Like a lot of crypto-puritanism it is rather mixed up. He says he recommended Signal because it was easy to use (more consumer friendly I guess) and secure, then says he wouldn't have gone in the direction of making it easier to use and criticises the things that make it user friendly, like using phone numbers instead of usernames.
He says he thinks the protocol is secure, then says he doesn't want it to use GCM because it routes messages via Google who he doesn't trust (fixing that is the point of the encryption) and then talks about an attack that'd apply to any app regardless of whether it used GCM or not.
He finishes with a call to action: "We as a community need to come up with a viable solution and alternative to Signal that is easy to use and that does in fact respect people’s choices ... this tool should not have dependencies on corporate infrastructure"
But like a lot of armchair moralising, he isn't willing to debate the hard choices that go into building successful software. He says it should "respect people's choices" as if Signal is built by people who are disrespectful, he says it should not have dependencies on "corporate infrastructure" as if volunteer run datacenters actually exist, and then says his motivation is avoided paywalls, ignoring that both Signal and WhatsApp are free.
It reads like a collection of talking points rather than a coherent argument.
Signal is unusual because it combines cutting edge cryptography with consumer friendliness and is actually successful. It's pragmatic, not ideological. Crypto-warriors have a long history of producing secure software that nobody uses and then blaming the general public for not getting it; this sort of blog post is just a continuation of this decades long trend.
I agree overwhelmingly with what you wrote, except that I want to point out that this isn't "crypto-puritanism". It's just hipsterism. The author isn't a cryptographer, and if you asked a panel of 10 cryptographic engineers what messaging system they'd recommend, 9 of them would say "Signal".
The 10th wants you to use something else because they're working on an attack for that "something else", and want their paper to be splashier when it's released. :)
When reading critiques of messaging software, keep in mind that messaging is a fucking midnight back-alley knife fight of a market. For whatever reason --- I think because (a) basic chat software is pretty easy to write, with a near- hello- world payoff similar to, say, blog software for Ruby on Rails and (b) because there have been multi-billion-dollar acquisitions of messaging tools --- there are a lot of different messaging products. Messaging is a network-effect market, so all the different vendors are fighting for users.
I don't think Signal has sockpuppets (it's just not their style), but I know several other "secure" messaging applications do.
I think these types of posts are also the inevitable result of people overestimating our organizational capacity based on whatever limited success Signal and Signal Protocol have had. It could be that the author imagines me sitting in a glass skyscraper all day, drinking out of champagne flutes, watching over an enormous engineering team as they add support for animated GIF search as an explicit fuck you to people with serious needs.
I invite those who have opinions about Signal to start by getting involved in the project. To my knowledge the author of this blog post has never submitted a PR, issue, or discussion post to any of our repositories or forums. Many of these points are things that we would like to address, and we could use the help. The day to day reality of developing apps like these is a lot of work.
To provide some color on a few of these:
> Dependency on Google Cloud Messaging
To clarify this for casual readers, no data at all is transmitted over GCM. GCM is only used as a push event to tell the Signal Android client to wake up and connect to the Signal server to retrieve messages from the queue if the app isn't in the foreground.
This is pretty fundamentally just how Android works. However, people who want to use Google's OS without any Google services flash custom ROMs onto their devices that are missing this dependency.
I have said many times that I have no problem with supporting these custom ROMs. But I would like someone from that community to submit the PR: "I would consider a clean, well written, and well tested PR for websocket-only support in Signal. I expect it to have high battery consumption and an unreliable user experience, but would be fine with it if it comes with a warning and only runs in the absence of play services."
Nobody has done it.
> Your contact list is not private
First, on Android 6+ you can just disable the contacts permission and everything works (although you obviously won't see your contact names).
However, we also spend a lot of time thinking about this class of problems, as well as metadata in general. Right now things are playing out alright for one specific class of attack:
We'd obviously like to do even better. The nice thing about having a centralized service is that we can eventually take steps in this direction. People seem to equate federation with meta-data hiding for reasons I've never totally understood, but I think serious metadata protection is going to require new protocols and new techniques, so we're much more likely to see major progress in centralized rather than distributed environments (in the same way that Signal Protocol is now on over two billion devices, but we're unlikely to ever see even basic large scale email end to end encryption).
