The Signal Server repository hasn’t been updated since April 2020. There are a bunch of links about this here but I found this thread the most interesting.

To me, this is unforgivable behaviour. Signal always positioned themselves as “open source”, and the Server itself is under the best license for server software (AGPLv3 – which raises questions about the legality of this situation).

Signal’s whole approach to open source has constantly been underwhelming to say the least. Their budget-Apple attitude (secrecy, i.e. “we can never engage the community directly”, “we will never merge/accept PRs”, etc.) has led to its logical conclusion here, I guess. I have been somewhat of a “Signal apologist” thus far (I almost always defend them & I think a lot of criticism they get is very unfair) but yeah I’m over Signal now.

  • ☆ Yσɠƚԋσʂ ☆ · ↑ 60 ↓ 1 · 4 years ago

    Another big problem with Signal is the fact that it’s centralized with the server being located in the US. Even if the protocol itself is secure with the server not having access to user data, this presents a huge risk since the US government can simply force Signal to shut down the service at any time. The server can also potentially collect metadata about the users, providing US security agencies with user connection graphs.

    I think that the Matrix approach is much more sound, and would always recommend it over Signal.

    • Seirdy · ↑ 7 ↓ 1 · 4 years ago

      I wrote about both issues, and why Matrix isn’t a perfect solution, previously: part 1, part 2. Starring WhatsApp, Firefox, Signal, XMPP, Email, and Matrix.

      Also discussed on Lemmy: part 1, part 2.

      Signal’s problem is being a closed platform; Matrix suffers primarily from complexity. Both enable dependence on a single small group, and therefore enable user domestication. That being said, Matrix is considerably less bad than Signal.

      For large public rooms, IRC continues to be the best option. All its issues are client-side; IRCv3 supports history, multiple devices, authentication without NickServ, and even typing notifications. All these features are supported on Oragono. For small, private E2EE rooms, all existing solutions have major trade-offs.

    • roastpotatothief · ↑ 3 ↓ 6 · 4 years ago

      All these discussions tend to ignore Wire. It is similar to Signal but has none of these drawbacks and even some extra good features.

      • ssenecaOP · ↑ 10 · 4 years ago

        Wire was mentioned in this thread. It transferred ownership (which in itself was shady) and its new owners are shady too.

    • DessalinesA · ↑ 24 · 4 years ago

      Same, /r/privacy and /r/privacytoolsio are so completely watered down that I’ve even seen a lot of pro-microsoft / vscode apologia there. The red flags with signal have been there for years, but they choose to ignore it.

      • Cysioland@lemmygrad.ml · ↑ 10 · 4 years ago

        I feel like lots of “privacy-oriented” mainstream tech discourse is a psyop designed to direct people to honeypots or even just inferior solutions.

        • southerntofu · ↑ 7 · 4 years ago

          Yes it’s called advertisement and it’s the byproduct of an ego/profit-driven society ;)

          • federico3 · ↑ 4 ↓ 1 · 4 years ago

            Never underestimate how many people are paid to influence product reviews, social media, message boards and so on.

        • DessalinesA · ↑ 7 · 4 years ago

          Pro US all the way down. It’s why all the reddit “privacy” subs praise microsoft, apple, signal, etc.

          • Ravn · ↑ 5 · 4 years ago

            Off-topic, but the US-centrism is what put me off reddit entirely. I just can’t go there anymore because it makes me immediately feel like a foreigner in another country. I sometimes wish there was an internet-wide filter for anything US.

      • manemjeff · ↑ 3 · 4 years ago

        vscode is a meh software. Vscodium on the other hand…

        • southerntofu · ↑ 1 · 4 years ago

          Do you know of a good lightweight client that works well with tor? I’d like to be able to use matrix but Element is just super heavy (and works really bad over tor because of latency).

            • southerntofu · ↑ 1 · 4 years ago

              I hope for the best, but considering it’s yet another JavaScript webapp, i find it hard to trust it’ll do anything better. By design it will force me to drop privacy/security features from my browser, and will use considerable resources.

