Good summary of several red flags regarding the use of the Signal messenger.
Also interesting is this one.
Use a locally hosted XMPP with the Conversations client :)
You know, I completely forgot about Moxie’s weird aversion to F-Droid, while happily hosting Signal on Google Play. I can’t be the only one who thinks this is a joke, right?
deleted by creator
AFAIK this used to be true, but isn’t mandatory any longer. But F-Droid has a policy not to make apps available against the wish of the developer (and Signal’s trademark would also be an issue then).
And Moxie has stated that he thinks F-Droid is a security risk compared to the Play Store, as F-Droid sign their releases themselves instead of letting the Signal Foundation sign them. From Moxie’s perspective this might ring true, but for everyone else it is pretty clear that F-Droid is more trustworthy than the Signal Foundation & Google.
F-droid sign their releases themselves instead of letting the Signal Foundation sign them
They do sign releases themselves, however:
We also support reproducible builds, so we can build a version from source and check against your official release. If they match (ignoring the signature) we can then publish your official APK with your signature used. This is a tedious task, since we have to standardize on the build parameters and tools, but it should be worth it in the long run.
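The check the quoted F-Droid text describes, rebuilding from source and comparing the result with the developer’s official APK while ignoring the signature, looks roughly like this. This is an added example for the thread, not F-Droid’s own tooling; the “APKs” are constructed in-memory zip archives with placeholder contents, and the entry names and signature-file suffixes are assumptions about a typical JAR-signed APK.

```python
"""Reproducible-build check sketched in the quoted F-Droid text: rebuild from
source, then compare the rebuilt APK with the developer's official APK while
ignoring the signature, which is the only part that is expected to differ.
Added example; the APK contents below are constructed stand-ins, not real apps."""
import hashlib
import io
import zipfile

# JAR (v1) signing adds these entries under META-INF/; everything else in the
# archive must match byte for byte for the build to count as reproduced.
SIGNATURE_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF", "MANIFEST.MF")


def is_signature_entry(name):
    """True for entries that signing creates and a rebuild cannot reproduce."""
    return name.startswith("META-INF/") and name.upper().endswith(SIGNATURE_SUFFIXES)


def content_digests(apk_bytes):
    """Map each non-signature entry to the SHA-256 of its uncompressed content."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or is_signature_entry(info.filename):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_apks(official, rebuilt):
    """Return sorted (entry, reason) pairs for every mismatch; [] means the
    rebuilt archive reproduces the official one apart from its signature."""
    a, b = content_digests(official), content_digests(rebuilt)
    problems = []
    for name in sorted(set(a) | set(b)):
        if name not in b:
            problems.append((name, "missing from rebuilt"))
        elif name not in a:
            problems.append((name, "missing from official"))
        elif a[name] != b[name]:
            problems.append((name, "content differs"))
    return problems


def make_apk(entries):
    """Build an in-memory zip from a name -> bytes mapping (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample data: the same "app" content, once as the developer's
# signed release and once as an unsigned rebuild from source.
APP_ENTRIES = {
    "AndroidManifest.xml": b"<manifest package='example.app'/>",
    "classes.dex": b"dex\n035\x00constructed bytecode",
    "resources.arsc": b"constructed resource table",
}
OFFICIAL_APK = make_apk({
    **APP_ENTRIES,
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "META-INF/CERT.SF": b"Signature-Version: 1.0\n",
    "META-INF/CERT.RSA": b"constructed PKCS#7 signature blob",
})
REBUILT_APK = make_apk(APP_ENTRIES)
# A rebuild whose code differs, as it would if the published source does not
# match what was actually shipped.
DIVERGENT_APK = make_apk({**APP_ENTRIES, "classes.dex": b"dex\n035\x00other bytecode"})

if __name__ == "__main__":
    for label, rebuilt in (("rebuilt", REBUILT_APK), ("divergent", DIVERGENT_APK)):
        problems = compare_apks(OFFICIAL_APK, rebuilt)
        print(label, "reproducible" if not problems else problems)
```

Only entry contents are compared here; a real comparison also has to cope with zip metadata such as timestamps and alignment, which is the “standardize on the build parameters and tools” part of the quote. The v2/v3 APK signature lives in the APK Signing Block rather than in zip entries, so it never shows up in the listing and is ignored automatically. When the comparison comes back empty, the signed official APK can be published as-is, which is exactly what keeps the developer’s signature in control.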
Interesting. This sounds like something custom made just to defuse Moxie’s argument, yet Signal is still not on F-Droid, confirming that there are in reality other reasons.
probably has something to do with this:
We can try to reproduce your APK, as mentioned above, but if this fails (or e.g. when you want to distribute an app with closed-source components or API keys etc.)
apparently signal checks for play services even when you download the .apk from their site
AFAIK this used to be true, but isn’t mandatory any longer.
As far as I am aware, F-Droid’s policy against proprietary libraries has not changed. Their documented inclusion policy still says this.
We cannot build apps using Google’s proprietary “play-services”. Please talk to upstream about an untainted build flavor (either using microg or removing Non-Free dependencies completely).
I think microG includes libre substitutes for Google’s proprietary libraries, but IIRC Signal uses the proprietary libraries and they aren’t interested in being fully-libre.
I was referring to Signals need for Google Play Services, see: https://github.com/signalapp/Signal-Android/commit/1669731329bcc32c84e33035a67a2fc22444c24b
I don’t really agree with all the hate against Signal. Signal is a good start into easy privacy for people, with an app (that I personally find better than WhatsApp).
Like it or not but the federated alternatives (even though I like them) are not as easy to use as Signal, I don’t think my grandparents could use XMPP as easily for example.
It’s far from perfect but I wouldn’t say it’s not trustworthy or a bad app though.
Well, yes, to some extent. But it is again a walled garden, and in the end anyone switching from WhatsApp is just in the same marginally improved situation again.
I also don’t think the “grandparents” argument is fair. If you register an account and install Conversations/Quicksy/Blabber.im on their phone, it is just as easy to use. The bigger problem is the semi-computer-literate whom you would expect to be able to install it themselves, but who give up at the first sign of a slight complication such as “what server should I choose?”.
The “grandparent” argument is fair. It’s fair to claim they will always revert to modern technology in their era which I assume, the analog telephone and fax machines. They’re not going to waste their time learning the next best thing anyway.
You totally missed my point. What I meant was that there is no difference in ease of use between Signal and Conversations/Quicksy once you have an account and it is installed on the phone. In fact XMPP is easier in some ways.
A grandparent isn’t going to be using a password manager let alone remember their credentials for a multitude of accounts or even if they did, they’d be using sticky notes on their monitors or fridge doors.
It may be easier for our generation to believe in the ease of use of technology, but I think it’s a futile attempt to pass this knowledge upstream to people who quite literally don’t care or can’t care enough.
No password manager is needed for XMPP. You set it up once and the password is stored in the app. In case you need to add another device, you can reset your password on many servers via email, just like any other website.
Signal, on the other hand, is tied to your phone number. Thus if you lose your phone, your contract is cancelled, your SIM card breaks, etc., your account is lost, unless you go through a pretty complicated procedure with your mobile phone company. And even then all your messages are lost, as Signal isn’t multi-client (unlike XMPP).
I’m still discussing about our grandparents. I’ll break it down more succinctly: grandparents aren’t going to care about an online service/app security and features. They just want shit to work and all those extra steps we take for granted won’t necessarily be as productive for their generation.
Maybe you can automate the setup of XMPP or Signal with all the immediate members of their family, but when something breaks, they’re not going to be tech savvy enough to troubleshoot.
Which is exactly why XMPP is the much better option for them once it is set up. Much less can go wrong and shit just works. Proven for nearly 20 years now. Yes, they will probably need some advice setting it up, but this is true for pretty much anything other than WhatsApp as well.
XMPP also works great on desktop computers with really old hardware… something that a lot of grandparents will surely appreciate.
Signal’s plug and play.
The Conversations app requires a sign-up. We can’t miss out the ‘once you sign up’ bit; it’s an important step, because it stops users.
I’d prefer XMPP myself, but my experience tells me this isn’t the best method. In a hostel people complained about privacy concerns. I told them about Signal. A few went to the Play Store page and nearly clicked ‘Install’.
At this point a bigger privacy enthusiast told them not to download it, that it’s not decentralized, and to go and download a new super-private thing and also add your own keys to a server here, and people just put down their phones without installing either.
If you had showed them Quicksy or Blabber.im it would have been exactly the same as Signal, except that it would not be tied to a phone number, which some travelers in a hostel might not have available, so in fact it would have been even easier.
I don’t read German.
https://blabber.im/en/, I think
I haven’t tried Conversations, but I bet it’s really simple to use. Element on Android has gotten extremely simple to use just in the last few months, a much easier UI even than Signal. I would def recommend either to a gran.
I agree with you. I live that in my environment.
Also, I am not sure XMPP is made to work the same way WhatsApp or Signal does. Signal works with a phone number, just the same way as WhatsApp; it’s not made to be an anonymous chatting app. Also, XMPP doesn’t support audio and voice calls. I don’t know if there are decentralized alternatives to WhatsApp that work the same way.
But actually, yes, it’s sad that at any complication people just stop learning stuff, believing it’s too ‘geeky’ for them.
XMPP does support audio and voice calls. All 3 of Conversations/Quicksy/Blabber.im do that. Furthermore, you can sign up with your phone number exactly as in WhatsApp/Signal if you use Quicksy.
I recommend you try one of them out to see the current state of XMPP today before judging it :)
I think I am blind. I am using XMPP for some nice channels. But I never saw integrated voice and video though. I love XMPP but I wouldn’t say it’s as easy as Signal.
There are no voice channels as in Discord, but you can do voice and video calls with Conversations, Movim, Siskin and JSXC (with slight issues) all interoperable these days.
How do I do that with conversations? I can’t see the icon :(
The contact you want to call has to have a compatible client as well otherwise it does not show AFAIK. And your server might not be configured for STUN autodiscovery.
Check if your server is in this list. https://compliance.conversations.im/test/stun/
Second, any contact you wish to call must be both on one of the above servers and have a client that supports calling (such as the ones previously mentioned).
deleted by creator
Building yet another walled garden is a bit sketchy in itself and ultimately harms end users. It also harms other FLOSS projects simply by chipping away at their userbase and contributors.
Usability is not the only aspect to consider.
Jeez, I just looked at moxie’s comments here, and was like woahhhh! - https://github.com/LibreSignal/LibreSignal/issues/37#issuecomment-217339450
> Some time ago you federated with CyanogenMod. What has changed since then?
What changed was going through that experience. It seriously degraded the UX for our users and held us back in the development process at many times. I'd estimate that all told, we lost about 6 months to a year of progress. It's something we'll probably never do again, and has fully convinced me that federated protocols are a thing of the past in this world of ours.
> I hope you see the difference between LibreSignal and the SignalPlus-like apps that just want to earn something using somebody else's work. I really see the space for a good cooperation here.
If people want to use our source code to develop their own products, that's fine, so long as it's done under the terms of the license. That's the deal we're making with everyone, and I agree that it allows for possible collaboration. However, we are not running a service for other people's products, and we are not letting other people use our name in their products. Those things aren't part of the deal.
> Let's just use XMPP/Conversations and be done...
You have no idea how much I would love it if you did, but the fact that you don't is sadly telling.
It’s something we’ll probably never do again, and has fully convinced me that federated protocols are a thing of the past in this world of ours.
This one!
This response by the matrix devs is a good read.
Thanks, will give it a read.
https://signal.org/blog/there-is-no-whatsapp-backdoor/
It is great that The Guardian thinks privacy is something their readers should be concerned about. However, running a story like this without taking the time to carefully evaluate claims of a “backdoor” will ultimately only hurt their readers. It has the potential to drive them away from a well-engineered and carefully considered system to much more dangerous products that make truly false claims. Since the story has been published, we have repeatedly reached out to the author and the editors at The Guardian, but have received no response.
We believe that WhatsApp remains a great choice for users concerned with the privacy of their message content.
There we have it, let’s all switch back to WhatsApp and be done with this issue :D
‘Believe me, there is no back door’
Not if average users fall into herd mentality and guilt by association. WhatsApp is part of Facebook after all. Given how hyper-polarized everything can be now, I’m not surprised people are flocking to alternatives.
Great post, I fully agree with it (the one from drewdevault).
Excellent post! While Signal is an upgrade over WhatsApp, there are many sketchy things surrounding their app that need to be clarified. Until then, I find it hard to trust Signal as much as people are doing nowadays. Still, as I said, it’s clearly an upgrade over WhatsApp.
Maybe in a technical sense, but there is a risk that people who used WhatsApp for years are going to stay on Signal for many years. Maybe they should wait for a better alternative instead.
But we shouldn’t let anyone think that most people fully switched to Signal and deleted WhatsApp. The majority probably only gave it a try.
Do you remember when you could pay one dollar a year for WhatsApp? I remember those days. Developers get money to pay for infrastructure, features, upgrades, and services, and people get to keep their privacy. That ended the day FB bought them out. I remember those days. Maybe it is a bit of nostalgia and that’s why I like Threema so much. Signal’s best “selling” point is that it’s free and Snowden shills for it --mind you, Snowden is a former NSA contractor, and let’s not talk about the Signal foundation and their developers… It’s all so damn sketchy! Long live Threema, until proven wrong, of course.
Threema shares many of the issues of Telegram or Signal though. But I still think if you are an EU citizen, it is a better option than Signal, and that it isn’t linked to a phone number and for now allows third-party clients is definitely a plus.
I think that in general it’s the better choice for most people on Earth. The privacy laws in Switzerland, while not perfect, are very strict regarding the safe-guarding of people’s right to privacy.
That Switzerland is super privacy-secure is sadly a myth these days, and it is not without precedent (look up “Crypto AG”) that a Swiss company and the Swiss & German intelligence agencies were cooperating with the US intelligence agencies for decades.
Anyways, I do use Threema since their clients became open source. It is an ok choice, but in no way any better than XMPP.
No one has a perfect track record. However, you’d have to give me more than one example beyond a company that was secretly acquired by the CIA to do that, and that is based in Switzerland. Broadly speaking, I’d rather my data stay in Switzerland than in any other 14 eyes country. Hell, I would even trust the Russians more to store my data than most American companies.
Yes, I remember that, and I even paid for WhatsApp back then. Less than a year later they were taken over by Facebook. Since then I am extremely hesitant to give money to any company, because they can sell out from one day to the other.
I think I should mention that any product emerging from the USA, or from a USA fanboy country that has this problem of startup investor capitalist culture in young minds (where youths love Warren Buffett’s ideas), should not be entrusted with such subscription-style money. They are destined to sell out unless they are non-profit-style entities, and even then one must research.
It may sound a little weirdly worded (I tried my best), but I think anyone should get the idea here.
If you make broad and inaccurate statements about your communications product being “secure”, then when the political prisoners who believed you are being tortured and hanged, it’s on you.
That’s quite true. People delightful at their need to provide high-horsed “recommendations” about messaging products should refrain from doing so.
Aside from the security practices and workflow preferences of Moxie, many people don’t realize that Signal can act as a standalone SMS/MMS app by itself, without creating an account with your phone number attached. None of the security features of Signal will be active when you opt out though.