However, I would love it if someone proved me wrong. The Signal clients and server already support federation, so there shouldn't be any technical hurdles stopping the people who are really into federation from using our software to start their own federated network that demonstrates the viability of their ideas.
If anyone needs help doing that, let me know. I'd be happy to help.
> However, I would love it if someone proved me wrong. The Signal clients and server already support federation, so there shouldn't be any technical hurdles stopping the people who are really into federation from using our software to start their own federated network that demonstrates the viability of their ideas.
> If anyone needs help doing that, let me know. I'd be happy to help.
I appreciate that you would say this. I suspected that you actually felt this way despite your pragmatic approach outlined in that blog post. I'm a fan of federation, but I think the developers of federated systems have to take the problems outlined in your blog post very seriously and not defensively.
Push notifications without GCM can be done without losing reliability or ruining battery life, but it's difficult. There are a few apps like Conversations doing it well but it's quite rare. GCM is still technically more efficient since it's reused across multiple apps, but it doesn't really matter especially without a large number of apps doing this.
There's already a built-in warning on modern Android because apps need to request a battery optimization exception just as they would one of the dangerous permissions. Otherwise, GCM is the only way they be woken during Doze / App Standby for push notifications. Apps can't simply poll anymore. It's unfortunate that even an app doing a great job like Conversations gets a warning / prompt about this but there's little that can be done about that beyond the OS whitelisting the keys for known good apps.
Conversations is pretty much the only viable option without GCM. It uses a take on the Signal protocol via XMPP (when supported by the other contact) so you helped to make that happen anyway.
> First, on Android 6+ you can just disable the contacts permission and everything works (although you obviously won't see your contact names).
This is very good.
> However, we also spend a lot of time thinking about this class of problems, as well as metadata in general. Right now things are playing out alright for one specific class of attack: [federal subpoena]
Good, so Open Whisper Systems has no metadata. Do any third parties retain metadata about Signal messages?
There's also the issue of mobile numbers. I get that more-or-less anonymous numbers are doable. But arguably, most Signal users don't have anonymous numbers. However, maybe this is a non-issue, if the only data available are "the date and time a user registered with Signal and the last date of a user's connectivity to the Signal service". Is that it?
> Good, so Open Whisper Systems has no metadata. Do any third parties retain metadata about Signal messages?
I'll try to answer to the best of my knowledge (I'm not associated with project, I'm just a happy customer).
Does your ISP know that you are communicating with Signal servers? Yes, IP addresses.
Does it know to whom you are sending messages? No.
Does Google know you are using Signal? Yes.
Does it know whom of your contacts use Signal? Yes, because they have a full list of your contacts and they know if someone has installed Signal.
Does Google know you've sent a message? No.
Does Google know that you are receiving a message? Sometimes, because Signal servers ping your device via GCM with "wake up".
Does Google knows who from your contact list send this message? No, unless you have only one contact who uses Signal.
Can Google infer from pings who is communicating with whom? Yes, although pings are needed only if app has disconnected from server, and this severely limits usefulness of this technique.
Where else may any metadata coming from usage of Signal be? Nowhere.
As for Google having your contact list... Take a look into Flock.
I get that Signal is probably the best option for smartphones. And that maybe its vulnerabilities are only relevant for "TAO targets". But the problem is that "TAO targets" is in rapid flux, given developments in automation and AI. So arguably, more and more journalists and dissidents are becoming vulnerable.
And there's the fundamental insecurity of devices with cellular-radio connectivity, and operating systems that users can't control and lock down. Signal can do nothing about that. Even something as simple as reliably obscuring identity in connections to Signal servers is nontrivial.
> But the problem is that "TAO targets" is in rapid flux, given developments in automation and AI.
You are implying that cost of TAO consists mostly of labor costs. Which is false. NSA and friends are not really limited by money. They are limited by amount of unpatched software vulnerabilities. Every use of vulnerability in the wild is a chance of revealing it to world and losing it. Snowden docs reveal the existence of automated software which evaluates chance of vulnerability being revealed by attack. XKeyScore or one of related pieces, AFAIR.
It's nearly impossible to find out. But if I trust corporations like Google not to exploit the possibilities, I wouldn't be looking for an open-source alternative to WhatsApp in the first place.
You shouldn't use a smartphone if you expect to be TAO. Even the hardware could be compromised. Use a laptop with Linux for anything anyone might want to track...
Then why is Moxie advertising with Snowden the Signal app as communication for TAO targets?
