrix. At least there's email too.
You can run Signal app forks on the Signal server. Molly is a popular one. You just can't create new servers. I wish you could, but I get the reasoning of not wanting honeypots. But that doesn't stop you from running your own network of Signal servers. So I don't see anything stopping anyone. I mean Mullvad runs their own stuff and I don't see half the complaints about them. I've always been curious why Signal is so unique here. If 1/100th the people that made these concerns developed a open community of signal servers, I'm sure we'd have a viable alternative network. What's stopping everyone?
One of the big lessons from Twitter and Reddit was third party apps are tolerated or even encouraged until they are not. Unlike, for example Discord, I haven't see any indication that third party clients are causing account bans, yet.
The status of open source, privacy respecting messaging apps looks really healthy to me, compared to where we've been over the past 30+ years (thinking starting with ICQ.) Signal was a big leap toward getting average people using much more secure messaging, although it is pretty clear even most 'tech' people don't grasp what is going on or why it is important to be able to use e2ee separate from a combined client+server provider.
Yes, but my argument is more in the realms of "why are there no projects to create an open network using the existing architecture" not "we shouldn't have an open network and completely rely on Signal forever."
I'd still appreciate a source. There's things I'm aware of that I think could be confused with this, but I've seen no indication of them actually wanting to or even caring about forks. Only in the servers.
As far as I can tell, Signal's policy is more "Do what you want, but server costs are high so we don't want to pay for your product. But if you do, here's all the code to give you a start." That's a very different policy from blacklisting.
And as I keep asking others, what's stopping everyone from making a federated Signal? If you can use the same account on both the production/official server and the staging server, why can't you on the production server __and__ a community federated server?
And if they ban you from the production server, so what? Now you're on par with literally every other federated service. Like what is Signal going to do? Stop open sourcing code? That'd be like trying to kill a mosquito by stabbing yourself in the heart. If they're willing to do that, I'd rather it be sooner than later anyways.
So I want a source because I just don't get what you all are complaining about. Is it just that someone else didn't make the thing you want? Sure, I get frustrated, but the comments more come off as Signal being nefarious and I just don't see Signal acting in any way malicious. In fact, hosting links to forks and being a common place for those forks to discuss seems like they are actively supporting them.
Who is complaining? This is confusing. The whole idea about Signal is to compete with mainstream, as well as with the federated, ecosystems by having a single implementation of both client and server, I believe the argument is that only by moving faster is it possible to compete with the more mainstream commercial messengers for the masses and still have reasonable cryptography.
Moxie wrote several articles about this and expanded on this idea in his conference talks. You are very welcome to take the code and write your own messing system, but do not connect to Signal's servers because that costs them money and they will need to take action, sooner or later.
They were very clear that LibreSignal had no future. They have also been very clear that they discourage any non-official distribution of builds. They have repeatedly told the F-Droid project that they will not publish using their reproducible build system, and any user doing the same will be kindly asked to take down their copy. The F-Droid project has complied.
This seems to be a strange thing to discuss. If the above links are representative it may be a popular subject among a subset of users, which seems misguided. Signal does not wish to be xmpp or matrix and neither should they. It must be their right to decide. There are so many chat software projects. If you don't agree with the goals of one of them, you energy is better spent elsewhere.
Lots of people are complaining. It's why Moxie wrote those many articles. It's why there's so many comments bringing up Matrix and others. People were even doing this before Matrix was E2EE! So yeah I'm tired of hearing it so calling people's complaints out. If you don't like it, fix it. It's HN and people are devs here.
The author is no longer CEO, though, and there are a lot of "I" statements in the post. Is it still accurate? Has the current CEO made any comment on it?
It's a great encapsulation of why Signal is not federated, and, unless you find the current CEO stating otherwise, is unlikely to change. Changes like the one detailed in the link simply wouldn't be possible to roll out efficiently in a federated ecosystem.
Signal has consistently focused on helping /most/ users do what they want with the app without sacrificing security. This change - away from requiring phone numbers - helps plug one of the biggest criticisms, both on the security and product side. Nothing about their mission requires federation, so I respect that they haven't sacrificed their mission in order to do it.
I tested matrix in 2021 and found the experience pretty darn awful outside the main client. And by a cursory glance the ecosystem is still pretty much controlled by the matrix.org folks. When I was using it there was a lot of accusations that Synapse did not follow the specification and that server implementera had to reverse engineer what Synapse did to be able to federate.
And talking about that: does federation work properly yet? I used a third party provider and it made my life miserable.
I am all for federation, but in my experience the "federated" part of matrix was a lot worse than the jabber one they want to replace.
Moxie's post looks solid, but there is a counter example: bitcoin nodes. They are a very loose federation of nodes that go through regular upgrades in the protocol. So it is possible.
But yes, it's also very hard. The bitcoin protocol didn't start out that way. It took a lot of knocks and bruises to get to the point they could upgrade all the servers in the federation.
Interestingly, the method bitcoin came up with allows protocol changes to fail, meaning the bulk of the federation never takes them up. Everyone gets a vote, and it only succeeds if the bulk of the federation upgrades. Perhaps from Moxie's point of view that's unacceptable, as it means he is no longer the dictator of the protocol.
Nonetheless, it is possible to design a protocol so it can be upgraded relatively quickly. Even if you don't do add "quick transition" features to a protocol transitions can still haven. IPv6 will replace IPv4. But as Moxie says, it's painfully slow.
It's not [attempting to be an open ecosystem]. Their ToS used to forbid using third party clients. I don't think this has changed. They haven't banned anyone for using third party clients (to the best of my knowledge), but they're openly against an open ecosystem.
It's private, centralised and the network is closed (e.g.: non-federated), but the source code is public and open source. I think that for the server implementation they do code dumps every once in a while, rather than continuously keep it public.
> My understanding is that Signal (the app) is private, not anonymous, centralized, and closed.
You are right about that.
There used to be an open source build called LibreSignal
Moxie Marlinspike made clear [1]: You may inspect the code. You are even allowed to compile it. You are not allowed to connect your self compiled client to our message servers. We are not interested in a federated protocol. Make sure your fork creates its own bubble that does not overlap with Open Wisper Systems. Stop using the name Signal.
> Until now, someone needed to know your phone number to reach you on Signal. Now, you can connect on Signal without needing to hand out your phone number. (You will still need a phone number to register for Signal.) This is where usernames come in.
How about no phone numbers for registration at all?
Matrix doesn't have the same threat model as Signal, and isn't a 1:1 replacement for it. Matrix is great (maybe optimal) for things that would otherwise be Slack channels.
* Gives the servers virtually no control over communications between parties.
* Goes through huge pains to minimize serverside metadata storage.
* Is a sealed system end-to-end; the client and the server are part of a single coherent design that together make promises about privacy and security that apply to every user of the system; Matrix is a protocol ecosystem.
A good example of this is group messaging: Matrix servers control group membership. In Matrix, group membership is key management; a Matrix server decides who can decrypt your group messages. That's not how Signal works! But I don't think anybody seriously thinks Signal is a replacement for a large Slack.
You get that it's the literal opposite, right? There are actual rules, whether you believe NSA follows them or not, about NSA interfering with US servers. Not only are there no rules applying to overseas servers, but interfering with those servers is literally NSA's chartered mission.
Rules historically have not been an impediment to the NSA. Worst case, they can be ignored, best case, they can be interpreted with extreme creativity. Five Eyes partners are not subject to the same rules, and information can be shared freely with them.
This continued insistence (widespread - not just you!) on the benevolence and good faith of US intelligence, post-Snowden, doesn't make any sense to me.
You skipped whether you believe NSA follows them or not. Even if NSA ignores those rules, they have literally no rules about compromising foreign servers; they are required to do so, as part of their job.
Take a step back and note that nobody on HN is going to make an argument premised on "you should trust NSA to follow the rules". You can accept that as an axiom and have easier conversations here.
I guess this whole subthread is based on the assumption that non-US servers are somehow more safe than US servers; I completely agree that's obviously not true, I just want to point out that allies ratified shenanigans to pull between each other to stay compliant with internal regulations on paper but in truth have access to everything about everyone: https://en.wikipedia.org/wiki/Five_Eyes
> Even if NSA ignores those rules, they have literally no rules about compromising foreign servers
This is not good enough. Signal server is a single point of failure: NSA (and any other attacker, e.g., China) knows that the users can't go elsewhere, so it's very easy to target them all (thanks to the Signals's politics of walled garden). In case of Matrix, there are thousands of servers around the world, which you have to find and get into. They can run completely different software. This is not very scalable or easy.
For users who want strong security in messaging, yet an easy way for anyone to use the platform Signal has a much better user experience. Over 95% of my messaging is on Signal. Almost none of those users will benefit in any way by switching to Matrix. While it's a great ecosystem, it's also too much work for people who don't want those features or flexibility.
For users who want strong security is messaging signal should not be considered because they lie to users about their risks, and they store sensitive data in the cloud. It's easy to use and not a bad chat/IM system, but I would never trust it to protect your data.
In the spirit of CALEA, sealed sender basically pushes law enforcement back to good ol' days of "got the time", "got the IP addy", but "we don't know what was said".
My parents, in-laws, grandmother-in-law, and entire extended family is on Signal. It's the extended family group chat, video calls with grandparents/great grandparents, and the baby photo feed. That's mostly because you just install it and it works.
I have no idea how to get my extended family on a Matrix homeserver without extensive handholding. I can barely figure it out myself and I was a huge XMPP nerd that ran my own ejabberd server for years.
That would welcome a world of spam. Sybil identities is currently an unsolved problem, the mitigation is the requirement of unique scarce resources (like phone number in this case)
No, the phone number needs to be known by the other party and you need to accept the "friend" request.
It prevents the creation of an unlimited number of signal accounts by a single user with no cost to the user but cost to signal and other signal users.
edit:
Your are probably right in that it does not change the risk of spam for a single user, as you could guess the phone number or just iterate over all known phone numbers and try to connect to them.
requiring phone numbers only solves the cost problem for signal(The company/legal entity) and lowers(hopefully) the amount of spam that would get send.
You can restrict who can message you first ("start a conversation") to Contacts on Telegram, not sure how spam is an issue. I hope Signal does the same thing.
If I'm reading this correctly, this also means that a person that already has my phone number in their contacts will necessarily be able to link my number to my username after they have scanned my QR code.
By "link" I mean they immediately know what person the username belongs to iff they already had that person's phone number because the chat that is initialized after they scan the QR code is just the old chat being continued.
But if they have my number, why would I be worried that they know my username? The username is there so I can avoid sharing my number, not the other way around.
Ah, that's what you mean. Yeah, if you want to be anonymous to Signal itself, I don't think that's possible. If you want to be anonymous to people, I think you can delete and recreate your account. I think that might do the trick.
If you set your privacy to nobody and someone saves your phone number, to them it will appear that you do not have a signal account, even if they start chatting with you via your handle.
I've been a Signal beta tester on iOS for as long as I remember, knowing that they were going to introduce usernames, and I wanted to get my (relatively common) name as my username. Now they finally introduced it, but they require it to end in at least 2 digits "a choice intended to help keep usernames egalitarian and minimize spoofing".
Edit: this is not actually a serious problem for me, don't worry! Rather, I think it's funny. And honestly I kind of like having the numbers required, it's a good idea. It does remove a lot of the vanity from usernames.
I can't wait to talk to elonmusk420! I'm sure it'll be the real Elon. His online antics are such anyone with that username will instantly trigger Poe's Law. Getting rid of phone numbers as identifiers is a good idea but I think it would be better to just assign user IDs or generate hashes based on user inputs or something.
> generate hashes based on user inputs or something.
Because friend codes were so popular on Nintendo.
Hey add me real quick, my id is 12716472-83647281746-8172649! Or use the hash code, 0x28A56ED9! Super easy to remember, way better than giantrobot22 or vel0city66.
Given nintendo's user base includes a LOT of children who are very young, the long codes may have been a feature, not a bug - the equivalent of a child latch - to slow down/discourage young users from adding people themselves so their parents have a better idea of who they are interacting with.
Don't get me wrong I get there were intentional reasons for it in regard to friend codes and I don't necessarily fully mind with that in mind in that use case. I do kind of wish there was an "I'm 13/18+, let's take the training wheels off" feature though.
I expect it's more a combination of several factors:
- if we don't have usernames we don't have to deal with obscene usernames, trademarked usernames, impersonation claims, and similar
- if we don't have usernames and our generated friend codes aren't guessable, we don't have to worry about people getting random unexpected friend requests from people they don't know
The issue there is "veI0city66". Depending on the font that capital "I" might look identical to a lower case "l". A hash with an alphabet that doesn't include homoglyphs would reduce ambiguity.
There's also the "weedlordbonerhitler69" issue. A user name that seemed hilarious at 16 likely seems less hilarious at 26.
If users were identified with a hash derived from an input user name you could type in "weedlordbonerhitler69" and what would be displayed is a hash on the client side. The contact add UI could simply return the UID for the input username. So you could give out the UID or username and another user could still add you.
> The issue there is "veI0city66". Depending on the font that capital "I" might look identical to a lower case "l". A hash with an alphabet that doesn't include homoglyphs would reduce ambiguity.
They're not going to get mixed up typing it in from me verbally telling me the name. They're not going to get confused typing it in. And even then, validate the user after, that's another feature of signal is in person/out of band validation of the ends. So start the convo the verify through a channel you otherwise trust.
> There's also the "weedlordbonerhitler69" issue. A user name that seemed hilarious at 16 likely seems less hilarious at 26.
And with their setup you can change it at any time, so once again not really an issue.
Usernames are only used for the initial connection, so "getting" a username doesn't really gain you anything other than the "username" you give to people who don't already have you as a contact: "a username is not the profile name that’s displayed in chats, it’s not a permanent handle, and not visible to the people you are chatting with in Signal"
It's a brilliant design choice. At first I was like "What?" and now the more I think about it, the more I realize it is an absolute genius move.
People need to get trained out of (even informally) assuming they can identify someone because their username looks familiar, and this is a great way to do it.
> more or less completely eliminates “vanity names” and the “value”
With notable exceptions, i’m sure, being username69 and username420 and a few others (a similar phenomenon happened in magic the gathering, when they introduced limited edition 500 print runs of cards with the serial number stamped on them, and the only ones you can really sell or command a good price for are 1, 69, 420 and 500)
There is desktop electron app that works mostly OK (as far as electon apps go). Unfortunately, you need a mobile phone with the signal app to start using it.
I think (but don't quote me on this) that you don't need the Signal phone app to start using it. As long as you have a phone that can receive text messages, I think you can also enter the confirmation number into the desktop app.
When my phone gets turned off I get a signal can't connect error message on the current desktop app. I don't know if that's just how my account and desktop app is linked, but that's my current experience.
Actually, I retract my earlier statement. I just successfully sent a message on Signal while my phone was turned off. I'm not sure when that changed or if its different on other machines, but I've definitely seen the yellow warning of not being available to send messages on a different computer in the past month or two.
The Desktop app is definitely independent from your primary device, once it's been linked. The WhatsApp desktop app used to require a connection to your phone, but even they updated it recently to the same architecture as Signal, where each device connects directly to the server.
If you don't open the Desktop app for a few weeks though, there is a "syncing" step where it fetches the recent messages queue from the server (can't remember the exact number, might be the last 1000 messages or all messages from the last 30 days or something similar).
Also, if you forget to open the desktop app for a few weeks, it breaks the link and you have to go get your phone anyway.
And it doesn't show any messages that came in on the phone during that time, so you're missing context and in practice you just have to use the phone for everything anyway.
