The community should promote federated chat solutions like XMPP or Matrix. Everything dealing with your privacy should be federated.
Well, that’s not quite true. First, federation means sharing a lot of metadata: you have to federate, so finding users on a federated network is hard without sharing metadata. Matrix “leaks” a lot of metadata. Privacy of “what” you say? Yes, but most offer you this. Privacy of who talks to whom, where, etc.? Nope.
Signal is open source and server builds are reproducible (you can be sure that they run the official build on their AWS servers); being centralised means that almost no metadata is leaked. But I also dislike the way OWS and Moxie make their decisions.
I recommend you read the whitepaper of Session at getsession.org. Session is decentralised and it has all the Signal benefits (Signal protocol, and no metadata). How? Onion routing. As I said, I strongly recommend reading about it.
What is the difference between Session and Tox?
If they use AWS, wouldn’t Amazon get all the metadata?
deleted by creator
Actually, I just tried Session and I don’t know if I will keep it. It drained 30% of my battery; if an app requires additional configuration to make it usable without draining all the battery, it cannot be a widely used alternative, unlike Signal, in my opinion.
server builds are replicable
Assuming this is what is really running on the server side, and there is no way to prove it. And there is no way to run an independent server and federate with the walled garden.
being centralised means that almost no metadata is leaked
This is plain false.
deleted by creator
deleted by creator
deleted by creator
deleted by creator
My biggest issue with that is that you almost never know exactly who is running an instance and what their attitudes or competence on privacy and security are. The attack surface just got widened.
I think Google Play Services should be disabled.
Not just for Matrix, but in general. It’s spyware.
Well, it’s run by a US company, and they don’t allow anyone else to distribute versions of their app (e.g. F-Droid), even though it’s open source. Also, the server code is not open source. I prefer Telegram; at least this way only the Russians get my data.
The client app for Signal users is also non-free software soon to be removed from the FSF Directory:
Isn’t this the signal server code? https://github.com/signalapp/Signal-Server
Having Russians getting your data instead of Americans is a choice one can make, but since TG doesn’t support e2e in Desktop clients, it isn’t really comparable I think. It’s a cloud messenger that also supports e2e in some cases, so while moxie surely gets your metadata, Pavel gets everything.
Ah, I’m wrong about that point then, but the others still stand. And I prefer for Russia to have my data, because they certainly don’t work with my government, but the USA most likely does.
The best option is Matrix, but so far it still seems too complicated for the average user.
deleted by creator
Distributing the code is not the same as open source. They prevent others from distributing modified versions of the software, which completely goes against the spirit of open source.
deleted by creator
Huge list of security problems with Signal:
https://github.com/privacytoolsIO/privacytools.io/issues/779
(and note that privacytools.io still endorses Signal even after being made aware of this)
People really have to learn to differentiate between PRIVACY and ANONYMITY. Two different concepts.
Anonymity IS privacy. Specifically, anonymity is privacy of identity. So no, it’s not two different concepts. It’s a subset/superset relationship of the same thing.
Calling “privacy” and “anonymity” two different concepts is an attempt to downplay the importance of anonymity. The problem is that you never have absolute privacy, and when privacy is attacked or lost for one reason or another you better have anonymity. You should think of anonymity as a 2nd layer of protection from disclosure.
That’s a good point. Thanks for sharing this view
deleted by creator
You cannot use Signal without a mobile phone subscription. All mobile phone connections (CDMA or GSM alike) inherently impose tracking. Additionally, most of Europe imposes GSM registration which is linked to national ID. So the mere precondition to establish such service is in itself privacy abuse – and that’s before we even talk about forced disclosure of the phone number to OWS.
deleted by creator
As have I, although using a Google Voice number, so avoiding one devil for a different one.
deleted by creator
Outside of the phone number identifiers, yeah.
For your information, there is a fork of signal without google services. https://langis.cloudfrancois.fr/
I never tried it though
deleted by creator
I recently came across this project, does anyone have any information, or background on it? https://getsession.org https://github.com/Loki-project
From my understanding it’s a fork of Signal, with some fundamental differences in network design
deleted by creator
it’s also worth noting that Session is founded and staffed by alt right people.
deleted by creator
Do you have a source for what you’re saying?
It’s time Signal starts working on those logs. They should not be able to even know that.
deleted by creator
deleted by creator
This: centralization, requiring a phone number, and being USA based. But… personally, I don’t see Signal as an alternative to decentralized, FOSS chatting platforms. I see Signal as a replacement for SMS/MMS. I think everyone should be using it as their default SMS/MMS app instead of just a stock SMS/MMS app. It can send and receive SMS/MMS, so you do not need a separate app for family members or friends who are stubborn and don’t want to use it, but you can also talk encrypted to other people who you have on Signal. And then you can use a separate app for truly private communications (decentralized, FOSS, E2EE, etc.) that Signal fails at being. Now, I am not excusing the fact that Signal is USA based or centralized; I think centralization seems to go hand in hand with SMS/MMS, so personally I am OK with that tradeoff. It being based in the USA, though, that is concerning to me. But I’d much prefer using it, and getting family and friends on it, than using essentially plaintext SMS/MMS for everything. It’s extremely easy to use and activate, and not confusing even for the boomers in the family. IMO, this is what a lot of decentralized alternatives fail at. Also, it does require your phone number, but again I see this as a plus in the sense of an SMS/MMS replacement. I would never be giving out Signal to people I want to talk to online, as I’d be giving out my phone number, and even when they implement usernames, there’d be no point IMO, as just using a decentralized alternative is the way to go at that point. Use Signal, replace your stock SMS/MMS app with it. Try to get family & friends on it. For any online friends, people who you don’t want to give your number to, or if you need truly serious privacy/anonymity, pick a decentralized, FOSS alternative and stick with that.
deleted by creator
Not sure offhand. I don’t really consider this a major issue, but idk, it might detect if they uninstall the app. I’ve never had someone uninstall the app. At the very least the message sends unencrypted and you will see that it was sent unencrypted.
deleted by creator
Not entirely sure, as I said; I understand where you’re coming from. I’d still rather people use Signal than not at all, but yeah, I see the issue here. Maybe try opening a ticket on their forums and you’d get better responses. https://community.signalusers.org/
Deleting an app does not delete your account on any online service. That’s the reason why people are still messaging me on WhatsApp and I am calling people on Duo and we are all waiting endlessly. Some services like Telegram, WhatsApp (I probably didn’t cover it), etc. have a default inactive account cleanup schedule… not sure about Signal.
deleted by creator
which ‘truly private […], decentralized, foss, e2ee’ communication method do you prefer?
It would depend on my use case. I would take into consideration XMPP, Jami, Briar, self-hosted Mumble, Jitsi, Rocket.Chat, and self-hosted IRC. Not all are exactly decentralized and E2EE (a handful are), but those are just what I’d personally consider. Some have different use cases. Some are easier to use than others; for example, I’d probably not invite normie friends to IRC, but would consider the other options. Some may not be the best for group voice chat; Mumble is my preference, and although not E2EE, it is encrypted. I wouldn’t completely trust it unless it was a self-hosted server or I trusted the host. Do some research and choose what works best for you and fits your needs.
deleted by creator
deleted by creator
☝️ My problem with Signal isn’t necessarily that its encryption is broken, but that it uses phone number identifiers, which in most countries are 100% linked to your identity (and cost money too). Since Signal is US based, we have to assume its DB is compromised, so they might not be able to see message content, but they can certainly see connections between people, and timestamps, building social graphs that way.
You and I can’t even use Signal, unless you wanted to tell me your phone number, so it’s also useless as general-purpose online communication.
Bingo. Not to mention that people without mobile phones (either by choice or by poverty) are excluded from contacting friends through Signal. The absurdly reckless mandate to get a mobile phone and share the ph# with OWS is what inspired this issue:
https://github.com/privacytoolsIO/privacytools.io/issues/779
which grew into something quite large. Something like requiring a mobile phone is so fundamentally indicative of an organization with little regard for privacy that you can easily expect to find other issues. Once you take a close look at it, the red flags are like mushrooms (after spotting the first one you start to see there are many clustered in the same area). And there are many mass surveillance vectors with OWS Signal. PrivacyTools and PRISM Break continue to lead people astray by sending them to Signal.
Absolutely agree with that last line. My friends on Wire still remain on Wire, as I can’t/won’t give my phone number to add them on Signal. #sorry
You and I can’t even use signal, unless you wanted to tell me your phone number, so its also useless as general-purpose online communication.
Usernames as secondary identifiers are being rolled out so this is no longer true.
“Usernames on Signal are optional. If you choose to create a username other Signal users will be able to find you by this username and contact you without knowing your phone number.” -Pointed out from dev commits on signal forum https://community.signalusers.org/t/signal-introducing-usernames/9157/3
It’d definitely be a good thing if they added this, but they’re kinda late to have this as an afterthought. Matrix / riot being federated, self hostable, and e2ee capable, is pretty much the future of comms.
The metadata that needs to be shared on decentralised services is a lot, and Riot/Matrix shares a lot of it. If you seek anonymity and privacy, this is not the best; you will always have to trust your instance admin. I too think that Riot/Matrix is the future, but not for anonymity. The only IM that has achieved not sharing metadata while being decentralised is Session, with the onion routing used when messaging.
Matrix / riot being federated, self hostable, and e2ee capable, is pretty much the future of comms.
I think that’s overly hopeful. WebRTC-dependent solutions can’t be reliably used over Tor and most major VPNs. Being self-hostable is definitely a plus, but from the perspective of the communication protocols themselves, Matrix is outclassed in both usability and call/message security.
deleted by creator
Signal does not accept non-mobile phone numbers.
deleted by creator
deleted by creator
deleted by creator
Server builds are reproducible, so it’s not a problem being hosted on AWS. Don’t spread misinformation. Sealed sender reduces metadata, so Signal, along with Session, is one of the two IMs that share the least metadata.
You’re neglecting the elephant in the room. AWS is an Amazon service. Even if you can fully trust the sealed sender mechanism, you certainly cannot stop OWS from paying money to Amazon.
Amazon is a notorious privacy abuser who has pushed surveillance into homes and neighborhoods by way of Alexa and Ring. Amazon has made an astronomical investment in facial recognition technology that’s used to abuse the privacy of countless people globally.
When you feed a vendor or service that feeds Amazon (e.g. Open Whisper Systems “Signal”), you are contributing to privacy abuse.
You’re completely right!
deleted by creator
Apparently it forces you to use reCaptcha. I wonder if it’s possible for the reCaptcha code to access user data.
It’s javascript, so unless Signalapp takes special defensive actions, anything in javascript is possible. E.g. Google could get your internal LAN IP address even if you proxy your traffic through Tor – which can then be used as part of the fingerprint. Visit wtfismyip.com to see how that works.
How useful is an internal LAN IP? I’d imagine for most people it’s just 192.168.something or 10.something. Though if you’re on IPv6, is it just the same as your public IP?
I choose a quite obscure LAN IP so it’s less trivial for someone who gets past the firewall to target a host. There are thousands of LAN subnets, so once you divide a non-unique fingerprint into thousands, it’s quite trivial to identify unique hosts, particularly if the traffic to a particular site is not in the thousands.
Even running a browser add-on/extension is sufficient to alter a fingerprint to be more unique.
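The thinning-out effect the two comments above describe (a fingerprint shared by many visitors being split across many LAN subnets, and an extension set making it more unique) can be measured as Shannon entropy over the fingerprints a site observes. The following is an added example, not code from the thread or from any project named in it; the visitor sample, field names and subnet values are constructed.

```python
import math
from collections import Counter

# Fingerprint attributes in the order they appear in each visitor tuple.
FIELDS = ("browser", "screen", "extensions", "lan_subnet")

# Constructed sample of eight visitors to one site (made-up values, not
# measurements). Browser and screen are identical for everyone, so only the
# extension set and the LAN subnet carry identifying information here.
VISITORS = [
    ("Firefox", "1920x1080", "none",   "192.168.1.0/24"),
    ("Firefox", "1920x1080", "none",   "192.168.1.0/24"),
    ("Firefox", "1920x1080", "none",   "192.168.1.0/24"),
    ("Firefox", "1920x1080", "none",   "192.168.0.0/24"),
    ("Firefox", "1920x1080", "none",   "10.0.0.0/24"),
    ("Firefox", "1920x1080", "uBlock", "192.168.1.0/24"),
    ("Firefox", "1920x1080", "uBlock", "192.168.1.0/24"),
    ("Firefox", "1920x1080", "uBlock", "172.31.200.0/24"),  # "obscure" subnet
]

def group(visitors, fields):
    """Count visitors per fingerprint after projecting onto the chosen fields."""
    idx = [FIELDS.index(f) for f in fields]
    return Counter(tuple(v[i] for i in idx) for v in visitors)

def entropy_bits(visitors, fields):
    """Shannon entropy (bits) of the fingerprint distribution over `fields`."""
    counts = group(visitors, fields)
    n = sum(counts.values())
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def surprisal_bits(visitors, fields, visitor):
    """Bits of identifying information one visitor's fingerprint carries.
    The visitor must be part of the sample (its count is then non-zero)."""
    counts = group(visitors, fields)
    key = tuple(visitor[FIELDS.index(f)] for f in fields)
    return math.log2(sum(counts.values()) / counts[key])

def unique_visitors(visitors, fields):
    """Number of visitors whose fingerprint is shared by nobody else."""
    return sum(1 for c in group(visitors, fields).values() if c == 1)

if __name__ == "__main__":
    for k in range(2, len(FIELDS) + 1):
        fields = FIELDS[:k]
        print(f"{'+'.join(fields)}: {entropy_bits(VISITORS, fields):.2f} bits, "
              f"{unique_visitors(VISITORS, fields)} visitors unique")
```

Adding the LAN subnet raises the entropy from under one bit to over two and makes three of the eight constructed visitors unique, and the visitor on the unusual subnet carries the full three bits needed to single out one of eight.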
deleted by creator
So it is alleged.