A place to discuss privacy and freedom in the digital world.
Privacy has become a very important issue in modern society. With companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.
In this community everyone is welcome to post links and discuss topics related to privacy.
Some Rules
- Posting a link to a website containing tracking isn't great, if contents of the website are behind a paywall maybe copy them into the post
- Don't promote proprietary software
- Try to keep things on topic
- If you have a question, please try searching for previous discussions, maybe it has already been answered
- Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
- Be nice :)
Yet another IM protocol. Walled garden. Fees to be paid to a central company.
There's plenty to criticise about signal, but "mesibo" is not the solution.
Besides, the signal-dissing in the article seems mostly a FUD exercise.
Can you elaborate on how this is FUD, please?
Introducing socialist millionaire verification to ease fingerprint verification does not seem a bad idea.
Using phone numbers as identifiers is a well-known Signal flaw.
And while CBC is indeed less robust than GCM regarding certain types of attacks, it is true that "up-to-date" CBC implementations have no known vulnerability. Yet, would you claim that TLS1.3 is FUDing for dropping CBC support as well?
I am not promoting mesibo, which I never heard about before. I am just trying to understand how this criticism of Signal would be invalid, or FUD.
Oh no it's a pretty good idea, and unfortunately mesibo isn't the first project to implement it… in an entirely new protocol that nobody will ever adopt. Implementing SMP in a widely-used protocol (email/PGP, IRC/OTR, XMPP/OMEMO) would benefit a lot more users.
Indeed, but once again we have dozens of protocols providing messaging primitives, whether federated or centralized. Why should we even consider Signal or Mesibo? To be honest, i appreciated Mesibo's criticism of Signal: it's fair and strongly deserved. I would add to this that Signal dropped on-disk database encryption which is horrible: users set a passphrase expecting some security… only to find out later that the passphrase is purely cosmetic and the local DB is unencrypted.
I don't think it's either FUD or invalid. It just looks like yet another corporation making yet another protocol for yet the same usecases we already have a dozen protocols for. If mesibo is only about cryptographic research, OMEMO/MegOLM could use a refresher… but unfortunately they're promoting an entire ecosystem and it's really not clear what the technical/business model is (i found the code for libmesibo but i don't see any server implementation on their github).
I think given the very fragmented ecosystem we already have, the burden is on them to prove that their project is interesting/useful. From my perspective, it looks like some cryptographers wanted to do cool stuff, but need a bullshit business front (like any startup) to operate… like a lot of crypto research, unfortunately…
I agree with all of your points :)
Fuck signal and their phone number requirement, how is it vs Element?
I have difficulty taking Signal seriously because of this.
Yeah their double ratchet algo is a complete joke. I wonder why it's been implemented in WhatsApp, xmpp, matrix, etc.
Disclaimer: i'm no cryptographer
I think the crypto in Signal looks fine. The double ratchet isn't bad, although it has some drawbacks (at least the OMEMO variant) about long-absent participants running out of published ephemeral keys.
The problem with Signal is the centralized system (which relies on absolute trust in a server's "trusted computing" module) and the business governance. I'm very critical of m0xie and friends in their political/economic decisions, but they seem to produce good cryptography…
I was trolling.
I know the direction of the project and their stance against centralisation is debatable but they produce good and reviewed software and libraries.
What you do with it is a personal choice.
Matrix does have some metadata problems (not hating on Matrix though)
Interesting. Can you elaborate?
In matrix pretty much everything is a public, logged append-only datastore (a room in matrix vocabulary). There is some access-control applied on top but it means that basically any server involved in some room (because their users are part of it) gets a full copy of the full history of the room including all user addresses.
In contrast, XMPP has a clearer threat model: your server knows about you, the server of a user you're communicating with knows about you, 3rd party services you employ know about you (eg. chatrooms) but other users of that 3rd party service don't. Practical example: when i join room anarchism@chat.jabberfr.org from southerntofu@userserver.net address, i'm giving the chatroom server (MUC server) a nickname to identify me with. When other users receive messages in the chatroom from me, they see it from southerntofu from chatroom anarchism@chat.jabberfr.org but have no idea what my actual JID (XMPP address) is.
That's certainly good for reducing chances of having all your messages being logged by a sysadmin somewhere, but it's even better for abuse-resistance. Having your address leaked in every public interaction is fine for most people but is a no-go for people who have stalkers or are targeted by harassment campaigns. See also this HN thread on XMPP and anti-abuse mechanism.
You can use VoIP with Signal so it's not much of an issue.
Do they require a phone number when registering? I remember they do, but I might be wrong. I compared all FOSS WhatsApp alternatives a while ago, and I think that's one of the reasons I ruled out Signal. Element was the winner btw.
BTW, even if they don't, I still think Element is better. Signal doesn't meet f-droid's standard while Element does, and ofc Element is federalized while Signal is not (it's centralized Oo).
I didn't explain myself very well but yes they do require a phone number. What I meant was you can use any VoIP number with Signal and it's fine, TextNow or any service that lets you retain the number works.
Oh OK, tnx.
I upvoted because the phone number requirement is the n°1 problem with Signal.
But to be clear, Signal does meet F-Droid's policy (albeit with a "centralized service" antifeature flag). The only reason Signal is not distributed on F-Droid is because Signal threatened legal action if it ever was (LibreSignal scandal).
Also, i appreciate that Matrix (Element is just a client) is a federated protocol. Unfortunately, it consumes a lot of resources server-side (like A LOT of RAM and disk storage), and the default client Element is nearly unusable with high-latency links (eg. over Tor). I personally recommend getting into XMPP… there is no default client because XMPP is an ecosystem not a government-backed startup and some of them really suck (see joinjabber.org for the better clients) but at least the client and server don't eat all your resources (a "big" XMPP server for hundreds of users uses <500MB RAM, a similar matrix server uses 5-20GB RAM).
TIL. Tnx.
I thought the reason they aren't on F-DROID is that they're using google firebase (I think session uses that too because it's a signal fork but I'm not sure).
Well that's the reason upstream Signal was not packaged on F-Droid, that it required Google Play Services to run. That's why Signal was forked into LibreSignal (which didn't change anything beyond removing this dependency) which could be distributed on F-Droid. [This ticket](https://github.com/LibreSignal/LibreSignal/issues/37) is where the discussion took place. m0xie from Signal team said:
This discussion ultimately led to an article (and a CCC talk) called The ecosystem is moving, to which Conversations developer Daniel Gultsch replied. There was also a more XMPP-centric reply to the talk. Happy reading.
XMPP+OMEMO or OTR is a great alternative, lots of people use it in the DNM realm.
Yup Jabber/XMPP has some interesting properties, although the ecosystem is far from the potential it could achieve with more full-time dedicated efforts (and/or more funding to employ people for that). What's DNM though?
Dark net markets.
I'm somewhat cautious of Signal. Given what the US government is, I don't trust any entity based in the US.
By this standard you should probably not trust any entity at all because all governments are evil and their secret police are after revolutionary troublemakers. I agree that Signal being centralized is a huge problem, but i personally believe the bigger problem is that it requires a unique identifier (the phone number).
We all use centralized services sometimes, for example to sign up on a forum. But when we do so over Tor and with a nickname (pseudonym) that's a reasonable security practice.