• ksynwa@lemmy.ml
      4 years ago

      Element gets a “good” on ease of use but IME using multiple clients is a pain in butt with the way encryption keys are handled. Lots of people complain about not being able to read some messages in an encrypted room I am in. I understand if it’s a limitation of them not storing your keys on a centralised server (unless you opt for it I think) but it makes it very difficult for normie friends.

    • nutomic@lemmy.ml
      4 years ago

      Where does Telegram have ads? I’ve certainly never seen any.

    • kitsunekun@lemmy.ml
      4 years ago

      Your post says that Threema doesn’t have voice and video calls, that’s wrong. https://threema.ch/en/blog Feature-wise Threema is very, very solid, and they will soon be adding even more features now that people are in a frenzy about not being spied upon 24/7.

    • federico3@lemmy.ml
      4 years ago

      This comparison ignores the leaking of metadata: for that, the only viable option is Briar.

      It also ignores ease of use: Signal is still reasonable, Element is too fiddly and buggy for non-technical users.

  • poVoq@lemmy.ml
    4 years ago

    People consider way too little under what jurisdiction the developers and servers are. Even if Signal was fine right now, them being under US law is a total no-go for anyone not living there (zero rights for non-citizens) and it would be trivial for the NSA to force Signal to intercept more metadata etc., even with a gag order.

    Matrix.org is AFAIK based in the UK, which is nearly as bad, especially now with Brexit. And self-hosting while avoiding any connections with the main instance is nearly impossible.

    If you insist on a centralized platform and are a EU citizen, then Threema is probably the best option, now that they open-sourced their clients. For non-EU & non-US, I guess Telegram (Doha based, but servers on US cloud providers AFAIK). I think for east Asia (other than China), LINE would do (Japan/South Korea based).

    But IMHO, by far the best option is to selfhost XMPP or sign up with a local community run XMPP server.

    • je_vv@lemmy.ml
      4 years ago

      I guess the whole point of having e2ee, storing as little user metadata as possible, and the model of not having to trust the service provider, is the motto for Signal and perhaps Matrix (Signal being the messenger collecting less metadata, while the Matrix backend is open sourced). Actually, no matter where the service resides these days, some are probably hosted on Amazon or other processing and storage services, which most probably have headquarters in one of the 5 eyes countries. I definitely like truly decentralized and FLOSS apps and services, such as Briar or Tox. However, unfortunately AFAIK Tox’s last protocol never got as audited as the double ratchet one, and besides, both decentralized services are energy hungry. A regular phone’s battery is not enough for a full day of such apps up and running…

      The fact of having Swiss servers is not fully reassuring, since at least the Swiss company Crypto AG has been exposed as being involved with intelligence agencies (US, German and Swiss ones at least) as well (https://web.archive.org/web/20201111074303/https://www.parlament.ch/press-releases/Pages/mm-gpdel-2020-11-10.aspx?lang=1033 - https://www.washingtonpost.com/graphics/2020/world/national-security/cia-crypto-encryption-machines-espionage). So Threema, though interesting, just by having Swiss servers is not totally reassuring, and features-wise, it lacks voice and video calls (it does support voice messages, which is not the same), to be on par with Signal and Matrix. Besides, the backend and server is not open sourced, just the client (like for Signal, but not the case for Matrix, which is fully open sourced).

      I do like the fact that Threema doesn’t depend on phone numbers, but Signal is supposed to be working on getting rid of the strict need for phone numbers (https://www.zdnet.com/article/signal-to-move-away-from-phone-numbers-as-user-ids - https://signal.org/blog/signal-pins), and Matrix doesn’t depend on phone numbers at all. I’m using both Signal and Matrix/Element, and if Signal doesn’t eventually come up with a no phone number solution, I’ll then get out of Signal, but I’m patiently waiting, particularly because I guess most people will opt out for Telegram (which is a definite no go for me, and it’s not even open sourced btw), and part of them for Signal, but I don’t see them opting out for Matrix, and even less opting out for Briar or Tox (as Tox is right now, it’s also a no go).

      BTW, Signal at least sent a communication last year, sort of indicating that if the US ever approves the “EARN IT Act”, they would move out of the US (https://www.wired.com/story/signal-earn-it-ransomware-security-news - https://signal.org/blog/earn-it), which is somehow nice to hear from it.