So basically copying telegram way. That being said, why does Signal still require a phone number in the first place? Exactly, because when needed, it will be used to be linked back to your real identity, it has nothing to do with spam or anything, Signal isn’t a social media with public posts and what not, it is a messaging app.
It is a way to increase usability for casual users, decrease spam by requiring some other source of identity tied to real existence (emails are easier to generate than throwaway phone numbers).
It may decrease privacy philosophically, but it isn't nefarious.
If you want a private messaging platform with zero prerequisite identity, use Briar.
> It is a way to increase usability for casual users
You can keep it as an option.
> decrease spam by requiring some other source
Phone numbers never been a good way to counter spam, just look at social media, you can buy phone numbers in bulk these days, not to mention spam might work in social media because there’s the concept of “public space” where everyone shares and talk, so it does make sense for some bad actors to spam or even trying to influence others, that’s not the case in messaging app, because first I need to know your “unknown” username that I can’t see it elsewhere, and second, the efforts are worthy for such unsolicited message, which in case it was, you can get a burner to send it. The point is requiring a phone number to counter spam doesn’t work, and it doesn’t make sense either for messaging apps.
> If you want a private messaging platform with zero prerequisite identity, use Briar.
Well, personally I don’t use Signal, never will in its current state, but they always try to promote it as privacy messaging app while still relying on a broken system known as GSM.
A lot of spammers opt for media that does not require the effort of obtaining a phone number. It's the bike lock model: no bike lock is ever safe, but as long as your bike is parked next to bikes with a weaker lock, you have a pretty good chance of not having to walk home on foot.
> It may decrease privacy philosophically, but it isn't nefarious.
It doesn't decrease privacy. It decreases anonymity which is distinctly different.
> If you want a private messaging platform with zero prerequisite identity, use Briar.
Or Session which is a fork of Signal that runs it's own network using standard PKI instead of a phone number for identities and a decentralised message delivery/onion routing system.
> It is a way to increase usability for casual users, decrease spam by requiring some other source of identity tied to real existence (emails are easier to generate than throwaway phone numbers).
You either end up discriminating against users who have to use VOIP for whatever reasons (and there are legitimate reasons) by blocking VOIP numbers, or your barrier to entry for spammers is almost negligible. It's not a good system.
If you want to prove that users are humans, use a webcam and an id, or delegate the task to some bigcorp who already has a similar system. If that's too much for you in terms of privacy, you shouldn't be attempting to prove that users are humans in the first place. Maybe you should prevent spam via product driven solutions, e.g. whitelisted contacts.
As if you can't get a whole lot of information on most people with just their phone number. The number of people whose Signal ID is built off a burner phone ad no longer traceable back to them is miniscule.
> As if you can't get a whole lot of information on most people with just their phone number. The number of people whose Signal ID is built off a burner phone ad no longer traceable back to them is miniscule.
Yes, but what are you going to do with this information? All you know is how long they've been a signal user and when they last connected.
You're not thinking this through. You might have someone else's device with access to their signal chats, but need to confirm the identity of someone they're talking to. You might have been able to ID a person but only have had temporary access to the message data (eg undercover agents who sneak or are granted a look at someone else's Signal messages). You might have a Signal conversation with someone you suspect of crime, and want to establish correlation with their use of signal (by most-recently-accessed timestamps) and some other activity.
That doesn't explain why it has nothing to do with spam.
If you know how to build an anonymous communication platform, that is convenient to use, and is also spam resistant/proof, you have the miracle platform idea.
That's why Signal only stores your phone number (and when you last connected) - they know nothing about your real identity, so they can't link it back to you.
And then when you're faced with potential criminal suits and/or the security state coming after you for "national security" reasons, you implement the tracking the government wants so you don't potentially go to trial and/or prison.
Obviously doesn't include warrants they may have received where a gag order is in place, but you can see from the responses they do publish that they only store phone number, initial registration date, and last connection date.
They love to brag about the times when they were asked to hand over data and they had to tell the feds that they couldn't because that kind of data was never collected or stored in their systems in the first place. They still love to brag about it, but it's no longer true. They now collect and permanently store in the cloud exactly the kind of data that the police and feds were asking them to provide. Your name, your phone number, your username, your profile picture, and most importantly a list of everyone you have contacted with signal.
This is in direct opposition to the very first line of their privacy policy which lies when it states "Signal is designed to never collect or store any sensitive information." and they've refused for years now to correct that lie and update their policy to detail all the new data collection they're doing.
Do you have details on this? Given that usernames just came out, I don’t expect they’re storing many of them, but I’m interested in specifically a source for “a list of everyone you have contacted with signal”
This has been true for many years now. At the time it caused a major uproar among the userbase (myself included) whose concerns were almost entirely ignored. Their misleading communication at the time caused a lot of confusion, but if you didn't know that Signal was collecting this data that should tell you everything you need to know about how trustworthy they are.
Note that the "solution" of disabling pins mentioned at the end of that last article was later shown to not prevent the collection and storage of user data. It was just giving users a false sense of security. To this day there is no way to opt out of the data collection.
My personal feeling is that Signal is compromised and the fact that the very first sentence of their privacy policy is a lie and they refuse to update it to detail their new data collection is a big fat dead canary warning people to find a new solution for secured communication. Other very questionable Signal moves that make me wonder if it wasn't an effort to drive people away from the platform as loudly as they were allowed to include the killing off of one of the most popular features (the ability to get both secured messages and insecure SMS/MMS in the same app) and the introduction of weird crypto shit nobody was asking for.
I was a user and a fan. Spent years recommending Signal to others. People are pretty used to software turning to shit but it still sucks to have to reach out to tell people they should look for alternatives to the software I'd once recommended to them.
I swear if VLC ever turns evil I'm giving up on recommending software forever (in the meantime, check out VLC if you haven't already!).
> I was a user and a fan. Spent years recommending Signal to others.
I don’t blame you, I think it did start with a good promise initially, but I believe just like anything centralized that turns big, it will become evil.
> in the meantime, check out VLC if you haven't already!
The player? Or is that a new messaging app? For messaging I usually use Matrix/simpleX/Session.
Even before they added all the data collection and cloud storage 'sealed sender' didn't do much to protect users.
"Even under the sealed sender, observers said, Signal will continue to map senders' IP addresses. That information, combined with recipient IDs and message times, means that Signal continues to leave a wake of potentially sensitive metadata. Still, by removing the "from" information from the outside of Signal messages, the service is incrementally raising the bar." (https://arstechnica.com/information-technology/2018/10/new-s...)
A couple years after that "incremental" improvement Signal started keeping everything forever in the cloud which means that today governments can get a signal user's information just by brute forcing a PIN
At this point that's entirely unclear. Because they're keeping your data in the cloud my guess is that the US government can easily access that data and any other government can get anyone's data as long as they can guess the person's PIN. You can find a discussion on the problems with their security here: https://community.signalusers.org/t/proper-secure-value-secu...
> We use third-party services to send a registration code via SMS or voice call in order to verify that the person in possession of a given phone number actually intended to sign up for a Signal account. This is a critical step in helping to prevent spam accounts from signing up for the service and rendering it completely unusable—a non-trivial problem for any popular messaging app.
I'm not sure why you need to assume that it will be linked back to your real identity; I haven't seen anything that indicates any motivation to do something like that. I'm all for being cautious, but being overly cynical can lead to letting perfect being the enemy of the good.
For the spam part, I commented below how’s that doesn’t work and it doesn’t even make sense for a messaging app.
> I'm not sure why you need to assume that it will be linked back to your real identity;
I’m not assuming, only North America (edit: and some European countries) doesn’t require an ID for a phone number (1), and even in here, you would use it in other services that are linked to your real ID like banks or paying the phone bill online. The concept simply boils down to as soon as you find an account’s phone number, it’s a game over for that said privacy.
> The concept simply boils down to as soon as you find an account’s phone number, it’s a game over for that said privacy
You completely misunderstand what kind of privacy Signal aims to achieve. Signal protects you from eavesdropping and data hoarding, two major privacy issues with solutions like Facebook Messenger for example.
They do not and have never claimed to offer a service where “privacy” means nobody knows who anyone is, it isn’t Tor and I wouldn’t want it to be.
If you don’t like the goals and design choices of Signal, just use another service.
There are benefits of the choices they’ve made, namely ensuring that most users of the service are “real people”, which I think is great. It’s not a social network, it’s a messaging app between friends that solves issues presented by alternatives like SMS or Instagram; that’s it.
As long as you can’t host and use your own server, you should never assume that.
> There are benefits of the choices they’ve made, namely ensuring that most users of the service are “real people”
You communicate with your colleagues and clients over emails and you know they are real, you probably play games too and use discord and you know they are real, meanwhile you can be talking to bot in twitter that they are registered with a “real” phone number.
Focus on the issue, not the person (Tucker), you might not trust a person which is fair, but you are still trusting Signal’s server, you can NEVER know if they have a memory injection backdoor running in there, you can audit the code as much as you want and it still passes, yet, the messages are compromised.
There are ways of getting messages without breaking Signal or using a backdoor. One of them is getting the messages from the other party(ies) involved. You can't protect yourself from this even if you self host. Something else that might happen is you ending up with your phone hacked because you're talking with someone close to Putin.
The only way to know for sure is for you to create an alternative service, write all code yourself, and host everything without ever leaving your server alone. And even then you can't be sure you haven't been hacked.
On a side note, if we're getting information from someone that lies a lot and often leaves out details that don't fit the narrative, then perhaps we should also look at the person, not just the issue.
> One of them is getting the messages from the other party(ies) involved. You can't protect yourself from this even if you self host.
You certainly can, the self destruction messages are one of the ways, sure, it is not the only solution as you need to make sure the OS is secure itself too, but definitely helps in that case, no messages stored at rest and all are encrypted in transit.
> Something else that might happen is you ending up with your phone hacked
Which is essential to have a messaging platform that allows multi-client/cross platform, say running that app on a hardened OS is an option and possible compared to only iOS with a phone a number for example.
> write all code yourself, and host everything without ever leaving your server alone.
You don’t need to write it yourself, as long as you can read it, and host it knowing no other services are spying on that server, should be miles ahead of other apps like signal, sure, you can still have that server breached, but first you need to know where’s that server, or even you are using this messaging app in the first place, contrary to Signal for example, all I need is checking if you use it by the phone number. Not to mention it will make it harder for whoever is trying to spy on you, if most people ran their instances, but that’s a little bit more of a dream as the average person won’t, but at least the option should be provided.
Signal makes the app open source and you can build it yourself and use it. The messages are E2EE so we don't need to trust the server in the same way because they aren't being decrypted there. They can't have the key. They could be logging the messages and metadata, but that's a different argument. And it really would come down to the NSA being able to hack AES with a quantum encryption (though I don't think this was out at that time). So I have pretty good reason to trust signal despite there still being some gray areas that I could still want more light on. It's just that we're the shadows are I'm unconvinced it could undermine the whole system. You can't fit an elephant in the shadow of a mouse.
On the other hand Tucker isn't even being consistent in his telling of the story. He says that he hasn't told anyone and makes a big deal to even mention his wife, so we think even his closest confidants. But then what message did he send over signal that was extracted? The personal notes? There's also much more reasonable pathways for the NSA to get that information. If he's researching and just storing notes on signal he's still leaving breadcrumbs somewhere. He's a popular news host so I'd be surprised if the NSA hasn't tried to compromise his whole phone, and signal only protects your messages in transit. The only evidence we have is his word that someone from the NSA told him. Which itself would be really weird because it'd completely undermine that capability or imo a more likely explanation is someone is lying. Gov does disinformation all the time and convincing people a secure channel isn't seems pretty useful since they'll turn to easier methods.
So I don't have to rely on my distrust of Tucker or his history of misinformation. If this was my only and first encounter there's more than enough for me to be suspicious in just his telling.
It's a lot less like data hoarding than keeping a separate copy of your social graph. What is an adversary going to do with a list of phone numbers that are known to have signal accounts and nothing else?
Because they don’t know anything except the phone number so all they have is a list of phone numbers which maybe people use. Quite different from Facebook reading everything you send, for example
> On the opposite end of the spectrum, users who want to live on the edge can enable an optional setting that allows them to receive incoming “sealed sender” messages from non-contacts and people with whom they haven’t shared their profile or delivery token. This comes at the increased risk of abuse, but allows for every incoming message to be sent with “sealed sender,” without requiring any normal message traffic to first discover a profile key.
By default, the first message between someone and you clearly identifies who is communicating with whom. That's enough.
We don't know whether an intelligence agency is listening in on their servers and logging this data.
Assuming an eavesdropper that can defeat TLS or is listening via DMA attacks on the signal servers,
- you can log initial signup or login, which allows you to connect user id and phone number
- you can log the first time a chat is created, which allows you to build a social graph of which person is connected to which other people
- even with sealed sender, you still know the identity of the receiver and the IP address of the sender, which is often enough to figure out who is in contact with whom
This would be enough dragnet surveillance to automatically figure out the contacts of people you've already identified as threats. You'd also have enough evidence to get a sealed court order to do targeted surveillance on these people.
And how to these black markets connect the phone numbers to names? I guess from data collected from more insecure sources. So I think Signal is being responsible with their data.
Also, you need some way to log in to your account. So you need an identifier and some way to validate that you are the owner of that identity. And next to that you want to prevent spam. So I think the choice to use a phone number as an identifier for a text-messaging app that is meant to be a secure replacement of SMS is not that weird.
But let's say they are data hoarding our phone numbers, and they can get other details about us through the black market because we use other more insecure services where we suddenly don't seem to care about privacy. Then what do you think Signal does with this data? They can't resell it because they don't have anything unique, they actually need to invest money to link their database of just phone numbers to something else. And then? What malicious things will they be able to do?
Ok, now you have a list of people's names and you know they have signal installed. Google and Apple also have this (presuming you installed it via a mobile app store). Your carrier has this (from the IP addresses on your messages).
What have you gained? What does the attack look like?
Hoarding =/= collecting the bare necessities. Signal needs one piece of data to distinguish users from each other, and collects that. Hoarding would be to collect (significantly) more pieces of identifying data, more than needed to distinguish users. Signal does not appear to be doing that.
The news today is a step in the right direction for sure, but more needs to be done if they want more privacy and anonymity-focused people to use it. This section on what makes a good messaging platform still resonates: https://dessalines.github.io/essays/why_not_signal.html#what...
Neither Signal nor Telegram allow to pay a small amount in cryptocurrency to prove you are not a spammer. This shows that they are really interested in knowing who is their user.
Sure, but that means that your phone number is linked to your identity even without Signal? There's no additional data that Signal links to it, other than that you're a Signal user and when you sent your last message.
Your previous question was "I'm not sure why you need to assume that it will be linked back to your real identity?"
If it's not possible to buy a phone without a strong attestation of identity, as is the general case in at least one country, then the identity relationship is baked in.
It's probably possible to buy a burner phone even in South Korea. But for those who are using their standard-issue phone with Signal, the problem most certainly exists.
And even in countries where there isn't some national phone-as-identifier policy, effectively most people's phone numbers tie them to their real-space identity even if there's no explicit personal data association[1], and in most cases, phone number, IMEI, AAID, and/or billing data (credit card payment authorisation) provide far greater assurance.
Point remains that 33 bits will identify any given person among the 8 billions now living, and a phone number itself, plus ancillary leakage (activity patterns, location) are an exceptionally poor basis for an anonymous or pseudonymous identifier.
Definitely not a copy of Telegram. I'm not actually sure what the draw is with Telegram but given it's origins I'll choose Signal over Telegram.