And for non-TAO targets, WhatsApp is just as good as Signal – the users won’t read the source code anyway, and in both cases President Trump gets your social graph.
Aka NSA's "we really need to get access to this device and will fund diverting backbone traffic / writing firmware malware / whatever else we need to in order to get it" team(s).
> I invite those who have opinions about Signal to start by getting involved in the project.
Yeah we've been there. Do you remember someone on Github complaining about the Google dependency? You closed that issue as a wontfix. Or LibreSignal? I read the post where you basically told them to go away on Github too.
That's why I haven't recommended Signal ever since trying it myself a year or two ago.
Not sure what you're talking about, because the issues in question, #127 and #1000, are open.
> you basically told them to go away on Github
Quite the opposite [1]:
"I would consider a clean, well written, and well tested PR for websocket-only support in Signal. I expect it to have high battery consumption and an unreliable user experience, but would be fine with it if it comes with a warning and only runs in the absence of play services."
Plus the complaint about giphy seems to completely miss the point that the more 'random messaging users' Signal attracts the better from a POV of deniability/etc.
Although the masking effect may be useful, my immediate thought was how much extra code and buffer overflows had been added to the client. Android doesn't have any sandbox mechanism like pnacl to contain such code.
In addition to Moxie's comment about using Java, you're more broadly confused, I think.
Pnacl provides sandboxing, but it doesn't seem to provide any protection against buffer overflows. Android apps are also sandboxed, so I'm not sure what your point was.
Android (at least recent versions) has both NX pages and ASLR, both of which are specifically designed for these kinds of attacks. Sandboxing isn't, really, especially if your sensitive content (messages!) are inside the sandbox, obviously.
Perhaps I did not isolate my concerns in sufficiently deliberate language.
You may be aware that of late there have been numerous buffer overflows (or other parsing problems) in standard image parsing libraries. Where these are implemented in Java that may be less of a concern, but this type of task is often handled by native code. And while more Java exploits are via breaking the verification in clever ways, via reflection or priviledged calls or pickling, that does not rule out that processing external data can lead to an inconsistent state. It might not be a problem with gifs, if they are small, but animated gifs can be large. Or maybe java
See this discussion on Android image processing:
https://code.facebook.com/posts/366199913563917/introducing-...
The point of PNaCL is that you can use it to sandbox components within the same process/permission set, you don't have to rely on the OS. It has a much smaller attack surface than Java.
You talk about NX and ASLR being useful in the same post as you say buffer overflows can't happen. In any case, while they may be designed to restrict attackers, they are by no means sufficient. There are Java ROP gadget chain builders! JVMs use JIT, which inherently means they are creating new code. Eg. see jit spraying.
are you part of that knife fight? calling the article writer a hipster in this comment, and what seems to amount to "It's not wrong to criticize Signal. but don't because telegram is worse and more likely to win" in your other comment (since they arn't asking for libresignal to take over, just for a decent alternative to exist which currently probably does not)
It seems a really strong and a bit aggressive of an attitude to have against a person's opinions
No, because I'm not affiliated with any messaging applications. Nor, by the way, am I saying that the author is --- I don't know them. I'm saying it's a good thing to know about the conversation.
Rereading my post here, I can see why a reader would infer from it the idea that the author might be a sockpuppet. I don't believe that! I was thinking more about the kinds of comments on message boards that say Signal is a "honey pot". I could have written that more carefully, so, sorry about that.
GCM has practically nothing to do with the security/privacy of Signal, but it is the #1 "concern" that people who don't understand cryptographic messaging security feel they must relate about Signal.
My main concern with GCM is that it's unavailable on fully open OS builds, so requiring it compromises the security of the device as a whole, rather than Signal in particular.
That's one of several things that are reasonable not to love about Signal. Criticism intended to urge Open Whisper Systems into changing their Signal policies are reasonable. A statement that someone would recommend less secure messaging solutions to investigative journalists is another --- something I find much harder to be supportive of.
There are alternatives with comparable or better security, but they tend to have other flaws. Most of the alternatives including Wire and Riot ALSO depend on GCM, otherwise they either lack push or force ridiculously bad battery life. They also have bad UX since they don't ask the user for a battery optimization exception permission, so the user would have to somehow know it's required or they'll break after a while in the background.