      XMPP requires a server, and in that sense is not truly decentralized, unless you self host, as you pointed out, but that might be out of scope for some (I at least can’t trust my electricity service, not even the internet one, as to be able to self host), or might even be too complex for non-tech people, and the alternative for most would be a central server… If I could self host, not only XMPP would be an option, also email and NextCloud (meaning, I would not depend on several services being hosted or not by US or non-US service providers)… And I don’t know how many users would be moving to XMPP (and even less self hosting, for a non-centralized experience), and I suspect as with the Matrix case, very few would…

      The Matrix solution so far has clients and backends fully open sourced, which is a big win compared to other solutions, since it can be explored and audited by anyone interested, and not just the protocols it uses or some APIs. Also by being federated, there can be instances everywhere. If someone doesn’t feel comfortable with the matrix.org instance, they can look for some other instances. And furthermore, as with XMPP, you can self host your own instance as well, and still communicate with the rest of the instances, so you can make it non-centralized if you and your contacts all self host. I then see Matrix as one of the best options out there, except for 2 major issues. The main one being adoption. As mentioned, I doubt I can make even a fraction of my contacts move to a Matrix client, though one of the cool things about being federated is that there’s not only Element, but that’s not the point… And the 2nd one being that at least group video calls (not sure if voice calls as well) are not e2ee, but instead are WebRTC encrypted, since Jitsi is used underneath, and in this regard Signal is better, though currently limited to 5 people video calls (they have in plan to increase that limit).

      So to me, it’s not as simple as saying the service provider or the servers are not based in any of the 5 eyes countries, or the extended 5 eyes for that matter, since in the end countries’ intelligence agencies make alliances, and when there’s money involved as well, then one can’t assure how ethical things are. I’m still to see truly decentralized solutions like Briar or Tox providing usable solutions for regular users (not just whistleblowers or protesters in special situations, for which some suppose Briar is made), and becoming, if not mainstream, at least easy and energy/battery safe to adopt as well, so it doesn’t become that hard to convince others to also join the decentralized experience.

  • marmulak@lemmy.ml
    4 years ago

    If you use Android then Conversations is probably your best choice. Some people won’t use it because it requires them to create an XMPP account on some server, which apparently is too much trouble. Signal is more appropriate for normies who just want to open an app and have it work like WhatsApp out of the box. (It supports iOS as well.)

    • poVoq@lemmy.ml
      4 years ago

      It really isn’t, just read the below messages.

      Switching from WhatsApp to Signal, while being an improvement in the short term, is in the end the same story. You are still stuck in a centralized walled garden that falls under US jurisdiction and has clients that are controlled externally (and thus it is trivial for US intelligence services to force the Signal Foundation to push an update that kills all the privacy features without you ever knowing).

      Edit: Probably FUD, but I wouldn’t be surprised if Signal is used as a honeypot by the NSA already. They did a similar game with a Swiss encryption product company for decades. And as much as I like Snowden, he is still very much a US intelligence service insider and can’t be fully trusted when it comes to recommendations for non-US citizens.

      • gorugorugo@lemmy.ml
        4 years ago

        I use Signal to chat with my friends and family.

        • I like the fact that it’s E2EE

        • I like that it’s very easy to sign up with a simple download, install, text code confirm.

        • I like the UI to an extent, it has nice features and looks nice enough. Text is text, pictures are pictures… we don’t need to obsess with “the shiny”.

        • I do not like that it’s hosted in the US

        • I do not like that it requires a phone number (for now)

        • I do not like that the servers are centralized, that the devs do not take decentralization into consideration, and that they are aggressive against alternative clients using their backend (which I am somewhat understanding of, servers ain’t cheap)

        Which is why there are alternatives like Matrix, Session, and lots of others; however:

        • Matrix requires a bit more from the user to sign up, such as username and email. This arguably is less bad than a phone number (although temporary or one-time phone numbers are available).

        • There’s also some shared disappointment around the web with the standard Element UI, can’t necessarily back those claims up though.

        • And to be really secure, you’d probably want to self-host a Matrix instance, which requires considerably more time, resources and effort to maintain, especially if you have poor internet at home, and feel that renting a VPS off-site would perhaps defeat the purpose of self-hosting (as I do).

        • Session is backed and developed by an Australian based company, which should immediately raise alarms for anyone familiar with Australia’s crazy backdoor encryption law [1] [2]

        Obviously this is all personal anecdotes, my bottom line being that Signal is not perfect, far from it, but if you’re using Whatsapp, now is probably the easiest time to shift your contact groups off. It’s an equivalent that’s far better, while still having some usage pains.

        If anyone wants sourcing on any of the above claims, please reply or otherwise offer a source up. I know they’re out there, I don’t have the energy right now for it. I do not intend to lie.

        [1] [2]

        • poVoq@lemmy.ml
          4 years ago

          > that they are aggressive against alternative clients using their backend (which I am somewhat understanding of, servers ain’t cheap)

          This argument is very weak IMHO, as Signal is a free app and anyone using it with a 3rd party client puts the same load on the servers as someone signing up for free. They do also say that having only a first party client allows them to quickly and easily change and innovate, but then why are they hostile to 3rd parties compiling and distributing the first party app?

          If you think about it a bit more closely, then it becomes apparent that by forcing everyone to only use the 1st party client and distribution channel, they can keep control of the app and change it freely without most people noticing, especially if a modified version is only pushed to certain individual devices. And maybe I am a bit paranoid, but that is exactly how an intelligence service would operate in order to compromise the communication of selected individuals.