If you read the thread the linkage between a phone number and a Signal account cuts down on fake accounts significantly - which has nothing to do with "social media" but it does have a lot to do with SPAM as you've incorrectly stated. I understand why it's not ideal, but there are tradeoffs in both directions. It's unlikely that usernames are going to expose users more than they currently are if they're already using Signal. And it's also unlikely that this new feature changes much, but I welcome the ability to prevent users from associating my known number to my Signal account. In this way the security model has improved considerably.
I know right? Telegram is one of my favourite iPhone apps, hands down, purely on the basis of the interface. It’s also incredibly performant, which means a lot considering I use a 6S model from 2015. In comparison, the last discord update became literally unusable, for performance reasons (it was so bad, i ended up deleting it).
Telegram has channels and groups that work in a weird but very useful way. That's mostly the draw for me, not really the private messaging. Though the UX is just amazing, even for private messages. Everything is just super neat and where you expect it to be. I'd still probably not use it if it wasn't for how channels work
This feature requires you to press the button that says “make myself visible” — and then it shares location. Like most apps, you can deny the location access at a system level and never worry about it.
The interesting thing is that it does share your location when you open that screen even before you click that button. I don’t know why they did it, but it is definitely a shady thing.
Because the social graph sitting in people's phone address books isn't easily replicated, and using phone numbers is basically the only chance of overcoming the chicken-and-egg problem with network effect.
There are no backups available on the iPhone/iPad app, only a device-to-device transfer while setting up a new device assuming your previous device and new device are both iPhones/iPads. This is despite support for apps storing files to the filesystem that was added some years ago now, and many other apps on those platforms supporting backups of custom file formats (or JSON, etc.).
My cousin comment [1] provides a bit more detail, but this is not available on iOS/iPadOS despite Apple allowing apps to save files to the filesystem and many other apps supporting this for years now.
I see it, but it just looks like it uses internal storage. So far as I know, there's no Drive File Stream/Dropbox sync for Android, so you'd still lose your shit if you weren't manually backing them up somewhere.
I doubt that's a habit many people will develop for a setting they didn't even know existed.
It's not going to help a casual user but I solved the problem by putting the Signal backup in a Syncthing shared folder. It's been a workable solution at least 2 phone swaps now
Please stop peddling this horrible experience as a form of a valid backup. A process that requires full manual interaction and requires you to know ahead of time when your phone will break or be stolen is not a useful backup process.
I think GP is being a little too harsh, but I also think you're being a little too generous. If it requires a third-party tool like sync thing, then it seems like a hard point to argue that signal has Auto backups. It's better than nothing, but it is definitely not as seamless as most users would expect from a backup solution.
It doesn't "require" Syncthing, I just choose to use it. I could choose to keep it on my device, or upload it to Dropbox or something else. Even keeping it locally is still a backup that protects against the device corrupting it's local database or accidentally getting uninstalled / cleared.
There's no single obvious thing called "this is what everyone wants from backup".
> My Signal auto-backups every night to a device folder which I then replicate off with Syncthing
> It doesn't "require" Syncthing
I'm talking about your solution, and yes it does seem to require syncthing, unless you are using some fourth party tool that sets up syncthing automatically for you, and in that case it still isn't built in to Signal.
There are other possible solutions, but you used your solution as an example. If you have a different solution that doens't require syncthing and also doesn't require manual intervention (i.e. Signal app can automate the process), please share it. Remember what the comment said that we are replying to:
> Please stop peddling this horrible experience as a form of a valid backup. A process that requires full manual interaction and requires you to know ahead of time when your phone will break or be stolen is not a useful backup process.
Did you not have to manually setup syncthing (or some other sync tool) to get it working? Or do you know of some way to do that with just Signal?
Unless you are saying that Signal has a built-in backup solution that doesn't require manual intervention (like configuring some sort of third-party syncing service) then you aren't rebutting anything.
If we're widening the definition of "manual intervention" to "I have to configure my device to do what I want", then yes. Setting up backups is a task that requires a manual intervention.
You want signal to fully automate the process of configuring your device with an arbitrary third party service to send backups to with zero "manual intervention"? I think you're asking for the moon on a stick.
It's pretty safe to say that most users will want a type of "backup" that actually leaves the device so the data doesn't disappear if your phone falls out of your pocket and breaks or gets stolen.
It's after all, a device that's carried around and much easier to destroy than pretty much any other.
For most of population (you know, the ones we all want to get onto Signal so they stop using Meta and Apple stuff) not losing their valuable pictures, memories and conversations is way above the paranoia of some theoretical government official deciding to give up while trying to unlock your phone.
I don't think that's a safe assumption at all. And even if it were, there's eleventy billion different ways to have the data leave the device and wind up somewhere else.
Should Signal support/implement all of these? Some of them? Which ones?
They're pretty bad. You can't specify where the backup goes, so if you are running low on storage space (eg if you have a lot of photos or videos to back up) and add an SD card, tough luck because you can't save there. The best you can do is manually export your media (also without any choice over where it goes) and then manually move it to the SD card to make space on your internal storage. They say this is for security but if an attacker is in a position to export your backup, they are already in your signal account.
Same story with the PIN signal requires if you haven't used it in a few hours. It's the same as your phone PIN and there isn't anywhere you can change it, so it's just security theater.
> Same story with the PIN signal requires if you haven't used it in a few hours. It's the same as your phone PIN and there isn't anywhere you can change it, so it's just security theater.
This is not the Signal PIN. It sounds like you have the Screen Lock option enabled.
Oh, please, stop already with this phone number nonsense. I want to use signal from my computer, without need for a mobile phone at all. (Also, to be able to easily synchronize history between different computers).
I'd willingly provide a copy of an official ID to rid my Signal and Whatsapp accounts from the phone number. I mean, if it's good enough for the mobile company, why not just skip the middleman?
No idea about signal, but I haven't encountered any recent verification that worked on anything but a non-VoIP mobile number. My landline is useless for this and it isn't even VoIP.
I couldn't believe it when I first signed up for Signal and people who had my number were * sent notifications * that I had just signed up. This could've included people I had blocked on my phone.
Same. One included an unstable individual who I was happy had forgotten me. Suddenly he messages me out of nowhere -- "Oh hey, you still exist! And you just installed Signal.... hmm, given what day it is, I'm guessing you're at such-and-such event?"
I think the Signal devs hadn't thought this through at all and just blindly copied what Telegram was already doing thinking it must be cool and trendy with the masses, without understanding their core user base at all.
Same with prioritizing stories, stickers and crypto payments as core features of Signal when that's not what most of their users care for. Meanwhile there's still no official way to port your existing chat history on PC and iOS to your new device, or support for Android tablets. Obviously, stickers are more important.
Signal (and Signal's phone number model) predates Telegram. It was designed as an SMS and WhatsApp replacement; that is, it was originally designed to replace insecure phone-number-addressed systems.
Obviously, the cryptographic guarantees of the two systems aren't even close to comparable.
They're messengers. They have messenger features. The details of how those features are implemented is what matter. Last I checked, Telegram doesn't even have encrypted group messaging, and it has a serverside database of who's talking to who.
I don't know what "feature" you're talking about not existing until 2014, but before Open Whisper Systems, the thing we call Signal was "TextSecure", a literal SMS replacement.
This is true. At every point where Telegram and Signal had the choice between being a pleasant messenger experience or being secure and private, each made decisions consistent with all their previous decisions.
Forcing you to use your phone number and then the same second you created your account go behind your back and spam everyone you just did so is neither private nor something many would associate with secure.
I guess something doesn't have to be secure if you can pretend it is public.
Of course Signal has carefully designed their goals to allow them to do that but in doing so that is a straight up asshole move in a context where they should be seeking trust?
Absolutely mind bending.
This is a great improvement, but they have already proven they can't be trusted with anyone's phone number so it is a damn shame they still won't allow you to create an account without one.
It is a decent service otherwise, but my fricking god I hope they at some point realize the harm they've done.
Up until today I've been ashamed of suggesting signal. Hopefully that will change with this feature.
My general experience in discussing this over the last 10 years is that nerds like us generally find it absolutely mindbending when privacy services make decisions in the interests of ordinary people, such as using the phone-number-based addressing ordinary people already use in order to minimize serverside metadata. But I think it mostly just speaks to how carefully people aren't thinking about the project's goals, and the fixation they have on their own goals. A lot of people are just super angry they can't write their own TUI for Signal.
Having to share your phone number does not meaningfully affect security and privacy. Being able to sign up without a phone number enables anonymity. Anonymity and privacy are related, to be sure, but anonymity is not required for privacy.
I think it's a mischaracterization to say that they spam "everyone" when you create an account. They only tell others who a) have you in their contact lists, and b) have an account with Signal too. I agree, though, that they should be more transparent about this, and require that you opt in to this behavior.
Personally, though, I don't mind it; for the most part this is how I've discovered other contacts on Signal, and vice versa. But I can understand why it makes some people uncomfortable.
What I find "absolutely mind bending" is that this is such a big deal-breaker for people such as yourself. While I wouldn't call it a nothingburger, it's -- to me -- at most a simple error in assuming what people are comfortable with.
Edit: I re-read what a few others had said upthread about how indiscriminate this new-user notification is. The examples of notifications being sent to users that had been blocked via the phone's built-in call/SMS blocking features are especially chilling. There's really no excuse for that, but still, to me this automatic notification is a feature developed in good faith, with good intentions, not some nefarious privacy invasion. They should be taken to task for its failings, but dismissing the entire platform over it seems a bit over the top.
> Having to share your phone number does not meaningfully affect security and privacy.
Of course it does, way more than "meaningfully". I actually wonder if I got your message right taken that I am not a native speaker of English.
Do you mean that if your phone is public (and you are known to be the owner) you will not get creepy calls, have ot listed as a free pizza delivery for calls after 23:00, having it blacklisted, ....
I must have understood wrong.
Otherwise what is the number of your president/prime minister? Or the CEO of Google/Apple/... I do not think they are public.
TextSecure and Redphone did not upload your contacts to the cloud. No need to be a security expert to know that it's unwise to leak user state to contacts. In fact textsecure (now Silence) is the first SMS app to have a different colors for each contact to help the user avoid mistakingly messaging the wrong person.
Stickers are more important because just like every other tech company, growth is the only way to stay in business. You can just run a business on delivering a good product to your customers anymore. You have to grow constantly, which means bringing in new customers which, by definition, aren't part of the core user base. It's gross and depressing and it enshitifies everything
>You can just run a business on delivering a good product to your customers anymore.
Who said Signal was a good product to begin with? And who though adding sticker would improve market share?
Casual users value UX and porting their chat history and VoIP calling vastly more than they value E-2-E encryption. You can't talk about growth when you fail to deliver on these fronts first. That's how Telegram and WhatsApps rule the market.
Adding stickers won't move the userbase needle when you already lost your potential users at the lack of chat history and UX.
That's not the point. The point is if stickers make people love Signal. Sticker are popular on other platforms as well but because those platforms are popular not because they have stickers.
What fantasy land are you posting from? Signal has 40 million users as of 2022 (this was the first stat I found on a quick DDG search, which is all the effort your post deserves).
Also: "Who said Signal was a good product to begin with?" LOL. Just read the comments on this link bro.
How does Signal count it's active userbase? Like I said, me and almost everyone else I know have it installed but don't regularly use it because most people don't really like it versus the established Telegram and Whatsapp.
Signal is known to store two points of data per (hashed) phone number: the first login date, and the most recent login date. The second point is sufficient to get a user count.
Having a "most recent login" doesn't prove someone is an active user. I use it about once every two days, am I also an active users? Compare that to WhatsApp which most people use multiple times a day or even multiple times per hour, and you get the picture of how popular or lack thereof Signal is by comparison.
Like I said, a lot of people have Signal, but very few use it as their primary messenger on a regular basis, and more of a "it's just there in case one of those tech nerds who told me to install it decided to message me on"
Yes, that is definitely a non-standard definition of "active user". It's not really a relative term - if you're signed in and sending/receiving messages, you're an active user.
Nothing about Signal is haphazardly borrowed from Telegram. The feature we're discussing was chosen to help Signal to grow from a few thousand users to 50M+ without needing to build a social graph on Signal servers.
This mechanism may not be ideal for all users, and it's possible that Signal has now outgrown it, but without it, there would be no Signal as we know it today.
>The feature we're discussing was chosen to help Signal to grow from a few thousand users to 50M+ without needing to build a social graph on Signal servers.
How did THAT feature help Signal grow?
You only receive that spammy message if you already have Signal installed and your contact already has it too.
Signal grew a lot in 2021 (in Europe) because of the pandemonium created by Meta when they announced a change in WhatsApp Privacy Policy so everyone rushed to install Signal but the initial surge, was short lived.
Moving the clocks forward to today, looking at my extended network of family, friends and acquaintances, almost everyone has Signal installed, but most don't use it anymore as it's too frustrating and feels dead, so everything is still on WhatsApp, especially groups. All the Signal groups I have, originally meant to replace the WhatsApp groups, slowly died out and people stopped posting on them or following them, defaulting instead back to the WhatsApp groups.
You don't fix this lack of retention with stickers and spammy messenges.
I was all excited about Signal, but rarely use it because of this very feature. Once it started sending me notices about other users, I was extremely not happy. I was very hesitant since one of the first things it did was ask for access to contacts. I'm still pissed at myself for allowing it.
> We've discussed at length why this is not possible, but if you have more thoughts then please visit the forums. Please try not to open duplicate issues in the future, even if you feel like something is important.
The list of phone numbers with signal accounts is basically public. It kind of has to be. When a new number gets added and it matches someone in your address book, your app will tell you that one of your contacts has joined. People have always had the ability to turn off that feature, but that's not what the feature request seems to be asking.
People seem to be asking for a way they can join Signal without their number showing up in the registry of Signal users. This is why it's "not possible".
edit: This may have changed today. I'm now seeing an option that lets me hide my number from the registry. This means that even someone with my phone number will not be able to message me on Signal, which seems like a good deal to me.
After I realized this happened to me, I uninstalled signal. But because of the way signal jumps in and replaces normal sms, I found out later that signal users were no longer sending/receiving plain text messages to/from me properly. I forget the details but it was really frustrating.. first it ate my contact list and contacted them, then after I uninstalled it held those contacts hostage, breaking comms with them because those users didn’t know they were still signaling me, not using a normal text message. I text, they reply with signal, I can’t ask them to uninstall their app, so now if I don’t reinstall the app myself or borrow a friends phone to try and reconfigure it then I guess we’re now out of touch forever? It’s not privacy-friendly to replace or hide built in functionality, it’s just an attempt to coerce people and to bolster your user numbers.
>now if I don’t reinstall the app myself or borrow a friends phone to try and reconfigure it then I guess we’re now out of touch forever? It’s not privacy-friendly to replace or hide built in functionality, it’s just an attempt to coerce people and to bolster your user numbers.
yeah, you need to authenticate to delete the account (aka deregister). How else would they verify that you are the owner of the account you want to delete?
So because they elected to blur the line between their own opt in service and a built in service, I have to jump through extra hoops to properly opt out and get my comms back up? That’s if you even realize any of this is happening. Whether it’s down to design or to negligence, that’s a pretty hostile user experience and it feels deliberate, especially since they pawed through my Contacts to “help” me into this position. I felt disrespected and no longer very confident in their stated values/mission. Hard to use or recommend after something like that
It would be interesting to know whether signal decided to fix the awful UX I’m describing or if the android/iOS app stores noticed the abuse and disallowed it
This and the iPad "We'll remind you later" iPad notification nag are significant problems. I am a big supporter of Signal, but it's certainly hostile to those escaping an abusive situation. Usernames are a step in the right direction at least.
