• DessalinesA
    link
    fedilink
    arrow-up
    9
    ·
    5 years ago

    :index pointing up: . My problem with signal isn’t necessarily that its encryption is broken, but that it uses phone number identifiers, which in most countries are 100% linked to your identity (and cost money too). Since signal is US based, we have to assume its DB is compromised, so they might not be able to see message content, but they can certainly see connections between people, and timestamps, building social graphs that way.

    You and I can’t even use signal, unless you wanted to tell me your phone number, so its also useless as general-purpose online communication.

    • cipherpunk
      link
      fedilink
      arrow-up
      7
      arrow-down
      1
      ·
      edit-2
      5 years ago

      Bingo. Not to mention that people without mobile phones (either by choice or by poverty) are excluded from contacting friends through Signal. The absurdly reckless mandate to get a mobile phone and share the ph# with OWS is what inspired this issue:

      https://github.com/privacytoolsIO/privacytools.io/issues/779

      which grew into something quite large. Something like requiring a mobile phone is so fundamentally indicative of an organization with little regard for privacy that you can easily expect to find other issues. Once you take a close look at it, the red flags are like mushrooms (after spotting the first one you start to see there are many clustered in the same area). And there are many mass surveillance vectors with OWS Signal. PrivacyTools and PRISM Break continue to lead ppl astray by sending them to Signal.

    • jbrown
      link
      fedilink
      arrow-up
      3
      ·
      5 years ago

      You and I can’t even use signal, unless you wanted to tell me your phone number, so its also useless as general-purpose online communication.

      Usernames as secondary identifiers are being rolled out so this is no longer true.

      “Usernames on Signal are optional. If you choose to create a username other Signal users will be able to find you by this username and contact you without knowing your phone number.” -Pointed out from dev commits on signal forum https://community.signalusers.org/t/signal-introducing-usernames/9157/3

      • DessalinesA
        link
        fedilink
        arrow-up
        1
        ·
        5 years ago

        It’d definitely be a good thing if they added this, but they’re kinda late to have this as an afterthought. Matrix / riot being federated, self hostable, and e2ee capable, is pretty much the future of comms.

        • renor
          link
          fedilink
          arrow-up
          3
          ·
          5 years ago

          The metadata that needs to be shared on decentralised services is a lot and Riot/Matrix shares a lot of it. If you seek for anonimity and privacy this is not the best, you will always have to trust your instance admin. I too think that Riot/Matrix is the future but not for Anonimity. Only IM who has achieved not sharing metadata being decentralised is Session with the onion routing used when messaging.

        • jbrown
          link
          fedilink
          arrow-up
          2
          ·
          edit-2
          5 years ago

          Matrix / riot being federated, self hostable, and e2ee capable, is pretty much the future of comms.

          I think that’s overly hopeful. Webrtc dependent sollutions can’t be reliably used over TOR and most major VPNs. Being self hostable is definitely a plus, but from the perspective of the communication protocols themselves Matrix is outclassed in both usability and call/message security.

    • dpreacher
      link
      fedilink
      arrow-up
      3
      ·
      5 years ago

      absolutely agree with that last line. My friends on Wire still remain on Wire as I can’t/won’t give my phone number to add them on Signal. #sorry