I mean trust specifically in the context of the technology. Things need to be independently verifiable. And thanks for correction regarding the clients, I was under the impression that you could only use the official app with their server. If you can use an open source client that addresses my concern regarding verification.

At the very least we can know that the protocol works as advertised. Since it’s E2E, I think it’s probably reasonable to assume that at least the messages themselves are secure.

That does address that concern.

Yeah, others corrected me. My understanding was that you had to use the client from the app store to talk to the official server.

I’ve found signal fans to be more fanatical in their loyalty to it than most advocates of other privacy apps

It’s because all criticism I’ve seen of Signal is at best circumstantial, and have nothing concrete despite the app being open source, with reproducible builds, under a ton of international scrutiny. I have read part of their code. I have understood the protocol itself for some of my classes.

It’s one of the rare FLOSS project that is actually good enough in terms of UX to actually reach popular adoption. We shouldn’t shoot it down.

On the side there are some concerning security issues with Matrix which I detail here. Signal is much much more attentive to the security of their implementation.

yeah, i didn’t mean that anything bad is going on, just that it’s a somewhat controversial topic and heated debate is taking place hehe

How do they know when a specific client sends a message?

I don’t know enough about this to comment, but signal still has to know who to send the message to. That means that the server must decrypt the recipient at some point.

Then you shouldn’t be spreading FUD about it.

He uses signal, I don’t think he’s publicly endorsed it.

That’s not what in you essay. Also, this is a fact that I doubt a lot since he owns WhatsApp. The story about that was when there was the huge Facebook data leak, allegedly, his phone number was in it, and it was possible to see that he was registered on Signal. At the time I tried to fact check this but couldn’t find anything that convinced me 100% of the veracity of this fact. I haven’t checked again so there may be some more convincing evidence available today.

Also, him being registered on it wouldn’t necessarily mean he is a user of Signal. He could have just registered to see what the competition looked like.

And if it were true that Marc Zuckerberg used Signal everyday, I would take it as a very strong confirmation that Signal is trustworthy. A quick way to test whether a conspiracy is true or not it to check if it would affect the rich and powerful.

Anyway, rich people endorsing Signal doesn’t mean anything. I hate Elon Musk too, but he just jumped on the bandwagon when it was already leaving and Signal was already gaining in popularity. A broken clock is right twice a day.

its just as easy to share a user_id string as it is a phone number

It’s not. I can dictate my phone number. I can’t do it for a cryptographic user id.

With matrix or XMPP I can share my ID with a link

With Signal I don’t have to because my phone number is already in their address book. When username arrive in Signal, a similar feature will likely be available anyway (though this is speculation, I don’t really know what it will look like and I don’t have the motivation to look at their WIP github branches).

sealed sender

I don’t know enough about this to comment, but signal still has to know who to send the message to. That means that the server must decrypt the recipient at some point.

It still is much less valuable than what you claim in your essay. They might be able to track you via your IP but that’s much less efficient and can be easily prevented via a VPN or using the builtin censorship circumvention proxy. Cryptography ensures that the rest cannot leak.

I’d argue that most people don’t want a cryptocurrency bundled in their chat apps. This is a really strange thing to defend.

If it is transparent and the use of crypto is hidden to the user while still preserving their privacy, it could be amazing. There’s no reason not to try, the beta version of the app is there exactly for this.

Many countries have now realized their mistake in letting US tech companies control their social media platforms, and are trying to adopt the PRC model of home-grown chat apps. A great example is India, where Facebook and Youtube ( 2 US tech companies ), are the most popular social media apps. This was a glaring mistake allowing these US surveillance giants to so completely own the social media landscape of India.

While I do wish my country (France) and other EU countries would do more in terms of regarding our concerning digital dependency on the US, I don’t see how the PRC is any better. They don’t have FB and other platforms which in some way is a good thing, however they have massive state surveillance in all of their internet platforms, and secure communication methods are banned.

