• DessalinesOPA
      link
      fedilink
      arrow-up
      12
      arrow-down
      4
      ·
      edit-2
      3 years ago

      Since when does Zuckerberg endorses Signal?

      He uses signal, I don’t think he’s publicly endorsed it. Read over that sentence again.

      The best way to do private/secure messenging is to do it similarly to the least private and secure messaging protocol in use?

      I’m just describing how it works, this seems overly combative. Encryption is a different topic than federation. Emails and phone calls are federated, yet insecure.

      This entire section completely ignores that Signal isn’t designed to talk to random people. It’s designed to talk to your friends/family/coworkers, who most likely already have your phone number. It makes it super easy to migrate. There’s no way my grandma would be able to add me on briar…

      That “ease of migration” comes at a cost: namely that signal’s centralized server now knows your identity. And yes while briar isn’t quite user friendly yet, its just as easy to share a user_id string as it is a phone number. With matrix or XMPP I can share my ID with a link.

      sealed sender

      I don’t know enough about this to comment, but signal still has to know who to send the message to. That means that the server must decrypt the recipient at some point.

      Payment in Signal has been a major request since the migration from WhatsApp. In multiple countries WhatsApp has a payment feature that is hugely popular.

      I’d argue that most people don’t want a cryptocurrency bundled in their chat apps. This is a really strange thing to defend.

      For the last one, its telling that you deleted half my sentence. The full sentence is this:

      Signal’s use luckily never caught on by the general public of China ( or the Hong Kong Administrative region ), whose government prefers autonomy, rather than letting US tech control its communication platforms, as most of the rest of the world naively allows.

      Many countries have now realized their mistake in letting US tech companies control their social media platforms, and are trying to adopt the PRC model of home-grown chat apps. A great example is India, where Facebook and Youtube ( 2 US tech companies ), are the most popular social media apps. This was a glaring mistake allowing these US surveillance giants to so completely own the social media landscape of India.

      • ᗪᗩᗰᑎ
        link
        fedilink
        arrow-up
        9
        arrow-down
        3
        ·
        3 years ago

        I don’t know enough about this to comment, but signal still has to know who to send the message to. That means that the server must decrypt the recipient at some point.

        Then you shouldn’t be spreading FUD about it.

        • DessalinesOPA
          link
          fedilink
          arrow-up
          7
          arrow-down
          2
          ·
          3 years ago

          If you live in France, why would you want a US company to own and control your communications? That was the main thrust of the article, which you never addressed.

            • DessalinesOPA
              link
              fedilink
              arrow-up
              13
              arrow-down
              2
              ·
              3 years ago

              The App is FLOSS,

              As I noted in my article, remember when signal went a whole year without publishing their server source code updates?

              Non of your points are really any concrete proof of Signal being backdoored.

              I also addressed this, in the NSL section. It is illegal for signal to tell you that, otherwise they all face heavy prison time. Your default position then is to “trust” US services… not a good idea from a privacy standpoint given the history of surveillance disclosures.

              • chiefstorm
                link
                fedilink
                arrow-up
                6
                arrow-down
                3
                ·
                edit-2
                3 years ago

                I appreciate and admire your motivation @dessalines@lemmy.ml

                However, Signal is like the one application that’s user friendly and is NOT compromised, and you seem to be completely attacking it.

                I have reason to believe that Signal is NOT compromised. and the code is indeed Open Source and can be trusted.

                I don’t trust the US, but I do trust Moxie Marlinspike to be a privacy advocate, he has spent his entire career being an advocate for privacy.

                although Signal went a whole year without publishing server source code because they were being subtle about introducing mobilecoin crypto-asset support, and they didn’t want people to jump hog wild into mobilecoin. However, they now have released the server source code, therefore I do not think this is a valid argument.

                • DessalinesOPA
                  link
                  fedilink
                  arrow-up
                  10
                  arrow-down
                  2
                  ·
                  3 years ago

                  How do you feel about marlinspikes ruthlessly banning all third party clients and server implementations? Or his choice of phone # identifiers?

                  • tomtom
                    link
                    fedilink
                    arrow-up
                    8
                    arrow-down
                    1
                    ·
                    3 years ago

                    Yes I do not see why we should trust any system which forbids self-hosting, especially when alternatives exist.

                  • ᗪᗩᗰᑎ
                    link
                    fedilink
                    arrow-up
                    4
                    ·
                    3 years ago

                    How do you feel about marlinspikes ruthlessly banning all third party clients

                    False.

                    There are a few 3rd party clients. They all identify themselves to the server that they’re 3rd party clients and they haven’t been banned.

