• kbal@kbin.melroy.org
    link
    fedilink
    arrow-up
    47
    arrow-down
    12
    ·
    edit-2
    10 months ago

    Whittaker says that, for better or worse, a phone number remains a necessary requisite

    Worse. It is for the worse. We sure did wait a long time for this half measure, Signal.

    • LWD@lemm.ee
      link
      fedilink
      arrow-up
      36
      arrow-down
      2
      ·
      10 months ago

      Is there a reasonable alternative, though? Email addresses? Adding a cryptographic challenge to prevent somebody from generating tons of accounts?

      As far as phone numbers go, I’m not a big fan of Signal having them, but I definitely prefer not having to give them out! That change is a huge deal to me, as I can now communicate with people without handing them a phone number. And Signal has provided their client and server source code, along with evidence that their servers store absolutely nothing.

      Nowadays, the most likely way your Signal data will get leaked is if somebody screenshots it.

      • kixik
        link
        fedilink
        arrow-up
        6
        ·
        10 months ago

        Jami doesn’t require a phone number, which is p2p. Xmpp (+ Omemo) doesn’t require a phone number and it’s federated… I mean, if a service is willing to rid of phone numbers, it’ll do totally without them.

      • Որբունի@jlai.lu
        link
        fedilink
        arrow-up
        3
        ·
        10 months ago

        The challenge of having your device solve a nasty PoW that takes minutes would not deter most people: a timer once is better than evil captchas, phone numbers, etc. I don’t understand why they use hCaptcha and not that.

        • LWD@lemm.ee
          link
          fedilink
          arrow-up
          10
          ·
          10 months ago

          If one computer can create a single spam account every few minutes, imagine how many total spam accounts could be created by a small farm of computers, in a single day.

          • Որբունի@jlai.lu
            link
            fedilink
            arrow-up
            1
            arrow-down
            1
            ·
            10 months ago

            A lot, but farming phone numbers from poor countries is also cheap and Signal sends them insanely expensive SMS. There is no perfect solution, spammers aren’t stupid. Since Signal is centralised they can enforce PoW incrementally if they get reports for spam, I still think it is way better than hCaptcha which is garbage.

      • Scolding0513@sh.itjust.works
        link
        fedilink
        arrow-up
        1
        ·
        10 months ago

        phone numbers for spam prevention are a bandaid for a mediocre solution. the mediocre aspect being that it’s totally centralized when it should at least be federated like SimpleX. SimpleX is the ultimate solution to be honest with you, it’s federated, fast, extremely private and extremely secure.

        • LWD@lemm.ee
          link
          fedilink
          arrow-up
          1
          ·
          edit-2
          10 months ago

          I don’t mind SimpleX. I use it myself, sometimes. But it is also currently a very obscure service, and it’s not exactly easy to find people to communicate with. Phone numbers, and now usernames, provide a jumping-off point for that.

          How do you find people on SimpleX and then make sure you’re talking to them in a group later on? Right now, that’s really hard.

          And right now, SimpleX is pretty small, so if it starts expanding in that first area, how would it prevent spam?

      • RandoCalrandian@kbin.social
        link
        fedilink
        arrow-up
        4
        arrow-down
        6
        ·
        10 months ago

        It’s the signal metadata that they want to keep associated with an identity

        They still can fulfill government requests for who is talking to who and how often

        • LWD@lemm.ee
          link
          fedilink
          arrow-up
          9
          ·
          10 months ago

          Only the recipient number has been in the messages, so unless Signal servers have been compromised, and they’ve figured out how to associate sender IP addresses with phone numbers, and they’ve never been caught by the multiple government demands from them… I think it’s fair to say

          1. they probably don’t keep these logs, and
          2. they made it about as hard as possible to do
        • cjf@feddit.uk
          link
          fedilink
          English
          arrow-up
          7
          ·
          10 months ago

          Got proof for that last claim?

          I thought their sealed sender feature was meant to prevent exactly this scenario.

  • PoliticalCustard@lemmygrad.ml
    link
    fedilink
    arrow-up
    10
    ·
    10 months ago

    If anyone knows how to get the beta without having to join the beta programme on Google Play please let me know; my phone is degoogled. They do have an apk on their site but it’s not the beta.

  • Possibly linux@lemmy.zip
    link
    fedilink
    English
    arrow-up
    5
    arrow-down
    5
    ·
    10 months ago

    Signal is one of those apps that is good because it is popular and old.

    However, they need to step up there game if they want to compete with other messagers.

    • nomad@infosec.pub
      link
      fedilink
      arrow-up
      8
      arrow-down
      2
      ·
      10 months ago

      Its also the only really free messenger. Free as in freedom and no money.

        • Kilgore Trout@feddit.it
          link
          fedilink
          arrow-up
          7
          ·
          10 months ago

          I use Jami daily. The pro is that it is completely decentralised: it doesn’t need a server to run, all communications are over DHT. The cons is that not all messages are delivered instantly, and both sender and recipient need to be online at the same time.

        • nomad@infosec.pub
          link
          fedilink
          arrow-up
          4
          arrow-down
          1
          ·
          10 months ago

          Yeah mainstream messenger that other people have. I personally like briar but it sucks my battery dry in houra.

  • besbin@lemmygrad.ml
    link
    fedilink
    arrow-up
    2
    arrow-down
    6
    ·
    10 months ago

    You still need to put in your phone number to use their increasingly limited service though. Either go full bare sms/RMS integration or go full anonymous username only. This half ass approach please no one.

    • admiralteal@kbin.social
      link
      fedilink
      arrow-up
      4
      arrow-down
      1
      ·
      10 months ago

      I still cannot comprehend their logic for why having full SMS integration would be such a disaster. It just makes no sense and I wish they’d admit that it isn’t a security concern but is just that they don’t want to do it. They just don’t want to, and don’t care that this policy makes it harder for users to adopt and use their service.

      I know that SMS is a US-specific thing. But at least in the US, most people regularly interact with SMS. Having a platform that supports SMS means you can basically live in that platform – this is a major part of the success of iMessage.

      The idea that it would create huge security gaps… I just don’t believe. I think the kind of user who wants to be on Signal clearly understands that SMS is not secure. All they need to do is have a clear visual indication when you are texting instead of using Signal, which isn’t that complex.

      Instead, people like me who might try using it as their primary platform just see no point. None of my friends use it. So why should I even have it installed? And none of my friends see a reason to install it because I and everyone else don’t have it installed. If I could use it as my SMS app I might have it installed and lived-in, which greatly lowers that barrier.

      • LWD@lemm.ee
        link
        fedilink
        arrow-up
        3
        ·
        10 months ago

        They’ve definitely said, albeit relatively quietly and sparsely, that SMS/MMS messages have always been a headache to implement and maintain. It makes sense, although it sure as hell frustrates me too. It’s harder to sell somebody on an app that only works on a proprietary messaging network, whereas old Signal could be sold to friends as “a texting app that can be encrypted” or “does big files”.