Conversations / OMEMO is a great Android messaging client, but it's ONLY available for Android and a desktop client (Gajim OMEMO plugin). It can use OTR (which it marks as less secure) but there isn't even a decent iOS OTR client anyway. ChatSecure iOS will probably get OMEMO and push support along with becoming a more decent client but it's going slowly. Until that happens, Conversations is problematic because there isn't a decent way to talk to iOS users.
Nobody is saying Signal has less secure cryptography than others. But being able to run it in CopperheadOS without loading microg would make the whole setup much more secure. And one cannot dissociate both things.
What confuses me about the post is that the author does not make it clear if he recommends that journalists run CopperheadOS. It sounds like he does not recommend this, but rather opposes Signal's dependency on Play on general principals.
But if his journalists are using Android or iOS anyway, there's no practical advantage in Signal not depending on GCM or the Play Store, and some real disadvantages (like less secure updates). So the whole complaint seems like rather contrived to me.
(I would contest the claim that running a massive, not-practically-auditable open source OS is actually any more secure than running iOS or Android+Play Services, but whatever.)
The point of CopperheadOS is not that it lacks Play Services... and Play does not provide more secure updates than an app store like F-Droid. In fact, Play abuses system privileges to bypass the signature system used by Android. It will happily clobber an app with another with a different signature. It moves all the security checks for that into the cloud... completely bypassing the standard trust-on-first-use signature system. Official builds of Signal could be hosted via an F-Droid repository, although there's no point when it depends on Play.
My point was that there's no real merit to the complaint that Signal requires Play Services if you're going to use an OS with Play Services installed anyway. One can reasonably argue that Signal should work on non-Play Androids, but since his target audience is non-technical users, it seems likely that they are all using (and are more secure using!) off-the-shelf iOS or Android phones, which implies a significant reliance on your vendor anyway.
Do you have any pointers on how Play bypasses local signature verification? I'm surprised about that.
> it seems likely that they are all using (and are more secure using!) off-the-shelf iOS or Android phones
In what sense are they more secure using stock Android than CopperheadOS? They wouldn't be installing it themselves either way. It's a product available for purchase too... have you done any research into what it is before making claims about it?
> Do you have any pointers on how Play bypasses local signature verification? I'm surprised about that.
Play contains a bunch of privileged / platform signature apps. They don't follow the regular permission rules. An unprivileged app not signed with the platform key cannot do automatic upgrades and counts as an unknown source. The Play Store chooses to bypass the trust-on-first-use signature checks of the package manager too. Upgrading apps via F-Droid or manually will perform the signature checks, but the Play Store does not. Try installing an app from F-Droid on a phone with Play, and note how Play will happily clobber it with an update signed with a different key. On the other hand, F-Droid won't do that even if you sign it with the platform key as CopperheadOS does to mark it as a unknown party source.
What's the threat? An attacker who can observe only traffic on the wire (e.g. an ISP) probably gains nothing from observing GCM, since a) it's probably hard to distinguish different types of GCM messages and b) the attacker can just observe traffic to the Signal servers directly.
An attacker who cannot generally passively intercept (but not decrpyt) traffic on the wire but can passively intercept traffic to/from the GCM servers would be foiled by not using GCM, but that's a very narrow case.
Hipsterism? That's horseshit. TFA is completely reasonable. At least 3 of these issues have prevented my privacy conscious friends from using it.
Especially the phone number thing. Phone numbers are quite sensitive. In some cases, the USG uses phone numbers alone for targeting drone strikes. They're enough to pull your credit report.
I'm not a cryptographer. I .. am reasonably sure that no one would take me for a hipster.
But two issues - or call it 'differences in opinion' - in that article are relevant for me: The inability to use the service without a mobile number and federation.
I understand the rationale behind the former ("It's easier"), but I don't understand why it is mandatory. I could've been 1283783127356128531312 on Signal and optionally add my phone number to that identity for others to find me (and optionally let Signal use my contacts to search for someone). That could even be the default, opt-out during registration. But right now, I'm basically using my phone number, which I really hate to do.
Federation is probably hard to get right, and looking at Eric Lippert's "Every feature idea starts with -100 points" rationale I guess it is understandable that this isn't a thing. But I don't want to join another silo, even if it's the best of the crop so far.
For users like me, Signal, WhatsApp and yes, Telegram are basically the same thing, come with the same set of limitations and I feel that it is worth pointing them out from time to time. Just as the article did (I'm not agreeing with everything in there btw.)