Yes, this drove at least two people I know/encouraged to use it off the platform. When people see this they also think that Signal snooped their contacts. Very bad.
Hi there, engineer on the Signal Android app here. Just an FYI that the notifications are generated on the receiving client by detecting that one of their contacts newly showed up as a registered user -- they're not "sent out" by you when you register or anything. Also, these notifications have defaulted to being disabled for the last 1.5 years or so. So only people who go into their settings to manually turn them on should be seeing them at this point.
That said, the complaint around this is usually that people don't want others to know that they use Signal. And unfortunately there was no way to _really_ do that (until now), because if you open your chat list, you'll see all of your registered contacts. But in the 7.0 release, we added the ability to hide yourself from being discoverable by phone number at all. So for people who don't want anyone else to know that their phone number is registered with Signal, they now have that option.
How come it wasn't the default right from the start?
How can a privacy oriented company not see the privacy implication of this? Sometimes, you want to be forgotten by some people, and Signal is telling them you are still there and active on that number. I remember reading a story about someone getting into real trouble for that.
Without "usernames", the proper way to handle it would have been to not let anyone know you are on signal when they look up your number. To get into contact, send a message, then the recipient will receive a notification with the message and an option to rely. If the recipient doesn't respond, from the sender point of view, it should be as if the account didn't exist.
I personally don't have a problem with this feature, and it's actually how I discovered Signal use among many of my friends.
But I think it's inexcusable that these sorts of notifications could essentially allow someone to circumvent blocking done by one of their contacts. If I've blocked someone via my phone's default contact blocking mechanism, and then I join Signal, and that person is already on Signal, they should not suddenly be able to contact me... and even be explicitly invited to do so on their end!
I wouldn't be surprised, though, if neither Android nor iOS gives regular apps access to the blocked contacts list. So I'm not really sure how an app like Signal could solve this problem.
Oh yeah, privacy oriented messaging app requires phone number for sign up. Telegram has this feature for years already? It seems to me that they are positioning themselves as privacy saviours just because they are non-profit organization and their app is open source.
Maybe in the US you don‘t need to mandatory register a phone number with a valid id, in most of the world you have to. If anyone can require the phone company to reveal your identity, it‘s the government.
The TL;DR is that they collect and forever store sensitive data in the cloud, meaning that the US gov could almost certainly access that data and any other government could access any one person's data too just by brute forcing a PIN
Source code is open source doesn't mean squat for safety. Have you audited the code? Do you have the skills etc required to prove its not backdoored?
Because I know I don't have that skill set or time. I do have however some big fat red flags on using it because it was opted for by an entity whose entire existence is based around backdoors and spying.
Honestly i find it absurd that some folks say just because something is open source it's automatically safe. The vast majority of us whether the project is open source or not lack the skill or capacity to pick up on a well obfuscated hole. Hell even the best of us aren't that good.
Signal is one of the great undertakings of our time. And it's one of the last bastions of internet freedom.
A free-to-use global communications platform that doesn't censor, respects user privacy from the ground-up, and is run by a non-profit foundation that is faithfully dedicated to its mission. https://signal.org/bigbrother/.
We should support it. If you haven't already, then consider signing up for a recurring donation to the Signal Foundation. I try to give what I can afford, because I believe that digital freedom is essential for the progress of all humankind, https://signal.org/donate/
Without such projects, our civilization will stagnate and die in darkness.
It encrypts your metadata (the most important data) and doesn't use it to manipulate you. It's a non-profit. And now you can use it without exposing your phone number to other users.
Whatsapp only e2e encrypts message contents. The only thing Signal knows about you at any given time is the time of account creation and the date of your account’s last connection to Signal servers. That's tied to your phone number. They don't know who you chat with, the contents of those messages, your phone contacts, anything.
I'd get a chuckle out of comparing that with the privacy of Whatsapp.
Again: Metadata. WhatsApp records a timestamp of every message you send/receive, and who the other party is. Signal only records two pieces of metadata: timestamp of when you signed up, timestamp of the last time you sent a message.
1. Facebook owns WhatsApp and uses it to collect data about people, such as who they communicate with, how and when. They also know about many of the websites you visit and what you do there. They know everything you do on Facebook, Facebook Messenger and Instagram. They buy mountains of data about us from other sources. By analysing all of that data they can probably do a reasonable job at guessing the content of your WhatsApp messages.
2. WhatsApp tries to get every user to accept the option to backup messages and photos to Google Drive, where they sit unencrypted and accessible by Google. Even if you reject that option yourself, your correspondents are likely to have enabled it (if only just to stop WhatsApp from nagging about it) and so your messages are available for Google to read. Example of why this can be bad: https://www.vice.com/en/article/zm8q43/paul-manafort-icloud-...
3. Google Photos asks WhatsApp users if they'd like it to back up their WhatsApp photos. Even if you reject that option, your correspondents may have enabled it and so your photos are stored online unencrypted and accessible by Google.
4. Why should we limit what Google and Facebook know about us? Google and Facebook influence our behaviour for the benefit of their paying customers. Their computer systems are too powerful for our minds. They work against us, not for us. Companies like Facebook will come to be seen like tobacco companies, except that the harm is as from mind altering drugs. There is a documentary on Netflix called The Social Dilemma which explains this well. The polarisation of societies and the spread of conspiracy theories are some of the effects. The only defence is to disengage.
My 2¢, as someone who tried using WhatsApp once and ran away screaming:
WhatsApp requires you to give it access to all your contacts (your entire address book) in order to use it at all. This information is uploaded straight to Facebook’s servers where they’ll inevitably use it to place your WhatsApp account in a social graph so they know who you are based on your contacts. I found this to be unacceptable so I uninstalled it.
Even if all the other things sibling posters mentioned didn't exist, the simple fact that Whatsapp is owned by Meta and Signal is not... well, that'd be enough for me.
Yeah, nah, it might be fashionable but I'm not 100% convinced that it's not an operation intended to be a lightening rod for "private" communication.
Given how tightly they control development, disallow third-party clients, disallow federation, disallow self-hosting servers, have a history if disallowing use without google play and have hid huge development features from the public (mobile-coin) despite being open source. etc;
The idea that it's a great undertaking of our time is so bombastic that it's guaranteed to be false even if you truly believe that they are completely altruistic (which I'm willing to believe but it's not coming easy to me based on the above).
"What's better"? Matrix. Which seeks to solve all of my points, the only thing lacking is market share which honestly is partially caused by these "easy to use" services which trade off everything else, which also consumes developer mind-share even if you're unwilling to acknowledge that. (devs are motivated to solve issues for friends, family and themselves if they are exposed more frequently to systems and services that are sub-par).
I don't know if there is a straightforward correlation. I agree that my first Matrix experience was also not that satisfactory, but my university switched from XMPP to Matrix. I really liked conversations and quicksy. It just worked for me out of the box even with OTR stuff. However, it seems that there was not enough development on the server side, which I guess it led to the switch by our computing Center. Also the whole German health system as well as the army is switching to Matrix. I still think it is completely over engineered but it has a decent push.
I think this is a false dilemma; you can have the high-quality implementations and be more open.
I've criticized Matrix before for their "protocol-first" approach and "too neutral" stance towards clients (which they've changed somewhat it seems; previously [1] was a table of clients with no clue what to choose, now it at least has "featured clients"). I feel they repeated the same mistakes as XMPP, which has not improved their client list.[2] Protocol nerds will say that's a good thing, but all it really does is ensure your protocol remains marginal because most people just get confused. People choose software, not protocols.
But you can write a high-quality client and a specification and allow people to write their own apps. IMHO Signal is needlessly restrictive. Sure, focus on your own implementation and the quality of that first. 100% the right decision. But there's no reason to not at least allow some things down the line. Signal is just a few months shy of their tenth birthday – they're well past the "ensure the quality of our official client"-phase.
At the end of the day, the problem with this model is that it expects free labor to take over the next part. Which might work for a little bit -- until it doesn't. Then you have the situation we're currently in where everything related to matrix is mediocre.
As soon as you do that though, it becomes a nightmare to adjust anything about the protocol, and you end up with incompatible clients. So you can use the app perfectly with friend 1 that has the official app, but with friend 2 who uses one client, sending photos doesn't work, and with friend 3 voice calls don't work, and adding friend 4 to a group chat somehow breaks it entirely for everyone.
Friend 2 insists on using their client because it has dark mode, and for the average user, what they see isn't "friend 2 is extra and has a broken client", they see "that app fails to send pictures about a quarter of the time, let's use whatsapp".
in a world where iOS users won't install another free app from the app store because they already use iMessage, matrix is like asking for your friends to perform calculus just to talk to you.
Sure, but I don't see whatsapp/telegram as worse realistically if you've already lost at that level.
Signal is very much in the same area of: "trust us".
With a caveat that they also say: "here's a bunch of information on why you should: but you can't really verify any of it and we have proven bad faith before- also we have an army of people who will pile-on if you call us out for not being actually verified, so, just trust us- we are the secure messenger and all those scary things are just so we are easy to use".
Definitely not true. Facebook literally censors private conversations. You simply can't send certain text strings to your friends. That is far more dangerous than relying on a third party that claims to be protecting your privacy. Especially since all signs point to them being honest.
I don't know about WhatsApp (but I also didn't mention WhatsApp), but go to FB Messenger right now, open up a conversation with yourself, and try to send a message containing the string "thedonald.win". You'll get an error message saying "Couldn't send", with no further explanation. The list of banned strings used to be longer, but they've unbanned a lot of them since the election ended.
To be clear, this is in private conversations. Not just posting publicly on Facebook or w/e.
I read somewhere here that, in the case of what's app more metadata is shared with meta, and telegram doesn't have E2EE by default for groups.
Didn't check though.
You're correct. There are more security features with signal too like the server stuff. It's true that they don't update the code enough but the parent is being overly critical. It's not like WhatsApp is giving us access to the server in any form. So it's not a fair comparison. (Edit: Also, the app can be built from source and you can verify that the communication isn't happening in a way where the server could decrypt it. So it's not too big a deal that the server isn't perfectly up to date on public commits)
To their point, there are benefits to federated systems. But I've yet to see a federated system have moderate to large usage without becoming centralized. Think email. And until this problem can be solved you're still left with a "trust us" problem. There's no trustless system out there, yet. But hopefully it comes in the future. In the meantime, signal is the best if you also want to communicate with anyone that can't tell you if a stack is FIFO or LIFO (or even know those acronyms).
Funny enough the best way I found to convince iOS users to talk to me on signal is by telling them it's like iMessage but cross platform. Sure there are differences but most people aren't using those features. I do think signal could really benefit by just linking signalstickers.com into the app since that's the biggest complaint I actually get.
Signal has its problems, some of them sever. It's also buying "us" much needed time to build out federated and self-hosted chat platforms.
I truly believe they are altruistic, although it is unrealistic to expect that to last forever.
By the way, some of the claims you made about their "bad actions" are actually false. And Matrix is still incredibly annoying to work with for "normies" and only recently got first-class E2EE and retention policy, both things needed for a secure chat experience. And btw, those things aren't deeply supported in the ecosystem, and also it doesn't have client feature flag alerting (to allow good intentioned clients to de-facto report they don't support certain security features).
I do think Matrix (or something like it) is the future, but it's certainly not the present.
Just because a project is open source doesn't mean everything the team works on or releases will be in the public eye, nor does it even imply that it has to be open source as well.
I agree about the passing utility of Signal [0] but Matrix (which I do use) is a barely adequate dumpster fire. They spent all this effort developing a generic synchronization protocol, but yet didn't include native encryption in 2014 and had to bolt it on as an afterthought? And the last time I tried to find a native client it seemed like they were all still using web engines for rendering (inherently slow and insecure), presumably because the markup is too complex to make straightforward native apps.
[0] I don't even use Signal. My tack is to isolate and contain my "mobile phone" device as much as possible (when I'm home it generally stays next to the door on a charger). Whereas Signal has been designed around that single device as a critical part of my life. When I can sign up using only a username, and use Signal from a native client or web browser without any sort of Android device in the picture, then I'll be interested.
I really like the idea of federation, but I haven't seen it be successful in practice. I can't think of a federated service that isn't also highly centralized. This was a big problem for cryptocurrencies and it's not like email isn't almost all Microsoft or Google. Mastodon has been struggling as well.
While I think there are better services to be private and secure from a technical perspective, there's one killer security and privacy feature that Signal has that on one else does: usability. It's pretty hard to get my grandma onto Matrix, but it isn't hard to get her on Signal. The truth of the matter is that you can't have private and secure conversations if there is no one on the other side. So while I really do like Matrix and the like, I think of them as more alpha or beta type projects. I don't find that the bashing of Signal is helpful (like we also do with Firefox) because all it does is creates noise for people that don't understand the bashing is coming over a nuanced and biased point of view (we're mostly highly tech literate here on HN, it is a bubble. But people still read our comments that aren't). End of the day, if we aren't getting 1 click server installs (or literally everyone is a host), federated systems are going to become highly centralized at some point. PGP's always failed because the easiest way to hack a PGP email was to reply that you couldn't decrypt. It wasn't appropriate for the masses even when it wasn't difficult to use. Don't get me wrong, I love Matrix, but it's got a long way to go to get mass adaptation.
Fwiw, I remember a user awhile back offering a bounty for a decentralized pathway in Signal[0]. The idea was to create an AirDrop like system to help with things like local file sharing but then extend the project forward to create a mesh network. Seems like a reasonable idea to me. I think it may be more advantageous to try to push Signal in the right direction than rebuild from scratch. I'd highly encourage people with other opinions to participate in the Signal community because it is a crazy echo chamber in there and for some reason the devs treat it as a strong signal.
I agree with all this, but only to a certain extent. The big disadvantage of a centralized system is the ability to control an entire ecosystem. The same reason we dislike monopolies. It's because monopolies of any kind have the ability to abuse their power, though that doesn't mean they do. I mean browsers are "decentralized" and that doesn't stop Google from exerting significant control, especially considering most browsers are chromium (I find it weird people say to fight Chrome by switching to a different color of Chrome).
Like I said, I'm all for Signal becoming federated. It's why I dropped that link to the airdrop feature request. I'd also be in favor of people running their own servers. I mean the server code is available, you just can't connect it with the main network. So as far as I see it, there's nothing stopping this from happening. I see a lot of people complaining but I'm not aware of any major roadblocks. That doesn't mean there aren't any, but I'm just not aware of any. And fwiw, there are alternative Signal clients like Molly[0]. So at least the app can be disjoint from the official ecosystem.
Signal has said that they don't want a decentralized network until they have settled on their standard and implementation as they see decentralized federation as what has prevented email from modernizing . I'm assuming they will never get to the point where they feel Signal is stable enough to decentralize.
I'm not sure why people keep responding with this. Signal doesn't want to work on the federated problem, sure, I'm well aware. But everything is open source. We're on a forum of hackers, makers, and programmers. So what is in the way? People keep saying "Signal this" "Signal that", what are they gonna do, stop sourcing the code? Ruin their entire business model? I doubt it. The code is open, so seriously, someone tell me what's stopping you all from creating a federated version?
Easy to use is important and it's a shame that you're downplaying that. More accessible than PGP/OTR? Sure. But maybe by a hair's width of an alligator's back.
If I am working with a source who gets frustrated by the impenetrability of communicating with me because I insist they use matrix while they're not technical and likely impatient, then that person will be much more likely to use a fallback method such as SMS or email, and they'll do it without warning. It's legal risk, period. My job is to make sure that they can share information with me as easily as possible and during a particularly sensitive period of that person's life, usually. Matrix, as a sibling post highlighted well, is too difficult for this use-case. That is an enormous failure for a use-case of sensitive information sharing.