          PS.: You should rather compare it to XMPP with the Conversations client (or the fork blabber.im). Works great, is fully e2ee and has a UI and functionality very similar to WhatsApp or Signal. And you can easily get it from Fdroid or compile it yourself, so the risk of the developers messing with the binaries is minimal.

          • gorugorugo@lemmy.ml
            4 years ago

            Thank you for this reply, I did not consider that. The small unseen changes due to forced use of a single client. I always want to use a decentralized platform if I can, which is why Fediverses are so nice, but my friends are not as keen. Signal is the gap for now.

          • Rugged Raccoon@lemmy.ml
            4 years ago

            > they can keep control of the app and change it freely without most people noticing, especially if a modified version is only pushed to certain individual devices.

            Is it possible though? Like, Google Play updates the modified app only for certain individual devices?

            • poVoq@lemmy.ml
              4 years ago

              Sure, that is easily possible. They can also push an update to everyone and a slightly modified version at the same time only to certain devices.

              In fact, if this is still true then Google could even dynamically push an exploit into Signal without an update to the app itself.

      • Lowey@lemmy.ml
        4 years ago

        Android builds are reproducible builds (download from website). As such I can be sure I get what it says. As for US jurisdiction, I think it has been published extensively that they were only able to give account creation and deletion date.

  • TheAnonymouseJoker@lemmy.mlM
    4 years ago

    Favourite answer: Signal for personal chats and Telegram for public groups and public chat boards

    Honest answer: keep WhatsApp to have an open presence in social public sphere, devoid of permissions except contacts, but use Signal for personal and sensitive chats

    If you want to read more, read the conclusion part in my writeup: https://lemmy.ml/post/46726

    • e44nbe4@lemmy.ml
      4 years ago

      Don’t agree with that. If you keep the mindset of “keep WhatsApp to have contact with people and don’t be alone”, which is not true, people will never stop using it.

      • TheAnonymouseJoker@lemmy.mlM
        4 years ago

        WhatsApp for some people can be integral to participation in academia (schools or colleges) or businesses. For them getting rid of WhatsApp is work suicide, hence the advice.

        • e44nbe4@lemmy.ml
          4 years ago

          I’m a student, ALL my friends use WhatsApp, you want to talk with me? Signal. Come on, today people have mobiles with at least 64GB of storage, delete your nudes and install Signal.

          • TheAnonymouseJoker@lemmy.mlM
            4 years ago

            Personal chats are surely fine on other secure messengers, which is what my own OPSEC is. What I meant was that universities and schools have their groups for notes and announcements on WhatsApp, and one would not like to miss out on that essential information.

          • AgreeableLandscape@lemmy.ml
            4 years ago

            > I’m a student, ALL my friends use WhatsApp, you want to talk with me? Signal.

            I wish I could do this. Facebook Messenger group chat is the platform of choice for organizing group projects at my university, and obviously I can’t refuse to communicate with classmates for assignments. I tried suggesting other platforms but practically no one is interested. Other communication, I direct them to email or Matrix.

  • Rugged Raccoon@lemmy.ml
    4 years ago

    The only thing that Signal seems to ask for is the phone number. But, in terms of privacy, do they collect any other metadata, and can the phone number be linked back to the device or the user externally?

      • onlooker@lemmy.ml
        4 years ago

        Yeah, it’s not great. It’s also an Electron app, which gobbles up more memory than I’m comfortable with AND last I used Wire, it wouldn’t detect my mic unless I was using the web version. Just no thanks.

  • Nevar@lemmy.ml
    4 years ago

    What about Threema? Open source, e2ee, easy user interface, no metadata collection

    • Echedenyan@lemmy.ml
      4 years ago

      As far as I see, Threema only became FLOSS on the client side and a few things on the server side, the rest is still proprietary software.

      • poVoq@lemmy.ml
        4 years ago

        Yes, similar to Telegram. Still that opens a lot of possibilities for reproducible builds and bridging etc. and they are also not hostile to 3rd party clients: https://www.openmittsu.de/ Servers located in Germany/Switzerland afaik. Recently got a larger cash investment from a large German investor.

        • Echedenyan@lemmy.ml
          4 years ago

          Yes, my point was only that and I apply the same to Telegram. It is a disadvantage for me and a major one.

  • Nevar@lemmy.ml
    4 years ago

    I don’t know if any of you are on Telegram, but Durov’s Channel is doing a takedown of privacy criticisms. He’s essentially calling people who demand server side code be open sourced misinformed.

    • TheAnonymouseJoker@lemmy.mlM
      4 years ago

      Telegram is okay only as a public board/group messenger service, nothing more. They take time in open sourcing their client code, around 3-4 months.

      • poVoq@lemmy.ml
        4 years ago

        That’s not that relevant, as long as older versions compiled from source still work.

        • TheAnonymouseJoker@lemmy.mlM
          4 years ago

          Older versions work, but would also have security flaws. So Telegram is open source depending on what definition of security or feature updates you are okay with.

          Most (spoiler: nearly all) people have no clue about this in the privacy community.