It doesn’t necessarily mean that the phone number is sent with every API call. The real authentication of who sent the message happens on the receiver’s device when they decrypt it.

Federation makes it much harder to keep metadata private, though you could technically achieve the level of privacy found in Signal, it’s not easy.

In practice, Signal is a lot better at protecting your metadata than Matrix and XMPP.

Now that matrix has a lot of different clients and implementation, of would be super hard for them to implement something like Sealed Sender, which Signal was able to deploy very easily. I find it very unlikely that matrix will end up fixing its privacy issues. While Signal will be able to evolve and fix them. They are currently working on usernames for example.

Neither is Matrix if you use some 3rd party clients. With the most popular XMPP clients e2ee is enabled by default.

Also a few interesting things: I saw a lot of people saying that Signal isn’t keeping metadata, and a few articles from4 years ago claiming that. I took a look at the signal ToS and Privacy Policy which states quite the opposite: „SIGNAL DOES NOT WARRANT […] THAT OUR SERVICES WILL BE […] SECURE, OR SAFE”, „For the purpose of operating our Services, you agree to our data practices as described in our Privacy Policy, as well as the transfer of your encrypted information and metadata to the United States and other countries where we have or use facilities, service providers or partners.“ and „Other instances where Signal may need to share your data

To meet any applicable law, regulation, legal process or enforceable governmental request.“

distributed*

I didn’t know about any of that. TBH this subject comes up a lot on lemmy and you’re the first to mention those things.

I’ve not noticed any bugginess or lack-of-support type problems.

TBH those complaints don’t even sound that bad! compared against the problems the other messaging apps (inc signal) have.

Also, its not that signal just got lazy with letting their code get out of sync. They chose not to publish updates for their server for a whole year, until the open source community got really angry, and then they finally relented. If I or any open source maintainer did that, we’d rightly be abandoned. Some here are giving signal a pass for it tho.

the server code being not federated means you effectively can’t (or won’t) self host.

This doesn’t matter if the app is designed to not require a trusted server

Threema has generated IDs, Matrix has usernames, Telegram has usernames. Why can’t Signal?

Because they originally worked by encrypting SMS, which required phones numbers. Internet messaging arrived later, and they are working on usernames in a similar way to how Telegram does it if I understand correctly.

the server code being not federated means you effectively can’t (or won’t) self host.

Agreed. I hope they change their minds on this, although I’m not holding my breath.

Yeah but you could do that as verification and an additional means to find users, not the primary user ID. Threema has generated IDs, Matrix has usernames, Telegram has usernames. Why can’t Signal?

Agree. The devs have stated that this is coming this year. We’ll see if they can roll it out before the year ends.

Yeah, they let it get out of sync for a while

Why, though?

Honestly, don’t know and don’t care. I suspect because they didn’t want to yet make public their crypto stuff, but I’m not going to assume malice here without evidence.

Good question. Signal obviously didn’t ask about it and wants to become another WeChat/QQ clone where you can pay with your messaging application and circumvent taxes.

Whatsapp also lets you pay - although I believe its only in India. Telegram also attempted to include crypto. Why wouldn’t we want a private way to pay instead of letting Facebook/Google/etc, take over? I fully support them making sending money easier and more private.

I’d agree if you’d add “one of” between “currently” and “the”.

I’ll agree that it’s “one of” the best. Which one would you throw in your top 3?

Bind9

Damnit! guys and gals, the CIA is hinding in bind9

No fixed account and really easy multi-server connection clients like with IRC kinda works also.

Okay, I will keep that in mind. I thought Molly was the ideal alternative to replace Signal. I will try to use more Element or Briar.

You don’t have to use matrix with a browser client

But the presence of a browser client seriously undermines the security of the whole platform. People don’t know that they should not use the browser client. If it were a third party client it wouldn’t undermine the seriousness of Matrix, but the browser client is an official one, which shows that Matrix takes security much less seriously than Signal.