XMPP cries in a corner. I wish XMPP had more accessible (to the general public) desktop clients. Conversations is great, but speaking from experience, people aren't going to want to use Gajim because it looks like it's ten years old (even though that's a good thing ;). XMPP needs better clients in general. The last time I used Profanity it had very annoying bugs about sending and saving OMEMO encrypted files.
We really should convince Moxie Marlinespike to push the implementation of an out-of-the-box working bridge between the Signal client and the Matrix network. With e2e encryption, of course.
I think we're definitely approaching time when Signal / WhatsApp / Facebook Messenger / Google Messages / Matrix / etc will all become at least somewhat interoperable, and it's gonna happen very fast (~Q3), mostly because EU's Digital Markets App is basically forcing them to. (Well okay, only Meta-owned platforms are forced to.)
> It is unlikely that we will ever federate with any servers outside of our control again, it makes changes really difficult.
> ... I understand that federation and defined protocols that third parties can develop clients for are great and important ideas, but unfortunately they no longer have a place in the modern world. ...
Wow, I never really followed Signal's anti-federation drama that closely, but reading that thread is nuts. The LibreSignal folks just don't get it, despite Moxie's clear (at least to me) and plain language. The entitlement there is mind-boggling.
The license in the repo says otherwise, and the license is what governs your use and modification and redistribution of the client app, not their indignation.
Forks are a natural consequence of releasing free software. This is the life they chose.
Also, free software isn’t a product.
The ToS is the only thing that governs end users connecting to the API, and it doesn’t deny end users the use of third party clients. Also, even if it did, that would be insane, like Google saying you can’t even load google.com when browsing with Firefox. It would be pretty much without precedent on the web, and bonkers.
The GPL is the only thing that governs developers’ use of the client codebase. The GPL of course allows forking and modification and redistribution.
Such forks and redistributions obviously cannot use Signal’s trademarks, so LibreSignal was dumb to do so. Ultimately the feelings of the Signal team don’t matter here - only the license under which they officially released the code. You can’t be more explicit about permitted uses than that.
You can’t be open source but then claim you don’t want forks. It’s one or the other.
> The ToS is the only thing that governs end users connecting to the API, and it doesn’t deny end users the use of third party clients.
"You must not (or assist others to) access, use, modify, distribute, transfer, or exploit our Services in unauthorized manners" [1]
By my reading, the ToS does deny the use of third party clients. Someone could try to argue that a third party is using the services in the same manner as the authorized first party client, therefore it doesn't break the ToS; but since the company's leadership have said that's not OK (causing the mentioned client to stop being updated), I'd assume that if that argument worked in court, they'd just change the ToS to be more explicit about stopping it.
Who would you take to court? LibreSignal is simply distributing software, it's the users who are potentially breaking Signal's ToS by connecting to their servers using unauthorized clients.
This is like attempting to sue qBittorrent for copyright infringement.
Matrix?! As someone who runs is own Matrix homeserver, oh, man, no way. Matrix is super fiddly, unreliable, and user-unfriendly (and I say this as someone who has at times agreed that Signal can be user-unfriendly).
Matrix also is just not particularly private. Servers control and know far too much about users, and pretty much no mainstream client enables E2E encryption by default. Matrix is an impressive piece of technology, but it has a long way to go before it's as usable for an average mobile phone user as Signal is.
> We should support it. If you haven't already, then consider signing up for a recurring donation to the Signal Foundation.
I always like to remind people that you can also donate through your employer and many will match. This is a great way to multiply your donation and everybody wins. Your org is going to donate x amount a year anyways and so might as well "vote" on where some of this money goes.
While I am thankful that Signal exists and is a considerate of privacy concerns I don't think their decisions are always right.
For instance, I would love to see picture sent to me by my spouse automatically saved to camera roll. Signal has no option for this because it could put the privacy of me and the sender in jeopardy.
They have a community forum with a feature request system. Though I'll admit it's a big echo chamber there. But every new user adds a new voice and I can't see how that isn't a good thing.
Fwiw, I want this feature too. And others. I've submitted feature requests in the past. I even asked that usernames add QR codes and links. I'm not sure if I was heard, but hey, the feature is there and even some of the echo people were against it.
WhatsApp has this feature and it drives me nuts. My roll is full of crap people (especially chat groups) send me and I have to clean it up every now and then. I surely hope Signal doesn't do this and keeps the current approach of allowing users the option to download the images they want, when they want.
I actually like it this way. Occasionally (not always, which is even more confusing), images from random Whatsapp conversations ends up in the Android equivalent of my camera roll, and it annoys me to no end.
My camera roll is for photos that I have taken. If I want to put something from someone else in there, that's a decision I will pro-actively make. Other apps shouldn't be doing that for me.
> And it's one of the last bastions of internet freedom.
I don't want to be too negative on Signal since they do some good work and I do use it.
But freedom? No. It is another completely proprietary platform. A better one, but still proprietary, so the antithesis of internet freedom.
For example just earlier this month the Signal client overnight stopped working on my old Mac because they decided to no longer support older OSX releases. So I can longer use it on that machine, my primary desktop.
If Signal was in any way open or free (as in freedom) I'd just compile my own client to speak an open protocol and be back in business. But no, Signal is just a proprietary service with a proprietary client.
>If Signal was in any way open or free (as in freedom) I'd just compile my own client to speak an open protocol and be back in business. But no, Signal is just a proprietary service with a proprietary client.
Isn't the source code available? What's preventing you from compiling your own copy?
The server is centralized -- you might be able to stand up your own but it doesn't matter because you can't use it to talk to anyone else who isn't using your custom built app that uses your server
In other words you're complaining that it's not federated? That point has been relitigated in other parts of this thread so I don't want to go down that path. More to the point, I don't think that's what the parent post is talking about. He's complaining how he can't run signal on his outdated machine, not that he can't run his own private server.
As far as I'm aware, everything is open[0]. Only issue I know of is that the server code isn't consistently up to date and you can't run your own. But you can compile the app and desktop clients yourself. I guess there's also the issue of reproducible builds but AFAIK this is a play store issue and doesn't seem that problematic since you can compile from source. I mean they even have a commit from 4 days ago for the Android app.
I believe what the grandparent comment meant was that you can't run a server that participates in the public network, not that you can't run a private server. That was my prior understanding, at least.
I might very well be wrong, and if so, someone please correct me.
That is correct. I should have been clearer in my distinction. You can run your own server but that server won't connect to the official Signal network. You're completely fine to run your own[0]. FWIW I've seen other software roll their own servers and use the Signal protocol. I mean WhatsApp uses the Signal protocol but I think they've diverged a lot since.
[0] There's always talk about the big deal breaker for Signal being that it isn't federated. So I've always wondered why this passion isn't used to generate a federated Signal network and is more focused on Matrix (who only recently started being E2EE). I don't know how these things work, I'm not that kind of programmer, but I can't see why you couldn't modify the server code to work in a federated fashion and edit the app code to be able to connect to both? I'm actually interested to know why if someone actually has an answer.
From my understanding, they're not a fan of it (not sure if it's officially against their TOS or not) but they don't go out of their way to stop them. At least as long as you don't use the Signal name and make it clear you're not an official app.
Even in this blog post about usernames, they clearly make sure to mention them: "This means that in about 90 days, your phone number privacy settings will be honored by everyone using an official Signal app."
How old OSX are we talking? Is it older than current Xcode with Sonoma supports? If it's that, then you have your answer. If you want to daily drive and older machine Linux or even Windows should be fine, but this is not really the way with Apple hardware - if it was, Xcode would make this easier for the developer. For reference, you can still build for Windows Vista using current Windows 10 SDK - I haven't tried Windows 11 SDK, so not sure how things are there.
That's correct, but so what? So does Tor. The US isn't a single unified entity. They get some funding from groups that promote encryption. Gov still wants encryption for their own people and for people in authoritarian countries (it's hard for normal people to overturn an authoritative government when all communications are watched. No need to discuss CIA). But also remember there's plenty of US gov groups that attack Signal too. Just saying "US funded" isn't strong enough on it's own. The gov has it's hands in everything so it's too noisy. You'd need to make an argument about it's dependency on that money, which they aren't. Records are public btw, they are a nonprofit.
They need to actually listen to users. Signal needs to support SMS, they need to support backups, they need to support easily migrating to new devices. I don't care if it makes me slightly less secure, make it a checkbox in the client that I agree if I enable the features, I'm a moron because some nation state could abuse it.
Otherwise, it'll always be niche. I'm never getting non-technical friends and family to adopt a messaging app that isn't unified for SMS and secure messaging. When they say "users might not know they're sending insecure SMS messages" - fine, you own the client. Make the client bright red with a flashing "INSECURE MESSAGES" across it for all I care. It's not hard to inform a user in 2024 that they are sending a less secure message.
Signal has so many footguns that I stopped recommending it. I know more than one person who lost all their messages and pictures when they switched phones.
> I'm never getting non-technical friends and family to adopt a messaging app that isn't unified for SMS and secure messaging
Er, what? So no one you know uses Whatsapp, FB Messenger, Telegram, Google Talk, or anything else? I suppose it's possible that's true, but even if so, you and the people you know do not represent the common-case user.
> Note that if provided with the plaintext of a username known to be in use, Signal can connect that username to the Signal account that the username is currently associated with. However, once a username has been changed or deleted, it can no longer be associated with a Signal account.
The "no longer associated", I will need to get Signal word for that, right. (You cannot cryptographically prove something was deleted, right.)
You shouldn't need to cryptographically prove that an old username is unavailable. You should be able to simply send a request to Signal servers asking if it's available and receive "no" as a response.
You'd have to take their word that this wouldn't change, though.
When they announced usernames I thought I will be able to install Signal on my TV desktop (linux) and send / receive messages from to it (links, files, etc).
Now that I know it still needs phone number I assume it will need to be unique so my use case fails.
For the record, I am still a happy Signal user and a monthly supporter, thank you very much.
Just hair splitting obviously but I don’t think it’s really a contact, it’s just what the recipient shows as when you send something to your own number.
906 comments
[ 3.1 ms ] story [ 347 ms ] thread(I guess theoretically you could run something like PostmarketOS on a phone to run the desktop app, but you know what I mean.)
Do you know why this limitation?
What I'd love to have is the ability to connect my phone and my laptop to the same Signal account, have them automatically sync chat history between each other, and then in the future if I add a new phone (e.g. because I've upgraded) my phone can sync from my laptop and get all of my message history.
Whatsapp added this recently and it is very convenient. You can link a companion device in the same manner you sign into WhatsApp web.
A kind of hacky workaround (that I used to use for both signal, WhatsApp and others) is to set up a server with matrix bridges running and bridge your signal, WhatsApp etc. so then you can install the one matrix client on all your devices.
But as most apps do support multiple devices these days, bar signal, it doesn't feel like it's worth the effort. And I seem to remember the signal bridge in particular being a little buggy.
Also, WhatsApp recently added this feature, so the expectations from potential new users who switched is now there.
[0] https://community.signalusers.org/t/allow-android-ios-device... [1] https://community.signalusers.org/t/allow-android-ios-device...
> Each version of the Signal app expires after about 90 days, after which people on the older version will need to update to the latest version of Signal. This means that in about 90 days, your phone number privacy settings will be honored by everyone using an official Signal app.
Which is also an example of a challenge for open ecosystems where everyone can create apps.
I understand that it doesn't outweigh the benefits to everyone, but it is a valid reason.
I have not investigated this at all, but I have enough faith in Signal/Whisper Systems to be optimistic.
That is a fine decision to make for a security-minded app, but signal has always presented themselves as a full alternative to SMS and other messaging systems where availability is prioritized over confidentiality and integrity. It should really be made more clear so that users are making an informed decision. They could also do wonders for the user experience by having the app inform the user of the problem and how to remedy it.
The problem something like this solves is to raise the bar somewhat and discourage a fraction of those who would.
Done right, that fraction will be significant.
The conclusion isn't that Signal should be closed-source, it's that Signal's servers should not trust the clients not to be tampered with. So after 90 days, they will remove phone numbers from the protocol for users who have hidden them, breaking old clients, which is fine. What is the alternative solution you're thinking of?
My mom couldn't receive signal calls on the backup phone I gave her. I had disabled auto-updates since apps break UI sometimes and she gets confused by things moving around.
When I visited, I opened the signal app and was told I had to update.
The Signal team is incredibly clueless and arrogant toward its userbase. It seems to simply not have occurred to them that many people rarely/never have wifi, may not be on AC power when they are on wifi which means the phone may not check for / apply updates, etc.
In the US, cellular is often expensive and slow.
In underdeveloped countries where software like Signal could be really important, all this is even more true.
We get shit crammed down our throats to protect the most obscure edge cases for the smallest percentage of the most vulnerable users - such as not being able to sync messages between devices - but then they pull shit like this which has a huge impact for people in rural areas and underdeveloped countries?
Refusing to deliver is inconvenient.
That is inconsistent with the threat model of a messaging system!
Inherently, a messaging system will deliver a plaintext copy of the message to the recipient(s). Wouldn't be much of a messaging system otherwise.
Once you sent something and it was delivered in plaintext to the recipient, the information disclosure risk is completely out of your control (and out of control of the application in use). The recipient is free to leak it however they wish.
If you don't trust the recipient to keep it private, don't send it.
No need to continuously expire apps in the absence of a protocol breach.
I have no idea if that's what they're concerned about - they may just be being arseholes in this case - but from the outside it seems like a legit reason to build in the capability for app expiration.
I disagree, the worst thing that a messaging system that aims to be "private" can do is to actually not be private. Sending to a known-insecure client is a violation of, like, the one thing signal claims to do.
> If you don't trust the recipient to keep it private, don't send it.
My threat model is some combination of "third party actors who I don't trust" and "second parties who I trust but who are non-experts"[1]. I would like Signal to protect me from the first (by not delivering things to known-insecure clients that can be middlemanned or otherwise discovered) and the second, by having privacy-respecting and mistake-preventing defaults. Things like disappearing messages and such. Keeping my trusted-but-nonexpert peers from making mistakes that can harm either of us in the future is a key part of my threat model.
For example, disappearing messages prevent me from being harmed by my friend, who I trust to discuss things with, not having a lockscreen password and getting warrented by the police. An outdated or third party client that lets you keep them forever, even if well intentioned, can break that aspect of the threat model. And yes, a peer who is actually nefarious can still do that, but that's not my threat model. I think my friends aren't privacy-experts, I don't think they're feds.
[1]: This is, for example, the reason that I think PGP is not a good tool. Even if I do everything right, a well meaning peer who is using the PGP application can unintentionally leak my plaintext when they don't mean to, because of the tool's sharp edges.
Mint will sell you a plan for 5GB of data for $15/mo. Its not that expensive to have a basic cellular plan. And that's assuming you're not poor enough to have your cellular plan almost entirely subsidized. And also assuming you're pretty much never anywhere with wifi.
In the vast majority of markets in the US it'll take a minute or less to download, it'll probably take more time unpacking on your device and installing.
There's cheaper per-gig plans in the US. Visible has unlimited plans for $30/mo which is cheaper per-gig if you use a lot but more if you're using less than 5GB anyways. And if 200MB/yr currently seems like an expensive amount of data to you, you're probably already using less than 5GB a month.
My understanding is that Signal (the app) is private, not anonymous, centralized, and closed.
