Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.
In this community everyone is welcome to post links and discuss topics related to privacy.
much thanks to @gary_host_laptop for the logo design :)
i've just seen a comment in a post, in this very community, saying people trust signal because of missinformation (from what i could undertand).
if this is true, then i have a few questions:
-what menssaging app should i use for secure communications? i need an app that balances simplicity and security.
-how to explain it to my friends who use signal because i recomended?
-what this means for other apps in general?
There is none. Theres like 0.1% of people who complain about it who have a valid point.
And those points are always meaningless in light of the alternative's drawbacks.
Signal does have your phone number, which is a problem.
On the other hand, the only information linked to that phone number is, "the person with this phone number uses signal". AFAIK your phone number is not linked to your contacts, your message content, etc.
So in practice, the fact that Signal has your phone number is probably only a problem insofar as you don't want anybody to know that you use Signal.
But to be fair, why have that issue if you don't have to. Signal is actually good, still, but there are even better alternatives.
Well, it’s 100% linked to your contacts in one way or another because when you install it Signal will happily alert you to which ones of your contacts are already using Signal. I can’t see how they could manage that without slurping up your contact information.
AFAIK the client slurps up your contacts, but the E2E encryption ensures that the Signal server cannot actually see those.
i agree with everything you said about signal, but i'm uncomfortable with a lot of the alternatives. a cryptographer i sorta follow has written about a couple of these: xmpp, matrix three or four times (linked in the introduction to the post), others
Using phone numbers is the only real criticism imo any service that uses phone numbers is fundamentally compromised.
SimpleX Chat is an actual privacy focused app that's easy to use and doesn't harvest your phone number like Signal does https://simplex.chat/
Any concerns around the fact that SimpleX Chat is Made in the UK?
Signal is the best "easy" alternative. And DIY leaves many holes for rookie errors.
Do explain what makes it better than SimpleX Chat?
Would love to use SimpleX too, but the plan fell apart while trying to use it with family. Surprisingly many people fail to grasp the concept of anything other than a phone number, social media profile, or email address. It fell apart among my more tech-savvy friends because we missed calls and had delayed notifications despite SimpleX eating through the battery like no other messaging app.
No doubt, SimpleX is the concept of a messaging app done right and could be better than any other. It's just the implementation that needs work. But I'd be happy to hear if there's any optimizations I could try and revisit it.
It's an easy alternative. It took me a decade to get my friends to download a second app
It's fine as long as you don't do something silly like invite a journalist to your top secret government group chat.
Or use a third party client that doesn't have as much scrutiny on the source code and will Leak your message s
Would you say Molly is big/trustworthy enough for this to be negligible, or is it a huge risk?
man imagine trusting in an israeli signal fork lmao
There is no problem
The problem is it isn't Telegram, Whatsapp, or some other insecure platform that nefarious actors would rather privacy minded individuals use.
No, privacy minded individuals do not use a platform designed to harvest phone numbers lmfao.
I got around it by registering a new number with phreeli.
granted, this is not something most people can go and do, phone numbers are hard to separate from. however, you might agree that privacy minded individuals are more likely to find that workaround acceptable.
I do like Dessalines post regarding alternatives, I'll have to do more research.
Perfect is the enemy of good. Moving to Signal would be way better than getting analysis paralysis and staying with Whatsapp.
Given what you've said, Signal is still what you want and is good for it.
There are two main issues people have with Signal:
First is that it requires a phone number to sign up. That makes some people who want it to be truly anonymous unhappy. It's not meant to be anonymous, though. It's meant to be private. Those aren't the same thing.
Second is that it runs on AWS. This isn't a problem in the sense that it's possible for it to still retain privacy while running on AWS. Some people don't like it because they view the dependence on the infrastructure of an American company to be a risk to availability. They also believe that it would exacerbate a security flaw if one were found.
Personally, I know these risks and still find it to be the best balance between privacy, security, and ease of use.
The usual conspiracy theory is that Signal is funded by the CIA and therefore a honey pot.
what menssaging app should i use for secure communications? i need an app that balances simplicity and security.
Signal. I can do almost everything that i.e. WhatsApp or Telegram offer, is as easy to use as those and the client is verifiably encrypted and secure.
how to explain it to my friends who use signal because i recomended?
Explain what exactly? Why they should use it?
what this means for other apps in general?
Please clarify the question.
Maybe you should reply to that comment you've mentioned and ask them to explain why they're spreading FUD.
I'll start by saying that i don't use signal.
if this is true
There are some concerns that other people in the comments explained. It's up to you to decide if the trade off is good enough for you. There's no silver bullet for this.
-what menssaging app should i use for secure communications? i need an app that balances simplicity and security.
Signal is ok. Same as matrix, delta chat, xmpp, simplex. Avoid telegram, messenger, whatsapp, instagram, snapshat, max...
-how to explain it to my friends who use signal because i recomended?
Most people mess up the concepts of anonymity with privacy.
-what this means for other apps in general?