        • federico3 · ↑ 1 ↓ 1 · 4 years ago

          Tox has a terrible security track record. At the same time, developers are still making wild claims that Tox can protect you from nation-state sponsored attacks:

          > Whether it’s corporations or governments, digital surveillance today is widespread. Tox is easy-to-use software that connects you with friends and family without anyone else listening in.

          This is not a code problem.

  • lorabe · ↑ 45 ↓ 2 · 4 years ago

    Let’s be honest, Signal was never an option.

    Rather than being free software, signal is more like museum software, you can see, but you cannot touch.

    • ssenecaOP · ↑ 23 ↓ 1 · 4 years ago

      A few years ago (2017?) I decided I would move messenger apps. The aim (and what I’ve achieved) was all my messaging going through a secure, private app.

      > Signal was never an option.

      In 2017, Signal really was the only option. Element (Riot, back then) was really bad and didn’t feature e2ee (which only got enabled by default last year!). XMPP was and remains difficult to use (not even many people here use it, how could I expect “normal people” to use it?)

      I made the choice to use Signal, and I don’t regret it. I only regret that it has taken until now that we are starting to see a glimmer of a real competitor, in the form of Matrix. But a real competitor to WhatsApp and the like, back in 2017, just didn’t exist outside of Signal.

      • poVoq · ↑ 6 ↓ 1 · edited 2 years ago

        deleted by creator

        • ssenecaOP · ↑ 8 ↓ 1 · 4 years ago

          It’s not about instances, they’re pretty much equal in that regard. There are two main issues with XMPP:

          1. Clients. There is no “default” or “reference” client for XMPP, whereas there is a cross-platform one for Matrix (in the form of Element). This has several implications, but the most important is that for the non-technically aware (which is the vast majority of people I talk to), it is easier and reassuring to use “the” Matrix client. The more important implication to me is on e2ee. Conversations started in Element now enable e2ee by default. In contrast, every XMPP client I’ve tried (on Linux & iOS) does not.
          2. Message history. Matrix and XMPP differ a lot here, and it’s why the Matrix homeservers are much more resource hungry than XMPP servers. When I use Matrix, I get message history on each device. This is a critical feature for those I want to move from WhatsApp and the like. This is not the case with XMPP.

            • ssenecaOP · ↑ 3 · 4 years ago

              You say you disagree with the default clients idea, but why?

              > At most it is a branding/marketing problem

              I don’t know why you’re so dismissive of this issue. I feel like you’re framing me as if I’m anti-XMPP when that isn’t the case; on the contrary I use XMPP and am a Prosody server admin. The reality of the situation though, like I’ve said above, is that next to nobody uses XMPP, even in tech communities. At this point “branding/marketing” could end up being the be-all and end-all of the entire protocol.

              > As for the other two points: that is both false and outdated.

              You’ve misinterpreted my comment. I am very well aware XMPP has and has had e2ee support, the issue is that XMPP clients never have this switched on by default, in my experience (which was testing every XMPP iOS client there is, the platform most of my friends use).

      • riccardo · ↑ 4 · edited 4 years ago

        Well there was Wire, which offered e2e encryption, an open protocol and open-source clients and backend, it has been audited, and it was based in Switzerland which is times better than the US. I tried to move a lot of people there, but luckily I failed, considering it has been bought by an advertisement company recently.

        • Ghast · ↑ 4 · 4 years ago

          Wire looked nice, but I stopped using it after they persistently dragged their feet on federation.

          Git discussion

          Once something with federation gains popularity, the discussion may be over, as we won’t have to talk about jumping ship every year. I’m not sure it’s doable yet, but I’m sure that once it takes hold it’ll last, just like email.

        • ssenecaOP · ↑ 4 · 4 years ago

          Wire was pretty good, true. I used it a bit, but chose Signal because Wire (similarly to Matrix, for now) doesn’t encrypt any/most metadata, whereas Signal encrypts everything and always has.