The underlying protocol is open and could be used for an open ecosystem, but I didn't think Signal aspired to do that.
The important distinction is that it's not decentralized like XMPP or email, which is a conscious decision: it would become very difficult to change it to add new features and they'd be left behind by closed-source competitors (see: XMPP).
XMPP is underrated. A lot of people are imagining Pidgen in 2011, but the protocol has been extended, the actively developed clients are good, and it avoids the heavier parts of Matrix (both client and server side.) I wouldn't be surprised if Slack's replacement when Salesforce inevitably fucks it up will be XMPP based rather than Matrix.
Even if Google Talk kept XMPP, they weren't going to save it, cause nobody used Google Talk. Facebook was by far the biggest XMPP-supported platform (though it wasn't federated), and they stopped probably cause they didn't see enough clients. Even Slack supported XMPP for a while, did you use that?
https://github.com/signalapp/Signal-Android https://github.com/signalapp/Signal-Server
There are forks like Session which doesn't require a phone number to sign up
https://github.com/oxen-io/session-android
The status of open source, privacy respecting messaging apps looks really healthy to me, compared to where we've been over the past 30+ years (thinking starting with ICQ.) Signal was a big leap toward getting average people using much more secure messaging, although it is pretty clear even most 'tech' people don't grasp what is going on or why it is important to be able to use e2ee separate from a combined client+server provider.
In fact, in this thread they are discussing how you can, with Molly, use both the official and staging servers with the same number: https://community.signalusers.org/t/signal-fork-with-passphr...
A mod recommends Molly here: https://community.signalusers.org/t/how-to-use-signal-on-3-d...
A list of forks: https://community.signalusers.org/t/list-of-unofficial-forks...
And here's people arguing: https://community.signalusers.org/t/on-forking-signal/31651/...
As far as I can tell, Signal's policy is more "Do what you want, but server costs are high so we don't want to pay for your product. But if you do, here's all the code to give you a start." That's a very different policy from blacklisting.
And as I keep asking others, what's stopping everyone from making a federated Signal? If you can use the same account on both the production/official server and the staging server, why can't you on the production server __and__ a community federated server?
And if they ban you from the production server, so what? Now you're on par with literally every other federated service. Like what is Signal going to do? Stop open sourcing code? That'd be like trying to kill a mosquito by stabbing yourself in the heart. If they're willing to do that, I'd rather it be sooner than later anyways.
So I want a source because I just don't get what you all are complaining about. Is it just that someone else didn't make the thing you want? Sure, I get frustrated, but the comments more come off as Signal being nefarious and I just don't see Signal acting in any way malicious. In fact, hosting links to forks and being a common place for those forks to discuss seems like they are actively supporting them.
Moxie wrote several articles about this and expanded on this idea in his conference talks. You are very welcome to take the code and write your own messing system, but do not connect to Signal's servers because that costs them money and they will need to take action, sooner or later.
They were very clear that LibreSignal had no future. They have also been very clear that they discourage any non-official distribution of builds. They have repeatedly told the F-Droid project that they will not publish using their reproducible build system, and any user doing the same will be kindly asked to take down their copy. The F-Droid project has complied.
This seems to be a strange thing to discuss. If the above links are representative it may be a popular subject among a subset of users, which seems misguided. Signal does not wish to be xmpp or matrix and neither should they. It must be their right to decide. There are so many chat software projects. If you don't agree with the goals of one of them, you energy is better spent elsewhere.
Signal has consistently focused on helping /most/ users do what they want with the app without sacrificing security. This change - away from requiring phone numbers - helps plug one of the biggest criticisms, both on the security and product side. Nothing about their mission requires federation, so I respect that they haven't sacrificed their mission in order to do it.
And talking about that: does federation work properly yet? I used a third party provider and it made my life miserable.
I am all for federation, but in my experience the "federated" part of matrix was a lot worse than the jabber one they want to replace.
But yes, it's also very hard. The bitcoin protocol didn't start out that way. It took a lot of knocks and bruises to get to the point they could upgrade all the servers in the federation.
Interestingly, the method bitcoin came up with allows protocol changes to fail, meaning the bulk of the federation never takes them up. Everyone gets a vote, and it only succeeds if the bulk of the federation upgrades. Perhaps from Moxie's point of view that's unacceptable, as it means he is no longer the dictator of the protocol.
Nonetheless, it is possible to design a protocol so it can be upgraded relatively quickly. Even if you don't do add "quick transition" features to a protocol transitions can still haven. IPv6 will replace IPv4. But as Moxie says, it's painfully slow.
It's private, centralised and the network is closed (e.g.: non-federated), but the source code is public and open source. I think that for the server implementation they do code dumps every once in a while, rather than continuously keep it public.
You are right about that. There used to be an open source build called LibreSignal
Moxie Marlinspike made clear [1]: You may inspect the code. You are even allowed to compile it. You are not allowed to connect your self compiled client to our message servers. We are not interested in a federated protocol. Make sure your fork creates its own bubble that does not overlap with Open Wisper Systems. Stop using the name Signal.
[1] https://github.com/LibreSignal/LibreSignal/issues/37#issueco...
How about no phone numbers for registration at all?
* Gives the servers virtually no control over communications between parties.
* Goes through huge pains to minimize serverside metadata storage.
* Is a sealed system end-to-end; the client and the server are part of a single coherent design that together make promises about privacy and security that apply to every user of the system; Matrix is a protocol ecosystem.
A good example of this is group messaging: Matrix servers control group membership. In Matrix, group membership is key management; a Matrix server decides who can decrypt your group messages. That's not how Signal works! But I don't think anybody seriously thinks Signal is a replacement for a large Slack.
And yet uses AWS: https://news.ycombinator.com/item?id=39414322
The threat model assumes attackers have maximal control of the server environment.
Hence my position remains unmoved.
This continued insistence (widespread - not just you!) on the benevolence and good faith of US intelligence, post-Snowden, doesn't make any sense to me.
Take a step back and note that nobody on HN is going to make an argument premised on "you should trust NSA to follow the rules". You can accept that as an axiom and have easier conversations here.
...and this is the declassified part.
This is not good enough. Signal server is a single point of failure: NSA (and any other attacker, e.g., China) knows that the users can't go elsewhere, so it's very easy to target them all (thanks to the Signals's politics of walled garden). In case of Matrix, there are thousands of servers around the world, which you have to find and get into. They can run completely different software. This is not very scalable or easy.
https://eprint.iacr.org/2016/1013.pdf
https://www.nybooks.com/online/2014/05/10/we-kill-people-bas...
The paper you linked to was published before they started collecting and storing sensitive user data in the cloud
I have no idea how to get my extended family on a Matrix homeserver without extensive handholding. I can barely figure it out myself and I was a huge XMPP nerd that ran my own ejabberd server for years.
Then let your phone number receive the spam instead?
It prevents the creation of an unlimited number of signal accounts by a single user with no cost to the user but cost to signal and other signal users.
edit: Your are probably right in that it does not change the risk of spam for a single user, as you could guess the phone number or just iterate over all known phone numbers and try to connect to them.
requiring phone numbers only solves the cost problem for signal(The company/legal entity) and lowers(hopefully) the amount of spam that would get send.
Signal v7.0.0 with phone number privacy - https://news.ycombinator.com/item?id=39413417 - Feb 2024 (107 comments)
This sounds unfortunate, but I guess there's no way around this as long as Signal insist on keeping phone numbers as primary identifier.
By "link" I mean they immediately know what person the username belongs to iff they already had that person's phone number because the chat that is initialized after they scan the QR code is just the old chat being continued.
Exactly. I think that's important to know before people start giving out their Signal handles left and right because they think they're anonymous now.
If you set your privacy to nobody and someone saves your phone number, to them it will appear that you do not have a signal account, even if they start chatting with you via your handle.
Edit: this is not actually a serious problem for me, don't worry! Rather, I think it's funny. And honestly I kind of like having the numbers required, it's a good idea. It does remove a lot of the vanity from usernames.
Because friend codes were so popular on Nintendo.
Hey add me real quick, my id is 12716472-83647281746-8172649! Or use the hash code, 0x28A56ED9! Super easy to remember, way better than giantrobot22 or vel0city66.
- if we don't have usernames we don't have to deal with obscene usernames, trademarked usernames, impersonation claims, and similar
- if we don't have usernames and our generated friend codes aren't guessable, we don't have to worry about people getting random unexpected friend requests from people they don't know
There's also the "weedlordbonerhitler69" issue. A user name that seemed hilarious at 16 likely seems less hilarious at 26.
If users were identified with a hash derived from an input user name you could type in "weedlordbonerhitler69" and what would be displayed is a hash on the client side. The contact add UI could simply return the UID for the input username. So you could give out the UID or username and another user could still add you.
They're not going to get mixed up typing it in from me verbally telling me the name. They're not going to get confused typing it in. And even then, validate the user after, that's another feature of signal is in person/out of band validation of the ends. So start the convo the verify through a channel you otherwise trust.
> There's also the "weedlordbonerhitler69" issue. A user name that seemed hilarious at 16 likely seems less hilarious at 26.
And with their setup you can change it at any time, so once again not really an issue.
Unless I got the wrong end of the stick, that's exactly what they are not doing.
People need to get trained out of (even informally) assuming they can identify someone because their username looks familiar, and this is a great way to do it.
With notable exceptions, i’m sure, being username69 and username420 and a few others (a similar phenomenon happened in magic the gathering, when they introduced limited edition 500 print runs of cards with the serial number stamped on them, and the only ones you can really sell or command a good price for are 1, 69, 420 and 500)
Or tons of (mistaken) conversation requests?
... notes HN user jenny91
If you don't open the Desktop app for a few weeks though, there is a "syncing" step where it fetches the recent messages queue from the server (can't remember the exact number, might be the last 1000 messages or all messages from the last 30 days or something similar).
And it doesn't show any messages that came in on the phone during that time, so you're missing context and in practice you just have to use the phone for everything anyway.
It may decrease privacy philosophically, but it isn't nefarious.
If you want a private messaging platform with zero prerequisite identity, use Briar.
You can keep it as an option.
> decrease spam by requiring some other source
Phone numbers never been a good way to counter spam, just look at social media, you can buy phone numbers in bulk these days, not to mention spam might work in social media because there’s the concept of “public space” where everyone shares and talk, so it does make sense for some bad actors to spam or even trying to influence others, that’s not the case in messaging app, because first I need to know your “unknown” username that I can’t see it elsewhere, and second, the efforts are worthy for such unsolicited message, which in case it was, you can get a burner to send it. The point is requiring a phone number to counter spam doesn’t work, and it doesn’t make sense either for messaging apps.
> If you want a private messaging platform with zero prerequisite identity, use Briar.
Well, personally I don’t use Signal, never will in its current state, but they always try to promote it as privacy messaging app while still relying on a broken system known as GSM.
It doesn't decrease privacy. It decreases anonymity which is distinctly different.
> If you want a private messaging platform with zero prerequisite identity, use Briar.
Or Session which is a fork of Signal that runs it's own network using standard PKI instead of a phone number for identities and a decentralised message delivery/onion routing system.
You either end up discriminating against users who have to use VOIP for whatever reasons (and there are legitimate reasons) by blocking VOIP numbers, or your barrier to entry for spammers is almost negligible. It's not a good system.
If you want to prove that users are humans, use a webcam and an id, or delegate the task to some bigcorp who already has a similar system. If that's too much for you in terms of privacy, you shouldn't be attempting to prove that users are humans in the first place. Maybe you should prevent spam via product driven solutions, e.g. whitelisted contacts.
What experience do you have to have gained this confident knowledge?
Yes, but what are you going to do with this information? All you know is how long they've been a signal user and when they last connected.
The metadata itself is just as valuable as the content of the messages.
If you want to prove that criminal A was in correspondence with criminal B, that's how you do it.
As per this comment, they store much more than just the last connection time[1].
[1] https://news.ycombinator.com/item?id=39445791
If you know how to build an anonymous communication platform, that is convenient to use, and is also spam resistant/proof, you have the miracle platform idea.
https://mullvad.net/en/blog/2023/4/20/mullvad-vpn-was-subjec...
Obviously doesn't include warrants they may have received where a gag order is in place, but you can see from the responses they do publish that they only store phone number, initial registration date, and last connection date.
This is in direct opposition to the very first line of their privacy policy which lies when it states "Signal is designed to never collect or store any sensitive information." and they've refused for years now to correct that lie and update their policy to detail all the new data collection they're doing.
Here's some reading from the time of the change:
https://community.signalusers.org/t/proper-secure-value-secu...
https://community.signalusers.org/t/dont-want-pin-dont-want-...
https://old.reddit.com/r/signal/comments/htmzrr/psa_disablin...
https://www.vice.com/en/article/pkyzek/signal-new-pin-featur...
Note that the "solution" of disabling pins mentioned at the end of that last article was later shown to not prevent the collection and storage of user data. It was just giving users a false sense of security. To this day there is no way to opt out of the data collection.
My personal feeling is that Signal is compromised and the fact that the very first sentence of their privacy policy is a lie and they refuse to update it to detail their new data collection is a big fat dead canary warning people to find a new solution for secured communication. Other very questionable Signal moves that make me wonder if it wasn't an effort to drive people away from the platform as loudly as they were allowed to include the killing off of one of the most popular features (the ability to get both secured messages and insecure SMS/MMS in the same app) and the introduction of weird crypto shit nobody was asking for.
I swear if VLC ever turns evil I'm giving up on recommending software forever (in the meantime, check out VLC if you haven't already!).
I don’t blame you, I think it did start with a good promise initially, but I believe just like anything centralized that turns big, it will become evil.
> in the meantime, check out VLC if you haven't already!
The player? Or is that a new messaging app? For messaging I usually use Matrix/simpleX/Session.
If there was such a hoo-hah and it was trivial to patch out, I expect we'd have a thriving patched fork up and running by now.
"Even under the sealed sender, observers said, Signal will continue to map senders' IP addresses. That information, combined with recipient IDs and message times, means that Signal continues to leave a wake of potentially sensitive metadata. Still, by removing the "from" information from the outside of Signal messages, the service is incrementally raising the bar." (https://arstechnica.com/information-technology/2018/10/new-s...)
A couple years after that "incremental" improvement Signal started keeping everything forever in the cloud which means that today governments can get a signal user's information just by brute forcing a PIN
https://eprint.iacr.org/2016/1013.pdf
See https://sgaxe.com/files/SGAxe.pdf for an attack that leaked Signal contacts.
From https://signal.org/blog/signal-is-expensive/
> We use third-party services to send a registration code via SMS or voice call in order to verify that the person in possession of a given phone number actually intended to sign up for a Signal account. This is a critical step in helping to prevent spam accounts from signing up for the service and rendering it completely unusable—a non-trivial problem for any popular messaging app.
I'm not sure why you need to assume that it will be linked back to your real identity; I haven't seen anything that indicates any motivation to do something like that. I'm all for being cautious, but being overly cynical can lead to letting perfect being the enemy of the good.
> I'm not sure why you need to assume that it will be linked back to your real identity;
I’m not assuming, only North America (edit: and some European countries) doesn’t require an ID for a phone number (1), and even in here, you would use it in other services that are linked to your real ID like banks or paying the phone bill online. The concept simply boils down to as soon as you find an account’s phone number, it’s a game over for that said privacy.
(1) https://www.comparitech.com/blog/vpn-privacy/sim-card-regist...
You completely misunderstand what kind of privacy Signal aims to achieve. Signal protects you from eavesdropping and data hoarding, two major privacy issues with solutions like Facebook Messenger for example.