People jump in to defend Signal whenever this comes up, but maybe that isn't necessary. Signal is a great project and most criticism I've seen here so far is not 'Signal sucks', it is usually more a long the line of 'Signal is not for me' and I have a hard time understanding why that is debatable or why this shouldn't be a valid position.
Signal and Telegram are not the same thing. Telegram has, according to Reuters, been actively compromised by people working for oppressive regimes (Iran, in particular).
If you're just using a secure messenger on general principles, it doesn't matter much which one you use. Probably WhatsApp is your best choice.
But if you actually need secure messaging, you should be using the safest secure messenger. Since we don't know who's reading these recommendations and what they're doing with them, we should employ the precautionary principle, and be clear with people that systems like Telegram, while probably fine for keeping messages out of the hands of jealous ex-partners, are simply not up to the task of protecting messages from serious, well-funded adversaries.
I don't think we disagree. If you need secure messaging, go with Signal. I'd agree (with less credentials to back it up compared to people that work in that industry cough).
I said that for me they are basically equivalent. And for now I pick Telegram as the best compromise I'm going to get (still using my mobile number, still a silo, crappy encryption vs usability and cross-platform/multi-device support).
You seem to say that people should cheer for Signal so that people that NEED the secure messaging features aren't lured into the wrong direction. That makes sense. But if someone reads HN for secure messaging recommendations .. I kinda expect them to read more than a single comment and do a bit of research.
People are pointing out that Signal doesn't satisfy some requirements for their individual needs. It's not a "You shouldn't use Signal" (which would be bad), it's a "You might not like Signal, if .. " listing reasons like federation and identity. In this setting here I think that's fair and reasonable. No harm done, no danger for a random person stumbling upon these discussions and dismissing Signal because a random person online said that it doesn't support federation.
Signal is a nice project, I'd recommend it for everyone that has hard requirements for their secure messaging solution. I still don't want to use it myself and feel that it's fair to point out why Signal cannot cater to everyone. That doesn't harm Signal or its global perception, I think.
Look, that all makes perfect sense, and apart from the fact that I think Telegram is a deeply problematic project, I don't generally care what people use for casual communication. I use Slack, FFS!
But please remember the article we're actually commenting on starts like this:
One of the things I do is cryptography and infosec training for investigative journalists who have a need to keep either their sources and communications confidential so they can more safely do their work in the public interest.
Right. You got me there. In THAT context I'm completely with you and the recommendation for these people probably should be Signal, keeping the technical/philosophical differences for places like this one here.
Wishing that Signal would do things differently? Fair. Not recommending Signal to these users if it is your job to train them? Not a good idea.
I am not using Telegram and wouldn't have used it if I was a US journalist working on something potentially dangerous, but I don't think this is a good argument.
As long as Telegram isn't compromised by USA-allied countries (Iran is somewhat allied with Russia), it might be a safer choice than Signal for US journalists. The reason is that USA can easily send a letter to Google that would reveal a lot about that person + they have root on the device.
Just like the safest place for Snowden right now is in Russia.
Is that completely accurate? As Moxie explained elsewhere they do sync contacts, but that's optional. I'm not sure there's any other dependency beyond the GCM push, which I don't know is very concerning.
Google definitely has root on your phone, but is that automatically an implication that Signal is compromised?
> Telegram has, according to Reuters, been actively compromised by people working for oppressive regimes (Iran, in particular).
I just wanted to add some details: someone checked the Iranian phone numbers range at Telegram servers and learned which of them are registred with Telegram. Message contents or contact lists were not obtained.
I guess this attack could be done with other apps that use phone numbers and phone contact lists for identification.
Telegram sends activation code to known devices, no sms (and I don't remember when it happened, maybe 4 years ago, probably for all other competitors). Also creators of telegram told everyone to use secret chats if conversations are secret to ensure p2p and forward secrecy. And to check key fingerprints to identify peers.
As usual, security threads consist of ancient beliefs, non-users and stories of low-conscious people using high-tech software. And there is always someone who mentions whatsapp as an alternative. Things like wickr are not even mentioned here.