          And like you said, it’s since been sold to an advertising company. Not sure if that’d even be possible with Signal since it’s owned by a non-profit (admittedly not always the case, I guess it could have been possible when they were still OWS).

          In both cases, their centralised nature means changing ownership can be devastating (like in the case of Wire). This is why I believe Matrix is the future. Its community is much healthier and active in the development of the ecosystem (3rd party clients, bridges, they actually accept PRs, etc…)

          • southerntofu · ↑ 8 · 4 years ago

            > Signal encrypts everything and always has.

            This is not exactly true. Encrypting metadata is most times impossible due to the server needing to know who to deliver messages to (at the very least). “Sealed sender” is now a thing (though i don’t know how strong a protection that is), but to my knowledge Signal continues to aggressively expose users’ phone numbers both to the server (in a hashed form, for contact discovery) and to other users in public chatrooms. Please correct me if wrong.

            > it’s owned by a non-profit

            A non-profit doesn’t mean you need to do good. Also, it can turn into a for-profit over the years. It’s in fact a conscious strategy of startups in the field of “sharing economy” (remember couchsurfing?)

            > This is why I believe Matrix is the future.

            Matrix is one among others, but i’m not convinced a single solution is going to be the best:

            • Matrix really has a startup vibe and introduces a lot of complexity (reinventing quite a few wheels along the way), to the point the current situation is there’s only one bad client/server implementation (really resource-hungry)
            • Jabber/XMPP has a much slower but dedicated non-profit ecosystem (let’s not even talk about the commercial branches) and lots of client/server options for all hardware/systems, but the clients don’t have good UX/polishing
            • ActivityPub has a vibrant ecosystem but most clients are web-oriented (such a shame) and tailored to a specific use-case (peertube/mastodon/pixelfed)

            They all have strong arguments going for/against them. I believe interoperability is the only way to go. These networks are doing mostly the same thing, and there’s no reason we can’t talk across networks.

            Which brings me to the fact matrix folks really don’t seem to care about interoperability though i hope i’m wrong about this.

            • ssenecaOP · ↑ 4 · 4 years ago

              I have a lot of thoughts about this but don’t really have the time to reply.

              All I’ll say is that I hope you’re following Element’s progress with Dendrite closely. I host my own Dendrite server and it is much more reasonable in terms of resource usage versus Synapse, and it hasn’t even had any resource optimisation features implemented yet.

                • federico3 · ↑ 1 ↓ 4 · 4 years ago

                  > massive privacy issue, as this immutable and permanent history room state data is synchronized across any server that has a member joining

                  This is terrible.

                  Matrix evolved in a very messy way, starting without encryption and hacking it in later on, and now it’s even trying to become P2P. I expect more serious privacy-breaching “features” to come out over time.

              • southerntofu · ↑ 3 · 4 years ago

                > Element’s progress with Dendrite

                I’m keeping an eye on Dendrite. I’m not convinced Go is the best language for server software, as it suffers many of the same pain points as Python (e.g. GC pauses), but it looks like a neat progress. In fact i’m going to try dendrite very soon when i have some time.

                Element on the other hand i would just put in the dumpster because it’s full of everything that’s wrong with web applications. 9MB initial loading just for a simple chat application, seriously? Several seconds of latency just to switch chatrooms? Seriously it’s 2021 folks, how can anyone be happy with such mediocrity and then complain why no one is using Element…

                Just found gomuks which appears to be a lot better for desktop/laptops (not mobile). I will try it out and see…

                • ssenecaOP · ↑ 2 · 4 years ago

                  Element the client is garbage, I was talking about Element the organisation formerly known as New Vector, who develop and maintain the Dendrite homeserver

                • southerntofu · ↑ 2 · 4 years ago

                  gomuks

                  So i just tried gomuks and it’s a pleasure to use! Room switching is instant (compared to 5-15s on Element) and it took just a few seconds to compile. Only downside is it was designed for dark theme so contrast is really bad on light background.