They do not and have never claimed to offer a service where “privacy” means nobody knows who anyone is, it isn’t Tor and I wouldn’t want it to be.
If you don’t like the goals and design choices of Signal, just use another service.
There are benefits of the choices they’ve made, namely ensuring that most users of the service are “real people”, which I think is great. It’s not a social network, it’s a messaging app between friends that solves issues presented by alternatives like SMS or Instagram; that’s it.
Do they?! We can ask Tucker Carlsons about that https://www.reddit.com/r/signal/comments/16evuej/did_the_nsa...
As long as you can’t host and use your own server, you should never assume that.
> There are benefits of the choices they’ve made, namely ensuring that most users of the service are “real people”
You communicate with your colleagues and clients over emails and you know they are real, you probably play games too and use discord and you know they are real, meanwhile you can be talking to bot in twitter that they are registered with a “real” phone number.
A lot of people in the comments have things to say about that video.
Personally, I wouldn't trust anything that comes out of Tucker's mouth.
The only way to know for sure is for you to create an alternative service, write all code yourself, and host everything without ever leaving your server alone. And even then you can't be sure you haven't been hacked.
On a side note, if we're getting information from someone that lies a lot and often leaves out details that don't fit the narrative, then perhaps we should also look at the person, not just the issue.
You certainly can, the self destruction messages are one of the ways, sure, it is not the only solution as you need to make sure the OS is secure itself too, but definitely helps in that case, no messages stored at rest and all are encrypted in transit.
> Something else that might happen is you ending up with your phone hacked
Which is essential to have a messaging platform that allows multi-client/cross platform, say running that app on a hardened OS is an option and possible compared to only iOS with a phone a number for example.
> write all code yourself, and host everything without ever leaving your server alone.
You don’t need to write it yourself, as long as you can read it, and host it knowing no other services are spying on that server, should be miles ahead of other apps like signal, sure, you can still have that server breached, but first you need to know where’s that server, or even you are using this messaging app in the first place, contrary to Signal for example, all I need is checking if you use it by the phone number. Not to mention it will make it harder for whoever is trying to spy on you, if most people ran their instances, but that’s a little bit more of a dream as the average person won’t, but at least the option should be provided.
On the other hand Tucker isn't even being consistent in his telling of the story. He says that he hasn't told anyone and makes a big deal to even mention his wife, so we think even his closest confidants. But then what message did he send over signal that was extracted? The personal notes? There's also much more reasonable pathways for the NSA to get that information. If he's researching and just storing notes on signal he's still leaving breadcrumbs somewhere. He's a popular news host so I'd be surprised if the NSA hasn't tried to compromise his whole phone, and signal only protects your messages in transit. The only evidence we have is his word that someone from the NSA told him. Which itself would be really weird because it'd completely undermine that capability or imo a more likely explanation is someone is lying. Gov does disinformation all the time and convincing people a secure channel isn't seems pretty useful since they'll turn to easier methods.
So I don't have to rely on my distrust of Tucker or his history of misinformation. If this was my only and first encounter there's more than enough for me to be suspicious in just his telling.
How on Earth collecting a phone number may be considered as not data hoarding?
That's the vast majority of what intelligence agencies actually care about. They rarely care about message contents anymore.
By default, the first message between someone and you clearly identifies who is communicating with whom. That's enough.
We don't know whether an intelligence agency is listening in on their servers and logging this data.
Assuming an eavesdropper that can defeat TLS or is listening via DMA attacks on the signal servers,
- you can log initial signup or login, which allows you to connect user id and phone number
- you can log the first time a chat is created, which allows you to build a social graph of which person is connected to which other people
- even with sealed sender, you still know the identity of the receiver and the IP address of the sender, which is often enough to figure out who is in contact with whom
This would be enough dragnet surveillance to automatically figure out the contacts of people you've already identified as threats. You'd also have enough evidence to get a sealed court order to do targeted surveillance on these people.
Also, you need some way to log in to your account. So you need an identifier and some way to validate that you are the owner of that identity. And next to that you want to prevent spam. So I think the choice to use a phone number as an identifier for a text-messaging app that is meant to be a secure replacement of SMS is not that weird.
But let's say they are data hoarding our phone numbers, and they can get other details about us through the black market because we use other more insecure services where we suddenly don't seem to care about privacy. Then what do you think Signal does with this data? They can't resell it because they don't have anything unique, they actually need to invest money to link their database of just phone numbers to something else. And then? What malicious things will they be able to do?
What have you gained? What does the attack look like?
(Or a phone, even)
The news today is a step in the right direction for sure, but more needs to be done if they want more privacy and anonymity-focused people to use it. This section on what makes a good messaging platform still resonates: https://dessalines.github.io/essays/why_not_signal.html#what...
<https://www.nfcw.com/2022/10/20/379863/south-korea-to-roll-o...>
If it's not possible to buy a phone without a strong attestation of identity, as is the general case in at least one country, then the identity relationship is baked in.
It's probably possible to buy a burner phone even in South Korea. But for those who are using their standard-issue phone with Signal, the problem most certainly exists.
And even in countries where there isn't some national phone-as-identifier policy, effectively most people's phone numbers tie them to their real-space identity even if there's no explicit personal data association[1], and in most cases, phone number, IMEI, AAID, and/or billing data (credit card payment authorisation) provide far greater assurance.
________________________________
Notes:
1. <https://www.eff.org/deeplinks/2023/11/debunking-myth-anonymo...>
2. IMEI: <https://en.wikipedia.org/wiki/International_Mobile_Equipment...>, AAID: <https://support.google.com/authorizedbuyers/answer/3221407?h...> <https://noyb.eu/en/buy-phone-get-tracker-unauthorized-tracki...>
Point remains that 33 bits will identify any given person among the 8 billions now living, and a phone number itself, plus ancillary leakage (activity patterns, location) are an exceptionally poor basis for an anonymous or pseudonymous identifier.
If you read the thread the linkage between a phone number and a Signal account cuts down on fake accounts significantly - which has nothing to do with "social media" but it does have a lot to do with SPAM as you've incorrectly stated. I understand why it's not ideal, but there are tradeoffs in both directions. It's unlikely that usernames are going to expose users more than they currently are if they're already using Signal. And it's also unlikely that this new feature changes much, but I welcome the ability to prevent users from associating my known number to my Signal account. In this way the security model has improved considerably.
Governments won't go on a crusade against Signal as long as they keep records of who is using their platform to commit crimes.
Signal won't commit to being an anonymous platform likely for that reason.
https://support.signal.org/hc/en-us/articles/360007059752-Ba...
The process to transfer the history is to scan a QR code displayed on the new phone by the app on the old phone.
Well, the camera on my old iPhone is broken. The phone has 3 other working cameras, but I cannot switch which one the app uses…
update: only on android. turns out there are quite a few caveats for backup. See https://support.signal.org/hc/en-us/articles/360007059752-Ba...
[1] https://news.ycombinator.com/item?id=39445286
I doubt that's a habit many people will develop for a setting they didn't even know existed.
There's no single obvious thing called "this is what everyone wants from backup".
> It doesn't "require" Syncthing
I'm talking about your solution, and yes it does seem to require syncthing, unless you are using some fourth party tool that sets up syncthing automatically for you, and in that case it still isn't built in to Signal.
There are other possible solutions, but you used your solution as an example. If you have a different solution that doens't require syncthing and also doesn't require manual intervention (i.e. Signal app can automate the process), please share it. Remember what the comment said that we are replying to:
> Please stop peddling this horrible experience as a form of a valid backup. A process that requires full manual interaction and requires you to know ahead of time when your phone will break or be stolen is not a useful backup process.
Did you not have to manually setup syncthing (or some other sync tool) to get it working? Or do you know of some way to do that with just Signal?
Unless you are saying that Signal has a built-in backup solution that doesn't require manual intervention (like configuring some sort of third-party syncing service) then you aren't rebutting anything.
You want signal to fully automate the process of configuring your device with an arbitrary third party service to send backups to with zero "manual intervention"? I think you're asking for the moon on a stick.
It's after all, a device that's carried around and much easier to destroy than pretty much any other.
For most of population (you know, the ones we all want to get onto Signal so they stop using Meta and Apple stuff) not losing their valuable pictures, memories and conversations is way above the paranoia of some theoretical government official deciding to give up while trying to unlock your phone.
Should Signal support/implement all of these? Some of them? Which ones?
Same story with the PIN signal requires if you haven't used it in a few hours. It's the same as your phone PIN and there isn't anywhere you can change it, so it's just security theater.
This is not the Signal PIN. It sounds like you have the Screen Lock option enabled.
https://support.signal.org/hc/en-us/articles/360007059792-Si...
I tried element, somehow that keeps kicking him out, or I need to validate new sessions or something.
Or sama's crypto eyeball scanning thing? (WorldCoin?)
Absolutely unacceptable.
Same with prioritizing stories, stickers and crypto payments as core features of Signal when that's not what most of their users care for. Meanwhile there's still no official way to port your existing chat history on PC and iOS to your new device, or support for Android tablets. Obviously, stickers are more important.
Obviously, the cryptographic guarantees of the two systems aren't even close to comparable.
I don't know what "feature" you're talking about not existing until 2014, but before Open Whisper Systems, the thing we call Signal was "TextSecure", a literal SMS replacement.
And some are better at being messengers than others.
Forcing you to use your phone number and then the same second you created your account go behind your back and spam everyone you just did so is neither private nor something many would associate with secure.
I guess something doesn't have to be secure if you can pretend it is public.
Of course Signal has carefully designed their goals to allow them to do that but in doing so that is a straight up asshole move in a context where they should be seeking trust?
Absolutely mind bending.
This is a great improvement, but they have already proven they can't be trusted with anyone's phone number so it is a damn shame they still won't allow you to create an account without one.
It is a decent service otherwise, but my fricking god I hope they at some point realize the harm they've done.
Up until today I've been ashamed of suggesting signal. Hopefully that will change with this feature.
1. Users were properly informed
2. Users were given the option to opt-out
And please don't pretend being annoyed about not being able to write third party client is in the same realm, that is just disingenuous.
And I'm not talking about something obnoxious like a cookie-banner here, something in the fine-print would go a long way.
I think it's a mischaracterization to say that they spam "everyone" when you create an account. They only tell others who a) have you in their contact lists, and b) have an account with Signal too. I agree, though, that they should be more transparent about this, and require that you opt in to this behavior.
Personally, though, I don't mind it; for the most part this is how I've discovered other contacts on Signal, and vice versa. But I can understand why it makes some people uncomfortable.
What I find "absolutely mind bending" is that this is such a big deal-breaker for people such as yourself. While I wouldn't call it a nothingburger, it's -- to me -- at most a simple error in assuming what people are comfortable with.
Edit: I re-read what a few others had said upthread about how indiscriminate this new-user notification is. The examples of notifications being sent to users that had been blocked via the phone's built-in call/SMS blocking features are especially chilling. There's really no excuse for that, but still, to me this automatic notification is a feature developed in good faith, with good intentions, not some nefarious privacy invasion. They should be taken to task for its failings, but dismissing the entire platform over it seems a bit over the top.
Of course it does, way more than "meaningfully". I actually wonder if I got your message right taken that I am not a native speaker of English.
Do you mean that if your phone is public (and you are known to be the owner) you will not get creepy calls, have ot listed as a free pizza delivery for calls after 23:00, having it blacklisted, ....
I must have understood wrong.
Otherwise what is the number of your president/prime minister? Or the CEO of Google/Apple/... I do not think they are public.
Who said Signal was a good product to begin with? And who though adding sticker would improve market share?
Casual users value UX and porting their chat history and VoIP calling vastly more than they value E-2-E encryption. You can't talk about growth when you fail to deliver on these fronts first. That's how Telegram and WhatsApps rule the market.
Adding stickers won't move the userbase needle when you already lost your potential users at the lack of chat history and UX.
My daughter loves stickers.
Also: "Who said Signal was a good product to begin with?" LOL. Just read the comments on this link bro.
How does Signal count it's active userbase? Like I said, me and almost everyone else I know have it installed but don't regularly use it because most people don't really like it versus the established Telegram and Whatsapp.
Like I said, a lot of people have Signal, but very few use it as their primary messenger on a regular basis, and more of a "it's just there in case one of those tech nerds who told me to install it decided to message me on"
Yes. I think your definition of "active user" is non-standard.
If you only use it a couple of times per week you're not really an active users when messenger apps on average get used multiple times per day.
So I don't think I;[m unreasonable at all to compare Signal to the average messaging apps in term of screen time.
This mechanism may not be ideal for all users, and it's possible that Signal has now outgrown it, but without it, there would be no Signal as we know it today.
How did THAT feature help Signal grow?
You only receive that spammy message if you already have Signal installed and your contact already has it too.
Signal grew a lot in 2021 (in Europe) because of the pandemonium created by Meta when they announced a change in WhatsApp Privacy Policy so everyone rushed to install Signal but the initial surge, was short lived.
Moving the clocks forward to today, looking at my extended network of family, friends and acquaintances, almost everyone has Signal installed, but most don't use it anymore as it's too frustrating and feels dead, so everything is still on WhatsApp, especially groups. All the Signal groups I have, originally meant to replace the WhatsApp groups, slowly died out and people stopped posting on them or following them, defaulting instead back to the WhatsApp groups.
You don't fix this lack of retention with stickers and spammy messenges.
https://support.signal.org/hc/en-us/articles/360007061452-Do...
Settings > Notifications > Notify When > Contact joins Signal
> We've discussed at length why this is not possible, but if you have more thoughts then please visit the forums. Please try not to open duplicate issues in the future, even if you feel like something is important.
I wonder why this is "not possible"
People seem to be asking for a way they can join Signal without their number showing up in the registry of Signal users. This is why it's "not possible".
edit: This may have changed today. I'm now seeing an option that lets me hide my number from the registry. This means that even someone with my phone number will not be able to message me on Signal, which seems like a good deal to me.
yeah, you need to authenticate to delete the account (aka deregister). How else would they verify that you are the owner of the account you want to delete?
That said, the complaint around this is usually that people don't want others to know that they use Signal. And unfortunately there was no way to _really_ do that (until now), because if you open your chat list, you'll see all of your registered contacts. But in the 7.0 release, we added the ability to hide yourself from being discoverable by phone number at all. So for people who don't want anyone else to know that their phone number is registered with Signal, they now have that option.
great, but what about all of those people that installed before 7.0 and had it already happen to them? "oops" doesn't help. at. all.
How can a privacy oriented company not see the privacy implication of this? Sometimes, you want to be forgotten by some people, and Signal is telling them you are still there and active on that number. I remember reading a story about someone getting into real trouble for that.
Without "usernames", the proper way to handle it would have been to not let anyone know you are on signal when they look up your number. To get into contact, send a message, then the recipient will receive a notification with the message and an option to rely. If the recipient doesn't respond, from the sender point of view, it should be as if the account didn't exist.
But I think it's inexcusable that these sorts of notifications could essentially allow someone to circumvent blocking done by one of their contacts. If I've blocked someone via my phone's default contact blocking mechanism, and then I join Signal, and that person is already on Signal, they should not suddenly be able to contact me... and even be explicitly invited to do so on their end!
I wouldn't be surprised, though, if neither Android nor iOS gives regular apps access to the blocked contacts list. So I'm not really sure how an app like Signal could solve this problem.
The TL;DR is that they collect and forever store sensitive data in the cloud, meaning that the US gov could almost certainly access that data and any other government could access any one person's data too just by brute forcing a PIN
Because I know I don't have that skill set or time. I do have however some big fat red flags on using it because it was opted for by an entity whose entire existence is based around backdoors and spying.