Agree. I'm not a cryptographer and never claimed to be either. -- and I think it would be difficult to mistake me for a hipster. For one, I don't have that snazzy majestic beard.. Anyway, on to the point. :)
Yes, the phone number thing is a policy decision by the Signal people. As I write in my article, it's maybe marginally easier to get connected using phone numbers, but I may want to communicate via Signal with someone I don't want to give my phone number to. Handing out personal phone numbers on the willy nilly is not something I'm comfortable with. There's no reason why we couldn't have some other identifier, possibly easy to remember to connect us to via Signal. So this was a policy decision by the Signal people.
Federation is indeed hard to get right, but I think with proper versioning, and various teams keeping their software up-to-date and close to the reference paper/the Signal protocol, I see no reason why it cannot be overcome. For XMPP/Jabber it also works quite well.
Moxie has written at some length about the problems they've had with federation in the specific case of their experience with Signal and also more generally about federation and its potential impact of the development of network technologies.
Your answer to all that is "I heard it's hard but really, versioning/XMPP and also, it's not hard". How well has 'proper versioning' worked out for SSL/TLS? Federation hasn't really 'worked out' for XMPP. Never mind anything substantial in response to Moxie's writing. People calling your piece 'hipsterism' are being very, very polite.
It's unquestionable that federation and decentralisation increase complexity significantly. For context, prior to Matrix the Matrix team used to write commercial comms app silos for telcos - and then we had the epiphany that building silos is harmful to end-users and the industry as a whole, and shifted entirely to the longer-term mission to build an entirely decentralised & open alternative. Despite the fact that we already had an entirely functional centralised implementation, it took about 1.5x longer to create Matrix. And if had been starting from an entirely clean slate, I suspect it'd have been 3-4x longer.
However, we very strongly feel that the resulting freedom and choice from the resulting open ecosystem is worth the additional complexity.
Users can choose any service provider without compromising interoperability. They can run their own servers. They can write their own clients. They can write their own servers. They can choose precisely who they trust with their data. They can contribute to the spec and help define the ecosystem. They aren't forced into trusting a provider who may be trustworthy today, but who knows in future.
I believe Moxie's viewpoint is that privacy is paramount, and any complexity which could introduce bugs which could undermine security/privacy is anathema. From a cryptography dev perspective, this makes perfect sense.
On the other hand, Matrix believes that there is more to life than just privacy, though (as critical as privacy is, of course) - and it is possible to have both privacy and freedom.
Yes, it slows down the rate of development a bit. Yes, it means you have to think much more carefully about layering the protocol to allow the different layers to evolve as independently and efficiently as possible, with the necessary mechanisms (both technical and organisational) to upgrade and lock out obsolete clients and servers. Yes, it means there's more complexity, where bugs could hide. Yes, it means that you may not be able to force the world to upgrade as rapidly as a silo might in the face of a critical security issue.
Use Wire then. You can either use you e-mail or phone number. Uses Signal OTR protocol and a single sign in for all your devices. The clients are open source.
IMHO Signal is only usable on smartphones. I don't want to link my desktop client with the phone, so I use Wire on the desktop.
Oh and Wire is a Swiss company. I see you run your blog off the .ch TLD.
That has other issues though. Last I checked you're unable to remove contacts from your contact list. I'm not kidding.
You can 'block' people, but simply removing them? Nope.
Why do I care? Because at one point the 'upload all contacts to Wire to help you find them on Wire' wasn't optional (I understand it is now) and now I'm stuck with entries on my contact list that I just don't care about. Very weird..
You are not a cryptographer and not a hipster and apparently never had your life on the line in a way that made it imperative that your communications not be associated with your phone number.
Whether you are a journalist or an abused individual hiding from the ex spouse/parents/whomever that abused you, if your life and/or the lives of other people are on the line, this detail (and perhaps others, as I am not super technically literate) is a serious deal breaker.
It has nothing whatsoever to do with some kind of vague, hand-wavy preference, like preferring red phones over blue ones because you like the color red. It has to do with "If I use this, will I or others end up dead, maimed, in jail for a lot of years or otherwise basically have one's life utterly ruined?" Like that movie scene where they blow up everything "because you made a phone call" (Enemy of the State, IIRC).
I'm .. confused. Aren't you basically just confirming my position, with stronger examples? Are we on the same side or do you disagree with my comment?
I mean, I think I wrote[1] that I really dislike the connection between identity and phone numbers. I happen to use Telegram at the moment (I have exactly 5 contacts, one of those is the Telegram 'we updated the software' bot, another one is a random 'Sticker' bot), but I'm an xmpp guy deep down. Matrix looks promising, I just need to find the time/energy to make the switch (and convert the 3 'real' Telegram contacts).