            • michel · ↑ 3 · 4 years ago

              FluffyChat is a decent alternative client (with E2EE support). If you don’t need e2ee there’s actually a healthy number of clients, and some of them do seem to have it on their roadmap

              https://matrix.org/clients/

              Point taken on server implementations though

              • southerntofu · ↑ 2 · 4 years ago

                FluffyChat is not an option because it doesn’t support proxies including Tor. If you’re using fluffychat please open an issue there for integrated tor support like Conversations/Gajim does in the Jabber/XMPP world :)

  • fidibus@lemmy.161.social · ↑ 15 · 4 years ago

    I can’t tell y’all how many friends, family and other peers would just chat with me with WhatsApp if signal didn’t exist. Let’s be real for a moment, these people wouldn’t use Matrix or Jabber instead, because these can seem a little bit unreliable from time to time.

    I know the weaknesses of signal, but I don’t think a better solution exists as of today.

    • poVoq · ↑ 7 ↓ 1 · edited 2 years ago

      deleted by creator

      • fidibus@lemmy.161.social · ↑ 8 · 4 years ago

        yes like that, but my private xmpp groups all have issues with people turning OMEMO off because they can’t get some messages of each other.

        Like I wish it was better and I’d totally advertise it to non-technical people over signal, but that’s not the case today. I hope that projects like https://snikket.org/ take off and solve these issues.

        tldr: Signal sucks, but it’s the best we have for some scenarios for now.

        • poVoq · ↑ 1 ↓ 5 · edited 2 years ago

          deleted by creator

          • fidibus@lemmy.161.social · ↑ 6 ↓ 2 · 4 years ago

            obscure and developer hostile OS (that 1/3 of people use). I don’t like iOS but I wanna chat with my friends who use it?!

            Like what even are you saying? That we didn’t have this problem (we did)? That it doesn’t matter (it does)?

            • southerntofu · ↑ 4 · edited 4 years ago

              Yes iOS and Apple are incredibly user-hostile and developer-hostile:

              • you can’t install applications that are not approved by Apple, so obviously you can’t install a user-friendly app store like F-Droid (i say like because of course F-Droid is specifically for Android, but the fact is something like that cannot exist for iOS without jailbreaking your phone)
              • you can’t change your operating system (remove iOS)
              • Apple makes it pretty hard for users to interoperate with anything else, by requiring non-standard protocols everywhere (airplay, etc…) to the point where for years iTunes was (maybe still is?) the only way to interact with an iDevice
              • you can’t develop for iOS without an iOS device
              • you can’t develop for iOS without official, non-free Apple software
              • you can’t publish an application on iOS without an official Apple developer certificate
              • even if you got all this, you can’t push information to your users without going through Apple’s centralized push notification gateway (they actively suspend background network connections, so you can’t build anything useful on iOS)
              • you can’t tear apart your phone without specific tooling
              • you can’t even remove the battery without specific tooling (<-- seriously this is fucked up)
              • you can’t use a standard micro-USB/USB-C cable because Apple is the only brand going strongly against any form of standard
              • you can’t use a standard micro-jack cable for audio because Apple is the only brand going strongly against any form of standard

              Should i go on? Seriously if prisons were in fact designed to protect people not businesses, all Apple execs would be rotting in jail by now, along with the collaborating engineers who let that happen. To be clear, i don’t think prison is a solution for anything/anyone, just pointing out that the worst crime-doers in society are also those kept further away from prison.

            • poVoq · ↑ 4 ↓ 4 · edited 2 years ago

              deleted by creator

      • ssenecaOP · ↑ 7 ↓ 2 · 4 years ago

        > recently went down half a day

        It was more like ~3 days

    • Nevar · ↑ 2 ↓ 10 · edited 4 years ago

      deleted by creator

  • k_o_tM · ↑ 16 ↓ 1 · edited 4 years ago

    edit: i didn’t mean to say that this post is unimportant, rather that this course of events for signal was somewhat predictable and i’m not terribly surprised that this happened…

    • southerntofu · ↑ 2 · 4 years ago

      Don’t trust computers, sure. But specifically apps from the US? come on… Most governments have got people on the payroll to defeat cryptography, not just the US. China, Russia, France are not doing ANY better than the USA in this regard.