                  • chiefstorm
                    link
                    fedilink
                    arrow-up
                    4
                    ·
                    edit-2
                    3 years ago

                    I appreciate your critique and well written essay, as well as your motivation. Thank you again for writing this, and I will heed your advice and be more skeptical of signal foundation. However, but I have followed Marlinspike for years, and was an early signal adopter, so I do have some trust that the project is not compromised.

                    comment from lobster also makes some good points here, and I tend to agree with this guy

                    This take comes up every so often, e.g. in some of the linked articles. I’m sympathetic to many of the concerns raised, but I’ve yet to see serious engagement with some of the deeper issues raised. For example: A significant number of security and privacy-enhancing technologies (PET) have received US military funding or other support. See: Tor from the Naval Research Lab, OpenBSD from DARPA. SELinux comes from the NSA. The Open Technology Fund has also support Ricochet, WireGuard, ? Delta.chat, and Briar (that the author recommends), etc. (link). Are all these tools suspect? As an aside, the EU also funds a significant number of PETs. While not as egregious as the US, the EU is no enemy of mass surveillance, either. One reason for Signal’s centralization is, in short, that it’s hard to update federated protocols, including their security features. E2E encryption in XMPP or email is still a pain, and far from usable for most people. I hope that e.g. Matrix can pull it off, but they face challenges that centralized services don’t. With a centralized service, you know that you can handle unforeseen security developments quickly. Shouldn’t this be a key priority for a security tool? Using phone numbers as identifiers has its benefits: you don’t need to store users’ contacts on your servers. A service like Wire, that does allow you to sign up without a phone number, has to store your full social graph on their end. Avoiding this sort of metadata is a hard problem — Signal has opted for minimizing the amount they store. It’s hard to overstate how much ease of use matters when it comes to gaining mass adoption for these tools. For a long time, privacy & security tools were super user-unfriendly, reserved only for a small technical elite (see PGP). If we want to combat mass surveillance, we need tools that the masses want to install (in my experience, it’s hard enough to convince activist groups to migrate off Discord or Slack — the alternatives need to be similarly easy to use).

                    How do you feel about the guy who donated 50 million to Signal? He probably has the most influence on the project second only to Marlinspike.

                  • Halce
                    link
                    fedilink
                    arrow-up
                    4
                    ·
                    3 years ago

                    We have one FLOSS project that is very high quality, secure and gained significant popularity, and we start shooting it down ourselves…

                    This would be a truly problematic sentiment in some other cases. But the point here, is that unlike Matrix, Signal is not really ours.

                • jazzfes
                  link
                  fedilink
                  arrow-up
                  5
                  ·
                  edit-2
                  3 years ago

                  So if we don’t know what runs on the server side, how do we know then that this is not used to map user networks, i.e. who communicates with who? From an activist POV wouldn’t that be a significant risk?

                  Also, even if you trust the company today, given that it is US based, it is subject to the gag orders the US government agencies hand out. So that makes it still a problem, no?

    • poVoq
      link
      fedilink
      arrow-up
      9
      arrow-down
      2
      ·
      edit-2
      2 years ago

      deleted by creator

        • poVoq
          link
          fedilink
          arrow-up
          7
          arrow-down
          4
          ·
          edit-2
          2 years ago

          deleted by creator

                • DessalinesOPA
                  link
                  fedilink
                  arrow-up
                  8
                  arrow-down
                  1
                  ·
                  3 years ago

                  If that were the case, the sealed sender stuff would a complete lie, which would seem out of character for Signal.

                  It seems like your loyalty to signal isn’t based on any facts or history whatsoever. I go over the untrustworthy history of signal’s founders, but you’ve ignored all those points in your replies so far.

                  • ᗪᗩᗰᑎ
                    link
                    fedilink
                    arrow-up
                    5
                    arrow-down
                    1
                    ·
                    3 years ago

                    I go over the untrustworthy history of signal’s founders

                    The OTF also funds the following: Briar, Tor, Wireguard, Delta Chat, Bind9, CGIProxy, CertBot, K-9 Mail, Tails, NoScript, QubesOS, The Guardian Project

                    You going to say that Briar is a good alternative despite receiving funding from the CIA just like Signal? How about QubesOS or NoScript. Are they also no longer trustworthy because they’re funded by the OTF?

    • DessalinesOPA
      link
      fedilink
      arrow-up
      5
      arrow-down
      1
      ·
      3 years ago

      they don’t have the message senders thanks to sealed sender

      Reading over this again. The primary identifier in signal, is phone numbers. You think signal doesn’t store those, or use them to route messages?

        • DessalinesOPA
          link
          fedilink
          arrow-up
          4
          arrow-down
          1
          ·
          3 years ago

          How would the signal server know who to route the message to?

            • DessalinesOPA
              link
              fedilink
              arrow-up
              4
              arrow-down
              1
              ·
              edit-2
              3 years ago

              In a centralized database, this seems like it’d be trivial to get around. You’d only have to look at the client sent messages and correlate them to the receiving ones.

    • tomtom
      link
      fedilink
      arrow-up
      4
      ·
      3 years ago

      Federation increases censorship resistance. I do not think it necessarily decreases privacy, although having metadata strewn across multiple servers may be a risk. Still, I think the comparison with email is a bit of a strawn man argument, since it is not only the federated nature of email which makes it easy to surveil but also the fact it is unencrypted by default.

      Moreover, email these days is concentrating in the hands of a small number of providers (gmail, etc).

      XMPP seems a lot more distributed at this point in time.