If you look at the thread with tptacek I do have to agree that the safest bet probably is Signal right now - if it leaks the phone number or not. I don't have to like it though...
1: If you look at my comments it seems that I repeat that in every other one, but English isn't my native language. Please blame the language barrier first, then blame the human behind the message.
Signal is a great project and most criticism I've seen here so far is not 'Signal sucks', it is usually more a long the line of 'Signal is not for me' and I have a hard time understanding why that is debatable or why this shouldn't be a valid position.
To me, remarks like this one read as "Eh, if Signal is not to your tastes, no big, but no reason to trash it either." But the article and I and others here are saying, "Yeah, no. This is not the same thing as picking a phone because you like red more than blue. This is more like refusing the blue one because it explodes sometimes when you answer it."
For people for whom lives are on the line, this goes a lot deeper than personal preference.
Okay, I kinda get where you're coming from now. But .. for a good number of 'life is on the line' scenarios leaking a random anonymous phone number (prepaid, whatever) and the arguably best encryption for instant messaging today might be a Good Idea™.
Yes, you (and I, let's not forget that we kinda agree that this is bad design) might not want to share your private phone number just to contact someone via Signal. But I feel you're painting this a bit too black or white.
If lives are at stake or not, Signal might or might not be the right solution. If people feel that their life is at risk, I hope they know how to evaluate the trade-offs - or have someone around that can explain it.
We both don't like Signal. I don't agree that it should be dismissed and emotional appeals are ~questionable~, can probably be turned around (see first paragraph). Individual decisions need to be made and if Signal is a good fit or not for a specific scenario isn't an good indicator about the general fitness of Signal in general imo.
No, I don't have a beef with Signal. I have no familiarity with the product. I am a woman and violence is often directed at women merely because they are women, regardless of what part of the world a woman lives in. I am also someone whose father spent 26.5 years in the Army and he fought in two wars and my ex husband was career military and ...etc. My parents also helped relatives of my mother's escape East Germany during the Cold War.
While you may hope that they know how to evaluate the trade-offs or have someone around that can explain it, many people live life under very risky circumstances and an uninformed choice can be the last choice they make.
No, I am not painting this a bit too black and white. Alive or dead is a pretty black or white thing and many people live lives where death dogs their steps. This is not an appeal to emotion or hyperbole. This is a fact.
If it isn't that big of a deal for you, cool. Glad to hear your life is fairly comfortable. But I do think it matters that informed, knowledgeable people discussing it on a forum with a strong reputation for being a good source of technical information (as well as other kinds of information) is a place where someone needs to make it very clear what the potential consequences are for people who live in dangerous circumstances and don't have the technical background or connections needed to figure this out.
Yes, I'm living a comfortable life (if we define that as "Not worried about dying"). I seriously cannot imagine what people in those situations might go through.
But regardless of one's technical skills, I believe that someone cautious about giving up their phone number would stop and reconsider when Signal wants you to provide your phone number?
I also really hope (for the sake of the people you stand up for) that getting a random / anonymous SIM card, a 'just for close friends and family' phone number is something that is well-known and good practice?
I .. don't want to dismiss your opinion. Honestly, I'm _still_ convinced that we feel the same about Signal. Let's turn this around: What would you _hope_ for here? What do you expect or wish for? What do you criticize exactly?
I don't think we specifically disagree about Signal per se, if that is what you are asking. I just think it is worth making some distinctions here, because not everyone in danger would realize that it is a problem when the app asks for your phone number. Does that make more sense?
I am not trying to argue with you. But I think this is a distinction worth making. We don't know who all is reading. People in real trouble often cannot ask questions. They may only be able to read. In which case, it matters if someone points out such a detail.
Wire can use e-mails or phone nunbers for IDs, so you can use the same ID on multiple devices. But the mobile UI is worse than Signal's and it's also it's not federated. The source for the clients is on Github. It does have desktop apps for Windiws and Mac and a web app that works in most modern browsers. It's in many ways better than Skype. You don't have to link it to your phone in order to send messages - just use an e-mail account. It's also run by a Swiss company, so the servers might just be outside of the US.
