
Can you elaborate on the "anti-federation" stance of Signal's creator? I'm not familiar with this.



You can't run your own Signal server. All accounts use phone numbers in the same namespace as ID, and all messages go from the phone to opensystems.org, further on to Google, and from Google to the destination phone (with lots of encryption being added and removed at various points). This has advantages (it's difficult for the Man to distinguish a received Signal message from other Android notifications) but also disadvantages (Moxie can do traffic analysis and you can't do anything about it).


You can totally run your own server for yourself and your friends: https://github.com/WhisperSystems/TextSecure-Server (you'll have to change the server's URL in the client's source as well and compile it yourself, but that's really easy)

What you won't be able to do is federate with the official servers.

Oh, and there's also a WebSocket transport (used by the Desktop client) that doesn't involve Google. That just doesn't provide a pleasant experience on mobile.


Yeah, so instead of being in Whisper Systems' walled garden, I can set up my own and ask people to install Rvense's Magical Messenger App. Sit there in my treehouse with a bucket on my head and a NO DUMMIES sign or something.


Seems like you want the advantages of both centralization and federation without any of the disadvantages.


Being able to set up your own server is not federation unless your users can communicate with users on other servers.


Distributing a modified client is non-trivial, especially if any of your friends use iOS.


You can sideload apps without a developer subscription. It's annoying but works. But you have an unsolved update problem on both Android and iOS. You really shouldn't do this if you're not 100% sure of the implications.


> you'll have to change the server's URL in the client's source as well and compile it yourself, but that's really easy

I'm sorry, but is this a joke? "To not use a centralized server that you can neither audit nor trust, you have to recompile the client, but that's easy?"

This smacks of "oh, PGP for email is fiiiiiine." To say nothing of the silliness of the inability to federate.


No, it's not a joke and you shouldn't treat it as such. Non-technical people really shouldn't be whining that their "free service" doesn't cater to a click-and-run crowd. The source is available to the public to create their own, and changing a URL in the code is a single regex command away.

Don't casually disregard him because you or others can't understand basics of doing what it takes to alter and run a service in your own private space.


I don't casually disregard him. I thoughtfully and with consideration disregard him, and you as well. The idea that there is a priestly-class of technical people and "non-technical people shouldn't whine" is silly. This is not for technical people. This is for non-technical people. I've been doing this stuff for twenty years. But me being able to do it doesn't do a damned thing to help the people who actually need help.

I don't need Signal to communicate with knowledgeable people. We need something to communicate with everyone else.


And yet the same argument has been made time and time again against SMTP. Let's stand back for a second and understand why SMTP has stood the test of time. Yes, it has flaws that allow the "first contact" problem (i.e. spam). But the people working on SMTP at least understand the weaknesses and advantages of that.


^ this


> silliness of the inability to federate

The moment you open the door for federation, the protocol is written in stone forever. All it takes is one server in the federation network with a substantial user base that chooses not to update. (See SMTP).

OWS decided that relinquishing the ability to force updates (i.e. away from a broken cryptosystem) would sacrifice too much in the way of security to be consistent with the project's goals.


I understand that. I don't think it's a malicious decision. I think it's a wrong one. I'm not criticizing Whisper Systems, I'm criticizing the tech-priesty stuff out of the post I replied to.


I didn't say this was a good way for normal users. Normal users don't care about federation and don't want to run their own server. But for people on HN it should be easy, and if you and your hacker friends don't trust Moxie you can do it. I never said you should, just that it's possible and not hard.


I don't think end users should have to trust him, either.


Compiling the client is much less daunting than running your own server, so "easy" seems like a fair description in this context. I don't think there's a large intersection between "People who can't easily compile the client" and "People who would run or audit a secure messaging server."



That seems to be a very coherent, insightful post by a very highly-respected cypherpunk. I am pretty much 100% on board with what he is saying.


My response is that we just have to try harder. He's focusing only on encryption and ignoring the massive social problem of one company or a few companies having a monopoly on digital communication. Just like whether or not I'm spied on is irrelevant to whether or not I have the right to private (encrypted) communications, it doesn't matter who has monopoly or what they use it for. We should not be building infrastructure that encourages monopolies, and unfederated services are by definition monopolies.


Go on and try harder, and please post a Show HN when you have something to show.