Honestly i find it absurd that some folks say just because something is open source it's automatically safe. The vast majority of us whether the project is open source or not lack the skill or capacity to pick up on a well obfuscated hole. Hell even the best of us aren't that good.
A free-to-use global communications platform that doesn't censor, respects user privacy from the ground-up, and is run by a non-profit foundation that is faithfully dedicated to its mission. https://signal.org/bigbrother/.
We should support it. If you haven't already, then consider signing up for a recurring donation to the Signal Foundation. I try to give what I can afford, because I believe that digital freedom is essential for the progress of all humankind, https://signal.org/donate/
Without such projects, our civilization will stagnate and die in darkness.
Edit: Ok, ok, I was wrong, signal does have advantages over whatsapp.
I'd get a chuckle out of comparing that with the privacy of Whatsapp.
FBI doc on what messaging apps can provide via subpoena pulled by a FOIA request...
https://propertyofthepeople.org/document-detail/?doc-id=2111...
> Message Content: Limited*
> * If target is using an iPhone and iCloud backups enabled, iCloud returns may include WhatsApp data, to include message content
Your own link does not say that. At all. It directly disputes that.
https://signal.org/bigbrother/
2. WhatsApp tries to get every user to accept the option to backup messages and photos to Google Drive, where they sit unencrypted and accessible by Google. Even if you reject that option yourself, your correspondents are likely to have enabled it (if only just to stop WhatsApp from nagging about it) and so your messages are available for Google to read. Example of why this can be bad: https://www.vice.com/en/article/zm8q43/paul-manafort-icloud-...
3. Google Photos asks WhatsApp users if they'd like it to back up their WhatsApp photos. Even if you reject that option, your correspondents may have enabled it and so your photos are stored online unencrypted and accessible by Google.
4. Why should we limit what Google and Facebook know about us? Google and Facebook influence our behaviour for the benefit of their paying customers. Their computer systems are too powerful for our minds. They work against us, not for us. Companies like Facebook will come to be seen like tobacco companies, except that the harm is as from mind altering drugs. There is a documentary on Netflix called The Social Dilemma which explains this well. The polarisation of societies and the spread of conspiracy theories are some of the effects. The only defence is to disengage.
5. Read about Chinese-style social credit to understand why you want companies like Facebook and Google to know as little about you as possible. This is a good overview: https://nhglobalpartners.com/wp-content/uploads/2021/10/chin...
WhatsApp provides an option (off by default) to encrypt the backup with a password so that it cannot be decrypted by Google.
WhatsApp requires you to give it access to all your contacts (your entire address book) in order to use it at all. This information is uploaded straight to Facebook’s servers where they’ll inevitably use it to place your WhatsApp account in a social graph so they know who you are based on your contacts. I found this to be unacceptable so I uninstalled it.
Given how tightly they control development, disallow third-party clients, disallow federation, disallow self-hosting servers, have a history if disallowing use without google play and have hid huge development features from the public (mobile-coin) despite being open source. etc;
The idea that it's a great undertaking of our time is so bombastic that it's guaranteed to be false even if you truly believe that they are completely altruistic (which I'm willing to believe but it's not coming easy to me based on the above).
"What's better"? Matrix. Which seeks to solve all of my points, the only thing lacking is market share which honestly is partially caused by these "easy to use" services which trade off everything else, which also consumes developer mind-share even if you're unwilling to acknowledge that. (devs are motivated to solve issues for friends, family and themselves if they are exposed more frequently to systems and services that are sub-par).
https://blog.koehntopp.info/2024/02/13/the-matrix-trashfire.... explains why Matrix is lacking market share, and I think Signal's decision to be aggressively closed is due to a justified fear of becoming that.
The mantra of every network that stays mediocre and never achieves critical mass
I've criticized Matrix before for their "protocol-first" approach and "too neutral" stance towards clients (which they've changed somewhat it seems; previously [1] was a table of clients with no clue what to choose, now it at least has "featured clients"). I feel they repeated the same mistakes as XMPP, which has not improved their client list.[2] Protocol nerds will say that's a good thing, but all it really does is ensure your protocol remains marginal because most people just get confused. People choose software, not protocols.
But you can write a high-quality client and a specification and allow people to write their own apps. IMHO Signal is needlessly restrictive. Sure, focus on your own implementation and the quality of that first. 100% the right decision. But there's no reason to not at least allow some things down the line. Signal is just a few months shy of their tenth birthday – they're well past the "ensure the quality of our official client"-phase.
[1]: https://matrix.org/ecosystem/clients/
[2]: https://xmpp.org/software/
Friend 2 insists on using their client because it has dark mode, and for the average user, what they see isn't "friend 2 is extra and has a broken client", they see "that app fails to send pictures about a quarter of the time, let's use whatsapp".
It complains that cyberfurz.chat is a "server with profanity in the name".
...why?
Signal is very much in the same area of: "trust us".
With a caveat that they also say: "here's a bunch of information on why you should: but you can't really verify any of it and we have proven bad faith before- also we have an army of people who will pile-on if you call us out for not being actually verified, so, just trust us- we are the secure messenger and all those scary things are just so we are easy to use".
Definitely not true. Facebook literally censors private conversations. You simply can't send certain text strings to your friends. That is far more dangerous than relying on a third party that claims to be protecting your privacy. Especially since all signs point to them being honest.
To be clear, this is in private conversations. Not just posting publicly on Facebook or w/e.
To their point, there are benefits to federated systems. But I've yet to see a federated system have moderate to large usage without becoming centralized. Think email. And until this problem can be solved you're still left with a "trust us" problem. There's no trustless system out there, yet. But hopefully it comes in the future. In the meantime, signal is the best if you also want to communicate with anyone that can't tell you if a stack is FIFO or LIFO (or even know those acronyms).
I truly believe they are altruistic, although it is unrealistic to expect that to last forever.
By the way, some of the claims you made about their "bad actions" are actually false. And Matrix is still incredibly annoying to work with for "normies" and only recently got first-class E2EE and retention policy, both things needed for a secure chat experience. And btw, those things aren't deeply supported in the ecosystem, and also it doesn't have client feature flag alerting (to allow good intentioned clients to de-facto report they don't support certain security features).
I do think Matrix (or something like it) is the future, but it's certainly not the present.
It's not just any open-source project.
It's a privacy-orientated open-source project.
They could at least BSL the server code and allow others to verify the server code and host but not compete.
This is exactly what they do (except they use AGPL): https://github.com/signalapp/Signal-Server
[0] I don't even use Signal. My tack is to isolate and contain my "mobile phone" device as much as possible (when I'm home it generally stays next to the door on a charger). Whereas Signal has been designed around that single device as a critical part of my life. When I can sign up using only a username, and use Signal from a native client or web browser without any sort of Android device in the picture, then I'll be interested.
While I think there are better services to be private and secure from a technical perspective, there's one killer security and privacy feature that Signal has that on one else does: usability. It's pretty hard to get my grandma onto Matrix, but it isn't hard to get her on Signal. The truth of the matter is that you can't have private and secure conversations if there is no one on the other side. So while I really do like Matrix and the like, I think of them as more alpha or beta type projects. I don't find that the bashing of Signal is helpful (like we also do with Firefox) because all it does is creates noise for people that don't understand the bashing is coming over a nuanced and biased point of view (we're mostly highly tech literate here on HN, it is a bubble. But people still read our comments that aren't). End of the day, if we aren't getting 1 click server installs (or literally everyone is a host), federated systems are going to become highly centralized at some point. PGP's always failed because the easiest way to hack a PGP email was to reply that you couldn't decrypt. It wasn't appropriate for the masses even when it wasn't difficult to use. Don't get me wrong, I love Matrix, but it's got a long way to go to get mass adaptation.
Fwiw, I remember a user awhile back offering a bounty for a decentralized pathway in Signal[0]. The idea was to create an AirDrop like system to help with things like local file sharing but then extend the project forward to create a mesh network. Seems like a reasonable idea to me. I think it may be more advantageous to try to push Signal in the right direction than rebuild from scratch. I'd highly encourage people with other opinions to participate in the Signal community because it is a crazy echo chamber in there and for some reason the devs treat it as a strong signal.
[0] https://community.signalusers.org/t/signal-airdrop/
An analogy is the U.S. is a two-party system, but most would consider this significantly different than the one-party system in North Korea or Russia.
A federated system with a few large players is still much better than a centralized one.
Like I said, I'm all for Signal becoming federated. It's why I dropped that link to the airdrop feature request. I'd also be in favor of people running their own servers. I mean the server code is available, you just can't connect it with the main network. So as far as I see it, there's nothing stopping this from happening. I see a lot of people complaining but I'm not aware of any major roadblocks. That doesn't mean there aren't any, but I'm just not aware of any. And fwiw, there are alternative Signal clients like Molly[0]. So at least the app can be disjoint from the official ecosystem.
[0] https://github.com/mollyim
B) Network effects drive the value of tools that are networked. The forks aren't popular at all.
C) Signal is well funded and not in financial trouble, so they can sustain effort on development and infrastructure.
D) I suspect you already knew all this too. So why did you respond the way you did?
If I am working with a source who gets frustrated by the impenetrability of communicating with me because I insist they use matrix while they're not technical and likely impatient, then that person will be much more likely to use a fallback method such as SMS or email, and they'll do it without warning. It's legal risk, period. My job is to make sure that they can share information with me as easily as possible and during a particularly sensitive period of that person's life, usually. Matrix, as a sibling post highlighted well, is too difficult for this use-case. That is an enormous failure for a use-case of sensitive information sharing.
Matrix did an interoperability talk on FOSDEM (https://fosdem.org/2024/schedule/event/fosdem-2024-3345-open...) and it's basically confirmed (https://www.wired.com/story/whatsapp-interoperability-messag...) there was some experimental work done on connecting WhatsApp (and ergo every other Signal protocol compatible app) and Matrix.
> It is unlikely that we will ever federate with any servers outside of our control again, it makes changes really difficult.
> ... I understand that federation and defined protocols that third parties can develop clients for are great and important ideas, but unfortunately they no longer have a place in the modern world. ...
Also, hasn't Moxie basically left Signal?
> If you think running servers is difficult and expensive (you're right), ask yourself why you feel entitled for us to run them for your product.
Forks are a natural consequence of releasing free software. This is the life they chose.
Also, free software isn’t a product.
The ToS is the only thing that governs end users connecting to the API, and it doesn’t deny end users the use of third party clients. Also, even if it did, that would be insane, like Google saying you can’t even load google.com when browsing with Firefox. It would be pretty much without precedent on the web, and bonkers.
The GPL is the only thing that governs developers’ use of the client codebase. The GPL of course allows forking and modification and redistribution.
Such forks and redistributions obviously cannot use Signal’s trademarks, so LibreSignal was dumb to do so. Ultimately the feelings of the Signal team don’t matter here - only the license under which they officially released the code. You can’t be more explicit about permitted uses than that.
You can’t be open source but then claim you don’t want forks. It’s one or the other.
"You must not (or assist others to) access, use, modify, distribute, transfer, or exploit our Services in unauthorized manners" [1]
By my reading, the ToS does deny the use of third party clients. Someone could try to argue that a third party is using the services in the same manner as the authorized first party client, therefore it doesn't break the ToS; but since the company's leadership have said that's not OK (causing the mentioned client to stop being updated), I'd assume that if that argument worked in court, they'd just change the ToS to be more explicit about stopping it.
[1] https://signal.org/legal/
This is like attempting to sue qBittorrent for copyright infringement.
Matrix also is just not particularly private. Servers control and know far too much about users, and pretty much no mainstream client enables E2E encryption by default. Matrix is an impressive piece of technology, but it has a long way to go before it's as usable for an average mobile phone user as Signal is.
I always like to remind people that you can also donate through your employer and many will match. This is a great way to multiply your donation and everybody wins. Your org is going to donate x amount a year anyways and so might as well "vote" on where some of this money goes.
For instance, I would love to see picture sent to me by my spouse automatically saved to camera roll. Signal has no option for this because it could put the privacy of me and the sender in jeopardy.
Fwiw, I want this feature too. And others. I've submitted feature requests in the past. I even asked that usernames add QR codes and links. I'm not sure if I was heard, but hey, the feature is there and even some of the echo people were against it.
My camera roll is for photos that I have taken. If I want to put something from someone else in there, that's a decision I will pro-actively make. Other apps shouldn't be doing that for me.
I don't want to be too negative on Signal since they do some good work and I do use it.
But freedom? No. It is another completely proprietary platform. A better one, but still proprietary, so the antithesis of internet freedom.
For example just earlier this month the Signal client overnight stopped working on my old Mac because they decided to no longer support older OSX releases. So I can longer use it on that machine, my primary desktop.
If Signal was in any way open or free (as in freedom) I'd just compile my own client to speak an open protocol and be back in business. But no, Signal is just a proprietary service with a proprietary client.
Isn't the source code available? What's preventing you from compiling your own copy?
https://github.com/signalapp/Signal-Desktop
[0] https://github.com/signalapp
Why can't you run your own? Sounds like it is not entirely open. (Never looked into it, so would be interesting to understand what is missing.)
> But you can compile the app and desktop clients yourself.
This has been talked at length here in HN before, they prohibit any clients other than their proprietary binary distribution.
If that has changed, I'd be thrilled. Can anyone point at it having changed?
I might very well be wrong, and if so, someone please correct me.
[0] There's always talk about the big deal breaker for Signal being that it isn't federated. So I've always wondered why this passion isn't used to generate a federated Signal network and is more focused on Matrix (who only recently started being E2EE). I don't know how these things work, I'm not that kind of programmer, but I can't see why you couldn't modify the server code to work in a federated fashion and edit the app code to be able to connect to both? I'm actually interested to know why if someone actually has an answer.
source?
From my understanding, they're not a fan of it (not sure if it's officially against their TOS or not) but they don't go out of their way to stop them. At least as long as you don't use the Signal name and make it clear you're not an official app.
Even in this blog post about usernames, they clearly make sure to mention them: "This means that in about 90 days, your phone number privacy settings will be honored by everyone using an official Signal app."
https://github.com/signalapp/Signal-Android/blob/main/reprod...
> older OSX
How old OSX are we talking? Is it older than current Xcode with Sonoma supports? If it's that, then you have your answer. If you want to daily drive and older machine Linux or even Windows should be fine, but this is not really the way with Apple hardware - if it was, Xcode would make this easier for the developer. For reference, you can still build for Windows Vista using current Windows 10 SDK - I haven't tried Windows 11 SDK, so not sure how things are there.
Otherwise, it'll always be niche. I'm never getting non-technical friends and family to adopt a messaging app that isn't unified for SMS and secure messaging. When they say "users might not know they're sending insecure SMS messages" - fine, you own the client. Make the client bright red with a flashing "INSECURE MESSAGES" across it for all I care. It's not hard to inform a user in 2024 that they are sending a less secure message.
Er, what? So no one you know uses Whatsapp, FB Messenger, Telegram, Google Talk, or anything else? I suppose it's possible that's true, but even if so, you and the people you know do not represent the common-case user.
> Note that if provided with the plaintext of a username known to be in use, Signal can connect that username to the Signal account that the username is currently associated with. However, once a username has been changed or deleted, it can no longer be associated with a Signal account.
The "no longer associated", I will need to get Signal word for that, right. (You cannot cryptographically prove something was deleted, right.)
But it's good enough I guess
You'd have to take their word that this wouldn't change, though.
Now that I know it still needs phone number I assume it will need to be unique so my use case fails.
For the record, I am still a happy Signal user and a monthly supporter, thank you very much.