      All governments are psychopaths by nature, and the only way to protect ourselves is to never ever trust a government. (Better yet, burn down all governments and start to live free)

  • ihaphleas · ↑ 9 · 4 years ago

    Signal is the easiest alternative to WhatsApp for now. But we need to be moving to something like Jami.

      • ihaphleas · ↑ 1 · 4 years ago

        I like those too, still mostly centralized at the moment though…and no one I know uses them

      • kevincox · ↑ 3 · 4 years ago

        Jami does look nice but personally I really like having partial sync. So that only recent data is on my mobile device and the majority of the data can be saved somewhere with more storage available. I think this could be added to Jami by adding per-device automatic deletion of old data and having one device serving as an archive (with the ability to resend messages to other devices if they scroll back or search) but this would be a huge feature and doesn’t really match the current architecture IIUC.

    • ssenecaOP · ↑ 4 · 4 years ago

      Last time I looked into Session, my conclusion was that its background was shady enough that I’d never use it.

      p2p solutions would be great. The team at Matrix have demonstrated p2p over Matrix (using the Dendrite homeserver) so hopefully that also becomes more accessible at some point.

  • adbenitez · ↑ 5 · edited 4 years ago

    I recommend Delta Chat, it doesn’t need to create an account since it is just an email client with a chat interface, it is not a replacement for your fancy chat app but for your email app, everyone has email, so will need an email app anyway, it makes email easy to use and encrypted out of the box without your friends having to know what encryption means.

    I like XMPP but UI/UX is really poor, it is surprising that this email client has a much better UI/UX than Conversations, it has swipe to reply, etc. I found Conversations ridiculously “hard” to use, blabber.im improves a lot of small details that have an impact on the users’ everyday workflow.

    https://delta.chat

    • ssenecaOP · ↑ 2 · 4 years ago

      Delta Chat does look really cool. Like you said, its client (testing on iOS) is nice. It’s a shame their desktop app is Electron though.

      • adbenitez · ↑ 2 · 4 years ago

        I have tried it and it is fast, but I would also like to avoid Electron, I think they are considering to replace Electron in the future

          • adbenitez · ↑ 1 ↓ 1 · 4 years ago

            when was that? I used to have freezes in the past but recent versions (prereleases, not stable releases) are faster

  • Evoke3626@lemmy.fmhy.ml · English · ↑ 4 · 1 year ago

    I’ve been recommending Session over signal for a while. It does what signal is supposed to do, and more, with even more anonymity

  • manemjeff · ↑ 4 ↓ 1 · 4 years ago

    not trying to be rude, but uh, no shit? I think it’s malicious of them to say that they’re end to end open source to be honest.

    • ssenecaOP · ↑ 4 ↓ 2 · 4 years ago

      The legality of this is unclear. If their silence on this topic isn’t because they’re trying to do their best Apple role-play (which is most likely, imo), the cynic in me says it’s because they acknowledge they should publish the source ASAP in compliance with the AGPLv3.

    • federico3 · ↑ 4 ↓ 2 · 4 years ago

      If you are the sole owner of the copyright of some software you can do whatever you want with it. The license applies to others, not yourself.

      • ssenecaOP · ↑ 2 ↓ 2 · 4 years ago

        Not well versed in this, so this may be inaccurate, but the other issue is that the Server relies on and uses other AGPLv3 software (e.g. storage-service), so if they want to use the latest versions of each they also have to release all the latest changes to the server under AGPLv3 (which is why Google avoid AGPL like the plague).

    • PM_ME_UR_PCAPS · ↑ 1 · 4 years ago

      Do you have any links/more info about the people who had issues running their own infrastructure? I’ve been following Signal development pretty closely and all features I’m aware of make sense that they would not require a server code change. I’d love to see any actual technical details over the hysteria in this thread.