There's no silver bullet. All the apps have ups and downs. Most people don't realize that if a state actor (I'm not talking about police but for example NSA, CIA, mossad, mi6) is after you, they will get you. Usually from a side channel, or from some stupid mistake you made years ago.
Signal is alright IMO.
There is no perfect service. Thats why smarter people than me analyze this and talk about it: https://www.messenger-matrix.de/messenger-matrix-en.html
I think deltachat is pretty cool. Decentralised, open source and quite easy to use and setup.For me it is something for friends willing to try out new stuff and as a fallback when signal fails.
You, yes you, scrolling.
Here.
XMPP
I see you.
I'm put off by the centralized server. I'd want to self host without having to build a special client, something like nextcloud. That the company chose to prevent that gives me a bad impression. So I haven't been using it so far.
I've played with GNU Jami a little but it was flaky when I tried it last year. Maybe it's better now.
You can't have it both ways. It's hard enough to get people to switch to signal, or least also use it next to other messengers. Now imagine they'd have to connect to multiple servers to talk to multiple people. Possibly everyone connection details. Even if that's done in the background, you have to somehow get the connection registered once, discovered if you will.
Anything and everything you send through their server is end-to-end encrypted. Some people hate on the phone number being required to create an account, but it's also the reason it works at all: anyone in your contacts who also has signal you can talk to. Phone numbers are an international standard. If course this also has downsides...
Finally what you're asking for exists. NextCloud has "talk". Which is essentially a messenger app, it's built in. Go use it. I have a NextCloud instance and I don't use it either. What's the point of having an app I can only use to talk with people so close to me that they're in my NextCloud with an account already?
You can’t have it both ways.
Of course I can. Jitsi Meet lets you do it both ways. I don't know if Nextcloud has an official hosted server but they could if they wanted. I use it self-hosted and it works, the Talk app is just not very good. Jami uses a DHT instead of a centralized server which is another approach, though it might be part of its flakiness. Linphone (a regular VOIP client, not a secure chat thing) is set up by default to point to Linphone's own SIP servers but you can change that in Settings. No reason Signal can't do similar. Heck, even Lemmy works that way (you choose your server).
Signal is simply being evil and your defending them is unconvincing. I could opt to self-host Signal and build a special client for my users, at the cost of hassle for everyone but no serious technical drawbacks. Signal chooses to create that hassle because they want to funnel users through their servers, not incidentally collecting metadata about ALL the user conversations.
There's actually a configurable Signal client called Amanda or something like that, though I haven't tried it. Someone here mentioned it last time this came up.
Also, Signal's own client isn't on F-droid, which raises more potential questions. I haven't cared enough to look into it.
Added: oh re Nextcloud, I see what you mean, account creation is an obstacle, though that could be handled like Hipchat used to. You could generate a randomized URL to invite someone to your private chat without their needing an account. Nextcloud has that too, though just for file access, not for chat for some reason. Come to think of it, Signal could also work that way: it shouldn't need accounts at all.
When I've invited people to my Nextcloud I've just enrolled the account for them myself and told them "please log in with username X password Y".
No one can break the encryption, so even though it routes through AWS sometimes it's still completely E2EE with quantum resistant encryption that not even the feds could break
the only way it can be "hacked" is with phishing
Nothing, it's good. There's FUD to get you not robust it
There was one instance of the white house using signal on the down low to evade records retention and then got caught because they accidentally invited a journalist to the houthi bombing group chat, bit that's a user error
And they didn’t use a trusted Signal app, it was an Israeli clone app IIRC
This is long, but answers your questions: Why Not Signal?
-how to explain it to my friends who use signal because i recomended?
Okay it doesn’t answer that one. But also, whether they should use Signal or not depends on their threat models. Many people don’t see the US police state as a threat.
why are you making a post instead of replying to a comment?
They don't allow third party clients.
They are open source, and you can run your own, but it won't ever be allowed to connect to the standard signal server.
Signal has a piece they say is for fighting spam so they can't release the code to it. So you just have to trust them.
https://signal.org/blog/keeping-spam-off-signal/
"We build Signal in the open, with publicly available source code for our applications and servers. To keep Signal a free global communication service without spam, we must depart from our totally-open posture and develop one piece of the server in private: a system for detecting and disrupting spam campaigns"
Signal is not perfect. It's better than most.
I personally use Matrix as I can go to another server or run my own. I run multiple clients. It is NOT perfect and has it's own issues.
That's a third party software list created by someone not Signal and basically tells you it's a work around to Signal:
"Signal does not have an official API, and the published code requires additional effort to be used outside of the official signal clients."
So I'm not certain the point of the link. There are still clients for Reddit and YouTube and others that are third party and aren't official. Signal doesn't support those.
if this is true
It's not. Can be closed
The only secure communication involves a dead drop and one time pad. Everything else is Mossad.
Its not what I would use while communicating with someone else who values anonymity, but, its probably the best out there for communicating with people that dont care about any of that and just want something easy that works. Its easier to onboard people on to it.