Technology Preview: Signal Private Group System (signal.org)
328 points by stablemap on Dec 9, 2019 | 152 comments



Again, in the theme of "features every group messaging system had already, but Signal didn't, because they hadn't figured out a way to implement it without turning Signal's central servers into a database of who's talking to who about what". Signal didn't even have user profiles until recently, for the same reason. Here, they've slightly expanded the state of the art in MAC-based anonymous credentials to accomplish their goal.

One interesting aspect of this is that Signal gets to do this, because they have immense goodwill with the cryptographic research and engineering communities; though it's no guarantee of soundness, they have the advantage of having the feature designed, implemented, and ultimately reviewed by cryptography engineers that aren't generally/economically available to other messaging projects.

This is either a reason you love Signal (raises hand) or can't stand Signal. My take is, if you're in the latter group, that's fine; I use Slack, too.


Honestly, the one and only feature I'm missing in Signal that would let me use it and recommend it to everyone without reservations (rather than exclusively for ephemeral-only communication) is the ability to keep identity and full message history when moving to a new device.

Today, on iOS, you can't move your Signal history to a new device, and on Android you can only do so by manually making an encrypted backup file and writing down a 30-digit passcode, completely separate from the normal Android process of moving to a new device.

People keep long histories of messages, going back a decade, containing pictures and memories that aren't stored anywhere else. Message history is valuable data.

This doesn't seem like a "new cryptographic research" problem, this seems like a "well-established crypto (encrypted files) plus integration with standard device backup/migration" problem.

I really like Signal, I think they're doing things very well, and I wish I could use it without being constantly at risk of data loss. And this doesn't seem like an uncommon request, from what I've found.

Is there something I'm missing that makes this a hard problem? Or is it just a problem that nobody has prioritized?


Yes, there are a lot of us out there who use Signal and have this single missing feature as our largest pain point. My previous phone (iOS) would have been donated or sold to someone who could make better use of it, had I been able to actually get years and years of Signal conversations (with media) and memories out of it. But I can't (without prohibitive amounts of manual work), so it lies unused in a drawer waiting for the day I might.

The Signal devs don't discuss their roadmap, as is their prerogative. The result is of course that no one knows if such features are even planned, let alone worked on. Half a decade (?) of sad and frustrated forum posts and GitHub issues attest to that. I scan through them from time to time to see if there's any word.

But! There was actually a tweet from Moxie just a few weeks ago in a thread started by Matthew Green, I think, hinting that they might be working on it. It did make me a little happier. But yes, five years is a long time to wait for this feature, and we don't know for sure if or when it's coming. Me, amidst all the frustration I am very happy for the software they are giving me almost for free (I've donated a little bit).

By the way, Josh, props to you for your patience and professionalism in the debian-devel thread about librsvg the other day.


> Me, amidst all the frustration I am very happy for the software they are giving me almost for free (I've donated a little bit).

Complete agreement. I'm glad for the work going into Signal, both in development and in research.

> By the way, Josh, props to you for your patience and professionalism in the debian-devel thread about librsvg the other day.

(OT)

The other year? That conversation took place late last year. Thank you, though.


Oh, wow. I stumbled over the thread just the other day and mechanically just read the month and day... Since it was November I somehow assumed it was recent without reacting. Thanks for the correction! Well, belated props to you then. =o)


> Yes, there are a lot of us out there who use Signal and have this single missing feature as our largest pain point.

That is fair, but... I'm willing to make a backup file and handle a 30-digit passcode. I don't want to sign up using a phone number. That's crazy. :-/


I converted several non-technical people to Signal, and a few were devastated to learn that getting a new phone meant that they lost their message history. They refuse to use it ever again.

The other sticking point is the phone number requirement. A (female) friend shared her “Signal” contact info with a professional acquaintance who doesn’t understand boundaries. After ignoring him on Signal, that led to unwanted SMS messages and even phone calls. For such a privacy-focused app, I don’t know why they are not more interested in protecting phone numbers.


I just had the experience with a friend whom I got to use Signal who was shocked that she lost her message history when switching phones. Our conversation about it was kind of awkward because I was thinking something like "mud puddle test" (https://blog.cryptographyengineering.com/2012/04/05/icloud-w...) and she was thinking something like "missing basic feature".


Agreed about the phone number requirement.

Sure supports connecting via @username only, and I’ve seen a few people switch to it for this reason alone (also the UI is a bit sleeker).


Does this hold for backup and restore to the new phone?


Yes.

There is no way to move messages from one iOS device to another (such as a new phone). My girlfriend recently got a new iPhone and wanted to transfer our Signal message history from her old iPhone onto the new one. She said it wasn't possible, and then I spent an hour or two reading about it figuring there must be some hacky awful way to accomplish it. I couldn't find one. This has been an open issue for years [0][1].

Android has an inconvenient backup flow (that involves a randomly generated 30-digit PIN and manual transfer of a file), but that's infinitely better than the total lack of options on iOS. I do wish Android (and iOS) had a method to download all message history to decrypted plaintext (or JSON) for use with other apps. If I own my data, decrypting it should be my choice.

I regret recommending to my girlfriend that we use Signal, and won't recommend Signal to more people after this.

[0] https://github.com/signalapp/Signal-iOS/issues/2542 [1] https://whispersystems.discoursehosting.net/t/ios-backup-kee...


I'm actually going in the other direction with Signal.

I turned on the timer (1 week) for all of my conversations.

Nothing stays more than a week and I do not keep any backup.

It's not for security or privacy reasons. I feel like I don't need a full history of all my conversations with everyone from the beginning of time.

This fits more to the real life model of having a conversation with someone. I don't record my conversations with people so why do I need to do it in chat apps?

My Whatsapp is the same. Don't need all the massive amount of chat history...


Interesting that that model works for you, but that doesn't mean it works for everyone.

Persistent history that lasts many times longer than the lifetime of any one device is a required feature to fully replace chat apps that have such history.


Whatsapp doesn't have that feature when you switch between iOS and Android however.


I just limit the message number.

BUT I've heard a lot of people request the feature of porting messages. I didn't realize people care about this till they started telling me (I have convinced a good number of my friends to switch to Signal). So I'd say that because the market is asking for it, implement it. (I do notice that it is only iPhone users asking me about how they can do this. Might be selection bias)

BTW, you can do this! [0] I'd think the easiest thing to do (I don't know iOS or Android at all) would be to create a backup to iCloud or Drive that will hold an encrypted file. Then a function for the reverse. Since I don't do anything remotely near mobile, is this not fairly easy to implement? Encrypted backup is one of the top requested features [1] and seems one of the easiest to implement.

[0] https://github.com/signalapp

[1] https://community.signalusers.org/c/feature-requests?order=v...

Side note: the only features I want are

- Not being tied to a phone number, or a way to add a user without a phone number

- domain fronting (... thanks Amazon... )[2]

I think both are in the spirit of what Signal is trying to do and would specifically help protestors in authoritative countries. That they can decrypt their phones and not reveal others in the group chats. But I understand that these requests are much more difficult than asking for encrypted backup.

[2] https://signal.org/blog/looking-back-on-the-front/


I'm with you on that. Maybe it's just me, but I believe that a communication system (be it Signal or email) is not designed for long-term storage; it's just not efficient at keeping structured data and not made for that purpose.

If a fragment of a conversation is useful, I'd store it somewhere else safe just in case (Password Manager, as a secure note).


I think maybe we have different definitions of "useful".

I'm pretty stubborn about preserving my chat history; it goes back across several phone upgrades. When my dad died earlier this year, I was glad of it. I get to scroll back and see what we talked about.

If my choice was between secure comms and keeping history, I'd take keeping history. Surely many people are in the same boat. So if Signal wants to be truly ubiquitous (which increases security for all users), they really have to solve common user needs.


I did the same. Only one person voiced their annoyance due to messages disappearing. I never used chat history as a data store, I move appointments or things I need to know into my agenda/wiki, but it seems some use chat history+search for that.

Since I really dislike using chat logs, and would rather not keep any (and ever since the '90s, I never have), I really like the 1 week timer on Signal.


I've been putting the same 1 week timer on all chats; it's a breath of fresh air. Very happy that these chats are ephemeral. It feels far more natural.

(Not a "it works for me it should work for you", just wanted to share an anecdote :) )


I've written a little Android app that watches the Signal backups directory and uploads new files to Google Drive when they appear. For a new phone, it can download your latest backup and put it where Signal will find it when you first run the app. I want to polish it and put it on the Play Store, but of course the last 20% is 80% of the work.

I'm also reluctant to release it publicly because I'm worried about the support burden, because, while I've made the experience as easy as possible, it's still not a great experience considering how Signal works. I expect to see a lot of angry users who don't realize (despite documentation) that they need to download the backup to their new phone before running the Signal app for the first time. And then I expect people who lose their backup encryption key to blame me that their backups are unrecoverable.

I guess at the very least I could open source it at some point, but the setup is a pain since you need to create a Google Cloud project authorized to use the GDrive APIs.

Signal really needs this built-in. It puzzles me that it hasn't happened yet, since I built this little app in under ten hours (and I hadn't touched Android development in a good 7 years and had no experience with the GDrive APIs).


> ability to keep identity and full message history when moving to a new device.

I would love that. But even with WhatsApp it never worked for me.

Last three device switches:

Windows Phone to Android: Not supported. Android to Android: something went wrong. Android to iPhone: Not supported.


> Is there something I'm missing that makes this a hard problem?

Yes. Pretty much the entire security model of Signal is underpinned by this UX compromise. The way Signal works at the moment, you sign up for an account with your phone number, your device generates a secret, and that secret is used to secure all your communication. You can pass that secret around devices (as long as you have a device that has it - or just the original phone, I can’t remember). You are also responsible for making sure the people you talk to are really who they say they are. When you first add a contact, it’s up to you to make sure they’re not an imposter, and if they have to reset their account their secret changes, and you have to verify who they are again. If somebody takes over their phone number on a new device, they have to generate a new secret, and while they may succeed in impersonating the person (depending on how vigilant their contacts are), they at least won’t get access to the message history.

To allow for recovery of message history, you have to escrow the secret somewhere. If you give it to the service provider, then the security model is thrown out the window, and you just invented FB Messenger. If you give it to the user to escrow, then you’ve just kicked the can down the road, because a consumer is just as likely to lose a secret as they are their device, and the ways they may choose to store it will make the whole system less secure for essentially no UX gain.

This is an unavoidable trade off. If you want the service provider to be able to recover your account, then they (or at least somebody in addition to you) has to have access to your secret. If you want your messages to be private, then you can’t allow for a 3rd party to be able to recover your account.


> To allow for recovery of message history, you have to escrow the secret somewhere.

You seem to be missing the point here: this isn't even about storing your data on someone else's computer with some kind of key escrow, this is about local backups not even working. Apple only recently implemented iMessage "sync", but before that (and still now), iMessage data was backed up to your Mac and accessible in your backup, without any concern about it being on some server or key escrow issues. Signal is simply missing the ability to get your own data out of the app on iOS. (And like, to really underscore how this is not a fundamental issue with Signal, their Android app does have a data export feature. They just don't think this is important enough to prioritize for some crazy reason.)


Yeah, that’s true. They should allow encrypted backups to be stored in iCloud backups (they intentionally exclude this for some reason). But even then, this is a feature that will only ever be used by highly motivated individuals. The Android backups are useless if you lose your 30-digit secret. I agree their position on this is shit, but I can’t imagine it’s a barrier to mainstream adoption.


It is a massive barrier, people won't switch to secure messaging if it's unusable.


As a messaging service, it’s certainly not ‘unusable’. You’re claiming that the ability to permanently archive message history is an absolute minimum requirement for consumers (and that a service that does not offer this is ‘unusable’). I’m going to put a big citation needed on that.


How does Matrix/Riot accomplish this successfully then?


With passwords lol. When the weakest link in your chain is some terrible password your user picked, then all your fancy crypto is pointless. (It also still allows a user’s message history to be destroyed when they inevitably forget your password)

The best solution I’ve seen for this is the BIP39 mnemonics that crypto wallets use (because they face exactly the same problem - making the user the ultimate custodian of the keys). But it’s still terrible and barely usable.

You can also do the 1Password approach and have other users that you trust store all or part of your key material. But all any of the solutions mentioned in this comment do is spread the problem around a bit, not solve it.


I don't see the issue as dramatic as you do as I probably don't change my device so often. Writing down a 30-digit code once every 2-3 years isn't that hard. I assume people for whom this is too much do already use whatsapp and wouldn't switch over because they don't care about the reasons for why you have to write down this 30-digits code.


> Writing down a 30-digit code once every 2-3 years isn't that hard.

If you know that Signal needs a special backup procedure. If you don't, you've lost your data.

Also, that process applies to manual backups and recoveries, such as for device-to-device transfer from a working device. It doesn't work nearly as well for performing regular backups of a working device in case it abruptly becomes a non-working device.


The 30 digit code option is only possible on Android. I agree it's not that bad to do every couple years.

There's no way to do backup/restore with Signal on iOS.


Maybe the concern is exfiltration? Making it easier to move phones may also make it easier for a hacker to exfil your data from a local hack or your phone's cloud (i.e., just hack your iCloud and trigger a restore to a new phone).


Unencrypted data/keys should never be in the backup, only data encrypted to some passphrase. It's perfectly fine (and necessary) to require a passphrase to recover backed up logs on the new device.
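The two design points raised in this thread, that a backup must hold nothing but data encrypted to a passphrase (the comment above) and that an Android-style 30-digit passcode is the only way back in, so losing it means losing the file, are easy to see in working code. The following is an added example written for this discussion, not Signal's code and not its real backup format: the file layout (version byte, salt, nonce, AES-256-GCM ciphertext), the PBKDF2 iteration count and the passcode length are all assumptions chosen for illustration, and it uses only the Go standard library.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"math"
	"math/big"
)

// Illustrative parameters (assumptions for this example, not Signal's values).
const (
	passcodeDigits = 30
	kdfIterations  = 100_000
	saltLen        = 16
	keyLen         = 32 // AES-256
	backupVersion  = 0x01
)

// NewPasscode draws every digit uniformly from crypto/rand; the passcode is
// the only secret protecting the backup, so it must not come from math/rand.
func NewPasscode(n int) (string, error) {
	digits := make([]byte, n)
	for i := range digits {
		d, err := rand.Int(rand.Reader, big.NewInt(10))
		if err != nil {
			return "", err
		}
		digits[i] = byte('0' + d.Int64())
	}
	return string(digits), nil
}

// PasscodeEntropyBits bounds the offline guessing work against a stolen
// backup file: 30 decimal digits give log2(10^30), roughly 99.7 bits.
func PasscodeEntropyBits(n int) float64 { return float64(n) * math.Log2(10) }

// pbkdf2SHA256 is a minimal PBKDF2 (RFC 8018) with HMAC-SHA-256, written out
// so the example needs no package outside the standard library.
func pbkdf2SHA256(password, salt []byte, iter, dkLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var dk []byte
	for block := 1; len(dk) < dkLen; block++ {
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], uint32(block))
		prf.Reset()
		prf.Write(salt)
		prf.Write(idx[:])
		u := prf.Sum(nil) // U_1
		t := append([]byte{}, u...)
		for j := 1; j < iter; j++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil) // U_j, folded into T by XOR
			for k := range t {
				t[k] ^= u[k]
			}
		}
		dk = append(dk, t...)
	}
	return dk[:dkLen]
}

// gcmForPasscode stretches the passcode with the per-file salt into an AEAD.
func gcmForPasscode(passcode string, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256([]byte(passcode), salt, kdfIterations, keyLen))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptBackup writes version || salt || nonce || ciphertext+tag. No key
// material is stored; the header is bound to the ciphertext as associated data.
func EncryptBackup(passcode string, plaintext []byte) ([]byte, error) {
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	aead, err := gcmForPasscode(passcode, salt)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	header := append(append([]byte{backupVersion}, salt...), nonce...)
	return append(header, aead.Seal(nil, nonce, plaintext, header)...), nil
}

// DecryptBackup recovers the history, or fails: a wrong passcode and a
// tampered file are indistinguishable, which is exactly why a lost passcode
// makes the backup unrecoverable.
func DecryptBackup(passcode string, backup []byte) ([]byte, error) {
	if len(backup) < 1+saltLen || backup[0] != backupVersion {
		return nil, errors.New("malformed backup header")
	}
	aead, err := gcmForPasscode(passcode, backup[1:1+saltLen])
	if err != nil {
		return nil, err
	}
	hdrLen := 1 + saltLen + aead.NonceSize()
	if len(backup) < hdrLen+aead.Overhead() {
		return nil, errors.New("backup truncated")
	}
	pt, err := aead.Open(nil, backup[1+saltLen:hdrLen], backup[hdrLen:], backup[:hdrLen])
	if err != nil {
		return nil, errors.New("wrong passcode or corrupted backup")
	}
	return pt, nil
}

func main() {
	pc, _ := NewPasscode(passcodeDigits)
	fmt.Printf("passcode %s (%.1f bits)\n", pc, PasscodeEntropyBits(passcodeDigits))
	blob, _ := EncryptBackup(pc, []byte("constructed sample history"))
	pt, err := DecryptBackup(pc, blob)
	fmt.Println(string(pt), err)
	_, err = DecryptBackup("000000000000000000000000000000", blob)
	fmt.Println("wrong passcode:", err)
}
```

The shape matters more than the parameters: the file can safely sit in iCloud, Drive or an attacker's hands because the only thing that turns it back into messages is the passcode, and the random salt means the slow key derivation has to be repeated per file rather than precomputed. The same property is the cost the thread complains about: there is no "forgot passcode" path, because nothing but the passcode can open the file.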


Signal has had the ability to export chat backups for a long time. I'm not sure why people would complain other than the export is local and you have to manage migration to new device by copying files instead of it being saved on a server and uploaded to your new device after you lose an old one.

Also, identity is persistent since you're using a phone number and signal attaches the name you list to that phone number with a registration passcode that must be entered intermittently to keep receiving messages.


That was only added to the Android version. Not possible on iOS.


* on Android


I think I'm an exception in this instance, but I don't understand what value there is in message history. How often do you find yourself reminiscing by going back through a messaging log?

If there are photos that should be kept then there are other ways to back them up. Is there valuable context in the conversation that was had around the delivery of the photo?

Are messages backed up and restorable for other messaging systems, and have you ever needed to go through a restore process to look back through a conversation?

If it's for the purposes of software project development team discussion and history needs to be kept for legal reasons then I think Signal is intentionally not aiming at that demographic.

I get that there are special moments in life but, for me, the textual conversations around them are very secondary to the moments themselves. But then, in discussions I've had with other people, my opinion seems to be the exception.


Yes, you are an exception. Just look at how popular books of letters are: https://www.goodreads.com/list/show/100260.Best_Books_of_Let...

Or look at how popular "Letters of Note" is: https://twitter.com/lettersofnote

Conversation is connection.


He's not the only exception.

I have all my Signal messages set to auto delete after 7 days (or less). And I'm pretty happy with how that works. If I thought people at a bar were recording every conversation they had or could overhear forever, I'd talk less freely (and go to different bars).

Not everybody wants ephemeral chat. But I suspect more people _think_ that's what they've got - but in reality do not have...


I'm going to keep digging this hole for myself because I think there is some amount of treasure to be found. I'm also interested to see how far out of touch I am.

There are tiers of conversation. Letters between famously literate people or during times of war have a value proposition on an entirely different scale to group chat messages.

It's about the value that the individual assigns to the content of the conversation (this is almost arguing against my stated position). But if that conversation is never re-visited anyway, the value is the status of Schroedinger's cat.

What content that is worthy of "Letters of Note" is a) to be found in chat history? b) not already saved elsewhere due to its noteworthiness? c) going to be re-discovered by going back through hundreds or thousands of lines of conversation text on a mobile device screen? d) worth trawling back through hundreds or thousands of lines of conversation text on a mobile device screen?

Again, I'm aware that I'm an exception, but I think it's potentially natural human laziness to want to keep 'everything' in case it might be useful or valuable in a few years' time. Electronic hoarding.

I've recently set up an instance of NoteSelf to more easily track links to interesting articles and my own thoughts and ideas and various other things that I think are worthy of keeping. This is my form of targeted electronic hoarding. I'm in control of it, and it's robust enough to survive a mobile device theft, breakage, or some other kind of failure. Prior to that I wrote things down in journals, or other systems, some of which have been totally lost, but I don't find myself missing it or 'wondering what could have been'.

It feels as if the point that I'm trying to make is that mindful archiving is a better solution than to just 'keep all the things' - for me, primarily, it's the far improved wheat / chaff ratio.

Conversation is connection. Yes. But recorded conversation is just a reminder of connection, not the connection itself. I think my argument falls down when it comes to someone that's passed away, and keeping their flame alive to some extent. I don't work like that, but I wouldn't expect it of others.


First, search makes the logs far more useful.

Second, time helps ("we were talking about it around this time of year").

Third, you don't necessarily know how valuable the conversation is when you first have it.

And fourth, pictures and video and similar.

> It feels as if the point that I'm trying to make is that mindful archiving is a better solution than to just 'keep all the things'

I used to carefully archive every email in an appropriate folder. Now I only have one folder, "Archive", which contains all mail, and I use search to find what I'm looking for. (Search is all I used back when I had folders, too.) That requires far, far less work at the time of receiving a message.

Consider the time taken to carefully file something away, the difficulty of keeping such things organized manually, the ease of just automatically storing everything organized by time and people, and the likelihood of you successfully predicting in advance what you'll want later.


> There are tiers of conversation. Letters between famously literate people or during times of war have a value proposition on an entirely different scale to group chat messages.

Only in retrospect. At the time, it's impossible to know. We happen to have (some of) Picasso's childhood artwork. What might it be like if we had da Vinci's and Bosch's and that of the Lascaux Caves artists?

Or look at the way Pepys' diary serves as an important source to historians for the details of daily life at that time. Or how Pompeii's graffiti gives us valuable historical insight: https://www.theatlantic.com/technology/archive/2016/03/adrie...

Destroying information now is expressing 100% confidence that nobody will have use for it later.

> It feels as if the point that I'm trying to make is that mindful archiving is a better solution than to just 'keep all the things' - for me, primarily, it's the far improved wheat / chaff ratio.

Depends on the cost of storage and retrieval, really. That was certainly true for, say, paper letters. But as the cost of storage and retrieval goes steadily down, manual archive selection becomes less and less worth it. Hoarding is only a problem IRL because it becomes expensive and unsafe. But my digital archives grow much more slowly than Moore's Law, so the cost to me of keeping all my email, photos, etc, is effectively zero. When I replace my backup drives every few years I spend about the same amount of money, and I keep having more and more space left over.


> Destroying information now is expressing 100% confidence that nobody will have use for it later.

Or an acknowledgement that it might have the capability to be used against you later.

Would you be happy for every word you ever said, in public or private, to be recorded and transcribed and searchable just in case it becomes an "important source to historians", or just as likely "an important source of parallel reconstruction data for $yourCountry{'nsaEquivalent'}"???

We never got a record of Pepys' bar discussions, only what he chose to record in his diary. I'm not sure we need my Signal messages stored for posterity either. Read my blog or Reddit posts; other stuff was intended to be, and should stay, private.

There's a good reason a bunch of interesting bars banned Glassholes...


Sure! Don't store them if you don't want to. I'm not sure how you take me as saying we should live in some sort of totalitarian fantasy you have constructed. I'm trying to help somebody understand why other people want to voluntarily save things.


> It feels as if the point that I'm trying to make is that mindful archiving is a better solution than to just 'keep all the things'

On the topic of plain text things (such as text messages) - how much data are you actually hoarding?

Let's say you type 100 words per minute for the next 40 years (and each word is 10 bytes). No sleep, no breaks, just 40 years of typing. Congratulations, you just produced 21GB of data. This fits on an SD card (<$30) or in the cheapest tier of cloud backup like Dropbox or Google Drive. You can search your 40 years of typing in well under a minute. If you remember the year you typed in, you can grep the data from that year in under a second.

I don't like the term "hoarding" for this. Hoarding has a negative connotation. Storage of plaintext is so incredibly cheap (and search so fast) that I feel the option value of retaining the text is almost always greater than the minuscule cost of storage and slower retrieval.

I don't think there are any valid analogies between storing physical items and digital items, as digital storage and search are orders of magnitude cheaper. Consider the same experiment where one writes with pen and paper for 40 years, and then wishes to search for the name "George".

Making a decision of what to keep must be more expensive and time-consuming than just keeping everything.


> How often do you find yourself reminiscing by going back through a messaging log?

Are you kidding? All the time!

Most commonly by first reminiscing and then searching out the appropriate part of the message log.


I think if you know everything is gone you will decide actively what is worth keeping.

I keep a journal for exactly these things.


I remember searching for something in Hangouts at work for a tidbit of info that I should have noted elsewhere. It was useful, but I wouldn't say it's a must.

An email thread is useful and somewhat readable, and endless conversation between an individual or a group is less so.


Been using signal since textsecure I think (I even think there was another name before that). In all that time, one thing keeps me thinking about backing out: phone numbers. When a contact decides to uninstall signal, I lose contact. Signal still thinks that the recipient has a signal account, and hence won't deliver messages via SMS.


Assuming you're talking about the Android app, you can actually force sending with SMS. The option to do so in a conversation/thread can be found by long-pressing the send button, which then pops up a context menu to send via Signal or SMS.


This is not a long term solution :)


It's a per-conversation preference, as far as I remember. You only have to do it once.


In that case: Thanks a lot! Did not know.


The same holds for WhatsApp, btw. I once got a new phone number that had been used by someone else before, and was still associated with their WhatsApp account. People kept sending me messages over WhatsApp without me even being aware (I don't use it myself).


Former Signal users can unregister their phone numbers from Signal on this page:

https://signal.org/signal/unregister


Yes, I know that. So when people don't reply, I check that three messages have not been delivered and try to find a way to tell my contacts how to unregister, which is an unreasonable burden to put on people who try Signal and decide it's not for them.


> This is either a reason you love Signal (raises hand) or can't stand Signal.

Eh? Why either or? (and why are there people who can't stand it?)


I love Signal, and upsell it whenever I can. Signal has its idiosyncratic parts, some of which are being worked on, others not so much. Some of the more visible ones are IMO:

Signal forces users to use phone numbers; some people don't like this because they want to use multiple ephemeral usernames so they can be 'Joe' to friends, 'kleptoclown' to their GitHub group, 'dungeonmaster42' to their DND group, 'joesolutioner' to anyone who browses their personal website or business card, etc. That way they are not having to give out their phone number to strangers, which represents SIM-jacking and spam risks.

If you create a signal group and invite folks to it, you cannot remove members from the group (this is being worked on now) without them clicking the 'leave' button or creating an entire new group sans whoever needs to go, which causes loss of group history.

Signal cannot have multiple mobile clients, only one mobile client and a single desktop version. WhatsApp, Riot, etc. all support clients in as many spots as you can log in from.

Again -> these are focused nitpicks, but in most cases Signal is much better for upholding the promise of 'you send someone a message and you have a reasonable sense that ONLY THEY will be able to read it' compared to the likes of Line/WhatsApp/FB messenger etc.


It's really an engine for revealing people's true preferences for messaging, which, for many people, tend to be that they want all the ergonomics of Slack a lot more than they want cryptographically sound secure messaging.

What's hopeful in all this is that Signal is, slowly, catching up. Slack can roll out new features just by assigning a couple developers to it, and Signal has to coordinate new cryptographic research --- not just new cryptographic research, but research that produces something deployable at scale within the resources of a project like Signal! --- so Slack (and Wire and Keybase) are at a permanent advantage here.

But over time, Signal gets more and more usable without having to consider tradeoffs.


It is, but there's another aspect besides convenience and ergonomics. You surely know better than me that privacy and security are non-binary, and everyone has their threat scenarios.

In some cases, an ability to have multiple independent accounts/identities (pseudonymity) would - unfortunately but practically - beat the true cryptographic security that Signal offers. I mean, personally, I'm less concerned about a platform (e.g. Wire or WhatsApp) or some government agency learning that I'm talking to my buddies on a certain schedule than about mixing up my acquaintances from different groups together, having to maintain a single identity for them all. Some people I talked with didn't know my name or phone number, and I would be uncomfortable if they did. For me, in my life I've said fewer things I wouldn't want governments to learn about than the number of times I've used a pseudonym/throwaway account to talk to people.


My biggest annoyance with Signal is that getting a new phone ends up wiping out all conversation history with apparently no way to transfer it.

This loss of user data is not advertised well enough up front, and leaves users feeling tricked. In many contexts loss of user data is an even bigger sin than weak security.


What's ironic here is that in the adversarial setting the application is designed for, unexpected retention of user data (on end-user devices) is a sin.


For some of us data loss is often a bigger threat than unexpected retention.

I like Signal and it always makes me happy to see more people showing up there, but for now certain group chats will stay on other messaging services.


I like to think about messages being ephemeral. If a piece of information needs to be saved, I just store it outside the messaging app. This includes media files, too.


That’s fine. But Signal should then advertise itself as unsuitable for general-purpose communication, primarily relevant when someone is specifically worried about adversaries reading the communication.

I can see how this makes sense for journalists, dissidents, diplomats, criminals, corporate executives, etc., but if data is under threat of disappearance, regular people should be warned away and told to use something else for day-to-day communication.


Personally, I'm happy to lose the data. I found it odd that with both phones and the SIM on the desk in front of me, I couldn't figure out how/if I could vouch for my key changing in any way.

Needing to say I have a new phone just trust me largely defeats the purpose.


If you are on an Android device you can export an encrypted backup and scan a QR code / type in the password to the encrypted archive to transfer messages / group memberships with only a safety number change in most cases.

https://support.signal.org/hc/en-us/articles/360007059752-Ba...

No dice for iOS unfortunately.


I think that's the opposite of what I want? I want to inform people of the new safety number using the old channel and purge all data like a good user.

In this respect a keybase like model makes more sense to me.


Two small corrections: Signal-Android's backup works with a passphrase only (no QR codes involved) and does not cause safety number changes on restore.


I’m talking about transferring archival data from one phone I own to a different phone I own.

This is different from whether other users are told that my security keys just changed.


Right, I think there's a partial process for what you want and not for informing of key change and I find that backwards AFA security.


Look in the settings then switch backup chats externally to on, then hit backup chat. What is so hard about that?


Why would Signal (a drop-in SMS replacement) be compared to Slack?


Because we're talking about group messaging here.


Why would group Signal messages (a drop-in replacement for group texts) be compared to Slack?


Why would a group communication tool be compared with another group communication tool? What's the part you're missing there?

I have some friends I talk to in Signal groups. I have others I talk to in Slack. In both cases, the goal is the same: communicate privately with a known group of friends.


In the case of Slack though these are "private" communications only in the same way that say, email to colleagues at work is "private". Lots of people certainly could snoop this, and more probably would be able to if they really wanted to. You would not be told about that, it'd just happen and everybody involved would convince themselves that it's fine. Is it fine though?

Signal's rationale is that if we actually secure this type of conversation, we can tell people not to accept insecure conversations because they're trading something you might want (actual privacy) for... not very much.

We've been here before on the Internet, at least twice now. When I was still (barely) a teenager Tatu Ylönen invented SSH and connecting to another machine was now secure instead of hopelessly insecure. And at almost the same time a bunch of people at Netscape invented SSL (which became TLS) and made the World Wide Web secure. It only took a few years for ordinary (relatively) people to _expect_ SSH not telnet and it took a bit longer for HTTPS but in both cases we got to a place where secure was the default and expected condition.


Yes, thanks, I understand the technical difference. What I'm saying is that from a user perspective, many people don't care, or don't care very much. Otherwise they wouldn't be using SMS, telephones, or email.

If Signal wants to be broadly successful, they have to be as good from the perspective of the broad base of users.


Please recall that earlier in the thread, the following was posted:

"[Signal is] really an engine for revealing people's true preferences for messaging, which, for many people, tend to be that they want all the ergonomics of Slack a lot more than they want cryptographically sound secure messaging."

This comparison to Slack makes no sense - Signal replaces texts and makes them end-to-end encrypted. It's a straight upgrade to texting (except, apparently, on iPhone, where Apple won't let the app send plain old texts and the "drop-in replacement" quality is neutered). It requires a phone number to use, and is linked to that phone number.

Signal is right to be what it is, and if Apple got out of the way, I would insist on replacing all texts with Signal. Replacing my Slacks with Signal or my Signal messages with Slack fails to type-check.


The comparison doesn't make sense to you, because you value privacy highly. It makes plenty of sense to people who don't.

People do literally compare them when deciding what group messaging app to use: https://news.ycombinator.com/item?id=21746863

For people like that, end-to-end cryptographic security is at best a nice-to-have. And I'd guess that's circa 90% of people.

Signal's true value comes when lots of people are using it. I never bother with secure email, because almost nobody I know has it set up. But I use Signal for the great bulk of my texting, because most of my friends are on it. If Signal wants that to be more and more true, they have to compete with the other tools people use for group communication.


I recently was selecting a messaging platform for my family, and we evaluated both Signal and Slack, and went with Slack. My wife did the same with her family, and went with Signal. From this, I gather they overlap in some features enough to compete for some use cases.


One (Signal) is a replacement for texts, and one isn't. "Overlap in features" wouldn't cover it, but rather how much you want it to be like texting.

Thomas Ptacek is a big Signal advocate, as am I, but he doesn't like to think of it as a drop-in replacement for texting, whereas I do (because that's what it is and where it shines). I move texting onto Signal whenever I can.


Why not Keybase over Slack?

Not saying Keybase is better; no dog in that fight, just curious if you had considered it.


> that they want all the ergonomics of Slack a lot more than they want cryptographically sound secure messaging.

So you consider accounts not tied to a phone number "Slack ergonomics"? Before WhatsApp that was the default.


I said it was a reason to hate Signal, not the only reason.


"Signal forces users to use phone numbers"

Which is number one reason why I'm not even considering it

"some people don't like this because they want to use multiple ephemeral usernames"

That's not my reason: I don't want people I don't know to get my phone number through other people I know and trust, but who are used to sharing everything online. Of course that would be possible without any social application as well, though using one makes it much more natural.

Then this one from their site: "Multiple mobile devices and Android tablets are not currently supported"

Triple facepalm here: this makes it even worse than Whatsapp I use (read: am forced to use) on an old tablet. Whatsapp sucks badly just at everything (didn't I write I'm forced to use it?) but at least I can read what I write.

Downvotes welcome, though advice on secure+open alternatives that don't assume I have a smartphone (I haven't one and don't plan to) would be more informative.


The day I would be comfortable giving out my phone number to strangers is when it becomes mandatory to whitelist all callers, much like how just about any non-PSTN system works.

Maybe this is because of the social expectation that it will work without such overhead, but I just simply can't help noticing how all the "countermeasures" of the phone industry (and governments, as this is a heavily regulated industry) ignore the elephant in the room...


If you are a client for Signal, rubber-hose cryptanalysis is a much bigger issue.

Here is the story of what happened to Doubi (SSR developer). He was very well aware of anonymity risks, and he evaded police for years on end. China literally tried to geolocate him by turning off the internet in entire cities, but to no result — he caught on to that, and started randomising his release timing, and avoiding releasing "hotfixes". So, the entire Chinese police and MSS had been looking for him for 4-5 years.

What happened? A few months before his arrest, he registered a Twitter handle with a throwaway SIM card. Those are usually sold by "grannies" in Chinese 2nd tier cities who peddle things like fake tax receipts, anonymous train tickets and such.

China either hacked Twitter, or bribed somebody there, and they got the number. They then tracked down the granny who sold him the SIM card, and went on checking every person door to door in that small town. Then, they found him.

He got 5 years prison, and 4 years of laogai (gulag).


That's super interesting, thanks for sharing! Would you mind posting a link or two about the story of Doubi? I can't find much and would love to dig into this story.


Basically Twitter got pwned big time, and now denies it because GDPR will ruin them if the breach is proven.

Here is what Doubi's online followers figured:

State security got all phone numbers used for Twitter phone verification up to May 2019 and possibly till July.

Twitter haphazardly closed the breach in complete secrecy.

API hole explanation is excluded as people with 100% private accs got police visits.

People with foreign SIM cards also got into trouble. So the explanation that China compromised Twitter's SMS providers is also excluded, as it's improbable that they did it in 4+ countries.

The 2016 breach is also out of the question.

The only explanation is that they got hold of a big piece of their user DB, or, worse, they have an active infiltrator in Twitter, or Twitter voluntarily cooperated.

https://mobile.twitter.com/robert_spalding/status/1134797195...

https://amp.ft.com/content/afd44222-5c34-11e9-9dde-7aedca0a0...


Pardon my ignorance but I'm unable to find much about this story... and the links you posted are hard to piece together with this narrative.

Not even doubting it, just wondering if there's more of a source that's laid out (work/timeline/etc)? It's supremely interesting and should probably be more well known if it's not already.


Most of what I know was found by people on Doubi's forum, which has since gone down. Near nothing about that in English besides stating the fact that he is gone now, that he got a term, and that his Twitter was the most likely source of his ID leak as deduced from public records about his case.

Early accounts explored the possibility of Chinese police exploiting an SMS gateway, and password reset abuse, but it has since been confirmed that even users who lived for years in the West got deanonymised, and their relatives got harassed. MSS/police having a fresh Twitter user DB is the most probable explanation at this point.


But, in this story - had he used Signal - if the police arrested anyone in contact with him, any one of those would be able to turn over his phone number? Which would be linked to the SIM card in his phone?

Am I missing something? Or am I misinterpreting your story? You're saying that sign-up bound to a SIM card is bad for Twitter and bad (worse) for Signal?


Yes, see, he went as far as buying an anonymous SIM in China, which are sold at an extreme premium by black market dealers, and still got tracked down.


> ”Signal cannot have multiple mobile clients, only one mobile client and a single desktop version”

This is wrong. You could always have multiple desktop clients. You can also add iPads as linked clients now. Personally, I have two desktops and an iPad linked to Signal.

WhatsApp doesn’t support linked devices at all; the web client connects through your phone. Signal's linked devices function independently: you can power off your phone and they’ll still work.


> Signal cannot have multiple mobile clients, only one mobile client and a single desktop version

You are right about the mobile client, but that's not true of desktop. I have Signal installed and set up on every desktop/laptop that I use without any issue.


I wouldn't say I can't stand it (indeed, I am using it), but I've had problems with it. Disappearing messages and the like: being contacted via another medium by a person, asking why I hadn't responded, with no record of there ever being a message on my end.

It's OK in my books: a symptom of there being no server to step in and enforce a universal truth. You just have to understand what you're getting in exchange for the occasional inconveniences.


It's a great piece of software, so people love it.

But the sometimes uncritical love people have for it doesn't help when it has issues.

The main categories of people I've encountered who aren't absolute Signal fans are:

* People who don't want to give out their phone number to random men.

* People who weren't impressed by Signal's security issues coming up at the same time that it was being pushed as the replacement for GPG.


Very nice (seriously!). Now, please let people use the platform without needing a valid phone number. The one major issue I have is that. Phone numbers are the new SSN: just like the SSN is being misused by traditional businesses, phone numbers are also misused these days (due to how you generally can be tracked down to a physical area for anti-fraud and how "everyone" has a cell phone) to uniquely identify users.

I don't get why users can't be addressed by both phone numbers and a "signal id", if you opt-in to use a phone number for addressing, your phone will be verified and signal will resolve it to your signal id. If you opt out people will need your signal id to address you and you can't use it for SMS. What are the challenges with that?

If I have a Signal private group system, Signal can find out a ton about me and my associations with others using only that information. Many other messaging platforms do not need this very sensitive information from me to function. And it does not support a desktop-only app even if you give them a phone number and verify you control that number.

I am always reminded of General Hayden (former NSA chief) saying how they love PGP at the NSA because they can sniff metadata and know who talks to who; it lets them easily find who has something to hide so they can target them. Not that I have the NSA in my threat model, but I am very sensitive to unnecessary metadata being generated.


What you're asking for is exactly how Telegram works, you can add someone with a phone number or by username, but if you add someone via username they don't see your phone number. Of course, Telegram chats are not encrypted by default, and there is some controversy over the encryption protocol.

https://telegram.org/faq#q-if-someone-finds-me-by-username-m...


Last time I checked, the only option to login was using a phone number. And at least the web client only has the phone number as login. I do not want to give them my phone number. Full stop. They can tie my account to my email, to my domain, to a chosen username, whatever. But if your service requires a phone number to use it, it’s not something I will use.


It's still true. Telegram still uses your phone number to login, even if you never give your phone number to anybody. At least usernames are an option unlike Signal and WhatsApp.

I dislike it too, but understand the reasoning behind spam prevention and account authentication.


I really want Signal to succeed. Or rather, I want anything that has decent crypto and is not FAANG to succeed.

The problem is not which messaging app I want to use, it's which messaging app my friends are using.

That said, if I had to choose, I think Matrix has a slight edge in my books because it's a protocol rather than a silo. Even though Signal is private and open source, they are hostile towards people running their own Signal builds on company servers, and unwilling to federate with other servers.

Essentially, you run the official Signal app on the official Signal servers, or GTFO.


They provide good reasons for doing so [1]. I share your hope that "anything that has decent crypto and is not FAANG" will succeed and I would prefer it to be a federated system, but I also see what moxie describes in the article. Basically federation only works on a lowest common denominator. This means progress is very slow or impossible. Comparing the current state of the Matrix ecosystem and Signal, I find it a lot easier to convince friends and family to join Signal. After all, that is what makes a messenger useful.

Anyway I wish both projects the best of luck.

[1] https://signal.org/blog/the-ecosystem-is-moving/


Matrix and Signal aren't comparable from a security perspective. Because Matrix is a protocol rather than a silo, many (most?) of its implementations don't even support E2E, and because Matrix has its roots in an ecosystem where E2E was a nonstandard add-on, Matrix will never be as safe as Wire or Signal.


Matrix project lead here; fwiw we’re aiming to turn on E2E by default for private rooms by end of Jan. It’s not really a non-standard add-on; it’s in the core of the protocol and has been designed for from the outset. It’s a pain in the ass to get right in a decentralised world though, hence the delay in forcing it on for everyone.

p.s. support for ephemeral msgs was released on the server in RC yesterday.


The way these conversations are structured, I'm always going to come across like I'm rooting for Matrix to fail, which is not at all the case. Like I said, I use Slack more than any other group messaging system, and while Slack does have some security assets that Matrix lacks, nobody can say that it has a more coherent encryption story. I wish Matrix all the best; I just don't think it's reasonable to suggest it as an alternative for people who need secure messaging that reliably works in groups of people.


Never seems a bit strong? Surely over the next decades we could have a Matrix 2.0 that is still federated, but mandates e2e (especially with Signal doing some of the research)?


True. On the other hand, there are some aspects in which Signal will never be as safe as Matrix. The big one is SMS verification. If someone loses their keys and has to reauthenticate over SMS, Signal notifies their conversation partners, but legitimate users do this all the time (in part because Signal lacks good key migration mechanisms), so said partners usually don’t see this as suspicious and often don’t bother reverifying the user’s identity. On Matrix’s side, I’m not sure how well it handles key migration (I don’t use it, for unrelated reasons), but it’s almost certainly less vulnerable to account theft in the first place. Matrix’s identity servers could of course be hacked or legally compromised, but they’re probably not as willing as cellular carriers are to hand over accounts to random people on request! Signal could improve its situation by getting better key migration support, but as long as it’s rooted in phone number identities, it will ‘never’ be as resistant to account theft.

Another aspect is that Matrix, if you’re technical enough, lets you set up a custom server for your secret group, which is somewhat less vulnerable to centralized metadata interception (though there are holes, like centralized mobile notification relays). Admittedly, this is mostly out of scope for Signal, which focuses on security for non-technical users.

Finally, to state the obvious, for many use cases, pseudonymity is safety. Along the lines of the “$5 wrench” XKCD, in practice the single most likely way for your secure messages to be disclosed is not through some clever protocol hack, but by their being pulled at rest from some conversation participant’s device – often with their active cooperation. Similarly, Signal’s deniability feature is cool, intentionally allowing users to forge cryptographically valid messages supposedly sent to them by others. But in practice, messages are typically leaked via screenshots, with no attempt made to detect forgery in the first place.

In such an environment, the most effective defense overall is probably self-destructing messages, which Matrix... apparently doesn’t support, but will soon. (Yikes – like I said, I don’t use it.) But in cases where the people you’re talking to don’t need to know your real identity, pseudonymity is a close second. Its weakness is that people are bad at separating identities and maintaining opsec, but it’s still better than nothing. It’s strongest in cases where you’re part of a large group (say, of protesters): this greatly increases the chance that the adversary will be able to read your messages (with a mole in the group), but also means that they probably don’t care about you personally and would prefer to go after low-hanging fruit. Or even if everyone is equally protected, it increases the amount of time they have to spend going after each person, reducing the number of people they can find.

Anyway, I don’t want to be too negative. The world is certainly better off for Signal’s existence. Maybe Signal will add non-phone-number account support someday, solving two of the issues I mentioned in one blow. Maybe it won’t, but it’ll still be useful to many people, and its continuing cryptographic research will strengthen other messengers, including ones that target use cases Signal does not.

Still, I feel like there’s some dissonance. From a cryptographer’s perspective, Signal is head and shoulders above the pack; they really know what they’re doing, to an extent that practically nobody else does. But in other areas, Signal is just okay. Not bad, often better than average, but rarely outstanding. And that includes areas that impact security, like key transfer and the other things I mentioned.


It seems that Signal is working on adding usernames: https://community.signalusers.org/t/signal-introducing-usern...


Interesting. I wonder what design they'll come up with. The thread links to a tweet from Moxie from a few months ago, which (along with some other tweets in the thread) is interesting to think about:

https://twitter.com/moxie/status/1174047779267604480

In theory they could keep using the native contact list and just stuff Signal usernames in there; iOS does have the APIs to do that, and I'd assume Android too.


The one thing I don't like about Signal is that it's tied to a phone number. Sure, you can tie the account to a VoIP number but that's not the same as Wire which allows you to sign up with an email address and your account id based on a username, which cannot be SIM-attack hijacked.


This is why I think Keybase is so awesome. I've gotten some of my friends on it and so far the encryption/exploding messages and all is working great.


Keybase is awesome, it's really improved over the years.


I have the same experience. The only chat I've managed to get people on and keep for a longer period of time - no dealbreakers so far.


I really hope Signal takes over the world from Whatsapp. I hate Whatsapp and yet I am forced to use it due to all my friends / family / parents use of it. I try to fight but is hard and currently FB mess and WA are the only ones with a consistent reliability of delivering notifications promptly, while rest of chat apps either are too hard to use for non-computer people or they lose notifications. I mean, c'mon Microsoft!!! Is it really that hard to make Skype reliable again?!!


What I really want from Signal is the ability to use it as an application transport. In particular, I want to authorise certain people to request my phone's location.

At the moment I share it with Google so I can share it with friends or family, which sucks.


This is with Telegram (which I'm not a fan of), not Signal, but it might still be interesting to you: https://osmand.net/blog/osmand-telegram-released


Maybe ask the writers of Mr. Robot. They figured it out!


Please. I hope that's sarcasm. Because if it's not, then may I steer you clear of that annoying series and into Breaking Bad + its follow up Better Call Saul?


No, I'm being totally serious.../s


The point of this seems to be hiding the identity of users when they fetch or modify group attributes - but why? The user’s identity is otherwise known to the server: they know that account X was accessed by IP address Y, and that IP address Y fetched metadata for group Z, therefore account X is in group Z. They can also figure out group membership by tracking clusters of messages that are sent simultaneously. What am I missing?


They do not know that information unless they’re monitoring on-the-server in the clear. They simply know they’re talking to Signal servers. This new feature protects in the case of Information Requests because they themselves don’t know who is in what groups.


You either have to trust the server operator not to keep logs, or assume they are keeping logs and _do_ know what groups you’re in. In either case, what is this fancy crypto scheme actually buying you?


The fancy crypto is what allows them not to (effectively) keep those logs in the first place. If you build this feature without the fancy crypto, then even if you say you're not logging this stuff, you (effectively) are, because your system depends on durable access to that metadata in order to function. This is, for instance, the major security difference between Signal and Wire.

One strong indication you have that Signal isn't logging this stuff is that they had to wait until they were able to advance the state of the art in anonymous credentials in order to implement group access control at all.


To verify the claim that my group message content is protected, I can examine the Signal client. I don’t have to trust the server operator whatsoever; I can independently confirm there is no way for them to see the content of my messages.

In contrast, I cannot verify this new claim that my group memberships are protected. I have to trust them.

I think you are basically saying: ‘well, they built all this crypto that is only useful if you believe they’re not logging, so I believe they’re not logging.’


No, what I'm saying is that without the cryptographic protections, a messaging provider can't claim not to be logging, because their serverside logic requires the log.

Prior to doing this cryptographic work, Signal simply went without having these features at all.


You're both right. The other poster's claim is that we cannot verify the code running on the server. They could support this new scheme AND just store everything in plain text. We can only verify the interface is the same (because that's what we're using).

But you're also right it would be a long con to go without these features for so long, develop state of the art cryptography to add them securely and privately, then not use that.


> They could support this new scheme AND just store everything in plain text.

Store _what_ in plain text?

Right at the top of the article are some commonplace things other "chat" systems, even if they claim end-to-end encryption - store in a central database. Metadata, like the name of the group, a logo or "avatar" and then also the core fact of the group, a list of its members.

Signal's server doesn't end up knowing /any/ of those things. It doesn't need them for anything it does, so it never gets told what they are. It couldn't store them in plain text any more than it could your Signal messages.

With the proposed enhancement Signal's server would store the data so as to serialise access, but it would still be encrypted with keys the server does not have so it's meaningless to the server.

Members of each group learn a key (picked at random by the group's founding member) -- which Signal's server doesn't know -- and that key lets them decrypt the metadata about the group and encrypt new data if they e.g. decided to change the group's name, invite somebody to the group or remove someone from the group.

The part we can't _prove_ Signal is doing as a result of this work is the new use of Anonymous Credentials and Roles. Maybe Signal will actually let Alice add an entry to the members list for my group Carolines And Tiaras even though Alice isn't a member. This won't work very well, because since Alice isn't a member she can't add _correct_ entries, for example she can't add herself or a collaborator, but she can add gibberish and maybe annoy the group members.
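A simplified model of the encrypted group-state storage described above, added here as an example (it is not Signal's code and deliberately leaves out the anonymous-credential layer): the server holds only AES-256-GCM ciphertext under a group key it never receives, members decrypt, edit and re-upload, and a blob written by someone without the key fails authentication when a member opens it. All names, the `Server` type and the group id `g1` are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// GroupState is the metadata the comment lists: a title and the member list.
type GroupState struct {
	Title   string   `json:"title"`
	Members []string `json:"members"`
}

// Server is the storage side of this model (hypothetical): one opaque blob per group id, no key, no plaintext.
type Server struct{ blobs map[string][]byte }

func NewServer() *Server                          { return &Server{blobs: map[string][]byte{}} }
func (s *Server) Get(groupID string) []byte       { return s.blobs[groupID] }
func (s *Server) Put(groupID string, blob []byte) { s.blobs[groupID] = blob }

// NewGroupKey is the random key the founding member picks and hands to members over the existing E2E channel.
func NewGroupKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts the group state with AES-256-GCM under the group key. The group
// id is bound as associated data so a blob cannot be moved to another group.
func Seal(key []byte, groupID string, st GroupState) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	plaintext, _ := json.Marshal(st) // strings and a string slice always marshal
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(groupID)), nil // nonce || ciphertext || tag
}

// Open decrypts a blob. Anything not produced under the group key (gibberish
// written by a non-member, or a blob copied from another group) is rejected.
func Open(key []byte, groupID string, blob []byte) (st GroupState, err error) {
	gcm, err := newGCM(key)
	if err != nil {
		return st, err
	}
	n := gcm.NonceSize()
	if len(blob) < n {
		return st, fmt.Errorf("group blob too short")
	}
	plaintext, err := gcm.Open(nil, blob[:n], blob[n:], []byte(groupID))
	if err != nil {
		return st, fmt.Errorf("group blob rejected: %w", err)
	}
	return st, json.Unmarshal(plaintext, &st)
}

// AddMember is a member's edit: fetch, decrypt, change, re-encrypt, upload.
func AddMember(s *Server, key []byte, groupID, name string) error {
	st, err := Open(key, groupID, s.Get(groupID))
	if err != nil {
		return err
	}
	st.Members = append(st.Members, name)
	blob, err := Seal(key, groupID, st)
	if err != nil {
		return err
	}
	s.Put(groupID, blob)
	return nil
}

func main() {
	key, _ := NewGroupKey()
	srv := NewServer()
	blob, _ := Seal(key, "g1", GroupState{Title: "Carolines And Tiaras", Members: []string{"founder"}})
	srv.Put("g1", blob)
	_ = AddMember(srv, key, "g1", "carol")
	st, _ := Open(key, "g1", srv.Get("g1"))
	fmt.Println("members see:", st.Title, st.Members)
	junk := make([]byte, 48) // a non-member without the key writes gibberish
	rand.Read(junk)
	_, err := Open(key, "g1", junk)
	fmt.Println("member opening it:", err)
}
```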


> They could support this new scheme AND just store everything in plain text.

Could they?

I am not clear that this is possible. I thought the entire point of "Alice provides a zero-knowledge proof to the server that she possesses an AuthCredential matching some particular entry" is that the server learns nothing about Alice other than her possession of a matching AuthCredential. Indeed, the paper says: "Because of the zero-knowledge property, the server has assurance that the user possesses such an auth credential without learning the UID certified by the credential, or other information that might link this use of the credential to other uses or to credential issuance."

It would be nice if someone more knowledgeable could confirm whether it is indeed possible for Signal to compromise user privacy while using this scheme. Is SheinhardtWigCo right when they write, "In contrast, I cannot verify this new claim that my group memberships are protected. I have to trust them."?


SheinhardtWigCo's central idea is that if someone receives a packet over the network it has an IP address in it, and that's the sender's "identity", and so the Signal servers can't avoid knowing Alice's "identity" when she does this, and then they can collect such data to try to re-assemble group membership in terms of IP address "identities".

For example let's say a packet arrives from 10.20.30.40 [[ all IPs used are from 10/8 as examples I am aware that Signal probably rejects packets claiming to be from an RFC1918 network ]] which contains proof that group #1 member #4 has authorised adding a new member #8

SheinhardtWigCo believes this tells us that this identity (10.20.30.40) is a member of this group, group #1 and they suppose that Signal's server could in fact store this, and then perhaps later tell some Spooks a list of such members of group #1 and it could do this on a vast scale, so that it would be able to say for any "identity" (IP address) the list of all identities (IP addresses) which seem to be members of groups which that identity is also a member of.

Now, I don't think Spooks would find that very useful, but there you go, that's what SheinhardtWigCo thinks is a big problem here.

[ Edited to clarify early paragraph ]


I see, thanks. I was confusing "logging" for logging the association between AuthCredential and UID rather than logging IP addresses. For what it's worth, Signal does allow connecting over Tor.


> You either have to trust the server operator not to keep logs

You don't have to trust, you can verify. This has been proven in court: https://signal.org/bigbrother/eastern-virginia-grand-jury/


Using a throwaway for obvious reasons... I am grateful these are being worked on because they are extremely needed for some use cases.

I have been part of a group organizing protests in Beirut and I was surprised there was no clear go-to app that provided the security features we need.

We started off with WhatsApp because that's what everyone used before security became a concern. We then moved to Signal, mostly to get auto-deleting messages. We then ran away to Telegram because there was no way to kick a compromised phone out of a Signal group.

We considered using Wire, which seemed to have what we needed, but the interface was a bit clunky and it did not run well on all the phones of the group... We are currently evaluating and considering Keybase.io, which seems to have all the features too, but we're not sure how it will handle about a hundred people in the group...

If anyone has ideas about which apps are recommended for that (or has additional useful things) please help, the main things we need are:

- Encryption E2E is nice to have but not a deal breaker.

- Possibility to kick a user from the group: deal breaker. (A thug stole someone's phone in the protest once, and another time we got a message saying someone's security code changed and then they became inaccessible.) Both incidents ended up OK, but there was no way to kick the person out of the group and proceed while clearing things up with Signal.

- No old history kept of the conversation. Either auto-deleting messages set to a short duration like Signal, or if that's not possible we can survive with an admin at home deleting old messages constantly and clearing the chat for everyone in sensitive situations (like Telegram allows).

- Free. For various reasons, some people can't buy apps no matter how cheap.

- Easy to use. Most protesters are not too technical.

- Possibility to display sender and group but not the content of messages in the notifications.

- Having an easy way to add a password to the app itself (nice to have).

- Making screenshots inconvenient to take (just nice to have).

- Not tied to phone numbers: also really nice to have but not mandatory.

Our main threat is riot police and pro-government thugs taking protesters' phones and forcing people to unlock them, or running away before the phone is locked and then snooping around. Very rarely are people alone when this happens, so we almost always get a notification that X is compromised, so we clear chats and kick them out of the group before their phones are really compromised.

I don't think the government is running sophisticated deep packet inspection. I don't think our group has been infiltrated but that is always a possibility.

We are also trying to find some free device management solution to remotely track / lock and maybe wipe phones when they get taken.

Sorry for the wall of text... just thought now might be a good time to ask...


Except for the "no screenshots", everything else is implementable, but as you already know no app has them all. But since you're a group, make one. I mean, the world is full of freelancers, so hire one and create what you need. Better, make it open-source and publish it on GitHub so anyone can review its code and point out bugs/bad implementations.


This list could be a helpful starting point:

https://en.wikipedia.org/wiki/Comparison_of_cross-platform_i...

You can sort the table by clicking on the column headers. The "E2EE group chat" column should be useful.


That list seems somewhat out of date, at least for OMEMO based group chat.


Telegram is good enough, no?


We thought so. The lack of auto destructing messages is inconvenient but not a deal breaker.

But it uses SMS to authenticate new sessions... we were the target of an attack that exposed our group.

A few users had not set up two-factor authentication, so they woke to a warning from Telegram that someone was logged in to their account from across the world.


I noticed this from the paper:

> Note that a user who has acquired a group’s GroupMasterKey and then leaves the group (or is deleted) retains the ability to collude with a malicious server to encrypt and decrypt group entries. We deem this risk acceptable for now due to the complexities in rapid and reliable rekey of the GroupMasterKey.

Does this mean that the server and a deleted user can always collude to get the deleted user readded to the group? Also, is there no provable audit trail of who added or deleted whom? Unless I'm misunderstanding, it seems like deleting a user is therefore enforced only via server trust, but please correct me if I'm wrong.


Yes, this means the server and a deleted user could collude to re-add them, or anybody of the deleted user's choosing, to the group, or to remove selected people from the group (the server doesn't need collusion to remove random people from a group).

No, the members of the group would be able to see that the deleted user is back, or whatever else has happened to the list. Signal's server isn't responsible for deciding who gets the group messages, only for storing the agreed list in encrypted form. So members don't need to trust that the server did as it was told.

Certainly if you have a group where you suspect a member of colluding with the Signal server to betray the group you should probably NOT remove that member but instead take the extra trouble to explicitly form a new group (without that member obviously).


Got it. I was thinking that for bigger groups, it might be hard for members to keep track of who got deleted when and by whom, so it might be easier for a deleted user to slip back in without attracting notice.

Your point that the deleted user and the server can collude to add a rando to the group seems like a bigger deal, since it would be harder to catch.

To make the same point more critically, if the members need to constantly recheck the mapping of group name to membership list (to stop server cheating), then the scheme might not be buying much.
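A client-side membership audit of the kind the two comments above describe, as an added example (this is not Signal's code, and all UIDs and snapshots in it are constructed sample values):

```python
"""Added example, not Signal's code: a client-side group membership audit.

As the thread notes, the server only stores the encrypted member list, so
members can in principle see a removed user (or anyone they choose) slipping
back in, but in a large group that is easy to miss. This hypothetical
GroupAuditor remembers every UID it has seen removed and flags re-adds
explicitly. All UIDs and snapshots below are constructed sample values.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Alert:
    kind: str  # "added", "removed" or "readded"
    uid: str
    detail: str = ""


@dataclass
class GroupAuditor:
    members: set[str]                                # last membership we accepted
    removed: set[str] = field(default_factory=set)   # every UID ever removed

    def apply_snapshot(self, snapshot: set[str]) -> list[Alert]:
        """Diff a freshly decrypted member list against the last known one."""
        alerts: list[Alert] = []
        for uid in sorted(snapshot - self.members):
            if uid in self.removed:
                # A previously removed member reappearing is exactly the
                # server/ex-member collusion case; surface it loudly.
                alerts.append(Alert("readded", uid, "previously removed UID is back"))
            else:
                alerts.append(Alert("added", uid))
        for uid in sorted(self.members - snapshot):
            # The server can drop entries on its own, so a removal that no
            # member initiated also deserves a look.
            alerts.append(Alert("removed", uid, "confirm a member initiated this"))
            self.removed.add(uid)
        self.members = set(snapshot)
        return alerts


if __name__ == "__main__":
    auditor = GroupAuditor(members={"alice", "bob", "carol"})
    print(auditor.apply_snapshot({"alice", "bob"}))           # carol removed
    print(auditor.apply_snapshot({"alice", "bob", "carol"}))  # carol re-added
```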


Overall cool stuff. It feels like this has implications for auth/authz schemes in general, like a variant of Kerberos, or a way to do auth/authz for an SSH-like service - maybe even a way to anchor trust (in user principals and service principals, like SSH keys and/or certificates)?

If we replace "the signal server" with "the authentication/authorization service" ("the AD service" / "the organization's internal certificate authority")...?

Maybe I'm just needlessly afraid of the complexity of managing a real world certificate authority (keeping it secure, keeping it running, keeping as much as possible off line..).


Is it a coincidence this came up on HN at the same time Telegram is getting dissed on HN? Can't help but think it was coordinated... which is sad for HN.


People don't like Telegram because it's a centralized thing and maybe not trustworthy. I'm not sure if I'd trust the Telegram founders, and their commitment to open source seems questionable to me (no server, outdated clients).

People advocate for Signal because it's arguably the least offensive of the available e2e options. Also the founder for Signal has a long history of doing good work in this area.


> People don't like Telegram because it's a centralized thing and maybe not trustworthy.

Just like Signal.

> I'm not sure if I'd trust the Telegram founders, and their commitment to open source seems questionable to me

Meanwhile Moxie Marlinspike's opposition to free software is evident. You use the client he dictates or fuck off. There's closed source software that respects freedom more than Signal.


https://github.com/signalapp/Signal-Android

Can't I build and use this if I want? It looks very open, but I haven't tried building my own client.


Free software is not about being able to compile the code Moxie Marlinspike allows you to use. It's about freedom, which he opposes:

https://github.com/LibreSignal/LibreSignal/issues/37#issueco...

Yes, Signal's licensing complies with the letter of how we define free software. But that is irrelevant, as it violates the spirit.


I doubt it. It seems to have been posted to HN at the same time as the blog post itself was posted. The timing of the blog post seems to have been based on when their paper went up on eprint [0]. As you can see they seem to have submitted the paper on Dec 6 (date on pdf) and it got posted to the eprint server on Dec 9 (which is the typical time frame). At the very least, zero reason for the MSR people involved in the paper to base their release date around Telegram.

[0]: https://eprint.iacr.org/2019/1416


I think I know the answer already, but just in case: is there a way to use Signal to communicate with users using WhatsApp? IOW, can I receive WhatsApp messages in Signal?

The only reason I use WhatsApp is because it's what all my contacts use. It's everywhere. It's the de facto standard for text communication. And I hate the app. I hate its guts.

I read that WhatsApp implemented the Signal protocol; does that mean anything with respect to being able to communicate with people using a different app? Because I was hoping so, but I can't find a way to see my WhatsApp messages in Signal.


Yup, you guessed right. By default that's a no. However, you can do a cow-helicopter by using a 3rd party that will be a proxy between your Signal account and your WhatsApp account. Hell, you can do whatever you want between any 2 services with a 3rd party. Problem is, you still need an account on both ends.


Neither the Signal guy nor Facebook like interoperability, so no.