People need to get the fact that all traffic across the Internet traverses lots of people's systems. There is no difference between it relaying off Google vs Verizon, AT&T, Amazon, OVH, or dozens of other carriers and cloud providers.
Like you say that is the point of end to end crypto.
I disagree with your criticisms entirely and I think you are conflating things.
First, ease of use: the distinction you miss is ease of use from a UX point of view. Managing your own security is hard for the vast majority of people. It is an advantage that there is ease of use with respect to the security aspects - no command line commands to generate keys, for example - and ease of use from a UX point of view is completely different. Making a decision to to ease the UX can indeed negatively affect privacy elements, and there is no contradiction there.
Which brings me to the second point, which is that there is no contradiction in the discussion of security. The service could be using insecure protocols or algorithms, but the author says it isn't - from the point of view of cryptography, those choices are said to be sound. On the other hand, having your communication routed through a PRISM partner is a different concern. There is no contradiction in saying that the part of security under their control is sound, but that the part routed through Google may not be.
Cryptography is complex and rigorous. What you call puratinism is actually rigor with respect to sound practices. The points the article makes are, in fact, coherent; where you call puratinism and hipsterism on the article, I call cynicism and likely uninformed reasoning on your comment.
There is a coherent argument which you just refuse to see.
Signal was marketed as anti mass surveillance secure messaging system. It is but a mere user friendly email+gpg alternative. It actively avoid anti-mass surveillance methods and does the opposite - encourages centralization and collection of user statistics.
Even Telegram is better, as people arent fooled by what it is.
A better alternative is Ring.cx or Tox.im with for example Antox client.
How does it actively avoid anti-mass surveillance methods? There are no metadata obfuscation mechanisms that work at scale against all adversaries. Using GCM is without a doubt a big win for privacy because adversaries that have backbone taps (like your friendly local intelligence agency) just see SSL to google.com which tells them nothing of any use, not even that you use Signal. A big encrypted packet from google.com might be a Signal message or it might be an email or a Play Store update or whatever.
People always overlook the fact that the world is full of adversaries and 99% of them can't get access to Google's datacenters. Those adversaries matter too. Look at Turkey!
Wire for example, doesn't require you to sign up with a phone number. You don't even have to have a phone.
How is it not an obfuscation mechanism that works at scale?
Also, what if google has a rogue employee who works for one of the surveillance agencies?
Trusting all your private data to an advertising company that has root access on your device in an app that is explicitly built around security and privacy is insane.
Also, what if google has a rogue employee who works for one of the surveillance agencies?
Trusting all your private data to an advertising company that has root access on your
device in an app that is explicitly built around security and privacy is insane.
In that eventuallity they might be able to keylog or otherwise monitor the activity of applications anyway. I don't see how you can avoid that sort of eventuality aside from tossing the mobile phone and using snail mail and a OTP. Even then there could be someone looking over your shoulder.
it would be much harder to implement such monitoring if they don't have root on your device.
There are degrees of difficulty. If you use Signal, you make it more difficult than if you use whatsapp but easier than if you have a rooted phone with open source software.
Also, you make it easier than it has to be with giving away contacts/phone numbers.
I don't think you can reasonably post a top-level comment on a thread suggesting that Signal is a "honey pot", and then reply to a different comment on the same thread saying its author "refuses to see a coherent argument".
He says he thinks the protocol is secure, then says he doesn't want it to use GCM because it routes messages via Google who he doesn't trust (fixing that is the point of the encryption) and then talks about an attack that'd apply to any app regardless of whether it used GCM or not.
He finishes with a call to action: "We as a community need to come up with a viable solution and alternative to Signal that is easy to use and that does in fact respect people’s choices ... this tool should not have dependencies on corporate infrastructure"
But like a lot of armchair moralising, he isn't willing to debate the hard choices that go into building successful software. He says it should "respect people's choices" as if Signal is built by people who are disrespectful, he says it should not have dependencies on "corporate infrastructure" as if volunteer run datacenters actually exist, and then says his motivation is avoided paywalls, ignoring that both Signal and WhatsApp are free.
It reads like a collection of talking points rather than a coherent argument.
Signal is unusual because it combines cutting edge cryptography with consumer friendliness and is actually successful. It's pragmatic, not ideological. Crypto-warriors have a long history of producing secure software that nobody uses and then blaming the general public for not getting it; this sort of blog post is just a continuation of this decades long trend.